fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks

This commit is contained in:
Andrew Dolgov 2018-10-16 14:07:42 +03:00
parent d246fb9fe1
commit 5f66f872b6
3 changed files with 27 additions and 26 deletions

View File

@ -465,14 +465,6 @@ class Handler_Public extends Handler {
function login() {
if (!SINGLE_USER_MODE) {
/* if a session is started here there's a stale login cookie we need to clean */
if (session_status() != PHP_SESSION_NONE) {
$_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
header("Location: " . get_self_url_prefix());
exit;
}
$login = clean($_POST["login"]);
$password = clean($_POST["password"]);

View File

@ -714,8 +714,8 @@
if ($user_id && !$check_only) {
session_regenerate_id(true);
session_start();
session_regenerate_id(true);
$_SESSION["uid"] = $user_id;
$_SESSION["version"] = VERSION_STATIC;

View File

@ -45,7 +45,7 @@
__("Session failed to validate (schema version changed)");
return false;
}
$pdo = Db::pdo();
$pdo = Db::pdo();
if ($_SESSION["uid"]) {
@ -59,21 +59,21 @@
// user not found
if ($row = $sth->fetch()) {
$pwd_hash = $row["pwd_hash"];
$pwd_hash = $row["pwd_hash"];
if ($pwd_hash != $_SESSION["pwd_hash"]) {
if ($pwd_hash != $_SESSION["pwd_hash"]) {
$_SESSION["login_error_msg"] =
__("Session failed to validate (password changed)");
$_SESSION["login_error_msg"] =
__("Session failed to validate (password changed)");
return false;
}
return false;
}
} else {
$_SESSION["login_error_msg"] =
__("Session failed to validate (user not found)");
$_SESSION["login_error_msg"] =
__("Session failed to validate (user not found)");
return false;
return false;
}
}
@ -95,16 +95,16 @@
$sth->execute([$id]);
if ($row = $sth->fetch()) {
return base64_decode($row["data"]);
return base64_decode($row["data"]);
} else {
$expire = time() + $session_expire;
$expire = time() + $session_expire;
$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, '', ?)");
$sth->execute([$id, $expire]);
$sth->execute([$id, $expire]);
return "";
return "";
}
@ -116,8 +116,17 @@
$data = base64_encode($data);
$expire = time() + $session_expire;
$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
$sth->execute([$data, $expire, $id]);
$sth = Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
$sth->execute([$id]);
if ($row = $sth->fetch()) {
$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
$sth->execute([$data, $expire, $id]);
} else {
$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, ?, ?)");
$sth->execute([$id, $data, $expire]);
}
return true;
}