ammended mod authentication system (no more $_SESSION)
This commit is contained in:
parent
313012f034
commit
c1be29ce35
111
inc/mod.php
111
inc/mod.php
@ -5,13 +5,24 @@
|
||||
exit;
|
||||
}
|
||||
|
||||
// Creates a small random string for validating moderators' cookies
|
||||
function mkhash($length=12) {
|
||||
// The method here isn't really important,
|
||||
// but I think this generates a relatively
|
||||
// unique string that looks cool.
|
||||
// If you choose to change this, make sure it cannot include a ':' character.
|
||||
return substr(base64_encode(sha1(rand() . time(), true)), 0, $length);
|
||||
// create a hash/salt pair for validate logins
|
||||
function mkhash($username, $password, $salt = false) {
|
||||
global $config;
|
||||
|
||||
if(!$salt) {
|
||||
// create some sort of salt for the hash
|
||||
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
|
||||
|
||||
$generated_salt = true;
|
||||
}
|
||||
|
||||
// generate hash (method is not important as long as it's strong)
|
||||
$hash = substr(base64_encode(md5($username . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
|
||||
|
||||
if(isset($generated_salt))
|
||||
return Array($hash, $salt);
|
||||
else
|
||||
return $hash;
|
||||
}
|
||||
|
||||
function hasPermission($action = null, $board = null, $_mod = null) {
|
||||
@ -52,8 +63,7 @@
|
||||
'id' => $user['id'],
|
||||
'type' => $user['type'],
|
||||
'username' => $username,
|
||||
'password' => $password,
|
||||
'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash(),
|
||||
'hash' => mkhash($username, $password),
|
||||
'boards' => explode(',', $user['boards'])
|
||||
);
|
||||
} else return false;
|
||||
@ -61,26 +71,22 @@
|
||||
|
||||
function setCookies() {
|
||||
global $mod, $config;
|
||||
if(!$mod) error('setCookies() was called for a non-moderator!');
|
||||
if(!$mod)
|
||||
error('setCookies() was called for a non-moderator!');
|
||||
|
||||
// $config['cookies']['mod'] contains username:hash
|
||||
setcookie($config['cookies']['mod'], $mod['username'] . ':' . $mod['hash'], time()+$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
|
||||
|
||||
// Put $mod in the session
|
||||
$_SESSION['mod'] = $mod;
|
||||
|
||||
// Lock sessions to IP addresses
|
||||
if($config['mod']['lock_ip'])
|
||||
$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];
|
||||
setcookie($config['cookies']['mod'],
|
||||
$mod['username'] . // username
|
||||
':' .
|
||||
$mod['hash'][0] . // password
|
||||
':' .
|
||||
$mod['hash'][1], // salt
|
||||
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
|
||||
}
|
||||
|
||||
function destroyCookies() {
|
||||
global $config;
|
||||
// Delete the cookies
|
||||
setcookie($config['cookies']['mod'], 'deleted', time()-$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
|
||||
|
||||
// Unset the session
|
||||
unset($_SESSION['mod']);
|
||||
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true);
|
||||
}
|
||||
|
||||
function create_pm_header() {
|
||||
@ -112,33 +118,6 @@
|
||||
$query->execute() or error(db_error($query));
|
||||
}
|
||||
|
||||
if(isset($_COOKIE[$config['cookies']['mod']]) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {
|
||||
// Should be username:session hash
|
||||
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
|
||||
if(count($cookie) != 2) {
|
||||
destroyCookies();
|
||||
error($config['error']['malformed']);
|
||||
}
|
||||
|
||||
// Validate session
|
||||
if( $cookie[0] != $_SESSION['mod']['username'] ||
|
||||
$cookie[1] != $_SESSION['mod']['hash']) {
|
||||
// Malformed cookies
|
||||
destroyCookies();
|
||||
error($config['error']['malformed']);
|
||||
}
|
||||
|
||||
// Open connection
|
||||
sql_open();
|
||||
|
||||
// Check username/password
|
||||
if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {
|
||||
destroyCookies();
|
||||
error($config['error']['invalidafter']);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Generates a <ul> element with a list of linked
|
||||
// boards and their subtitles. (without the <ul> opening and ending tags)
|
||||
function ulBoards() {
|
||||
@ -288,4 +267,34 @@
|
||||
//}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
// Validate session
|
||||
|
||||
if(isset($_COOKIE[$config['cookies']['mod']])) {
|
||||
// Should be username:hash:salt
|
||||
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
|
||||
if(count($cookie) != 3) {
|
||||
destroyCookies();
|
||||
error($config['error']['malformed']);
|
||||
}
|
||||
|
||||
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1");
|
||||
$query->bindValue(':username', $cookie[0]);
|
||||
$query->execute() or error(db_error($query));
|
||||
$user = $query->fetch();
|
||||
|
||||
// validate password hash
|
||||
if($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) {
|
||||
// Malformed cookies
|
||||
destroyCookies();
|
||||
error($config['error']['malformed']);
|
||||
}
|
||||
|
||||
$mod = Array(
|
||||
'id' => $user['id'],
|
||||
'type' => $user['type'],
|
||||
'username' => $cookie[0],
|
||||
'boards' => explode(',', $user['boards'])
|
||||
);
|
||||
}
|
||||
|
||||
|
16
mod.php
16
mod.php
@ -171,8 +171,8 @@
|
||||
if($mod['type'] >= ADMIN && $config['check_updates']) {
|
||||
if(!$config['version'])
|
||||
error('Could not find current version! (Check .installed)');
|
||||
if(isset($_SESSION['update']) && time() - $_SESSION['update']['time'] < $config['check_updates_time']) {
|
||||
$latest = unserialize($_SESSION['update']['latest']);
|
||||
if(isset($_COOKIE['update'])) {
|
||||
$latest = unserialize($_COOKIE['update']);
|
||||
} else {
|
||||
$ctx = stream_context_create(array(
|
||||
'http' => array(
|
||||
@ -208,7 +208,9 @@
|
||||
// TODO: Display some sort of warning message
|
||||
$latest = false;
|
||||
}
|
||||
$_SESSION['update'] = Array('time' => time(), 'latest' => serialize($latest));
|
||||
|
||||
|
||||
setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
|
||||
}
|
||||
|
||||
if($latest) {
|
||||
@ -236,8 +238,7 @@
|
||||
'title'=>_('Dashboard'),
|
||||
'body'=>$body,
|
||||
'__mod'=>true
|
||||
)
|
||||
);
|
||||
));
|
||||
} elseif(preg_match('/^\/logout$/', $query)) {
|
||||
destroyCookies();
|
||||
|
||||
@ -1221,6 +1222,9 @@
|
||||
|
||||
if($_mod['id'] == $mod['id']) {
|
||||
// Changed own password. Update cookies
|
||||
|
||||
login($mod['username'], $_POST['password']);
|
||||
|
||||
setCookies();
|
||||
}
|
||||
}
|
||||
@ -2248,7 +2252,7 @@
|
||||
|
||||
openBoard($targetBoard);
|
||||
foreach($replies as &$post) {
|
||||
var_dump(post($post, false));
|
||||
post($post, false);
|
||||
if($post['has_file']) {
|
||||
$clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']);
|
||||
$clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']);
|
||||
|
12
post.php
12
post.php
@ -164,17 +164,6 @@
|
||||
if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
|
||||
error($config['error']['referer']);
|
||||
|
||||
// TODO: Since we're now using static HTML files, we can't give them cookies on their first page view
|
||||
// Find another anti-spam method.
|
||||
|
||||
/*
|
||||
// Check if he has a valid cookie.
|
||||
if(!$user['valid']) error($config['error']['bot']);
|
||||
|
||||
// Check how long he has been here.
|
||||
if(time()-$user['appeared']<LURKTIME) error(ERROR_LURK);
|
||||
*/
|
||||
|
||||
checkDNSBL();
|
||||
|
||||
// Check if board exists
|
||||
@ -597,6 +586,7 @@
|
||||
|
||||
}
|
||||
|
||||
|
||||
rebuildThemes('post');
|
||||
header('Location: ' . $redirect, true, $config['redirect_http']);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user