From 6537ca63e0ef7e992f4a46190b4f62cf3ce5a2b9 Mon Sep 17 00:00:00 2001
From: Marcel Minke <maziminke@users.sourceforge.net>
Date: Fri, 20 Mar 2009 00:16:39 +0000
Subject: [PATCH] dev: more work on one time passwords, still some bugs

git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey181@6569 b72ed6b6-b9f8-46b5-92b4-906544132732
---
 admin/login_check.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/admin/login_check.php b/admin/login_check.php
index b9fa3392bda..2c71fc33669 100644
--- a/admin/login_check.php
+++ b/admin/login_check.php
@@ -59,7 +59,8 @@
 			if ($result->RecordCount() < 1)
 			{
 				// wrong or unknown username 
-				$loginsummary = $clang->gT("No one time password found for user")." ".$user."<br />";			
+				$loginsummary = $clang->gT("No one time password found for user")." ".$user."<br />";
+				session_regenerate_id();			
 			}
 			else
 			{
@@ -92,6 +93,8 @@
 					$_SESSION['checksessionpost'] = randomkey(10);
 					$_SESSION['loginID'] = $srow['uid'];
 					$loginsummary = "";
+					GetSessionUserRights($_SESSION['loginID']);
+					//$adminoutput = "";
 					
 					// Check if the user has changed his default password
 					if (strtolower($srow['password'])=='password')
@@ -103,6 +106,10 @@
 						$_SESSION['pw_notify']=false;
 					} 
 					
+					//delete passed information
+					unset($_GET['user']);
+					unset($_GET['onepass']);
+					
 				}			
 				
 			}
@@ -119,7 +126,6 @@
 	($action == "logout") || 
 	($useWebserverAuth === true && !isset($_SESSION['loginID'])) )	// added by Dennis
 {
-	echo '<script language="javascript" type="text/javascript">alert("USERCONTROL");</script>';
 	include("usercontrol.php");
 }