Introduced PHP sessions

public_html/admin/auth.inc.php

@@ -8,7 +8,7 @@
 // |                                                                           |
 // | Geeklog admin authentication module                                       |
 // +---------------------------------------------------------------------------+
-// | Copyright (C) 2000-2010 by the following authors:                         |
+// | Copyright (C) 2000-2019 by the following authors:                         |
 // |                                                                           |
 // | Authors: Tony Bibbs        - tony AT tonybibbs DOT com                    |
 // |          Mark Limburg      - mlimburg AT users DOT sourceforge DOT net    |
@@ -36,6 +36,8 @@
     die('This file can not be used on its own.');
 }
 
+global $_TABLES;
+
 // MAIN
 COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
 if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
@@ -65,22 +67,15 @@
 if ($status == USER_ACCOUNT_ACTIVE) {
     DB_query("UPDATE {$_TABLES['users']} SET pwrequestid = NULL WHERE uid = $uid");
     $_USER = SESS_getUserDataFromId($uid);
-    $sessid = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'],
-            $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
-    SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'],
-            $_CONF['cookie_session'], $_CONF['cookie_path'],
-            $_CONF['cookiedomain'], $_CONF['cookiesecure']);
+    SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout']);
     PLG_loginUser($_USER['uid']);
 
-    // Now that we handled session cookies, handle longterm cookie
-    if (!isset($_COOKIE[$_CONF['cookie_name']])) {
-        // Either their cookie expired or they are new
-        $cooktime = COM_getUserCookieTimeout();
-
-        if (!empty($cooktime)) {
-            // They want their cookie to persist for some amount of time so set it now
-            SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $cooktime);
-        }
+    // Now that we handled session cookies, handle long-term cookie
+    $cookieTime = COM_getUserCookieTimeout();
+    if (!empty($cookieTime) && ($cookieTime > 0)) {
+        SESS_handleAutoLogin($cookieTime);
+    } else {
+        SESS_deleteAutoLoginKey();
     }
 
     if (!SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,syndication.edit,theme.edit','OR')) {

public_html/admin/install/classes/installer.class.php

@@ -4586,7 +4586,7 @@ private function installEngine($installType, $installStep)
                                     '1.3.5', '1.3.6', '1.3.7', '1.3.8', '1.3.9', '1.3.10', '1.3.11',
                                     '1.4.0', '1.4.1', '1.5.0', '1.5.1', '1.5.2', '1.6.0', '1.6.1',
                                     '1.7.0', '1.7.1', '1.7.2', '1.8.0', '1.8.1', '1.8.2', '2.0.0',
-                                    '2.1.0', '2.1.1',
+                                    '2.1.0', '2.1.1', '2.2.0',
                                 );
                                 $tempCounter = 0;
 

public_html/admin/install/classes/micro_template.class.php

@@ -93,8 +93,6 @@ private function parseVarName($s)
 
     /**
      * Evaluate the content of a template
-     *
-     * @return string
      */
     private function evaluate()
     {

public_html/admin/install/config-install.php

@@ -414,12 +414,10 @@ function install_config()
     $c->add('fs_cookies', NULL, 'fieldset', 7, 30, NULL, 0, TRUE, $me, 30);
     $c->add('cookie_session','gl_session','text',7,30,NULL,530,TRUE, $me, 30);
     $c->add('cookie_name','geeklog','text',7,30,NULL,540,TRUE, $me, 30);
-    $c->add('cookie_password','password','text',7,30,NULL,550,TRUE, $me, 30);
     $c->add('cookie_theme','theme','text',7,30,NULL,560,TRUE, $me, 30);
     $c->add('cookie_language','language','text',7,30,NULL,570,TRUE, $me, 30);
     $c->add('cookie_tzid','timezone','text',7,30,NULL,575,TRUE, $me, 30);
     $c->add('cookie_anon_name','anon_name','text',7,30,NULL,577,TRUE, $me, 30);
-    $c->add('cookie_ip',0,'select',7,30,0,580,TRUE, $me, 30);
     $c->add('default_perm_cookie_timeout',28800,'select',7,30,NULL,590,TRUE, $me, 30);
     $c->add('session_cookie_timeout',7200,'text',7,30,NULL,600,TRUE, $me, 30);
     $c->add('cookie_path','/','text',7,30,NULL,610,TRUE, $me, 30);

public_html/users.php

@@ -40,6 +40,8 @@
  * @author   Jason Whittenburg
  */
 
+use Geeklog\Session;
+
 /**
  * Geeklog common function library
  */
@@ -656,50 +658,13 @@ function USER_doLogin()
     global $_CONF, $_USER, $USER_VERBOSE;
 
     COM_resetSpeedlimit('login');
-    $sessionId = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
-    SESS_setSessionCookie(
-        $sessionId, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'],
-        $_CONF['cookiedomain'], $_CONF['cookiesecure']
-    );
+    SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout']);
     PLG_loginUser($_USER['uid']);
 
-    // Now that we handled session cookies, handle long-term cookie
-    if (!isset($_COOKIE[$_CONF['cookie_name']]) || !isset($_COOKIE['cookie_password'])) {
-        // Either their cookie expired or they are new
-        $cookTime = COM_getUserCookieTimeout();
-        if ($USER_VERBOSE) {
-            COM_errorLog("Trying to set permanent cookie with time of $cookTime", 1);
-        }
-        if ($cookTime > 0) {
-            // They want their cookie to persist for some amount of time so set it now
-            if ($USER_VERBOSE) {
-                COM_errorLog('Trying to set permanent cookie', 1);
-            }
-            SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $cookTime);
-            SEC_setCookie($_CONF['cookie_password'], $_USER['passwd'], time() + $cookTime);
-        }
-    } else {
-        $userId = Geeklog\Input::fCookie($_CONF['cookie_name']);
-
-        if (!empty($userId) && ($userId !== 'deleted')) {
-            $userId = (int) $userId;
-
-            if ($userId > 1) {
-                if ($USER_VERBOSE) {
-                    COM_errorLog('NOW trying to set permanent cookie', 1);
-                    COM_errorLog('Got ' . $userId . ' from perm cookie in users.php', 1);
-                }
-
-                // Create new session
-                $_USER = SESS_getUserDataFromId($userId);
-                if ($USER_VERBOSE) {
-                    COM_errorLog('Got ' . $_USER['username'] . ' for the username in user.php', 1);
-                }
-            }
-        }
-    }
+    // Issue an auto-login key
+    SESS_issueAutoLoginCookie($_USER['uid']);
 
-    // Now that we have users data see if their theme cookie is set.
+    // Now that we have user's data see if their theme cookie is set.
     // If not set it
     if (!empty($_USER['theme'])) {
         setcookie(
@@ -905,10 +870,8 @@ function USER_tryTwoFactorAuth()
             SESS_endUserSession($_USER['uid']);
             PLG_logoutUser($_USER['uid']);
         }
-        SEC_setCookie($_CONF['cookie_session'], '', time() - 10000);
-        SEC_setCookie($_CONF['cookie_password'], '', time() - 10000);
-        SEC_setCookie($_CONF['cookie_name'], '', time() - 10000);
-
+        SESS_deleteAutoLoginKey();
+
         $msg = (int) Geeklog\Input::fGet('msg', 0);
         if ($msg == 0) {
             $msg = 8;

public_html/usersettings.php

@@ -1142,12 +1142,6 @@ function saveuser(array $A)
                     (SEC_encryptUserPassword($A['old_passwd'], $_USER['uid']) == 0)
                 ) {
                     SEC_updateUserPassword($A['passwd'], $_USER['uid']);
-                    if ($A['cooktime'] > 0) {
-                        $cooktime = $A['cooktime'];
-                    } else {
-                        $cooktime = -1000;
-                    }
-                    SEC_setCookie($_CONF['cookie_password'], $passwd, time() + $cooktime);
                 } elseif (SEC_encryptUserPassword($A['old_passwd'], $_USER['uid']) < 0) {
                     COM_redirect($_CONF['site_url'] . '/usersettings.php?msg=68');
                 } elseif ($A['passwd'] != $A['passwd_conf']) {
@@ -1158,23 +1152,16 @@ function saveuser(array $A)
             }
         } else {
             // Cookie
-            if ($A['cooktime'] > 0) {
-                $cooktime = $A['cooktime'];
-            } else {
-                $cooktime = -1000;
-            }
-            SEC_setCookie($_CONF['cookie_password'], $passwd, time() + $cooktime);
         }
 
         if ($_US_VERBOSE) {
             COM_errorLog('cooktime = ' . $A['cooktime'], 1);
         }
 
         if ($A['cooktime'] <= 0) {
-            $cooktime = 1000;
-            SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() - $cooktime);
+            SESS_deleteAutoLoginKey();
         } else {
-            SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $A['cooktime']);
+            SESS_handleAutoLogin();
         }
 
         if ($_CONF['allow_user_photo'] == 1) {

sql/mysql_tableanddata.php

@@ -1,5 +1,7 @@
 <?php
 
+global $_TABLES;
+
 $_SQL[] = "
 CREATE TABLE {$_TABLES['access']} (
   acc_ft_id mediumint(8) NOT NULL default '0',
@@ -241,26 +243,24 @@
 ";
 
 $_SQL[] = "CREATE TABLE {$_TABLES['routes']} (
-    rid int(11) NOT NULL AUTO_INCREMENT,
-    method int(11) NOT NULL DEFAULT 1,
-    rule varchar(255) NOT NULL DEFAULT '',
-    route varchar(255) NOT NULL DEFAULT '',
-    status_code int(11) NOT NULL DEFAULT 200,
-    priority int(11) NOT NULL DEFAULT 100,
-    enabled tinyint(1) unsigned NOT NULL default '1',
-    PRIMARY KEY (rid)
+  rid int(11) NOT NULL AUTO_INCREMENT,
+  method int(11) NOT NULL DEFAULT 1,
+  rule varchar(255) NOT NULL DEFAULT '',
+  route varchar(255) NOT NULL DEFAULT '',
+  status_code int(11) NOT NULL DEFAULT 200,
+  priority int(11) NOT NULL DEFAULT 100,
+  enabled tinyint(1) unsigned NOT NULL default '1',
+  PRIMARY KEY (rid)
 ) ENGINE=MyISAM
 ";
 
 $_SQL[] = "
 CREATE TABLE {$_TABLES['sessions']} (
-  sess_id int(10) unsigned NOT NULL default '0',
-  start_time int(10) unsigned NOT NULL default '0',
-  remote_ip varchar(39) NOT NULL default '',
-  uid mediumint(8) NOT NULL default '1',
-  md5_sess_id varchar(128) default NULL,
-  whos_online tinyint(1) NOT NULL default '1',
-  topic varchar(75) NOT NULL default '',
+  sess_id VARCHAR(250) NOT NULL DEFAULT '',
+  start_time INT(10) unsigned NOT NULL DEFAULT '0',
+  remote_ip VARCHAR(39) NOT NULL DEFAULT '',
+  uid MEDIUMINT(8) NOT NULL DEFAULT '1',
+  whos_online TINYINT(1) NOT NULL DEFAULT '1',
   PRIMARY KEY  (sess_id),
   KEY sess_id (sess_id),
   KEY start_time (start_time),
@@ -521,6 +521,7 @@
   lastinvalid int(10) unsigned default NULL,
   twofactorauth_enabled TINYINT(3) NOT NULL DEFAULT 0,
   twofactorauth_secret VARCHAR(255) NOT NULL DEFAULT '',
+  autologin_key VARCHAR(255) NOT NULL DEFAULT '',
   PRIMARY KEY  (uid),
   KEY LOGIN (uid,passwd,username),
   UNIQUE KEY users_username (username), 

sql/pgsql_tableanddata.php

@@ -254,13 +254,11 @@
 
 $_SQL[] = "
 CREATE TABLE {$_TABLES['sessions']} (
-  sess_id int NOT NULL default '0',
+  sess_id VARCHAR(250) NOT NULL default '',
   start_time int NOT NULL default '0',
   remote_ip varchar(39) NOT NULL default '',
   uid smallint NOT NULL default '1',
-  md5_sess_id varchar(128) default NULL,
   whos_online smallint NOT NULL default '1',
-  topic varchar(75) NOT NULL default '',
   PRIMARY KEY (sess_id)
 );
   CREATE INDEX {$_TABLES['sessions']}_start_time ON {$_TABLES['sessions']} (start_time);
@@ -521,6 +519,7 @@
   lastinvalid int(10) unsigned default NULL, 
   twofactorauth_enabled SMALLINT NOT NULL DEFAULT 0,
   twofactorauth_secret VARCHAR(255) NOT NULL DEFAULT '',
+  autologin_key VARCHAR(255) NOT NULL DEFAULT '',
   PRIMARY KEY (uid)
 );
   CREATE INDEX {$_TABLES['users']}_LOGIN ON {$_TABLES['users']}(uid,passwd,username);

sql/updates/mysql_2.2.0_to_2.2.1.php

@@ -49,6 +49,15 @@
      `id`);
 ";
 
+// Modify `sessions` table
+$_SQL[] = "DELETE FROM {$_TABLES['sessions']}";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} MODIFY `sess_id` VARCHAR(250) NOT NULL default ''";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} DROP COLUMN `md5_sess_id`}";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} DROP COLUMN `topic`}";
+
+// Add `autologin_key` column to `users' table
+$_SQL[] = "ALTER TABLE {$_TABLES['users']} ADD `autologin_key` VARCHAR(250) NOT NULL DEFAULT '' AFTER `twofactorauth_secret`";
+
 /**
  * Upgrade Messages
  */
@@ -110,6 +119,10 @@ function update_ConfValuesFor221()
     $c->add('likes_speedlimit',20,'text',$sg,$fs,NULL,$so,TRUE, $me, $tab);    
     $so += 10;
 
+    // Delete some cookie-related settings
+    $c->del('cookie_password', $me);
+    $c->del('cookie_ip', $me);
+
     return true;
 }
 

sql/updates/pgsql_2.2.0_to_2.2.1.php

@@ -49,6 +49,15 @@
      `id`);
 ";
 
+// Modify `sessions` table
+$_SQL[] = "DELETE FROM {$_TABLES['sessions']}";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} ALTER COLUMN sess_id TYPE VARCHAR(250) NOT NULL default ''";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} DROP COLUMN md5_sess_id}";
+$_SQL[] = "ALTER TABLE {$_TABLES['sessions']} DROP COLUMN topic}";
+
+// Add `autologin_key` column to `users' table
+$_SQL[] = "ALTER TABLE {$_TABLES['users']} ADD COLUMN autologin_key VARCHAR(250) NOT NULL DEFAULT ''";
+
 /**
  * Upgrade Messages
  */
@@ -112,6 +121,10 @@ function update_ConfValuesFor221()
     $c->add('likes_speedlimit',20,'text',$sg,$fs,NULL,$so,TRUE, $me, $tab);    
     $so += 10;
 
+    // Delete some cookie-related settings
+    $c->del('cookie_password', $me);
+    $c->del('cookie_ip', $me);
+
     return true;
 }