leftypol
/
leftypol
4
5
Fork 2
Code Issues 55 Pull Requests 1 Projects Releases Wiki Activity
Browse Source

ammended mod authentication system (no more $_SESSION)

pull/40/head
Savetheinternet 13 years ago
parent
313012f034
commit
c1be29ce35
3 changed files with 71 additions and 68 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 111
      inc/mod.php
  2. 16
      mod.php
  3. 12
      post.php

111
inc/mod.php
View File

@ -5,13 +5,24 @@
exit;
}
// Creates a small random string for validating moderators' cookies
function mkhash($length=12) {
// The method here isn't really important,
// but I think this generates a relatively
// unique string that looks cool.
// If you choose to change this, make sure it cannot include a ':' character.
return substr(base64_encode(sha1(rand() . time(), true)), 0, $length);
// create a hash/salt pair for validate logins
function mkhash($username, $password, $salt = false) {
global $config;
if(!$salt) {
// create some sort of salt for the hash
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
$generated_salt = true;
}
// generate hash (method is not important as long as it's strong)
$hash = substr(base64_encode(md5($username . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
if(isset($generated_salt))
return Array($hash, $salt);
else
return $hash;
}
function hasPermission($action = null, $board = null, $_mod = null) {
@ -52,8 +63,7 @@
'id' => $user['id'],
'type' => $user['type'],
'username' => $username,
'password' => $password,
'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash(),
'hash' => mkhash($username, $password),
'boards' => explode(',', $user['boards'])
);
} else return false;
@ -61,26 +71,22 @@
function setCookies() {
global $mod, $config;
if(!$mod) error('setCookies() was called for a non-moderator!');
// $config['cookies']['mod'] contains username:hash
setcookie($config['cookies']['mod'], $mod['username'] . ':' . $mod['hash'], time()+$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
// Put $mod in the session
$_SESSION['mod'] = $mod;
if(!$mod)
error('setCookies() was called for a non-moderator!');
// Lock sessions to IP addresses
if($config['mod']['lock_ip'])
$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];
setcookie($config['cookies']['mod'],
$mod['username'] . // username
':' .
$mod['hash'][0] . // password
':' .
$mod['hash'][1], // salt
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
}
function destroyCookies() {
global $config;
// Delete the cookies
setcookie($config['cookies']['mod'], 'deleted', time()-$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true);
// Unset the session
unset($_SESSION['mod']);
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true);
}
function create_pm_header() {
@ -112,33 +118,6 @@
$query->execute() or error(db_error($query));
}
if(isset($_COOKIE[$config['cookies']['mod']]) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {
// Should be username:session hash
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if(count($cookie) != 2) {
destroyCookies();
error($config['error']['malformed']);
}
// Validate session
if( $cookie[0] != $_SESSION['mod']['username'] ||
$cookie[1] != $_SESSION['mod']['hash']) {
// Malformed cookies
destroyCookies();
error($config['error']['malformed']);
}
// Open connection
sql_open();
// Check username/password
if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {
destroyCookies();
error($config['error']['invalidafter']);
}
}
// Generates a <ul> element with a list of linked
// boards and their subtitles. (without the <ul> opening and ending tags)
function ulBoards() {
@ -288,4 +267,34 @@
//}
}
?>
// Validate session
if(isset($_COOKIE[$config['cookies']['mod']])) {
// Should be username:hash:salt
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if(count($cookie) != 3) {
destroyCookies();
error($config['error']['malformed']);
}
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1");
$query->bindValue(':username', $cookie[0]);
$query->execute() or error(db_error($query));
$user = $query->fetch();
// validate password hash
if($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) {
// Malformed cookies
destroyCookies();
error($config['error']['malformed']);
}
$mod = Array(
'id' => $user['id'],
'type' => $user['type'],
'username' => $cookie[0],
'boards' => explode(',', $user['boards'])
);
}

16
mod.php
View File

@ -171,8 +171,8 @@
if($mod['type'] >= ADMIN && $config['check_updates']) {
if(!$config['version'])
error('Could not find current version! (Check .installed)');
if(isset($_SESSION['update']) && time() - $_SESSION['update']['time'] < $config['check_updates_time']) {
$latest = unserialize($_SESSION['update']['latest']);
if(isset($_COOKIE['update'])) {
$latest = unserialize($_COOKIE['update']);
} else {
$ctx = stream_context_create(array(
'http' => array(
@ -208,7 +208,9 @@
// TODO: Display some sort of warning message
$latest = false;
}
$_SESSION['update'] = Array('time' => time(), 'latest' => serialize($latest));
setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
}
if($latest) {
@ -236,8 +238,7 @@
'title'=>_('Dashboard'),
'body'=>$body,
'__mod'=>true
)
);
));
} elseif(preg_match('/^\/logout$/', $query)) {
destroyCookies();
@ -1221,6 +1222,9 @@
if($_mod['id'] == $mod['id']) {
// Changed own password. Update cookies
login($mod['username'], $_POST['password']);
setCookies();
}
}
@ -2248,7 +2252,7 @@
openBoard($targetBoard);
foreach($replies as &$post) {
var_dump(post($post, false));
post($post, false);
if($post['has_file']) {
$clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']);
$clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']);

12
post.php
View File

@ -164,17 +164,6 @@
if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
error($config['error']['referer']);
// TODO: Since we're now using static HTML files, we can't give them cookies on their first page view
// Find another anti-spam method.
/*
// Check if he has a valid cookie.
if(!$user['valid']) error($config['error']['bot']);
// Check how long he has been here.
if(time()-$user['appeared']<LURKTIME) error(ERROR_LURK);
*/
checkDNSBL();
// Check if board exists
@ -597,6 +586,7 @@
}
rebuildThemes('post');
header('Location: ' . $redirect, true, $config['redirect_http']);

Write Preview
Loading…
Cancel
Save