ammended mod authentication system (no more $_SESSION)

This commit is contained in:
Savetheinternet 2011-12-02 15:11:13 +11:00
parent 313012f034
commit c1be29ce35
3 changed files with 71 additions and 68 deletions


@ -5,13 +5,24 @@
exit; exit;
} }
// Creates a small random string for validating moderators' cookies // create a hash/salt pair for validate logins
function mkhash($length=12) { function mkhash($username, $password, $salt = false) {
// The method here isn't really important, global $config;
// but I think this generates a relatively
// unique string that looks cool. if(!$salt) {
// If you choose to change this, make sure it cannot include a ':' character. // create some sort of salt for the hash
return substr(base64_encode(sha1(rand() . time(), true)), 0, $length); $salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
$generated_salt = true;
}
// generate hash (method is not important as long as it's strong)
$hash = substr(base64_encode(md5($username . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
if(isset($generated_salt))
return Array($hash, $salt);
else
return $hash;
} }
function hasPermission($action = null, $board = null, $_mod = null) { function hasPermission($action = null, $board = null, $_mod = null) {
@ -52,8 +63,7 @@
'id' => $user['id'], 'id' => $user['id'],
'type' => $user['type'], 'type' => $user['type'],
'username' => $username, 'username' => $username,
'password' => $password, 'hash' => mkhash($username, $password),
'hash' => isset($_SESSION['mod']['hash']) ? $_SESSION['mod']['hash'] : mkhash(),
'boards' => explode(',', $user['boards']) 'boards' => explode(',', $user['boards'])
); );
} else return false; } else return false;
@ -61,26 +71,22 @@
function setCookies() { function setCookies() {
global $mod, $config; global $mod, $config;
if(!$mod) error('setCookies() was called for a non-moderator!'); if(!$mod)
error('setCookies() was called for a non-moderator!');
// $config['cookies']['mod'] contains username:hash setcookie($config['cookies']['mod'],
setcookie($config['cookies']['mod'], $mod['username'] . ':' . $mod['hash'], time()+$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true); $mod['username'] . // username
':' .
// Put $mod in the session $mod['hash'][0] . // password
$_SESSION['mod'] = $mod; ':' .
$mod['hash'][1], // salt
// Lock sessions to IP addresses time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
if($config['mod']['lock_ip'])
$_SESSION['mod']['ip'] = $_SERVER['REMOTE_ADDR'];
} }
function destroyCookies() { function destroyCookies() {
global $config; global $config;
// Delete the cookies // Delete the cookies
setcookie($config['cookies']['mod'], 'deleted', time()-$config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path']:'/', null, false, true); setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, false, true);
// Unset the session
unset($_SESSION['mod']);
} }
function create_pm_header() { function create_pm_header() {
@ -112,33 +118,6 @@
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
} }
if(isset($_COOKIE[$config['cookies']['mod']]) && isset($_SESSION['mod']) && is_array($_SESSION['mod'])) {
// Should be username:session hash
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if(count($cookie) != 2) {
destroyCookies();
error($config['error']['malformed']);
}
// Validate session
if( $cookie[0] != $_SESSION['mod']['username'] ||
$cookie[1] != $_SESSION['mod']['hash']) {
// Malformed cookies
destroyCookies();
error($config['error']['malformed']);
}
// Open connection
sql_open();
// Check username/password
if(!login($_SESSION['mod']['username'], $_SESSION['mod']['password'], false)) {
destroyCookies();
error($config['error']['invalidafter']);
}
}
// Generates a <ul> element with a list of linked // Generates a <ul> element with a list of linked
// boards and their subtitles. (without the <ul> opening and ending tags) // boards and their subtitles. (without the <ul> opening and ending tags)
function ulBoards() { function ulBoards() {
@ -288,4 +267,34 @@
//} //}
} }
?>
// Validate session
if(isset($_COOKIE[$config['cookies']['mod']])) {
// Should be username:hash:salt
$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);
if(count($cookie) != 3) {
destroyCookies();
error($config['error']['malformed']);
}
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1");
$query->bindValue(':username', $cookie[0]);
$query->execute() or error(db_error($query));
$user = $query->fetch();
// validate password hash
if($cookie[1] != mkhash($cookie[0], $user['password'], $cookie[2])) {
// Malformed cookies
destroyCookies();
error($config['error']['malformed']);
}
$mod = Array(
'id' => $user['id'],
'type' => $user['type'],
'username' => $cookie[0],
'boards' => explode(',', $user['boards'])
);
}
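Review bot: The cookie-validation block appended at the end of this section never checks whether the `SELECT ... FROM mods` lookup found a row, so for an unknown username `$user` is `false`, `$user['password']` is `null`, and `mkhash()` is then computed purely from values the client supplies (the username, the salt taken from the cookie, and the client's own `REMOTE_ADDR`), letting a forged `username:hash:salt` cookie pass the check and populate `$mod` with null `id`/`type`. Add a guard right after the fetch and change the loose `!=` to a strict comparison (constant-time where the runtime offers one), as below. Note also that `$config['cookies']['salt']` only feeds salt generation inside `mkhash()` and the salt itself travels back in the cookie, so the cookie's unforgeability rests entirely on the stored password value staying secret; mixing the server-side secret into the hash input as well would be cheap insurance. `rand() . time()` is a weak entropy source for the per-login salt — presumably a CSPRNG such as `openssl_random_pseudo_bytes()` is available to this codebase and should be preferred.
```php
$user = $query->fetch();
// Unknown username: reject before deriving anything from $user
if(!$user) {
	destroyCookies();
	error($config['error']['malformed']);
}
// validate password hash (strict; swap for a constant-time compare where available)
if($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
	// … unchanged: destroyCookies() and error() …
}
// … unchanged: $mod construction …
```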

16
mod.php

@ -171,8 +171,8 @@
if($mod['type'] >= ADMIN && $config['check_updates']) { if($mod['type'] >= ADMIN && $config['check_updates']) {
if(!$config['version']) if(!$config['version'])
error('Could not find current version! (Check .installed)'); error('Could not find current version! (Check .installed)');
if(isset($_SESSION['update']) && time() - $_SESSION['update']['time'] < $config['check_updates_time']) { if(isset($_COOKIE['update'])) {
$latest = unserialize($_SESSION['update']['latest']); $latest = unserialize($_COOKIE['update']);
} else { } else {
$ctx = stream_context_create(array( $ctx = stream_context_create(array(
'http' => array( 'http' => array(
@ -208,7 +208,9 @@
// TODO: Display some sort of warning message // TODO: Display some sort of warning message
$latest = false; $latest = false;
} }
$_SESSION['update'] = Array('time' => time(), 'latest' => serialize($latest));
setcookie('update', serialize($latest), time() + $config['check_updates_time'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
} }
if($latest) { if($latest) {
@ -236,8 +238,7 @@
'title'=>_('Dashboard'), 'title'=>_('Dashboard'),
'body'=>$body, 'body'=>$body,
'__mod'=>true '__mod'=>true
) ));
);
} elseif(preg_match('/^\/logout$/', $query)) { } elseif(preg_match('/^\/logout$/', $query)) {
destroyCookies(); destroyCookies();
@ -1221,6 +1222,9 @@
if($_mod['id'] == $mod['id']) { if($_mod['id'] == $mod['id']) {
// Changed own password. Update cookies // Changed own password. Update cookies
login($mod['username'], $_POST['password']);
setCookies(); setCookies();
} }
} }
@ -2248,7 +2252,7 @@
openBoard($targetBoard); openBoard($targetBoard);
foreach($replies as &$post) { foreach($replies as &$post) {
var_dump(post($post, false)); post($post, false);
if($post['has_file']) { if($post['has_file']) {
$clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']); $clone($post['file_src'], sprintf($config['board_path'], $board['uri']) . $config['dir']['img'] . $post['file']);
$clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']); $clone($post['file_thumb'], sprintf($config['board_path'], $board['uri']) . $config['dir']['thumb'] . $post['thumb']);
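Review bot: In the update-check hunks (`@ -171,8 +171,8 @@` and `@ -208,7 +208,9 @@`), `$latest = unserialize($_COOKIE['update'])` deserialises a client-controlled cookie, which is a PHP object-injection vector and also lets whoever holds the cookie dictate the "latest version" the dashboard reports; the replaced `$_SESSION` cache lived server-side, so this is new exposure rather than a carry-over. Replace both ends with a JSON round-trip: `$latest = json_decode($_COOKIE['update'], true);` and `setcookie('update', json_encode($latest), time() + $config['check_updates_time'], ...);` — this assumes `$latest` is plain array/scalar data, which should be confirmed against the fetch code outside the hunk. The server-enforced `check_updates_time` window is also gone: the cookie's lifetime is now enforced only by the client, so a retained cookie can suppress the update check indefinitely. The enclosing `if($mod['type'] >= ADMIN && $config['check_updates'])` block starts and ends outside the hunk.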


@ -164,17 +164,6 @@
if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER'])) if(!isset($_SERVER['HTTP_REFERER']) || !preg_match($config['referer_match'], $_SERVER['HTTP_REFERER']))
error($config['error']['referer']); error($config['error']['referer']);
// TODO: Since we're now using static HTML files, we can't give them cookies on their first page view
// Find another anti-spam method.
/*
// Check if he has a valid cookie.
if(!$user['valid']) error($config['error']['bot']);
// Check how long he has been here.
if(time()-$user['appeared']<LURKTIME) error(ERROR_LURK);
*/
checkDNSBL(); checkDNSBL();
// Check if board exists // Check if board exists
@ -597,6 +586,7 @@
} }
rebuildThemes('post'); rebuildThemes('post');
header('Location: ' . $redirect, true, $config['redirect_http']); header('Location: ' . $redirect, true, $config['redirect_http']);