Author | zPlus <-> 2016-03-18 20:32:19 |
Committer | zPlus <-> 2016-03-18 20:32:19 |
Commit | 24f070f (patch) |
Tree | 10a6254 |
Parent(s) |
-rw-r--r-- | database.php | 81 | ||
-rw-r--r-- | login.php | 17 | ||
-rw-r--r-- | logout.php | 30 | ||
-rw-r--r-- | session.php | 49 |
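--- a/database.php
+++ b/database.php
@@ -13,7 +13,7 @@ class Database
 $hash_id = '';
 
 for ($i = 0; $i < $length; $i++)
-$hash_id .= $characters[rand (0, $characters_length - 1)];
+$hash_id .= $characters[mt_rand (0, $characters_length - 1)];
 
 return $hash_id;
 }
@@ -145,6 +145,69 @@ class Database
 }
 
 /**
+* Retrieve a $user from database using remember_me token
+*/
+function get_remember_me ($token)
+{
+$user = array();
+
+if (is_null ($this->database))
+return $user;
+
+$query = $this->database->prepare(
+'SELECT U.* ' .
+'FROM `user` AS U ' .
+'JOIN `remember_me` AS R ON R.`userId` = U.`id`' .
+'WHERE R.`token` = ? AND R.`expires` > NOW()');
+
+$query->execute (array (hash ('sha512', $token)));
+
+$user = $query->fetch (PDO::FETCH_ASSOC);
+
+return $user;
+}
+
+/**
+* Set a new remember_me token to database
+*
+* @return secret token (cleartext)
+*/
+function set_remember_me ($user_id)
+{
+/* Set remember me token.
+* The cleartext token is stored as a user cookie, while in our
+* database we store hash(token).
+*/
+
+// Delete all previous remember_me tokens for $user
+self::delete_remember_me ($user_id);
+
+// Create a new secret token
+$token = self::get_random_string (128);
+
+$query = $this->database->prepare (
+'INSERT INTO `remember_me` (`token`, `userId`, `expires`)' .
+'VALUES (?, ?, NOW() + INTERVAL 30 DAY)');
+
+$query->execute (array (hash('sha512', $token), $user_id));
+
+return $token;
+}
+
+/**
+* Delete $user "remember_me" token
+*/
+function delete_remember_me ($user_id)
+{
+// Delete all previous remember_me tokens for $user
+$query = $this->database->prepare(
+'DELETE FROM `remember_me`' .
+'WHERE `userId` = ?');
+
+$query->execute (array ($user_id));
+}
+
+/**
 * Retrieve a post
 */
 function get_post ($hash_id)
@@ -815,15 +878,15 @@ class Database
 'DELETE FROM `vote_post`' .
 'WHERE `postId` = ? AND `userId` = ?');
 
-$query->execute (array ($post['id'], $user_id));
+$query->execute (array ($post['id'], $user_id));
+
+// Remove upvote from post
+$query = $this->database->prepare (
+'UPDATE `post`' .
+'SET `vote` = `vote` - 1 ' .
+'WHERE `id` = ?');
 
-// Remove upvote from post
-$query = $this->database->prepare (
-'UPDATE `post`' .
-'SET `vote` = `vote` - 1 ' .
-'WHERE `id` = ?');
-
-$query->execute (array ($post['id']));
+$query->execute (array ($post['id']));
 
 } elseif ($vote['vote'] == -1) {
 // Already downvoted before. Change to upvote.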
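Review bot: `mt_rand` in the first hunk (@@ -13,7) is a seeded Mersenne Twister, not a cryptographically secure generator, and the second hunk's `set_remember_me` now uses `get_random_string (128)` as a 30-day login credential, so the token should come from the CSPRNG: `$hash_id .= $characters[random_int (0, $characters_length - 1)];`. `get_random_string` begins before the hunk, so the rest of its body is not visible here. In the second hunk, `set_remember_me` and `delete_remember_me` call `$this->database->prepare` without the `is_null ($this->database)` guard that `get_remember_me` has, so a failed connect becomes a fatal error in one path and an empty result in the other; the three methods should agree. `get_remember_me` also returns `false` from `fetch` when no row matches although its initializer and docblock promise an array; callers that test `empty ($user)` cope, but `return $user ?: array ();` would keep the documented contract. The third hunk appears to be a whitespace-only reshuffle.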
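--- a/login.php
+++ b/login.php
@@ -37,9 +37,26 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST')
 if (is_null ($user) || empty ($user))
 {
 $feedback = 'Bad login!';
+
 } else {
+
+// Set session
 Session::set ($user);
 
+// Also set "remember_me" cookie
+// Add "remember_me" cookie with secret token (30 days)
+$token = $db->set_remember_me ($user['id']);
+
+setcookie (
+'remember_me', // name
+$token, // value
+time()+60*60*24*30, // expire (30 days)
+'/', // path
+'freepo.st', // domain
+false, // secure (clients send cookie only through HTTPS)
+true); // httponly (no javascript)
+
+// After login, redirect to homepage
 header ('Location: ./');
 exit ();
 }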
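Review bot: The `remember_me` cookie set in this hunk is a 30-day login credential, yet the sixth `setcookie` argument is `false`, so browsers will also send it over plain HTTP where it is readable in transit; if freepo.st is served over HTTPS (not visible from this page) the line should read `true, // secure (clients send cookie only through HTTPS)`. The inline comment already states the HTTPS-only intent, which makes the `false` look unintended rather than a deliberate choice. Only the hash of `$token` is stored server-side, so this cookie is the sole copy of the secret; its `time()+60*60*24*30` expiry does match the 30-day `INTERVAL` used in the database. The enclosing `if` on `REQUEST_METHOD` begins before the hunk.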
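--- a/logout.php
+++ b/logout.php
@@ -1,8 +1,38 @@
 <?php
 
 require_once 'session.php';
+require_once 'database.php';
 
+// Not a valid session
+if (!Session::is_valid ())
+{
+header ('Location: ./');
+exit ();
+}
+
+// Delete "remember_me" cookie
+if (isset ($_COOKIE['remember_me']))
+{
+$db = new Database ();
+$db->connect ();
+$db->delete_remember_me (Session::get_userid ());
+
+unset ($_COOKIE['remember_me']);
+
+// Invalidate cookie
+setcookie (
+'remember_me', // name
+NULL, // value
+-1, // expire
+'/', // path
+'freepo.st', // domain
+false, // secure (clients send cookie only through HTTPS)
+true); // httponly (no javascript)
+}
+
+// Delete session
 Session::delete ();
 
+// Logged out, redirect to homepage
 header ('Location: ./');
 exit ();
\ No newline at end of file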
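Review bot: The invalidating `setcookie` passes `NULL` as the value of a string parameter; it behaves as an empty string today but is the null-to-string deprecation from PHP 8.1, and `'', // value` says what is meant. The deletion cookie correctly mirrors the login cookie's name, path and domain, but if the login cookie is ever marked `secure` this one must be too, since browsers that protect secure cookies from non-secure overwrites would otherwise keep the old value. `$db->connect ()` is called without checking its result, and `delete_remember_me` dereferences `$this->database` unguarded, so a database outage turns logout into a fatal error before `Session::delete ()` runs; a guard or try/catch around the token deletion would let the session still be destroyed. If logout.php is reachable by a plain GET link (not visible here), a third-party page can log users out; requiring a POST with a session-bound token prevents that.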
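--- a/session.php
+++ b/session.php
@@ -1,7 +1,6 @@
 <?php
 
-session_name ('freepost');
-session_start ();
+require_once 'database.php';
 
 class Session {
 public static function is_valid ()
@@ -40,6 +39,10 @@ class Session {
 */
 public static function set ($user)
 {
+if (is_null ($user) || empty ($user))
+return;
+
+// Set session variable
 $_SESSION = array (
 'user' => array (
 'id' => $user['id'],
@@ -60,11 +63,51 @@ class Session {
 $_SESSION['user'][$property] = $value;
 }
 
+// Retrieve session from cookie
+public static function remember_me ()
+{
+// We already have a session, nothing to do here
+if (Session::is_valid ())
+return;
+
+// Check if user does not have a "remember_me" cookie
+if (!isset ($_COOKIE['remember_me']))
+return;
+
+// Validate token
+$db = new Database ();
+$db->connect ();
+
+$user = $db->get_remember_me ($_COOKIE['remember_me']);
+
+self::set ($user);
+}
+
 public static function delete ()
 {
 unset ($_SESSION);
 session_destroy ();
 
+// Delete session
 $_SESSION = NULL;
 }
-}
\ No newline at end of file
+}
+
+session_name ('freepost');
+session_start ();
+
+/* Once the session is started, check for "remember_me" tokens.
+* If the session is already set, this function doesn't do anything.
+* If session is not set, and a valid token is set on user's cookies,
+* than the user is retrieved.
+*/
+Session::remember_me ();
+
+
+
+
+
+
+
+
+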
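Review bot: `Session::remember_me` in the third hunk promotes an anonymous session to an authenticated one via `self::set ($user)` without regenerating the session ID, so whatever ID the browser held before the cookie login is kept across the privilege change; unless `set ()` already does this (its body continues outside the second hunk), add `session_regenerate_id (true);` immediately before `self::set ($user);`. The token is also accepted unchanged for its full 30-day life rather than being replaced after each successful lookup, so a copied cookie stays useful until expiry; issuing a fresh token via `set_remember_me` and re-sending the cookie after a successful `get_remember_me` would shorten that window, though the cookie attributes would then have to live here as well. In `set ()`, `is_null ($user) || empty ($user)` is redundant because `empty` is already true for `null`; `if (empty ($user))` is equivalent. The hunk also appends nine blank lines at end of file (new lines 105–113) that can be dropped.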