-rw-r--r--backend.php40
-rw-r--r--functions.php25
-rw-r--r--login_form.php5
3 files changed, 41 insertions, 29 deletions
diff --git a/backend.php b/backend.php
index b4eeaf5e0..67bdabb56 100644
--- a/backend.php
+++ b/backend.php
@@ -16,8 +16,6 @@
error_reporting(DEFAULT_ERROR_LEVEL); */
- $op = $_REQUEST["op"];
-
define('SCHEMA_VERSION', 13);
require_once "sanity_check.php";
@@ -27,6 +25,25 @@
require_once "db-prefs.php";
require_once "functions.php";
+ $script_started = getmicrotime();
+
+ $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
+
+ if (!$link) {
+ if (DB_TYPE == "mysql") {
+ print mysql_error();
+ }
+ // PG seems to display its own errors just fine by default.
+ return;
+ }
+
+ if (DB_TYPE == "pgsql") {
+ pg_query("set client_encoding = 'UTF-8'");
+ pg_set_client_encoding("UNICODE");
+ }
+
+ $op = $_REQUEST["op"];
+
$print_exec_time = false;
if ((!$op || $op == "rpc" || $op == "rss" || $op == "digestSend" ||
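Review bot: The relocated connection check on the new side still does `print mysql_error()`, which sends the raw driver error text (typically including host and user details) to the HTTP client, and because the block now runs before `$op` is read it fires for every entry point including the unauthenticated `rss`/`getUnread` ones. Log it server-side and emit a generic failure instead, e.g. `error_log("db_connect failed: " . mysql_error()); print "Database connection failed"; return;`. The `if ((!$op || ...` statement at the end of this hunk continues outside it.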
@@ -41,7 +58,8 @@
print_error_xml(7); exit;
}
- if (!$_SESSION["uid"] && $op != "globalUpdateFeeds" && $op != "rss" && $op != "getUnread") {
+ if (!($_SESSION["uid"] && validate_session($link)) && $op != "globalUpdateFeeds"
+ && $op != "rss" && $op != "getUnread") {
if ($op == "rpc") {
print_error_xml(6); die;
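Review bot: When `validate_session($link)` returns false in the new condition, nothing here invalidates the rejected session, so a session with a set `uid` but, for example, a mismatched IP address stays alive in the session store and keeps being retried on every request; call `logout_user();` (or `session_destroy()` if that helper is not available at this point) before `print_error_xml(6); die;`. The three exempt ops are compared with loose `!=`; `!==` is the safer form, or collect them in an array and use `in_array($op, $allowed, true)`. The enclosing `if` body continues past the end of this hunk, so the non-rpc branch could not be reviewed.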
@@ -95,22 +113,6 @@
require_once "modules/pref-users.php";
require_once "modules/pref-feed-browser.php";
- $script_started = getmicrotime();
-
- $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
-
- if (!$link) {
- if (DB_TYPE == "mysql") {
- print mysql_error();
- }
- // PG seems to display its own errors just fine by default.
- return;
- }
-
- if (DB_TYPE == "pgsql") {
- pg_query("set client_encoding = 'UTF-8'");
- pg_set_client_encoding("UNICODE");
- }
if (!sanity_check($link)) { return; }
diff --git a/functions.php b/functions.php
index 5f7565f73..98bfc2e64 100644
--- a/functions.php
+++ b/functions.php
@@ -1163,6 +1163,7 @@
if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
if ($_SESSION["ip_address"]) {
if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ $_SESSION["login_error_msg"] = "Session failed to validate (incorrect IP)";
return false;
}
}
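Review bot: An IP mismatch on an authenticated session is a possible hijack indicator, and the new line only records a user-facing string; consider also writing a server-side record of both addresses, e.g. `error_log("session IP mismatch uid=" . $_SESSION["uid"] . " " . $_SESSION["ip_address"] . " != " . $_SERVER["REMOTE_ADDR"]);`, using the project's own logging helper if one exists. Note that the message is stored into the very session that is being rejected, so it is only visible if the caller keeps that session alive rather than destroying it. The enclosing function starts before this hunk.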
@@ -1191,20 +1192,22 @@
}
}
- if ($_COOKIE[get_session_cookie_name()]) {
+/* if ($_COOKIE[get_session_cookie_name()]) {
require_once "sessions.php";
- }
+} */
+
+ $login_action = $_POST["login_action"];
- if (!validate_session($link)) {
+/* if (!validate_session($link) && $login_action != "do_login") {
logout_user();
render_login_form($link);
exit;
- }
+} */
- $login_action = $_POST["login_action"];
+ $session_started = false;
# try to authenticate user if called from login form
- if ($login_action == "do_login" && !$_SESSION["uid"]) {
+ if ($login_action == "do_login") {
$login = $_POST["login"];
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
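Review bot: The two blocks that were turned into `/* ... */` comments (the `require_once "sessions.php"` guard and the `validate_session`/`logout_user` branch) should be deleted rather than kept as dead code; version control preserves them and commented-out code tends to be resurrected without review. Dropping `!$_SESSION["uid"]` from the `do_login` condition means a POST with `login_action=do_login` is now processed even when a user is already authenticated, so if the login form has no CSRF token an attacker page can replace a logged-in victim's session with the attacker's account (login CSRF) — presumably re-login is intended, in which case a per-form token check before `authenticate_user` would close that path. I cannot see whether such a token exists elsewhere in this file.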
@@ -1217,7 +1220,7 @@
require_once "sessions.php";
- session_regenerate_id();
+ $session_started = true;
if (authenticate_user($link, $login, $password)) {
$_POST["password"] = "";
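Review bot: Removing `session_regenerate_id()` from the login path reintroduces session fixation: the session id that an attacker planted (via a cookie set before the victim logs in) is now the same id that becomes authenticated after `authenticate_user` succeeds. Regenerate the id on the success branch rather than dropping it, i.e. `if (authenticate_user($link, $login, $password)) { session_regenerate_id(true);` — the `true` argument (discard the old session data) needs PHP 5.1 or later; on older versions plain `session_regenerate_id();` still defeats fixation. Setting `$session_started = true` is fine as a bookkeeping flag but is not a substitute for the regeneration.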
@@ -1236,10 +1239,16 @@
exit;
return;
+ } else {
+ $_SESSION["login_error_msg"] = "Incorrect username or password";
}
}
- if (!$_SESSION["uid"]) {
+ if (!$session_started) {
+ require_once "sessions.php";
+ }
+
+ if (!$_SESSION["uid"] || !validate_session($link)) {
render_login_form($link);
exit;
}
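Review bot: The new `if (!$_SESSION["uid"] || !validate_session($link))` branch renders the login form but leaves the rejected session intact, whereas the old path (now commented out earlier in this diff) called `logout_user()` first; a session whose `uid` is set but whose IP check fails therefore survives and is retried on every request. Add `logout_user();` before `render_login_form($link);` in that branch, copying `$_SESSION["login_error_msg"]` to a local first if `logout_user()` destroys the whole session, so the message still reaches the form. The generic "Incorrect username or password" text is a good choice since it does not distinguish unknown users from bad passwords.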
diff --git a/login_form.php b/login_form.php
index 6139b0205..0ecf3cc12 100644
--- a/login_form.php
+++ b/login_form.php
@@ -41,8 +41,9 @@ window.onload = init;
</td>
</tr><tr>
<td align="center" valign="middle" class="loginMiddle" height="100%">
- <?php if ($error_msg) { ?>
- <div class="loginError"><?php echo $error_msg ?></div>
+ <?php if ($_SESSION['login_error_msg']) { ?>
+ <div class="loginError"><?php echo $_SESSION['login_error_msg'] ?></div>
+ <?php $_SESSION['login_error_msg'] = ""; ?>
<?php } ?>
<table>
<tr><td align="right">Login:</td>
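Review bot: `$_SESSION['login_error_msg']` is echoed into the page without escaping; today both values written to it in this diff are fixed server-side strings, but the template should not depend on that, so use `<?php echo htmlspecialchars($_SESSION['login_error_msg']) ?>` (add `ENT_QUOTES` and `'UTF-8'` if the project already passes them elsewhere). The guard `if ($_SESSION['login_error_msg'])` raises an undefined-index notice on a fresh session; `if (!empty($_SESSION['login_error_msg']))` avoids that. Clearing the message after display, as the new line does, is the right read-once behaviour.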