If your user's login contains a ".", as in "firstname.lastname", the remember-me feature breaks.
This is the snippet in tiki-login.php used to set the cookie:
    // Now if the remember me feature is on and the user checked the rememberme checkbox then ...
    if ($rememberme != 'disabled') {
        if (isset($_REQUEST['rme']) && $_REQUEST['rme'] == 'on') {
            $hash = $userlib->get_user_hash($_REQUEST['user']);
            $hash = $userlib->create_user_cookie($_REQUEST['user']);
            $time = substr($hash, strpos($hash, '.') + 1);
            setcookie($user_cookie_site, $hash . '.' . $user, $time, $cookie_path, $cookie_domain);
            $logslib->add_log('login', "got a cookie for $remembertime seconds");
        }
    }
The cookie content has the following format:
    md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) . (date('U') + $remembertime) . $user
The following code in userslib.php parses the cookie content. This function successfully returns
the user only if the user's login does not contain a "."; otherwise it always returns
false, and users have to log in again every time.
    function get_user_by_cookie($hash) {
        list($check, $expire, $userCookie) = explode('.', $hash);
        if ($check == md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
            $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?';
            $user = $this->getOne($query, array('cookie', "$check.$expire", $userCookie));
            if ($user) {
                if ($expire < date('U')) {
                    $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
                    $user = $this->query($query, array('cookie', $hash));
                    return false;
                } else {
                    return $user;
                }
            }
        }
        return false;
    }
thank you for the fix
Done in 1.9.10 and 1.10
The quick fix is to specify the limit in the explode function. This returns a maximum of 3 elements, where the last one contains the rest of the string, including any "." in the user login.
    function get_user_by_cookie($hash) {
        list($check, $expire, $userCookie) = explode('.', $hash, 3);
        if ($check == md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
            $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?';
            $user = $this->getOne($query, array('cookie', "$check.$expire", $userCookie));
            if ($user) {
                if ($expire < date('U')) {
                    $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
                    $user = $this->query($query, array('cookie', $hash));
                    return false;
                } else {
                    return $user;
                }
            }
        }
        return false;
    }
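The following is an added, stand-alone example (not Tiki's own code) that builds a cookie in the format shown above and parses it both with and without the explode() limit, so the effect of a "." in the login is visible without a running Tiki. The IP address, User-Agent and timestamp are constructed values standing in for $_SERVER and date('U'), and an in-memory array stands in for the tiki_user_preferences lookup; the ctype_digit() check on the expiry field is an extra validation not present in the original function.

```php
<?php
// Added example (not Tiki's own code): builds a remember-me cookie in the
// format md5(ip.ua).expire.user and shows why parsing it with explode('.')
// and no limit loses a user name that itself contains ".".

function cookie_check(string $ip, string $ua): string {
    // Same client fingerprint the original computes from $_SERVER values.
    return md5($ip . $ua);
}

// Builds the cookie value exactly as the format on this page describes.
function build_cookie(string $ip, string $ua, int $now, int $remembertime, string $user): string {
    return cookie_check($ip, $ua) . '.' . ($now + $remembertime) . '.' . $user;
}

// Parses as the original get_user_by_cookie() did: no limit, so every "." in
// the user name produces an extra element and list() keeps only the first part.
function parse_cookie_unlimited(string $hash): array {
    [$check, $expire, $user] = array_pad(explode('.', $hash), 3, null);
    return ['check' => $check, 'expire' => $expire, 'user' => $user];
}

// Parses with the fixed limit of 3: the third element is the remainder of the
// string, so a user name containing "." survives intact.
function parse_cookie_limited(string $hash): array {
    [$check, $expire, $user] = array_pad(explode('.', $hash, 3), 3, null);
    return ['check' => $check, 'expire' => $expire, 'user' => $user];
}

// Stand-in for the database lookup. $store maps user => "check.expire", which
// is what the original stores under prefName 'cookie'. Returns the user name
// on success and false otherwise, mirroring the original function's contract.
function get_user_by_cookie_fixed(string $hash, string $ip, string $ua, int $now, array &$store) {
    $p = parse_cookie_limited($hash);
    if ($p['user'] === null || !ctype_digit((string) $p['expire'])) {
        return false; // malformed cookie (added validation, not in the original)
    }
    if ($p['check'] !== cookie_check($ip, $ua)) {
        return false; // cookie was issued for a different client
    }
    $stored = $store[$p['user']] ?? null;
    if ($stored !== $p['check'] . '.' . $p['expire']) {
        return false; // no matching preference row for this user
    }
    if ((int) $p['expire'] < $now) {
        unset($store[$p['user']]); // expired: drop the row, as the original does
        return false;
    }
    return $p['user'];
}

// --- demonstration with constructed values ---
$ip   = '192.0.2.10';          // constructed address (TEST-NET-1 range)
$ua   = 'ExampleBrowser/1.0';  // constructed User-Agent
$now  = 1700000000;            // constructed "current" Unix timestamp
$user = 'firstname.lastname';  // the login shape that triggers the bug

$cookie = build_cookie($ip, $ua, $now, 3600, $user);
$store  = [$user => cookie_check($ip, $ua) . '.' . ($now + 3600)];

$broken = parse_cookie_unlimited($cookie);
$fixed  = parse_cookie_limited($cookie);

printf("cookie:              %s\n", $cookie);
printf("user, no limit:      %s\n", var_export($broken['user'], true));
printf("user, limit 3:       %s\n", var_export($fixed['user'], true));
printf("lookup (valid):      %s\n", var_export(get_user_by_cookie_fixed($cookie, $ip, $ua, $now, $store), true));
printf("lookup (2h later):   %s\n", var_export(get_user_by_cookie_fixed($cookie, $ip, $ua, $now + 7200, $store), true));
printf("row kept after expiry: %s\n", var_export(isset($store[$user]), true));
```

Run it with the PHP CLI. The unlimited parse yields only the part of the login before its first ".", which can never match the stored preference row, so the original function returned false for such users; the limit-3 parse returns the full login and the lookup succeeds until the expiry timestamp passes, after which the stored row is removed and false is returned, as in the original code.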