New "Remember me" cookie content format could potentially cause problems for users login with "."
- Status
- Closed
- Subject
- New "Remember me" cookie content format could potentially cause problems for users login with "."
- Version
- 1.9.x
- Category
- Error
- Feature
- User Administration (Registration, Login & Banning)
- Resolution status
- Fixed or Solved
- Submitted by
- shonseet
- Lastmod by
- Marc Laporte
- Rating
- Description
If your users login has a ".", as in "firstname.lastname", the remember me feature breaks.
This is the snippets in tiki-login.php use to set the cookie:
Copy to clipboard// Now if the remember me feature is on and the user checked the rememberme checkbox then ... if ($rememberme != 'disabled') { if (isset($_REQUEST['rme']) && $_REQUEST['rme'] == 'on') { $hash = $userlib->get_user_hash($_REQUEST['user']); $hash = $userlib->create_user_cookie($_REQUEST['user']); $time = substr($hash,strpos($hash,'.')+1); setcookie($user_cookie_site, $hash.'.'.$user, $time, $cookie_path, $cookie_domain); $logslib->add_log('login',"got a cookie for $remembertime seconds"); } }
The cookie content has the following format:
Copy to clipboardmd5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']).(date('U') + $remembertime).$user
The following code in userslib.php parse the cookie content. This function will successfully returns
the user only if your users login does not have a ".", otherwise this function will always return
false, and users have to re-login everytime.
Copy to clipboardfunction get_user_by_cookie($hash) { list($check,$expire,$userCookie) = explode('.',$hash); if ($check == md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) { $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?'; $user = $this->getOne($query, array('cookie',"$check.$expire", $userCookie)); if ($user) { if ($expire < date('U')) { $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?'; $user = $this->query($query, array('cookie',$hash)); return false; } else { return $user; } } } return false; }- Solution
thank you for the fix
Done in 1.9.10 and 1.10
The quick fix is to specify the limit in the explode function. This will return maximum of 3 elements where the last contains the rest of the string, even the "." in your user login.
Copy to clipboardfunction get_user_by_cookie($hash) { list($check,$expire,$userCookie) = explode('.',$hash,3); if ($check == md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) { $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?'; $user = $this->getOne($query, array('cookie',"$check.$expire", $userCookie)); if ($user) { if ($expire < date('U')) { $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?'; $user = $this->query($query, array('cookie',$hash)); return false; } else { return $user; } } } return false; }- Importance
- 8
- Priority
- 40
- Demonstrate Bug on Tiki 19+
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Show.tiki.org is not configured properlyThe public/private keys configured to connect to show2.tiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
- Demonstrate Bug (older Tiki versions)
-
This bug has been demonstrated on show.tikiwiki.org
Please demonstrate your bug on show.tikiwiki.org
Show.tiki.org is not configured properlyThe public/private keys configured to connect to show.tikiwiki.org were not accepted. Please make sure you are using RSA keys. Thanks.
- Ticket ID
- 1517
- Created
- Thursday 31 January, 2008 01:37:25 UTC
by Unknown - LastModif
- Sunday 18 June, 2017 23:01:14 UTC