Loading...
 
Skip to main content

New "Remember me" cookie content format could potentially cause problems for users login with "."

Status
Closed
Subject
New "Remember me" cookie content format could potentially cause problems for users login with "."
Version
1.9.x
Category
  • Error
Feature
User Administration (Registration, Login & Banning)
Resolution status
Fixed or Solved
Submitted by
shonseet
Lastmod by
Marc Laporte
Rating
(0)
Description

If your users login has a ".", as in "firstname.lastname", the remember me feature breaks.

This is the snippets in tiki-login.php use to set the cookie:

Image
Copy to clipboard
// Now if the remember me feature is on and the user checked the rememberme checkbox then ... if ($rememberme != 'disabled') { if (isset($_REQUEST['rme']) && $_REQUEST['rme'] == 'on') { $hash = $userlib->get_user_hash($_REQUEST['user']); $hash = $userlib->create_user_cookie($_REQUEST['user']); $time = substr($hash,strpos($hash,'.')+1); setcookie($user_cookie_site, $hash.'.'.$user, $time, $cookie_path, $cookie_domain); $logslib->add_log('login',"got a cookie for $remembertime seconds"); } }



The cookie content has the following format:

Image
Copy to clipboard
md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']).(date('U') + $remembertime).$user


The following code in userslib.php parse the cookie content. This function will successfully returns
the user only if your users login does not have a ".", otherwise this function will always return
false, and users have to re-login everytime.

Image
Copy to clipboard
function get_user_by_cookie($hash) { list($check,$expire,$userCookie) = explode('.',$hash); if ($check == md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) { $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?'; $user = $this->getOne($query, array('cookie',"$check.$expire", $userCookie)); if ($user) { if ($expire < date('U')) { $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?'; $user = $this->query($query, array('cookie',$hash)); return false; } else { return $user; } } } return false; }

Solution

thank you for the fix
Done in 1.9.10 and 1.10
The quick fix is to specify the limit in the explode function. This will return maximum of 3 elements where the last contains the rest of the string, even the "." in your user login.

Image
Copy to clipboard
function get_user_by_cookie($hash) { list($check,$expire,$userCookie) = explode('.',$hash,3); if ($check == md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) { $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?'; $user = $this->getOne($query, array('cookie',"$check.$expire", $userCookie)); if ($user) { if ($expire < date('U')) { $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?'; $user = $this->query($query, array('cookie',$hash)); return false; } else { return $user; } } } return false; }

Importance
8
Priority
40
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
1517
Created
Thursday 31 January, 2008 01:37:25 UTC
by Unknown
LastModif
Sunday 18 June, 2017 23:01:14 UTC


Show PHP error messages