If your user's login contains a ".", as in "firstname.lastname", the remember me feature breaks.
This is the snippet in tiki-login.php used to set the cookie:
// Now if the remember me feature is on and the user checked the
// rememberme checkbox then ...
if ($rememberme != 'disabled') {
    if (isset($_REQUEST['rme']) && $_REQUEST['rme'] == 'on') {
        $hash = $userlib->get_user_hash($_REQUEST['user']);
        $hash = $userlib->create_user_cookie($_REQUEST['user']);
        // $hash is "<check>.<expire>"; the cookie lifetime is the expire part
        $time = substr($hash, strpos($hash, '.') + 1);
        setcookie($user_cookie_site, $hash . '.' . $user, $time, $cookie_path, $cookie_domain);
        $logslib->add_log('login', "got a cookie for $remembertime seconds");
    }
}
The cookie content has the following format (three fields separated by "."):
md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']) . '.' . (date('U') + $remembertime) . '.' . $user
The following code in userslib.php parses the cookie content. This function successfully returns
the user only if the user's login does not contain a "."; otherwise it always returns
false, and users have to log in again every time.
function get_user_by_cookie($hash) {
    // No limit on explode(): a login such as "firstname.lastname" is split too,
    // and list() only keeps the first three pieces, so $userCookie becomes "firstname"
    list($check, $expire, $userCookie) = explode('.', $hash);
    if ($check == md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
        $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?';
        $user = $this->getOne($query, array('cookie', "$check.$expire", $userCookie));
        if ($user) {
            if ($expire < date('U')) {
                // expired: drop the stored cookie record
                $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
                $user = $this->query($query, array('cookie', $hash));
                return false;
            } else {
                return $user;
            }
        }
    }
    return false;
}
thank you for the fix
Done in 1.9.10 and 1.10
The quick fix is to specify the limit in the explode function. This returns a maximum of 3 elements, where the last one contains the rest of the string, including any "." in your user login.
function get_user_by_cookie($hash) {
    // Limit of 3: everything after the second "." stays in $userCookie, dots included
    list($check, $expire, $userCookie) = explode('.', $hash, 3);
    if ($check == md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
        $query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value`=? and `user`=?';
        $user = $this->getOne($query, array('cookie', "$check.$expire", $userCookie));
        if ($user) {
            if ($expire < date('U')) {
                // expired: drop the stored cookie record
                $query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
                $user = $this->query($query, array('cookie', $hash));
                return false;
            } else {
                return $user;
            }
        }
    }
    return false;
}
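As an added, stand-alone illustration of the bug and of the explode() limit fix above (this is example code written for this page, not Tiki's own code), the script below builds a cookie value in the "check.expire.user" layout described in the report, parses it both ways, and then runs the same three checks get_user_by_cookie() performs (request fingerprint, stored record, expiry) against an in-memory stand-in for the tiki_user_preferences row. The function names, the sample REMOTE_ADDR / HTTP_USER_AGENT values, the timestamps and the $stored array are assumptions made for the demonstration; it targets PHP 7.1 or later.

```php
<?php
// Added example, not Tiki's code. Function names, sample IP/UA, timestamps and
// the $stored array are assumptions for this demonstration (PHP 7.1+).

// Same layout as tiki-login.php produces: <md5(ip.ua)>.<expiry timestamp>.<user>
function build_cookie(string $remoteAddr, string $userAgent, int $remembertime, string $user, int $now): string {
    $check  = md5($remoteAddr . $userAgent);
    $expire = $now + $remembertime;
    return $check . '.' . $expire . '.' . $user;
}

// Original behaviour: explode() without a limit; list() keeps only the first three pieces,
// so a login containing "." is truncated at its first dot.
function parse_cookie_buggy(string $cookie): array {
    list($check, $expire, $user) = explode('.', $cookie);
    return [$check, (int)$expire, $user];
}

// Fixed behaviour: limit of 3 leaves the remainder (dots included) in the last element.
function parse_cookie_fixed(string $cookie): array {
    list($check, $expire, $user) = explode('.', $cookie, 3);
    return [$check, (int)$expire, $user];
}

// Mirrors the checks in get_user_by_cookie(): the fingerprint must match the current
// request, a stored "check.expire" record must exist for that user, and it must not be
// expired. $stored stands in for the tiki_user_preferences 'cookie' rows: user => "check.expire".
function user_from_cookie(string $cookie, string $remoteAddr, string $userAgent, array $stored, int $now): ?string {
    list($check, $expire, $user) = parse_cookie_fixed($cookie);
    if (!hash_equals(md5($remoteAddr . $userAgent), $check)) {
        return null;                       // cookie was issued to a different IP/UA
    }
    if (!isset($stored[$user]) || !hash_equals($stored[$user], "$check.$expire")) {
        return null;                       // no matching stored record for this user
    }
    if ($expire < $now) {
        return null;                       // expired; Tiki also deletes the stored row here
    }
    return $user;
}

$ip  = '192.0.2.10';                       // constructed sample request values
$ua  = 'Mozilla/5.0 (example)';
$now = 1200000000;
$cookie = build_cookie($ip, $ua, 3600, 'firstname.lastname', $now);

var_dump(parse_cookie_buggy($cookie)[2]);  // "firstname": the DB lookup for this user fails
var_dump(parse_cookie_fixed($cookie)[2]);  // "firstname.lastname"

$stored = ['firstname.lastname' => md5($ip . $ua) . '.' . ($now + 3600)];
var_dump(user_from_cookie($cookie, $ip, $ua, $stored, $now));         // "firstname.lastname"
var_dump(user_from_cookie($cookie, $ip, $ua, $stored, $now + 7200));  // NULL, expired
var_dump(user_from_cookie($cookie, '198.51.100.7', $ua, $stored, $now)); // NULL, fingerprint mismatch
```

The user name is deliberately the last field: the first two fields can never contain a "." (an md5 hex digest and an integer timestamp), so limiting the split to three parts is exactly enough to keep any dots in the login intact. Whatever format is chosen, the parser must split the same way the writer joined; putting the only free-form field last and bounding the split is the simplest way to guarantee that.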