author | Yorhel <git@yorhel.nl> | 2009-07-30 10:17:16 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2009-07-30 10:17:16 +0200 |
commit | d02c9f73c8f6896bc6ed7ffc2b4a5782586c2589 (patch) | |
tree | 5306171b1f95b776afdf2a077a0fe2f86e4351d8 /lib/VNDB/Util/Auth.pm | |
parent | 54ff8e3219e22b24640b2d5273c2a635ee6976da (diff) |
Util::Auth: check cookie for sanity and delete incorrect cookies
This fixes a 500 error when the cookie was longer than 40 bytes but the
characters after the 40th byte aren't a number. (i.e. the cookies of the
previous auth system)
This will also purge the cookie from the user's browser when
dbSessionCheck() returns false. (There's no sense in keeping it in such
a case)
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 00700e6e..519e5523 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -20,10 +20,12 @@ sub authInit {
 $self->{_auth} = undef;
 my $cookie = $self->reqCookie('vndb_auth');
- return 0 if !$cookie || length($cookie) < 41;
+ return 0 if !$cookie;
+ return _rmcookie($self) if length($cookie) < 41;
 my $token = substr($cookie, 0, 40);
 my $uid = substr($cookie, 40);
- $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0] if $self->dbSessionCheck($uid, $token);
+ return _rmcookie($self) if $uid !~ /^\d+$/ || !$self->dbSessionCheck($uid, $token);
+ $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0];
 }
@@ -63,7 +65,7 @@ sub authLogout {
 }
 $self->resRedirect('/', 'temp');
- $self->resHeader('Set-Cookie', "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$self->{cookie_domain}");
+ _rmcookie($self);
 }
@@ -95,11 +97,11 @@ sub _authCheck {
 my $d = $self->dbUserGet(username => $user, what => 'mymessages')->[0];
 return 0 if !defined $d->{id} || !$d->{rank};
- if (_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
+ if(_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
 $self->{_auth} = $d;
 return 1;
 }
- if (md5($pass) eq $d->{passwd}) {
+ if(md5($pass) eq $d->{passwd}) {
 $self->{_auth} = $d;
 my %o;
 ($o{passwd}, $o{salt}) = authPreparePass($self, $pass);
@@ -132,5 +134,12 @@ sub authPreparePass{
 }
+# removes the vndb_auth cookie
+sub _rmcookie {
+ $_[0]->resHeader('Set-Cookie',
+ "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$_[0]->{cookie_domain}");
+}
+
+
 1; |
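Review bot: The new sanity check in authInit, `$uid !~ /^\d+$/`, is looser than it looks: `$` also matches before a trailing newline, so a uid of "123\n" passes and is handed to dbSessionCheck unchanged; the anchored form `return _rmcookie($self) if $uid !~ /\A\d+\z/ || !$self->dbSessionCheck($uid, $token);` rejects exactly the non-digit values the commit message intends to reject. The two new `return _rmcookie($self)` lines also change authInit's return value from the explicit `0` of the removed line to whatever resHeader happens to return, which is unspecified from this hunk; giving _rmcookie a defined result, e.g. `my $self = shift; $self->resHeader('Set-Cookie', ...); return 0;`, keeps the early returns consistent with `return 0 if !$cookie;`. Note also that `\d+` is unbounded, so a very long digit string still reaches the session query; if the uid column is an integer, that is presumably the same class of 500 this commit fixes, so a length bound on `$uid` before the query is worth considering. authInit's body starts before this hunk.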