login system tweaks
authorAndrew Dolgov <fox@madoka.spb.ru>
Fri, 2 Mar 2007 10:48:46 +0000 (11:48 +0100)
committerAndrew Dolgov <fox@madoka.spb.ru>
Fri, 2 Mar 2007 10:48:46 +0000 (11:48 +0100)
backend.php
functions.php
login_form.php

index b4eeaf5e0dcace95a6bb4a88715a386c8bbe0f8f..67bdabb56fe788ced67f360c352ebf516b064d86 100644 (file)
@@ -16,8 +16,6 @@
        
        error_reporting(DEFAULT_ERROR_LEVEL); */
 
-       $op = $_REQUEST["op"];
-
        define('SCHEMA_VERSION', 13);
 
        require_once "sanity_check.php";
        require_once "db-prefs.php";
        require_once "functions.php";
 
+       $script_started = getmicrotime();
+
+       $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); 
+
+       if (!$link) {
+               if (DB_TYPE == "mysql") {
+                       print mysql_error();
+               }
+               // PG seems to display its own errors just fine by default.             
+               return;
+       }
+
+       if (DB_TYPE == "pgsql") {
+               pg_query("set client_encoding = 'UTF-8'");
+               pg_set_client_encoding("UNICODE");
+       }
+
+       $op = $_REQUEST["op"];
+
        $print_exec_time = false;
 
        if ((!$op || $op == "rpc" || $op == "rss" || $op == "digestSend" ||
@@ -41,7 +58,8 @@
                print_error_xml(7); exit;
        }
 
-       if (!$_SESSION["uid"] && $op != "globalUpdateFeeds" && $op != "rss" && $op != "getUnread") {
+       if (!($_SESSION["uid"] && validate_session($link)) && $op != "globalUpdateFeeds" 
+                       && $op != "rss" && $op != "getUnread") {
 
                if ($op == "rpc") {
                        print_error_xml(6); die;
        require_once "modules/pref-users.php";
        require_once "modules/pref-feed-browser.php"; 
 
-       $script_started = getmicrotime();
-
-       $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); 
-
-       if (!$link) {
-               if (DB_TYPE == "mysql") {
-                       print mysql_error();
-               }
-               // PG seems to display its own errors just fine by default.             
-               return;
-       }
-
-       if (DB_TYPE == "pgsql") {
-               pg_query("set client_encoding = 'UTF-8'");
-               pg_set_client_encoding("UNICODE");
-       }
 
        if (!sanity_check($link)) { return; }
 
index 5f7565f73a843e9f61d1797eb4c28734576c93a6..98bfc2e64588530af85eae207367f17b45093d9f 100644 (file)
                if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
                        if ($_SESSION["ip_address"]) {
                                if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+                                       $_SESSION["login_error_msg"] = "Session failed to validate (incorrect IP)";
                                        return false;
                                }
                        }
                                }
                        }
 
-                       if ($_COOKIE[get_session_cookie_name()]) {
+/*                     if ($_COOKIE[get_session_cookie_name()]) {
                                require_once "sessions.php";
-                       }
+} */
+
+                       $login_action = $_POST["login_action"];
 
-                       if (!validate_session($link)) {
+/*                     if (!validate_session($link) && $login_action != "do_login") {
                                logout_user();
                                render_login_form($link);
                                exit;
-                       }
+} */
 
-                       $login_action = $_POST["login_action"];
+                       $session_started = false;
 
                        # try to authenticate user if called from login form                    
-                       if ($login_action == "do_login" && !$_SESSION["uid"]) {
+                       if ($login_action == "do_login") {
                                $login = $_POST["login"];
                                $password = $_POST["password"];
                                $remember_me = $_POST["remember_me"];
 
                                require_once "sessions.php";
 
-                               session_regenerate_id();
+                               $session_started = true;
 
                                if (authenticate_user($link, $login, $password)) {
                                        $_POST["password"] = "";
                                        exit;
 
                                        return;
+                               } else {
+                                       $_SESSION["login_error_msg"] = "Incorrect username or password";
                                }
                        }
 
-                       if (!$_SESSION["uid"]) {
+                       if (!$session_started) {
+                               require_once "sessions.php";
+                       }
+
+                       if (!$_SESSION["uid"] || !validate_session($link)) {
                                render_login_form($link);
                                exit;
                        }
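Review bot: Dropping `session_regenerate_id();` from the do_login branch means the session id that existed before authentication is kept after `authenticate_user($link, $login, $password)` succeeds, so an id established before login remains valid afterwards; the new `$session_started = true;` only records that sessions.php was included and does not replace the regeneration. Reinstate `session_regenerate_id();` inside the success branch, after the session has been started and authentication has returned true. The now commented-out block that called `logout_user()` on `validate_session` failure also means the final `if (!$_SESSION["uid"] || !validate_session($link))` renders the login form while leaving the failing session, with `uid` still set, in place. The enclosing function starts outside this section.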
index 6139b0205b9a8b642897993597f7164dfbe04584..0ecf3cc120837df4cc503dc8ad04dba7598a2f97 100644 (file)
@@ -41,8 +41,9 @@ window.onload = init;
        </td>
 </tr><tr>
        <td align="center" valign="middle" class="loginMiddle" height="100%">
-               <?php if ($error_msg) { ?>
-                       <div class="loginError"><?php echo $error_msg ?></div>
+               <?php if ($_SESSION['login_error_msg']) { ?>
+                       <div class="loginError"><?php echo $_SESSION['login_error_msg'] ?></div>
+                       <?php $_SESSION['login_error_msg'] = ""; ?>
                <?php } ?>
                <table>
                        <tr><td align="right">Login:</td>
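Review bot: `<?php echo $_SESSION['login_error_msg'] ?>` writes the message into HTML without escaping; the values set in this commit are fixed server-side strings, so exposure is low today, but a template should escape its output regardless: `<?php echo htmlspecialchars($_SESSION['login_error_msg']) ?>`. The surrounding `if ($_SESSION['login_error_msg'])` raises a notice when the key has never been set, and `if (!empty($_SESSION['login_error_msg']))` avoids that; resetting the key to `""` afterwards leaves it present, where `unset($_SESSION['login_error_msg']);` would remove it.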