some http auth fixes
authorAndrew Dolgov <fox@bah.spb.su>
Wed, 23 Nov 2005 13:52:02 +0000 (14:52 +0100)
committerAndrew Dolgov <fox@bah.spb.su>
Wed, 23 Nov 2005 13:52:02 +0000 (14:52 +0100)
functions.php
logout.php
tt-rss.css

index 410c76eac6d40a5ce79f41ea3cacb71e0fe7bb2a..4ba7da748b57f71af28c9568737b52c20626cc8b 100644 (file)
                        db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . 
                                $_SESSION["uid"]);
 
+                       initialize_user_prefs($link, $_SESSION["uid"]);
+
                        return true;
                }
 
 
        }
 
-       function http_authenticate_user($link, $force_logout) {
-
-               if (!$_SERVER['PHP_AUTH_USER'] || $force_logout) {
-
-                       if ($force_logout) logout_user();
-
-                       header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
-                       header('HTTP/1.0 401 Unauthorized');
-                       print "<h1>401 Unathorized</h1>";
-                       
-                       exit;
-                       
-               } else {
-
-                       $login = db_escape_string($_SERVER['PHP_AUTH_USER']);
-                       $password = db_escape_string($_SERVER['PHP_AUTH_PW']);
-
-                       return authenticate_user($link, $login, $password);
-               }
-       }
-
        function make_password($length = 8) {
 
                $password = "";
                }
 
        function logout_user() {
-               $_SESSION["uid"] = null;
-               $_SESSION["name"] = null;
-               $_SESSION["access_level"] = null;
-               session_destroy();
+               session_destroy();              
        }
 
        function login_sequence($link) {
                                        exit;
                                }
                        } else {
-                               if (!http_authenticate_user($link, false)) {
-                                       exit;
-                               }
+                               if (!$_SESSION["uid"]) {
+                                       if (!$_SERVER["PHP_AUTH_USER"]) {
+
+                                               header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+                                               header('HTTP/1.0 401 Unauthorized');
+                                               exit;
+                                               
+                                       } else {
+                                               $auth_result = authenticate_user($link, 
+                                                       $_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
+
+                                               if (!$auth_result) {
+                                                       header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+                                                       header('HTTP/1.0 401 Unauthorized');
+                                                       exit;
+                                               }
+                                       }
+                               }                               
                        }
                } else {
                        $_SESSION["uid"] = 1;
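Review bot: The new Basic-auth path at the `authenticate_user($link, $_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])` call passes the raw header values straight through, whereas the removed `http_authenticate_user` ran both through `db_escape_string` first; unless `authenticate_user` (not in this hunk) escapes its arguments itself, this drops the escaping of a client-controlled header before it reaches the login query. Keeping the old wrapping, `authenticate_user($link, db_escape_string($_SERVER["PHP_AUTH_USER"]), db_escape_string($_SERVER["PHP_AUTH_PW"]))`, restores the previous guarantee. Both 401 branches also repeat the same two `header()` lines and could be collapsed into a single failure exit after the presence and credential checks. Separately, in the `logout_user` hunk, `session_destroy()` does not clear the in-request `$_SESSION` array that the removed assignments used to null, so a `$_SESSION = array();` before it would keep `login_sequence`'s `!$_SESSION["uid"]` check honest within the same request. login_sequence's body begins and ends outside this hunk.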
index 7757689dcccebe9d7acdad692e4d2372c1f00b8c..9af2bab61beb0b3a9e664191450a7040badbbf3f 100644 (file)
@@ -8,7 +8,25 @@
 
        if (!USE_HTTP_AUTH) {
                header("Location: login.php");
-       } else {
-               header("Location: tt-rss.php");
-       }
-?>
+       } else { ?>
+       
+       <html>
+               <head>
+                       <title>Tiny Tiny RSS : Logout</title>
+                       <link rel="stylesheet" type="text/css" href="tt-rss.css">
+       <body class="logoutBody">
+               <div class="logoutContent">     
+               
+                       <h1>You have been logged out.</h1>
+
+                       <p><span class="logoutWarning">Warning:</span>
+                       As there is no way to reliably clear HTTP Authentication 
+                       credentials from your browser, it is recommended for you to close
+                       this browser window, otherwise your browser could automatically
+                       authenticate again using previously supplied credentials, which
+                       is a security risk.</p>
+                       
+               </div>
+       </body>
+       </html>
+<?     } ?>
index 20e4d546c630a41933697de3a79dee3a8ee2dcf2..aa40c7ea53b68d0f61e8bf0d7d34296ab190a791 100644 (file)
@@ -636,3 +636,23 @@ span.insensitive {
 div.prefGenericAddBox {
        margin : 5px;
 }
+
+body.logoutBody {
+       background-color : #f0f0f0;
+       color : black;
+}
+
+span.logoutWarning {
+       color : red;
+       font-weight : bold;
+}
+
+div.logoutContent {
+       width : 600px;
+       border : 1px solid #c0c0c0;
+       background-color : white;
+       margin-left : auto;
+       margin-right : auto;
+       margin-top : 20px;
+       padding : 10px;
+}