From f557cd78ff5d9fba54eb2e660a2a5fa512b0bd90 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.spb.su>
Date: Wed, 23 Nov 2005 14:52:02 +0100
Subject: [PATCH] some http auth fixes

---
 functions.php | 49 +++++++++++++++++++++----------------------------
 logout.php    | 26 ++++++++++++++++++++++----
 tt-rss.css    | 20 ++++++++++++++++++++
 3 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/functions.php b/functions.php
index 410c76ea..4ba7da74 100644
--- a/functions.php
+++ b/functions.php
@@ -606,6 +606,8 @@
 			db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . 
 				$_SESSION["uid"]);
 
+			initialize_user_prefs($link, $_SESSION["uid"]);
+
 			return true;
 		}
 
@@ -613,27 +615,6 @@
 
 	}
 
-	function http_authenticate_user($link, $force_logout) {
-
-		if (!$_SERVER['PHP_AUTH_USER'] || $force_logout) {
-
-			if ($force_logout) logout_user();
-
-			header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
-			header('HTTP/1.0 401 Unauthorized');
-			print "<h1>401 Unathorized</h1>";
-			
-			exit;
-			
-		} else {
-
-			$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
-			$password = db_escape_string($_SERVER['PHP_AUTH_PW']);
-
-			return authenticate_user($link, $login, $password);
-		}
-	}
-
 	function make_password($length = 8) {
 
 		$password = "";
@@ -672,10 +653,7 @@
 		}
 
 	function logout_user() {
-		$_SESSION["uid"] = null;
-		$_SESSION["name"] = null;
-		$_SESSION["access_level"] = null;
-		session_destroy();
+		session_destroy();		
 	}
 
 	function login_sequence($link) {
@@ -687,9 +665,24 @@
 					exit;
 				}
 			} else {
-				if (!http_authenticate_user($link, false)) {
-					exit;
-				}
+				if (!$_SESSION["uid"]) {
+					if (!$_SERVER["PHP_AUTH_USER"]) {
+
+						header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+						header('HTTP/1.0 401 Unauthorized');
+						exit;
+						
+					} else {
+						$auth_result = authenticate_user($link, 
+							$_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
+
+						if (!$auth_result) {
+							header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+							header('HTTP/1.0 401 Unauthorized');
+							exit;
+						}
+					}
+				}				
 			}
 		} else {
 			$_SESSION["uid"] = 1;
diff --git a/logout.php b/logout.php
index 7757689d..9af2bab6 100644
--- a/logout.php
+++ b/logout.php
@@ -8,7 +8,25 @@
 
 	if (!USE_HTTP_AUTH) {
 		header("Location: login.php");
-	} else {
-		header("Location: tt-rss.php");
-	}
-?>
+	} else { ?>
+	
+	<html>
+		<head>
+			<title>Tiny Tiny RSS : Logout</title>
+			<link rel="stylesheet" type="text/css" href="tt-rss.css">
+	<body class="logoutBody">
+		<div class="logoutContent">	
+		
+			<h1>You have been logged out.</h1>
+
+			<p><span class="logoutWarning">Warning:</span>
+			As there is no way to reliably clear HTTP Authentication 
+			credentials from your browser, it is recommended for you to close
+			this browser window, otherwise your browser could automatically
+			authenticate again using previously supplied credentials, which
+			is a security risk.</p>
+			
+		</div>
+	</body>
+	</html>
+<?	} ?>
diff --git a/tt-rss.css b/tt-rss.css
index 20e4d546..aa40c7ea 100644
--- a/tt-rss.css
+++ b/tt-rss.css
@@ -636,3 +636,23 @@ span.insensitive {
 div.prefGenericAddBox {
 	margin : 5px;
 }
+
+body.logoutBody {
+	background-color : #f0f0f0;
+	color : black;
+}
+
+span.logoutWarning {
+	color : red;
+	font-weight : bold;
+}
+
+div.logoutContent {
+	width : 600px;
+	border : 1px solid #c0c0c0;
+	background-color : white;
+	margin-left : auto;
+	margin-right : auto;
+	margin-top : 20px;
+	padding : 10px;
+}
-- 
2.39.2