better error reporting for rememberme cookie handling

rememberme cookies are probably the most complained-about parts of the system. We use "weak", one-use, low-info cookies that don't allow changing settings like passwords or email addresses. This change adds some better error-reporting to the rememberme function. Hopefully we'll find out if there are other rm problem. darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz
2008-12-09 12:04:13 -05:00 · 2008-12-09 12:04:13 -05:00 · ed440c734e
commit ed440c734e
parent a61c7546c8
1 changed files with 58 additions and 26 deletions
--- a/lib/util.php
+++ b/lib/util.php
@ -620,33 +620,65 @@ function common_rememberme($user=NULL) {
 }

 function common_remembered_user() {
+
 	$user = NULL;
-	# Try to remember
-	$packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : '';
-	if ($packed) {
+
+	$packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL;
+
+	if (!$packed) {
+        return NULL;
+    }
+
    list($id, $code) = explode(':', $packed);
-		if ($id && $code) {
+
+    if (!$id || !$code) {
+        common_warning('Malformed rememberme cookie: ' . $packed);
+        common_forgetme();
+        return NULL;
+    }
+
    $rm = Remember_me::staticGet($code);
-			if ($rm && ($rm->user_id == $id)) {
+
+    if (!$rm) {
+        common_warning('No such remember code: ' . $code);
+        common_forgetme();
+        return NULL;
+    }
+
+    if ($rm->user_id != $id) {
+        common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id);
+        common_forgetme();
+        return NULL;
+    }
+
    $user = User::staticGet($rm->user_id);
-				if ($user) {
+
+    if (!$user) {
+        common_warning('No such user for rememberme: ' . $rm->user_id);
+        common_forgetme();
+        return NULL;
+    }
+
 	# successful!
    $result = $rm->delete();
+
    if (!$result) {
        common_log_db_error($rm, 'DELETE', __FILE__);
-						$user = NULL;
-					} else {
+        common_warning('Could not delete rememberme: ' . $code);
+        common_forgetme();
+        return NULL;
+    }
+
    common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
+
    common_set_user($user->nickname);
    common_real_login(false);
+
    # We issue a new cookie, so they can log in
    # automatically again after this session
+
    common_rememberme($user);
-					}
-				}
-			}
-		}
-	}
+
 	return $user;
 }