Changes related to deleting auto login keys on password change

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@5442 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-06-25 04:24:31 +02:00 · 2006-01-11 21:09:47 +00:00
parent 8976799a6a
commit 6dbe925952
3 changed files with 67 additions and 0 deletions
--- a/phpBB/admin/admin_users.php
+++ b/phpBB/admin/admin_users.php
@ -696,6 +696,13 @@ if ( $mode == 'edit' || $mode == 'save' && ( isset($HTTP_POST_VARS['username'])
 						message_die(GENERAL_ERROR, 'Error removing user session', '', __LINE__, __FILE__, $sql);
 					}
 				}
+
+				// We remove all stored login keys since the password has been updated
+				// and change the current one (if applicable)
+				if ( !empty($passwd_sql) )
+				{
+					session_reset_keys($user_id, $user_ip);
+				}
 				
 				$message .= $lang['Admin_user_updated'];
 			}
--- a/phpBB/includes/sessions.php
+++ b/phpBB/includes/sessions.php
@ -496,6 +496,59 @@ function session_clean($session_id)
 	return true;
 }

+/**
+* Reset all login keys for the specified user
+* Called on password changes
+*/
+function session_reset_keys($user_id, $user_ip)
+{
+	global $db, $userdata;
+
+	$key_sql = ($user_id == $userdata['user_id'] && !empty($userdata['session_key'])) ? "AND key_id != '" . md5($userdata['session_key']) . "'" : '';
+
+	$sql = 'DELETE FROM ' . SESSIONS_KEYS_TABLE . '
+		WHERE user_id = ' . (int) $user_id . "
+			$key_sql";
+	$db->sql_query($sql);
+
+	if ( !$db->sql_query($sql) )
+	{
+		message_die(CRITICAL_ERROR, 'Error removing auto-login keys', '', __LINE__, __FILE__, $sql);
+	}
+
+	if ( !empty($key_sql) )
+	{
+		list($sec, $usec) = explode(' ', microtime());
+		mt_srand(hexdec(substr($userdata['session_id'], 0, 8)) + (float) $sec + ((float) $usec * 1000000));
+		$auto_login_key = uniqid(mt_rand(), true);
+
+		$current_time = time();
+		
+		$sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . "
+			SET last_ip = '$user_ip', key_id = '" . md5($auto_login_key) . "', last_login = $current_time
+			WHERE key_id = '" . md5($userdata['session_key']) . "'";
+		
+		if ( !$db->sql_query($sql) )
+		{
+			message_die(CRITICAL_ERROR, 'Error updating session key', '', __LINE__, __FILE__, $sql);
+		}
+
+		// And now rebuild the cookie
+		$sessiondata['userid'] = $user_id;
+		$sessiondata['autologinid'] = $autologin_id;
+		$cookiename = $board_config['cookie_name'];
+		$cookiepath = $board_config['cookie_path'];
+		$cookiedomain = $board_config['cookie_domain'];
+		$cookiesecure = $board_config['cookie_secure'];
+
+		setcookie($cookiename . '_data', serialize($sessiondata), $current_time + 31536000, $cookiepath, $cookiedomain, $cookiesecure);
+		
+		$userdata['session_key'] = $auto_login_key;
+		unset($sessiondata);
+		unset($auto_login_key);
+	}
+}
+
 //
 // Append $SID to a url. Borrowed from phplib and modified. This is an
 // extra routine utilised by the session code above and acts as a wrapper
--- a/phpBB/includes/usercp_register.php
+++ b/phpBB/includes/usercp_register.php
@ -527,6 +527,13 @@ if ( isset($HTTP_POST_VARS['submit']) )
 				message_die(GENERAL_ERROR, 'Could not update users table', '', __LINE__, __FILE__, $sql);
 			}

+			// We remove all stored login keys since the password has been updated
+			// and change the current one (if applicable)
+			if ( !empty($passwd_sql) )
+			{
+				session_reset_keys($user_id, $user_ip);
+			}
+
 			if ( !$user_active )
 			{
 				//