author | Joas Schilling <nickvergessen@gmx.de> | 2014-10-16 12:32:48 +0200 |
committer | Joas Schilling <nickvergessen@gmx.de> | 2014-10-16 12:32:48 +0200 |
commit | e7e016637b8c136dfc31d422a263e808b61271a8 (patch) | |
tree | 345144a3a766331c5e869994fbba4bac47e9b798 /phpBB/includes | |
parent | a12a7d0b9058cd3b7ca43bcea3c5a569df7b700b (diff) | |
[ticket/13138] Do not use cookie data and autologin while forcing a user_id
PHPBB3-13138
Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/session.php | 59 |
1 files changed, 31 insertions, 28 deletions
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index fe5357f32e..4c13a4f558 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -553,34 +553,7 @@ class session
 			$method = basename(trim($config['auth_method']));
 			include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
 
-			$method = 'autologin_' . $method;
-			if (function_exists($method))
-			{
-				$this->data = $method();
-
-				if (sizeof($this->data))
-				{
-					$this->cookie_data['k'] = '';
-					$this->cookie_data['u'] = $this->data['user_id'];
-				}
-			}
-
-			// If we're presented with an autologin key we'll join against it.
-			// Else if we've been passed a user_id we'll grab data based on that
-			if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))
-			{
-				$sql = 'SELECT u.*
-					FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
-					WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
-						AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
-						AND k.user_id = u.user_id
-						AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
-				$result = $db->sql_query($sql);
-				$this->data = $db->sql_fetchrow($result);
-				$db->sql_freeresult($result);
-				$bot = false;
-			}
-			else if ($user_id !== false && !sizeof($this->data))
+			if ($user_id !== false && !sizeof($this->data))
 			{
 				$this->cookie_data['k'] = '';
 				$this->cookie_data['u'] = $user_id;
@@ -594,6 +567,36 @@ class session
 				$db->sql_freeresult($result);
 				$bot = false;
 			}
+			else if (!$bot)
+			{
+				$method = 'autologin_' . $method;
+				if (function_exists($method))
+				{
+					$this->data = $method();
+
+					if (sizeof($this->data))
+					{
+						$this->cookie_data['k'] = '';
+						$this->cookie_data['u'] = $this->data['user_id'];
+					}
+				}
+
+				// If we're presented with an autologin key we'll join against it.
+				// Else if we've been passed a user_id we'll grab data based on that
+				if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))
+				{
+					$sql = 'SELECT u.*
+						FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
+						WHERE u.user_id = ' . (int) $this->cookie_data['u'] . '
+							AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ")
+							AND k.user_id = u.user_id
+							AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
+					$result = $db->sql_query($sql);
+					$this->data = $db->sql_fetchrow($result);
+					$db->sql_freeresult($result);
+					$bot = false;
+				}
+			}
 
 			// Bot user, if they have a SID in the Request URI we need to get rid of it
 			// otherwise they'll index this page with the SID, duplicate content oh my!
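Review bot: The moved comment inside the new `else if (!$bot)` block is now stale: "Else if we've been passed a user_id we'll grab data based on that" describes the old ordering, but after this change the forced-user_id lookup happens before this block and the block is only reached when no user_id was forced, so the comment should say what the branch now guarantees, e.g. `// Only reached when no user_id was forced and the request is not from a bot: try the auth plugin's autologin, then the persistent-login key.` That guarantee is the security property the ticket is about (cookie `k`/`u` values and the autologin provider can no longer override a forced user_id, even when the forced lookup returns no row), and it is worth stating in code so a later refactor does not silently reorder the branches back. The `$bot = false;` assignment inside the key-join branch is now dead, since the enclosing `else if (!$bot)` already excludes bots; it can be dropped. The enclosing method begins and ends outside both hunks, so the initialisation of `$bot` and `$this->cookie_data['u']` assumed by these conditions could not be checked here.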