My autologin (remember me) hack has two problems.
1) The cookie's path is root ('/'). This causes a collision between the cookies of two XOOPS sites running on the same hostname.
2) This hack weakens XOOPS against CSRF attacks. (Some modules are defenseless against CSRF: they delete or update their records via plain GET requests.)
I (GIJOE) have remade the autologin hack for XOOPS 2.0.6 as follows:
line 69 of user.php
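if ($op == 'logout') {
    // Logout: wipe the session, then expire every cookie that could
    // re-authenticate this browser (session cookie and autologin cookies).
    $message = '';
    $HTTP_SESSION_VARS = array();
    session_destroy();
    if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
        setcookie($xoopsConfig['session_name'], '', time() - 3600, '/', '', 0);
    }
    // clear autologin cookies GIJ
    // The autologin cookies are scoped to this site's path so that two XOOPS
    // installs on the same hostname do not clobber each other's cookies.
    // XOOPS_COOKIE_PATH (if defined in mainfile.php) wins; otherwise the path
    // component of XOOPS_URL is used. Both http:// and https:// are matched --
    // the original pattern only matched http://, so an https site silently
    // fell back to '/' and reintroduced the collision.
    if (defined('XOOPS_COOKIE_PATH')) {
        $xoops_cookie_path = XOOPS_COOKIE_PATH;
    } else {
        $xoops_cookie_path = preg_replace('#^https?://[^/]+(/.*)$#', '$1', XOOPS_URL);
    }
    // No path component at all (XOOPS_URL is just scheme://host): use root.
    if ($xoops_cookie_path == XOOPS_URL) {
        $xoops_cookie_path = '/';
    }
    $expired = time() - 3600;
    setcookie('autologin_uname', '', $expired, $xoops_cookie_path, '', 0);
    setcookie('autologin_pass', '', $expired, $xoops_cookie_path, '', 0);
    // Also expire the root-path cookies set by the older autologin hack;
    // remove these two lines once no browser still carries the old cookies.
    setcookie('autologin_uname', '', $expired, '/', '', 0);
    setcookie('autologin_pass', '', $expired, '/', '', 0);
    // clear entry from online users table
    if (is_object($xoopsUser)) {
        $online_handler =& xoops_gethandler('online');
        $online_handler->destroy($xoopsUser->getVar('uid'));
    }
    $message = _US_LOGGEDOUT.'
'._US_THANKYOUFORVISIT;
    redirect_header('index.php', 1, $message);
    exit();
}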
line 88 of include/checklogin.php
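// set cookie for autologin GIJ
// Same path derivation as the logout code in user.php: XOOPS_COOKIE_PATH if
// defined, else the path component of XOOPS_URL, else '/'. The pattern accepts
// http:// and https:// -- the original only matched http://, so an https site
// got root-path cookies and the cross-site collision came back.
if (defined('XOOPS_COOKIE_PATH')) {
    $xoops_cookie_path = XOOPS_COOKIE_PATH;
} else {
    $xoops_cookie_path = preg_replace('#^https?://[^/]+(/.*)$#', '$1', XOOPS_URL);
}
if ($xoops_cookie_path == XOOPS_URL) {
    $xoops_cookie_path = '/';
}
if (!empty($HTTP_POST_VARS['rememberme'])) {
    // Cookie lifetime is tied to the configured session expiry (minutes).
    $expire = time() + $xoopsConfig['session_expire'] * 60;
    // NOTE(security): the cookie stores md5($pass), and include/common.php
    // feeds that value straight into loginUserMd5(), so the cookie is a
    // password equivalent: whoever holds it can log in as this user until it
    // expires. A random, server-side revocable token would be the safer
    // design; changing that also requires changing the autologin code in
    // include/common.php.
    setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);
    setcookie('autologin_pass', md5($pass), $expire, $xoops_cookie_path, '', 0);
}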
line 160 of include/common.php
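//autologin GIJ
// Only runs when no user is in the session and both autologin cookies exist.
if (empty($HTTP_SESSION_VARS['xoopsUserId']) && isset($HTTP_COOKIE_VARS['autologin_uname']) && isset($HTTP_COOKIE_VARS['autologin_pass'])) {
    // redirect to Root when query string exists (anti-CSRF)
    // A request that is still unauthenticated but carries parameters must not
    // become an authenticated one through the cookie, otherwise a forged link
    // could trigger a module's GET-based delete/update. Bounce to the front
    // page; the browser arrives logged in on the next, parameter-free request.
    // NOTE(review): only the query string is checked; a POST body or PATH_INFO
    // is not -- confirm whether those need the same treatment.
    if (!empty($HTTP_SERVER_VARS['QUERY_STRING'])) {
        redirect_header(XOOPS_URL, 0, 'Now, logging in automatically');
        exit;
    }
    $myts =& MyTextSanitizer::getInstance();
    $uname = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_uname']);
    // The cookie already holds md5($pass) (see include/checklogin.php), so it
    // is passed to loginUserMd5() as-is: the cookie value is a password equivalent.
    $pass = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_pass']);
    $user =& $member_handler->loginUserMd5(addslashes($uname), addslashes($pass));
    // Cookie path: XOOPS_COOKIE_PATH if defined, else the path component of
    // XOOPS_URL, else '/'. Accepts http:// and https:// -- the original pattern
    // only matched http://, so https sites fell back to root-path cookies.
    if (defined('XOOPS_COOKIE_PATH')) {
        $xoops_cookie_path = XOOPS_COOKIE_PATH;
    } else {
        $xoops_cookie_path = preg_replace('#^https?://[^/]+(/.*)$#', '$1', XOOPS_URL);
    }
    if ($xoops_cookie_path == XOOPS_URL) {
        $xoops_cookie_path = '/';
    }
    // is_object() instead of a loose `false != $user`: same outcome for
    // false/null/object, and it matches the is_object($xoopsUser) check in user.php.
    if (is_object($user) && $user->getVar('level') > 0) {
        // update time of last login (best effort: a failed insert is not fatal here)
        $user->setVar('last_login', time());
        $member_handler->insertUser($user, true);
        $HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');
        $HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();
        // update autologin cookies: sliding expiry, same lifetime as the session
        $expire = time() + $xoopsConfig['session_expire'] * 60;
        setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);
        setcookie('autologin_pass', $pass, $expire, $xoops_cookie_path, '', 0);
    } else {
        // Unknown user or inactive account (level 0): drop the cookies so the
        // login is not retried on every request.
        $expired = time() - 3600;
        setcookie('autologin_uname', '', $expired, $xoops_cookie_path, '', 0);
        setcookie('autologin_pass', '', $expired, $xoops_cookie_path, '', 0);
    }
}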
The other 4 files are the same as in the older hack:
modules/system/templates/blocks/system_block_login.html
modules/system/blocks/system_blocks.php
modules/system/language/english/blocks.php
modules/system/language/(your language)/blocks.php
I've updated the Xoops Wiki too.
The new hack has not been tested sufficiently yet. Testing by volunteers would be appreciated.

---------
(Updated 28 April) fixed the anti-CSRF code, which was insufficient.