login system tweaks

backend.php

@@ -16,8 +16,6 @@
 	
 	error_reporting(DEFAULT_ERROR_LEVEL); */
 
-	$op = $_REQUEST["op"];
-
 	define('SCHEMA_VERSION', 13);
 
 	require_once "sanity_check.php";
@@ -27,6 +25,25 @@
 	require_once "db-prefs.php";
 	require_once "functions.php";
 
+	$script_started = getmicrotime();
+
+	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
+
+	if (!$link) {
+		if (DB_TYPE == "mysql") {
+			print mysql_error();
+		}
+		// PG seems to display its own errors just fine by default.		
+		return;
+	}
+
+	if (DB_TYPE == "pgsql") {
+		pg_query("set client_encoding = 'UTF-8'");
+		pg_set_client_encoding("UNICODE");
+	}
+
+	$op = $_REQUEST["op"];
+
 	$print_exec_time = false;
 
 	if ((!$op || $op == "rpc" || $op == "rss" || $op == "digestSend" ||
@@ -41,7 +58,8 @@
 		print_error_xml(7); exit;
 	}
 
-	if (!$_SESSION["uid"] && $op != "globalUpdateFeeds" && $op != "rss" && $op != "getUnread") {
+	if (!($_SESSION["uid"] && validate_session($link)) && $op != "globalUpdateFeeds" 
+			&& $op != "rss" && $op != "getUnread") {
 
 		if ($op == "rpc") {
 			print_error_xml(6); die;
@@ -95,22 +113,6 @@
 	require_once "modules/pref-users.php";
 	require_once "modules/pref-feed-browser.php"; 
 
-	$script_started = getmicrotime();
-
-	$link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);	
-
-	if (!$link) {
-		if (DB_TYPE == "mysql") {
-			print mysql_error();
-		}
-		// PG seems to display its own errors just fine by default.		
-		return;
-	}
-
-	if (DB_TYPE == "pgsql") {
-		pg_query("set client_encoding = 'UTF-8'");
-		pg_set_client_encoding("UNICODE");
-	}
 
 	if (!sanity_check($link)) { return; }
 

functions.php

@@ -1163,6 +1163,7 @@
 		if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
 			if ($_SESSION["ip_address"]) {
 				if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+					$_SESSION["login_error_msg"] = "Session failed to validate (incorrect IP)";
 					return false;
 				}
 			}
@@ -1191,20 +1192,22 @@
 				}
 			}
 
-			if ($_COOKIE[get_session_cookie_name()]) {
+/*			if ($_COOKIE[get_session_cookie_name()]) {
 				require_once "sessions.php";
-			}
+} */
+
+			$login_action = $_POST["login_action"];
 
-			if (!validate_session($link)) {
+/*			if (!validate_session($link) && $login_action != "do_login") {
 				logout_user();
 				render_login_form($link);
 				exit;
-			}
+} */
 
-			$login_action = $_POST["login_action"];
+			$session_started = false;
 
 			# try to authenticate user if called from login form			
-			if ($login_action == "do_login" && !$_SESSION["uid"]) {
+			if ($login_action == "do_login") {
 				$login = $_POST["login"];
 				$password = $_POST["password"];
 				$remember_me = $_POST["remember_me"];
@@ -1217,7 +1220,7 @@
 
 				require_once "sessions.php";
 
-				session_regenerate_id();
+				$session_started = true;
 
 				if (authenticate_user($link, $login, $password)) {
 					$_POST["password"] = "";
@@ -1236,10 +1239,16 @@
 					exit;
 
 					return;
+				} else {
+					$_SESSION["login_error_msg"] = "Incorrect username or password";
 				}
 			}
 
-			if (!$_SESSION["uid"]) {
+			if (!$session_started) {
+				require_once "sessions.php";
+			}
+
+			if (!$_SESSION["uid"] || !validate_session($link)) {
 				render_login_form($link);
 				exit;
 			}

login_form.php

@@ -41,8 +41,9 @@ window.onload = init;
 	</td>
 </tr><tr>
 	<td align="center" valign="middle" class="loginMiddle" height="100%">
-		<?php if ($error_msg) { ?>
-			<div class="loginError"><?php echo $error_msg ?></div>
+		<?php if ($_SESSION['login_error_msg']) { ?>
+			<div class="loginError"><?php echo $_SESSION['login_error_msg'] ?></div>
+			<?php $_SESSION['login_error_msg'] = ""; ?>
 		<?php } ?>
 		<table>
 			<tr><td align="right">Login:</td>