some http auth fixes

19 years ago · f557cd78ff
parent 81dde650b6
commit f557cd78ff
3 changed files with 63 additions and 32 deletions
--- a/functions.php
+++ b/functions.php
@ -606,6 +606,8 @@
 			db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . 
 				$_SESSION["uid"]);

+			initialize_user_prefs($link, $_SESSION["uid"]);
+
 			return true;
 		}

@ -613,27 +615,6 @@

 	}

-	function http_authenticate_user($link, $force_logout) {
-
-		if (!$_SERVER['PHP_AUTH_USER'] || $force_logout) {
-
-			if ($force_logout) logout_user();
-
-			header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
-			header('HTTP/1.0 401 Unauthorized');
-			print "<h1>401 Unathorized</h1>";
-			
-			exit;
-			
-		} else {
-
-			$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
-			$password = db_escape_string($_SERVER['PHP_AUTH_PW']);
-
-			return authenticate_user($link, $login, $password);
-		}
-	}
-
 	function make_password($length = 8) {

 		$password = "";
@ -672,10 +653,7 @@
 		}

 	function logout_user() {
-		$_SESSION["uid"] = null;
-		$_SESSION["name"] = null;
-		$_SESSION["access_level"] = null;
-		session_destroy();
+		session_destroy();		
 	}

 	function login_sequence($link) {
@ -687,9 +665,24 @@
 					exit;
 				}
 			} else {
-				if (!http_authenticate_user($link, false)) {
-					exit;
-				}
+				if (!$_SESSION["uid"]) {
+					if (!$_SERVER["PHP_AUTH_USER"]) {
+
+						header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+						header('HTTP/1.0 401 Unauthorized');
+						exit;
+						
+					} else {
+						$auth_result = authenticate_user($link, 
+							$_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
+
+						if (!$auth_result) {
+							header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
+							header('HTTP/1.0 401 Unauthorized');
+							exit;
+						}
+					}
+				}				
 			}
 		} else {
 			$_SESSION["uid"] = 1;
--- a/logout.php
+++ b/logout.php
@ -8,7 +8,25 @@

 	if (!USE_HTTP_AUTH) {
 		header("Location: login.php");
-	} else {
-		header("Location: tt-rss.php");
-	}
-?>
+	} else { ?>
+	
+	<html>
+		<head>
+			<title>Tiny Tiny RSS : Logout</title>
+			<link rel="stylesheet" type="text/css" href="tt-rss.css">
+	<body class="logoutBody">
+		<div class="logoutContent">	
+		
+			<h1>You have been logged out.</h1>
+
+			<p><span class="logoutWarning">Warning:</span>
+			As there is no way to reliably clear HTTP Authentication 
+			credentials from your browser, it is recommended for you to close
+			this browser window, otherwise your browser could automatically
+			authenticate again using previously supplied credentials, which
+			is a security risk.</p>
+			
+		</div>
+	</body>
+	</html>
+<?	} ?>
--- a/tt-rss.css
+++ b/tt-rss.css
@ -636,3 +636,23 @@ span.insensitive {
 div.prefGenericAddBox {
 	margin : 5px;
 }
+
+body.logoutBody {
+	background-color : #f0f0f0;
+	color : black;
+}
+
+span.logoutWarning {
+	color : red;
+	font-weight : bold;
+}
+
+div.logoutContent {
+	width : 600px;
+	border : 1px solid #c0c0c0;
+	background-color : white;
+	margin-left : auto;
+	margin-right : auto;
+	margin-top : 20px;
+	padding : 10px;
+}