Merge pull request #575 from FreshPorts/574-logincookie-expiration

574 logincookie expiration

classes/user.php

@@ -18,7 +18,6 @@ class User {
 	var $id;
 	var $name;
 	var $password;
-	var $cookie;
 	var $firstlogin;
 	var $lastlogin;
 	var $email;
@@ -72,9 +71,12 @@ function Fetch($ID) {
 
 
 	function FetchByCookie($Cookie) {
+		# might want to make this a stored procedure
 		$sql = "-- " . __FILE__ . '::' . __FUNCTION__ . "\n" . 'SELECT users.*
-		          FROM users
-				 WHERE cookie = $1';
+		          FROM users join user_cookie on users.id = user_cookie.user_id
+				 WHERE user_cookie.cookie = $1';
+
+		$sql = "-- " . __FILE__ . '::' . __FUNCTION__ . "\n" . 'select * from user_fetch_by_cookie($1)';
 
 		$this->LocalResult = pg_query_params($this->dbh, $sql, array($Cookie));
 		if ($this->LocalResult) {
@@ -108,7 +110,6 @@ function PopulateValues($myrow) {
 		$this->id                       = $myrow['id'];
 		$this->name                     = $myrow['name'];
 		$this->password                 = isset($myrow['password']) ? $myrow['password'] : null;
-		$this->cookie                   = $myrow['cookie'];
 		$this->firstlogin               = $myrow['firstlogin'];
 		$this->lastlogin                = $myrow['lastlogin'];
 		$this->email                    = $myrow['email'];

include/constants.php

@@ -38,7 +38,8 @@
 $UserStatusUnconfirmed = "U";
 
 
-if (!defined('USER_COOKIE_NAME')) define('USER_COOKIE_NAME', "visitor");
+if (!defined('USER_COOKIE_NAME'   )) define('USER_COOKIE_NAME', "visitor");
+if (!defined('USER_COOKIE_EXPIRES')) define('USER_COOKIE_EXPIRES', 60 * 60 * 24 * 120); # 120 days
 
 #
 # SEQUENCES

include/freshports.php

@@ -2763,3 +2763,24 @@ function FirstDateOfCurrentQuarter() {
 
 	return date("Y-m-d", strtotime(date("Y") . '-' . $yearQuarter . '-01'));
 }
+
+function freshports_UserSetCookie($Cookie, $Expires = null) {
+	# set the cookie to the supplied expiry date
+	# initially set during login
+	# then reset/extended each time the cookie is used.
+
+	if (Is_Null($Expires)) {
+		$Expires = time() + USER_COOKIE_EXPIRES;
+	}
+
+	SetCookie(USER_COOKIE_NAME, $Cookie, array(
+		'expires'  => $Expires,
+		'path'     => '/',
+		'secure'   => (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'),
+		'httponly' => TRUE,
+		// it's probably common for users to navigate from other sites like portscout
+		// we want them to still be logged in if that's the case
+		'samesite' => 'Lax',
+	));
+
+}

include/getvalues.php

@@ -13,10 +13,10 @@
 
 $Debug = 0;
 
-$FormatDateDefault	= "%W, %b %e";
-$FormatTimeDefault	= "%H:%i";
-$DaysMarkedAsNewDefault	= 10;
-$DefaultPageSize	= 50;
+$FormatDateDefault       = "%W, %b %e";
+$FormatTimeDefault       = "%H:%i";
+$DaysMarkedAsNewDefault  = 10;
+$DefaultPageSize         = 50;
 
 
 // there are only a few places we want to show the last change.
@@ -27,42 +27,44 @@
 $MaxArticles = 40;
 $DaysNew     = 10;
 
-$MaxNumberOfPorts	= 10;	# max number of commits to show on index.php
+$MaxNumberOfPorts       = 10;	# max number of commits to show on index.php
 $MaxNumberOfPortsLong   = 100;	# max number of commits to show on commits.php
 $ShowShortDescription	= "Y";
-$ShowMaintainedBy	= "Y";
-$ShowLastChange		= "Y";
-$ShowDescriptionLink	= "Y";
-$ShowChangesLink	= "Y";
-$ShowDownloadPortLink	= "Y";
-$ShowPackageLink	= "Y";
-$ShowHomepageLink	= "Y";
-$FormatDate		= $FormatDateDefault;
-$FormatTime		= $FormatTimeDefault;
-$DaysMarkedAsNew	= $DaysMarkedAsNewDefault;
-$EmailBounceCount	= 0;
-$CVSTimeAdjustment	= -10800;	# this is number of seconds the web server is relative to the cvs server.
+$ShowMaintainedBy       = "Y";
+$ShowLastChange         = "Y";
+$ShowDescriptionLink    = "Y";
+$ShowChangesLink        = "Y";
+$ShowDownloadPortLink   = "Y";
+$ShowPackageLink        = "Y";
+$ShowHomepageLink       = "Y";
+$FormatDate             = $FormatDateDefault;
+$FormatTime             = $FormatTimeDefault;
+$DaysMarkedAsNew        = $DaysMarkedAsNewDefault;
+$EmailBounceCount       = 0;
+$CVSTimeAdjustment      = -10800;	# this is number of seconds the web server is relative to the cvs server.
 									# a value of -10800 means the web server is three hours east of the cvs server.
 									# we can override that for a particular user.
 
-$LocalTimeAdjustment	= 0;		# This can be used to display the time the webpage was loaded.
-$NumberOfDays		= 9;
-$WatchListAsk		= 1;
+$LocalTimeAdjustment    = 0;		# This can be used to display the time the webpage was loaded.
+$NumberOfDays           = 9;
+$WatchListAsk           = 1;
 
 #
 # flags for showing various port parts.
 #
-$ShowEverything		= 0;
-$ShowPortCreationDate	= 0;
+$ShowEverything         = 0;
+$ShowPortCreationDate   = 0;
 
-$User->name	= '';
-$User->id	= 0;
+$User->name = '';
+$User->id   = 0;
 
-// This is used to determine whether or not the cach can be used.
+// This is used to determine if the cache can be used.
 $DefaultMaxArticles = $MaxArticles;
 
 if (IsSet($_COOKIE[USER_COOKIE_NAME])) {
 	$visitor = $_COOKIE[USER_COOKIE_NAME];
+	# see a cookie? extend the cookie lifetime
+	freshports_UserSetCookie($visitor);
 }
 if (!empty($visitor)) {
 

www/bouncing.php

@@ -21,7 +21,7 @@
 	$visitor	= $_COOKIE[USER_COOKIE_NAME];
 
 if ($submit) {
-   $sql = "update users set emailbouncecount = 0 where cookie = $1";
+   $sql = "select * from user_clear_bouncecount($1)";
    if ($Debug) {
       echo $sql;
    }

www/customize.php

@@ -97,11 +97,7 @@
 
 	if ($OK) {
 		// get the existing email in case we need to reset the bounce count
-		$sql = "select email from users where cookie = '$visitor'";
-		$result = pg_query($db, $sql);
-		if ($result) {
-			$myrow = pg_fetch_array ($result, 0);
-
+		if (IsSet($User)) {
 			$sql = "
 UPDATE users
    SET email            = '$email',
@@ -110,7 +106,7 @@
        set_focus_search = $set_focus_search";
 
 			// if they are changing the email, reset the bouncecount.
-			if ($myrow["email"] != $email) {
+			if ($User->email != $email) {
 				$sql .= ", emailbouncecount = 0 ";
 			}
 
@@ -119,13 +115,13 @@
 				$sql .= ", gen_salt('" . PW_HASH_METHOD . "', " . PW_HASH_COST ."))";
 			}
 
-			$sql .= " where cookie = '$visitor'";
+			$sql .= " where users.id = (select user_id from user_cookie where cookie = $1)";
 
 			if ($Debug) {
 				echo '<pre>' . htmlentities($sql) . '</pre>';
 			}
 
-			$result = pg_query($db, $sql);
+			$result = pg_query_params($db, $sql, array($visitor));
 			if ($result) {
 				$AccountModified = 1;
 			}

www/delete-account.php

@@ -44,7 +44,6 @@
 		$result = pg_exec($db, "BEGIN");
 
 		// Delete from the user table. The database will take care of the rest
-#		$sql = "DELETE FROM users WHERE cookie = '$visitor'";
 		$sql = "SELECT DeleteUser($1)";
 		$result = pg_query_params($db, $sql, array($User->id));
 		if ($result) {

www/login.php

@@ -86,19 +86,14 @@
 	         $Cookie = $user->createUserToken();
 	         # we should use $user to save this...
 
-	         $sql = "UPDATE users SET cookie = $1 WHERE id = $2";
+	         $expires = time() + USER_COOKIE_EXPIRES;
+	         $dt = new DateTime("@$expires"); // convert UNIX timestamp to PHP DateTime
+	         $expires_dt = $dt->format('Y-m-d H:i:s');  // output = 2012-08-15 00:00:00
+	         $sql = 'SELECT * FROM user_set_cookie($1, $2, $3)';
 	         # if we were doing this in a user object, we could retry when there was a cookie collision and we get a unique index error
-	         $result = pg_query_params($db, $sql, array($Cookie, $row['id'])) or die('query failed ' . pg_last_error($db));
-
-	         SetCookie(USER_COOKIE_NAME, $Cookie, array(
-	           'expires'  => time() + 60*60*24*120,
-	           'path'     => '/',
-	           'secure'   => (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'),
-	           'httponly' => TRUE,
-	           // it's probably common for users to navigate from other sites like portscout
-	           // we want them to still be logged in if that's the case
-	           'samesite' => 'Lax',
-	           ));
+	         $result = pg_query_params($db, $sql, array($row['id'], $Cookie, $expires_dt)) or die('query failed ' . pg_last_error($db));
+
+	         freshports_UserSetCookie($Cookie, $expires);
 
 	         header("Location: /");
 	         //    Make sure that code below does not get executed when we redirect.

www/logout.php

@@ -17,7 +17,7 @@
 	if (IsSet($_COOKIE[USER_COOKIE_NAME])) {
 		$visitor = $_COOKIE[USER_COOKIE_NAME];
 
-		$sql = "UPDATE users SET cookie = 'nocookie' WHERE cookie = $1";
+		$sql = "select * from user_logout($1)";
 		#echo $sql;
 		$result = pg_query_params($db, $sql, array($_COOKIE[USER_COOKIE_NAME]));
 	}

www/new-user.php

@@ -129,15 +129,15 @@
 			$UserID = freshports_GetNextValue($Sequence_User_ID, $db);
 			if (IsSet($UserID)) {
 				$sql = "insert into " .
-					"users (id, name, cookie, email, watch_notice_id, emailsitenotices_yn, type, ip_address, number_of_days, password_hash) " .
-					"values ($1, $2, $3, $4, $5::integer, $6, $7, $8, $9::integer, crypt($10, gen_salt($11, $12::integer)))";
+					"users (id, name, email, watch_notice_id, emailsitenotices_yn, type, ip_address, number_of_days, password_hash) " .
+					"values ($1, $2, $3, $4::integer, $5, $6, $7, $8::integer, crypt($9, gen_salt($10, $11::integer)))";
 
 				syslog(LOG_ERR, "FreshPorts new user: '$UserID', '$UserLogin', '$email', " . $_SERVER["REMOTE_ADDR"]);
 
 				$errors .= "<br>sql=" . $sql;
 
 				$result = pg_query_params($db, $sql, array(
-					$UserID, $UserLogin, 'nocookie', $email, 1, 'N', 'U', $_SERVER["REMOTE_ADDR"],
+					$UserID, $UserLogin, $email, 1, 'N', 'U', $_SERVER["REMOTE_ADDR"],
 					$numberofdays, $Password1, PW_HASH_METHOD, PW_HASH_COST
 				));