From 32ed2b361abb0cb00bee6572d022684260f0edd2 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Mon, 11 Apr 2011 17:21:36 +0200
Subject: stay logged in when updating your password

This functionality broke in recent updates to the cookie handling. This patch makes it work again. Binding to the session is now a functionality of auth_cookiesalt()
---
 inc/auth.php | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 53376be34..a480a4a8a 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -189,8 +189,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 if ($auth->checkPass($user,$pass)){
 // make logininfo globally available
 $_SERVER['REMOTE_USER'] = $user;
- $secret = auth_cookiesalt();
- if(!$sticky) $secret .= session_id; //bind non-sticky to session
+ $secret = auth_cookiesalt(!$sticky); //bind non-sticky to session
 auth_setCookie($user,PMA_blowfish_encrypt($pass,$secret),$sticky);
 return true;
 }else{
@@ -220,8 +219,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 return true;
 }
 // no we don't trust it yet - recheck pass but silent
- $secret = auth_cookiesalt();
- if(!$sticky) $secret .= session_id(); //bind non-sticky to session
+ $secret = auth_cookiesalt(!$sticky); //bind non-sticky to session
 $pass = PMA_blowfish_decrypt($pass,$secret);
 return auth_login($user,$pass,$sticky,true);
 }
@@ -303,10 +301,10 @@ function auth_browseruid(){
 * and stored in this file.
 *
 * @author Andreas Gohr
- *
+ * @param bool $addsession if true, the sessionid is added to the salt
 * @return string
 */
-function auth_cookiesalt(){
+function auth_cookiesalt($addsession=false){
 global $conf;
 $file = $conf['metadir'].'/_htcookiesalt';
 $salt = io_readFile($file);
@@ -314,6 +312,9 @@ function auth_cookiesalt(){
 $salt = uniqid(rand(),true);
 io_saveFile($file,$salt);
 }
+ if($addsession){
+ $salt .= session_id();
+ }
 return $salt;
 }
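Review bot: The cookie written by `auth_setCookie($user,PMA_blowfish_encrypt($pass,$secret),$sticky)` in the first hunk still carries the user's password under reversible encryption, and for a sticky login the key is only the static value that auth_cookiesalt() reads from `_htcookiesalt`, so the secrecy of every long-lived cookie rests on that one file. Nothing at the call site records this trust assumption; a comment above the changed line would help, for example `// sticky cookies are keyed by the file salt alone; protect _htcookiesalt like a credential store`. auth_login starts and ends outside this hunk, so any further protection of the cookie (transport, cookie flags) cannot be judged from here.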
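Review bot: In the second hunk the output of `PMA_blowfish_decrypt($pass,$secret)` goes straight into `auth_login($user,$pass,$sticky,true)` with no integrity check, so a cookie whose key no longer matches (for instance a non-sticky cookie presented under a different session id) decrypts to arbitrary bytes that are then submitted as a password. This fails closed as long as `checkPass()` rejects the garbage, but with an external backend each such request presumably registers as a failed login. I would state that reliance explicitly, e.g. `// wrong key => garbage password; we rely on checkPass() rejecting it (cookie carries no MAC)`. The enclosing function continues outside the hunk.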
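Review bot: The added branch in the last hunk of auth_cookiesalt() appends `session_id()` without checking that a session is active; PHP returns an empty string in that case, so `auth_cookiesalt(true)` would silently yield the same key as the sticky path and the cookie would not be session-bound at all. A one-line signal before the append would surface that, e.g. `if(session_id() === '') trigger_error('auth_cookiesalt(): no active session', E_USER_WARNING);`, and the new `@param` line should name the precondition. The context line `$salt = uniqid(rand(),true);` also deserves a follow-up: it derives the value that keys every cookie from the clock and a non-cryptographic generator, where a CSPRNG source would be appropriate. The function's signature and docblock are in the preceding hunk.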
@@ -814,11 +815,11 @@ function updateprofile() {
 if ($result = $auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) {
 // update cookie and session with the changed data
- $cookie = base64_decode($_COOKIE[DOKU_COOKIE]);
- list($user,$sticky,$pass) = explode('|',$cookie,3);
- if ($changes['pass']) $pass = PMA_blowfish_encrypt($changes['pass'],auth_cookiesalt());
-
- auth_setCookie($_SERVER['REMOTE_USER'],$pass,(bool)$sticky);
+ if ($changes['pass']){
+ list($user,$sticky,$pass) = auth_getCookie();
+ $pass = PMA_blowfish_encrypt($changes['pass'],auth_cookiesalt(!$sticky));
+ auth_setCookie($_SERVER['REMOTE_USER'],$pass,(bool)$sticky);
+ }
 return true;
 }
 }
--
cgit v1.2.3
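Review bot: Moving `auth_setCookie()` inside `if ($changes['pass'])` means a profile update that changes only other fields no longer refreshes anything, although the retained comment still reads `// update cookie and session with the changed data`; if `auth_setCookie()` also rewrites session-cached user data (not visible here), that data stays stale until the next login. The `$sticky` flag that selects the key through `auth_cookiesalt(!$sticky)` comes from the client-supplied cookie returned by `auth_getCookie()`, and what that call returns when no cookie is present is not shown, so the `list()` assignment may be working on empty values. I would reword the comment to `// password changed: re-encrypt it for the cookie with the matching (sticky or session-bound) key` and note the no-cookie case next to it. updateprofile starts before this hunk.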