rainbownapkin/fore.st
1
0
Fork 0
Code Issues 13 Pull requests Projects Releases Packages Wiki Activity Actions

Implement new session system

Browse source 
I replaced the old login system with a more secure one.
Instead of storing cookies containing the username and plaintext password, the password
is submitted once to obtain a session hash, which is valid for a given length of time.
Registering and logging in is now done via an iframe, which prevents custom javascript from having access to the password field.
Site admins need to run the following SQL before updating, or else all of your logins/registrations will fail:

ALTER TABLE `registrations` ADD `session_hash` VARCHAR( 64 ) NOT NULL ,
ADD `expire` BIGINT NOT NULL
This commit is contained in:
calzoneman 2013-04-25 22:50:12 -05:00
parent db2e5e20b9
commit 3a7acd0526
10 changed files with 312 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

7
www/assets/js/callbacks.js
View file

@ -143,10 +143,9 @@ function initCallbacks() {
$("#loginform").css("display", "none");
$("#logoutform").css("display", "");
$("#loggedin").css("display", "");
if(pw != "") {
createCookie("sync_uname", uname, 1);
createCookie("sync_pw", pw, 1);
}
session = data.session;
createCookie("sync_uname", uname, 7);
createCookie("sync_session", session, 7);
}
});