MDL-10137 rewritten cookie test on login page, username cookie is not…

… required any more - hopefully this will be more reliable test
deeknow · Oct 10, 2010 · 8a8f1c7 · 8a8f1c7
1 parent 17c70aa
commit 8a8f1c7
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 47 deletions.
diff --git a/auth/shibboleth/index.php b/auth/shibboleth/index.php
@@ -46,8 +46,8 @@
 
             update_user_login_times();
 
-            // Don't show username on login page
-            set_moodle_cookie('nobody');
+            // Don't show previous shibboleth username on login page
+            set_moodle_cookie('');
 
             set_login_session_preferences();
 

diff --git a/auth/shibboleth/index_form.html b/auth/shibboleth/index_form.html
@@ -57,7 +57,6 @@ <h2><?php
           <div class="guestform">
             <input type="hidden" name="username" value="guest" />
             <input type="hidden" name="password" value="guest" />
-            <input type="hidden" name="testcookies" value="1" />
             <input type="submit" value="<?php print_string("loginguest") ?>" />
           </div>
         </form>

diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php
@@ -26,10 +26,6 @@
     $loginurl = (!empty($CFG->alternateloginurl)) ? $CFG->alternateloginurl : '';
 
 
-    if (get_moodle_cookie() == '') {
-        set_moodle_cookie('nobody');   // To help search for cookies
-    }
-
     if (!empty($CFG->registerauth) or is_enabled_auth('none') or !empty($CFG->auth_instructions)) {
         $show_instructions = true;
     } else {

diff --git a/blocks/login/block_login.php b/blocks/login/block_login.php
@@ -35,7 +35,7 @@ function get_content () {
         // TODO: now that we have multiauth it is hard to find out if there is a way to change password
         $forgot = $wwwroot . '/login/forgot_password.php';
 
-        $username = get_moodle_cookie() === 'nobody' ? '' : get_moodle_cookie();
+        $username = get_moodle_cookie();
 
         $this->content->footer = '';
         $this->content->text = '';

diff --git a/index.php b/index.php
@@ -63,10 +63,6 @@
         }
     }
 
-    if (get_moodle_cookie() == '') {
-        set_moodle_cookie('nobody');   // To help search for cookies on login page
-    }
-
     if (isloggedin()) {
         add_to_log(SITEID, 'course', 'view', 'view.php?id='.SITEID, SITEID);
     }

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -3764,7 +3764,7 @@ function complete_user_login($user, $setcookie=true) {
             // do not store last logged in user in cookie
             // auth plugins can temporarily override this from loginpage_hook()
             // do not save $CFG->nolastloggedin in database!
-            set_moodle_cookie('nobody');
+            set_moodle_cookie('');
         }
     }
 

diff --git a/lib/sessionlib.php b/lib/sessionlib.php
@@ -812,38 +812,38 @@ function require_sesskey() {
 }
 
 /**
- * Sets a moodle cookie with a weakly encrypted string
+ * Sets a moodle cookie with a weakly encrypted username
  *
- * @uses $CFG
- * @uses DAYSECS
- * @uses HOURSECS
- * @param string $thing The string to encrypt and place in a cookie
+ * @param string $username to encrypt and place in a cookie, '' means delete current cookie
+ * @return void
  */
-function set_moodle_cookie($thing) {
+function set_moodle_cookie($username) {
     global $CFG;
 
     if (NO_MOODLE_COOKIES) {
         return;
     }
 
-    if ($thing == 'guest') {  // Ignore guest account
+    if ($username === 'guest') {
+        // keep previous cookie in case of guest account login
         return;
     }
 
     $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
 
-    $days = 60;
-    $seconds = DAYSECS*$days;
-
+    // delete old cookie
     setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
-    setcookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
+
+    if ($username !== '') {
+        // set username cookie for 60 days
+        setcookie($cookiename, rc4encrypt($username), time()+(DAYSECS*60), $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
+    }
 }
 
 /**
- * Gets a moodle cookie with a weakly encrypted string
+ * Gets a moodle cookie with a weakly encrypted username
  *
- * @uses $CFG
- * @return string
+ * @return string username
  */
 function get_moodle_cookie() {
     global $CFG;
@@ -857,8 +857,12 @@ function get_moodle_cookie() {
     if (empty($_COOKIE[$cookiename])) {
         return '';
     } else {
-        $thing = rc4decrypt($_COOKIE[$cookiename]);
-        return ($thing == 'guest') ? '': $thing;  // Ignore guest account
+        $username = rc4decrypt($_COOKIE[$cookiename]);
+        if ($username === 'guest' or $username === 'nobody') {
+            // backwards compatibility - we do not set these cookies any more
+            return '';
+        }
+        return $username;
     }
 }
 

diff --git a/login/index.php b/login/index.php
@@ -28,7 +28,7 @@
 
 redirect_if_major_upgrade_required();
 
-$testcookies = optional_param('testcookies', 0, PARAM_BOOL); // request cookie test
+$testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
 $cancel      = optional_param('cancel', 0, PARAM_BOOL);      // redirect to frontpage, needed for loginhttps
 
 if ($cancel) {
@@ -47,6 +47,23 @@
 $errormsg = '';
 $errorcode = 0;
 
+// login page requested session test
+if ($testsession) {
+    if ($testsession == $USER->id) {
+        if (isset($SESSION->wantsurl)) {
+            $urltogo = $SESSION->wantsurl;
+        } else {
+            $urltogo = $CFG->wwwroot.'/';
+        }
+        unset($SESSION->wantsurl);
+        redirect($urltogo);
+    } else {
+        // TODO: try to find out what is the exact reason why sessions do not work
+        $errormsg = get_string("cookiesnotenabled");
+        $errorcode = 1;
+    }
+}
+
 /// Check for timed out sessions
 if (!empty($SESSION->has_timed_out)) {
     $session_has_timed_out = true;
@@ -94,12 +111,7 @@
 
 /// Check if the user has actually submitted login data to us
 
-if (empty($CFG->usesid) and $testcookies and (get_moodle_cookie() == '')) {    // Login without cookie when test requested
-
-    $errormsg = get_string("cookiesnotenabled");
-    $errorcode = 1;
-
-} else if ($frm and isset($frm->username)) {                             // Login WITH cookies
+if ($frm and isset($frm->username)) {                             // Login WITH cookies
 
     $frm->username = trim(moodle_strtolower($frm->username));
 
@@ -168,7 +180,7 @@
     /// Let's get them all set up.
         add_to_log(SITEID, 'user', 'login', "view.php?id=$USER->id&course=".SITEID,
                    $user->id, 0, $user->id);
-        complete_user_login($user);
+        complete_user_login($user, true); // sets the username cookie
 
     /// Prepare redirection
         if (user_not_fully_set_up($USER)) {
@@ -223,9 +235,9 @@
 
         reset_login_count();
 
-        redirect($urltogo);
-
-        exit;
+        // test the session actually works by redirecting to self
+        $SESSION->wantsurl = $urltogo;
+        redirect(new moodle_url(get_login_url(), array('testsession'=>$USER->id)));
 
     } else {
         if (empty($errormsg)) {
@@ -278,10 +290,6 @@
 
 /// Generate the login page with forms
 
-if (get_moodle_cookie() == '') {
-    set_moodle_cookie('nobody');   // To help search for cookies
-}
-
 if (empty($frm->username) && $authsequence[0] != 'shibboleth') {  // See bug 5184
     if (!empty($_GET["username"])) {
         $frm->username = $_GET["username"];

diff --git a/login/index_form.html b/login/index_form.html
@@ -11,7 +11,7 @@
   if (($CFG->registerauth == 'email') || !empty($CFG->registerauth)) { ?>
       <div class="skiplinks"><a class="skip" href="signup.php"><?php print_string("tocreatenewaccount"); ?></a></div>
 <?php
-  } ?>       
+  } ?>
     <h2><?php print_string("returningtosite") ?></h2>
       <div class="subcontent loginsub">
         <div class="desc">
@@ -42,7 +42,6 @@ <h2><?php print_string("returningtosite") ?></h2>
             <div class="form-input">
               <input type="password" name="password" id="password" size="15" value="" />
               <input type="submit" id="loginbtn" value="<?php print_string("login") ?>" />
-              <input type="hidden" name="testcookies" value="1" />
               <div class="forgetpass"><a href="forgot_password.php"><?php print_string("forgotten") ?></a></div>
             </div>
             <div class="clearer"><!-- --></div>
@@ -59,7 +58,6 @@ <h2><?php print_string("returningtosite") ?></h2>
           <div class="guestform">
             <input type="hidden" name="username" value="guest" />
             <input type="hidden" name="password" value="guest" />
-            <input type="hidden" name="testcookies" value="1" />
             <input type="submit" value="<?php print_string("loginguest") ?>" />
           </div>
         </form>