some http auth fixes
parent
81dde650b6
commit
f557cd78ff
3 changed files with 63 additions and 32 deletions
|
@ -606,6 +606,8 @@
|
|||
db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
|
||||
$_SESSION["uid"]);
|
||||
|
||||
initialize_user_prefs($link, $_SESSION["uid"]);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -613,27 +615,6 @@
|
|||
|
||||
}
|
||||
|
||||
function http_authenticate_user($link, $force_logout) {
|
||||
|
||||
if (!$_SERVER['PHP_AUTH_USER'] || $force_logout) {
|
||||
|
||||
if ($force_logout) logout_user();
|
||||
|
||||
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
print "<h1>401 Unathorized</h1>";
|
||||
|
||||
exit;
|
||||
|
||||
} else {
|
||||
|
||||
$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
|
||||
$password = db_escape_string($_SERVER['PHP_AUTH_PW']);
|
||||
|
||||
return authenticate_user($link, $login, $password);
|
||||
}
|
||||
}
|
||||
|
||||
function make_password($length = 8) {
|
||||
|
||||
$password = "";
|
||||
|
@ -672,9 +653,6 @@
|
|||
}
|
||||
|
||||
function logout_user() {
|
||||
$_SESSION["uid"] = null;
|
||||
$_SESSION["name"] = null;
|
||||
$_SESSION["access_level"] = null;
|
||||
session_destroy();
|
||||
}
|
||||
|
||||
|
@ -687,8 +665,23 @@
|
|||
exit;
|
||||
}
|
||||
} else {
|
||||
if (!http_authenticate_user($link, false)) {
|
||||
if (!$_SESSION["uid"]) {
|
||||
if (!$_SERVER["PHP_AUTH_USER"]) {
|
||||
|
||||
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
exit;
|
||||
|
||||
} else {
|
||||
$auth_result = authenticate_user($link,
|
||||
$_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
|
||||
|
||||
if (!$auth_result) {
|
||||
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
|
||||
header('HTTP/1.0 401 Unauthorized');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
|
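Review bot: In the `@ -687,8 +665,23` hunk the new call `authenticate_user($link, $_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])` passes the Basic-auth values unescaped, whereas the `http_authenticate_user` helper in the `@ -613,27 +615,6` hunk, which this commit appears to remove, ran both through `db_escape_string` first. The body of `authenticate_user` is not visible here, but the `db_query` call in the first hunk builds its SQL by concatenation, so if the login lookup does the same, attacker-controlled header data reaches the query before any authentication has happened. Unless `authenticate_user` escapes its arguments itself, keep the escaping at the call site, e.g. `$login = db_escape_string($_SERVER["PHP_AUTH_USER"]);`, or preferably move it into `authenticate_user` so that every caller is covered. Separately, `!$_SERVER["PHP_AUTH_USER"]` reads a key that is absent on the first unauthenticated request; `empty($_SERVER["PHP_AUTH_USER"])` tests the same thing without the notice. The enclosing function starts and ends outside the hunk.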
26
logout.php
26
logout.php
|
@ -8,7 +8,25 @@
|
|||
|
||||
if (!USE_HTTP_AUTH) {
|
||||
header("Location: login.php");
|
||||
} else {
|
||||
header("Location: tt-rss.php");
|
||||
}
|
||||
?>
|
||||
} else { ?>
|
||||
|
||||
<html>
|
||||
<head>
|
||||
<title>Tiny Tiny RSS : Logout</title>
|
||||
<link rel="stylesheet" type="text/css" href="tt-rss.css">
|
||||
<body class="logoutBody">
|
||||
<div class="logoutContent">
|
||||
|
||||
<h1>You have been logged out.</h1>
|
||||
|
||||
<p><span class="logoutWarning">Warning:</span>
|
||||
As there is no way to reliably clear HTTP Authentication
|
||||
credentials from your browser, it is recommended for you to close
|
||||
this browser window, otherwise your browser could automatically
|
||||
authenticate again using previously supplied credentials, which
|
||||
is a security risk.</p>
|
||||
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
<? } ?>
|
||||
|
|
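Review bot: The closing `<? } ?>` on the last added line uses a short open tag, so where `short_open_tag` is off it is emitted as literal text and the `else {` opened above is never closed, leaving the file unparsable; `<?php } ?>` works under either setting. The added markup also never closes `<head>` before `<body class="logoutBody">`, so `</head>` should follow the `<link>` line. The code that ends the session sits above line 8, outside the hunk, so it is worth confirming that the HTTP-auth branch still destroys the session before this page is printed, because the warning text only covers the credentials cached by the browser.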
20
tt-rss.css
20
tt-rss.css
|
@ -636,3 +636,23 @@ span.insensitive {
|
|||
div.prefGenericAddBox {
|
||||
margin : 5px;
|
||||
}
|
||||
|
||||
body.logoutBody {
|
||||
background-color : #f0f0f0;
|
||||
color : black;
|
||||
}
|
||||
|
||||
span.logoutWarning {
|
||||
color : red;
|
||||
font-weight : bold;
|
||||
}
|
||||
|
||||
div.logoutContent {
|
||||
width : 600px;
|
||||
border : 1px solid #c0c0c0;
|
||||
background-color : white;
|
||||
margin-left : auto;
|
||||
margin-right : auto;
|
||||
margin-top : 20px;
|
||||
padding : 10px;
|
||||
}
|
||||
|
|