Textpattern CMS support forum
Shouldn't logging out destroy current session key/hash (nonce)
As we know, every time you log into Textpattern, you are given a new session key (nonce). But shouldn’t that also happen when logging out?
As far as I see it, it shouldn’t cause any new issues, but it will further improve the security of the nonce and will make any leftover cookie completely useless. For example, in a case where the browser doesn’t trash the cookie as directed (etc.).
Re: Shouldn't logging out destroy current session key/hash (nonce)
Oh, yeah. I could probably suggest a patch too. Something like this could kinda possibly serve the purpose.
--- development/4.x/textpattern/include/txp_auth.php 2011-06-13 14:07:50.000000000 +0300
+++ development/4.x/textpattern/include/txp_auth.php 2011-06-13 14:22:37.000000000 +0300
@@ -184,13 +184,29 @@
setcookie('txp_login', '', time()-3600);
setcookie('txp_login_public', '', time()-3600, $pub_path);
}
- elseif ($c_userid and strlen($c_hash) == 32) // cookie exists
+
+ if ($c_userid and strlen($c_hash) == 32) // cookie exists
{
$nonce = safe_field('nonce', 'txp_users', "name='".doSlash($c_userid)."' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");
if ($nonce and $nonce === md5($c_userid.pack('H*', $c_hash)))
{
- // cookie is good, create $txp_user
+ // cookie is good, create $txp_user or log out
+
+ if ($logout)
+ {
+ $c_hash = md5(uniqid(mt_rand(), TRUE));
+ $nonce = md5($name.pack('H*',$c_hash));
+
+ safe_update(
+ 'txp_users',
+ "nonce = '".doSlash($nonce)."'",
+ "name = '".doSlash($c_userid)."'"
+ );
+
+ return '';
+ }
+
$txp_user = $c_userid;
return '';
}
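Review bot: In the new logout branch, `$nonce = md5($name.pack('H*',$c_hash));` derives the replacement nonce from `$name`, while every other line of the hunk identifies the user by `$c_userid` (the `safe_field` lookup at the top and the `safe_update` WHERE clause); unless `$name` is populated from the login form on this code path, the nonce is built from a different, possibly empty, value. Since the only goal is to make the old cookie stop matching, any fresh value does the job, but for consistency with the login path it should read `$nonce = md5($c_userid.pack('H*', $c_hash));`. The fresh `$c_hash` is correctly never sent back to the client (the `txp_login` cookie is already expired by the `setcookie` calls above), and the early `return ''` before `$txp_user` is assigned leaves the request unauthenticated as intended.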
Edit: patch, not path. Stupid auto-correction, lol.
Last edited by Gocom (2011-06-13 11:42:19)
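To show the effect the opening post asks for and the patch above implements, here is an added stand-alone model of the txp_login cookie check (not Textpattern's own code): it keeps a hypothetical in-memory `$txp_users` array in place of `safe_field()`/`safe_update()`, mints the nonce the way the patch does, and rotates it on logout so a leftover cookie no longer validates.

```php
<?php
// Added example, not Textpattern code. $txp_users stands in for the txp_users
// table; only the 'nonce' column matters for this demonstration.
$txp_users = ['admin' => ['nonce' => null]];

// Login: mint a random 32-hex-char hash for the cookie and store the nonce
// derived from it, exactly as the patched txp_auth.php does.
function login(array &$users, string $name): string
{
    $c_hash = md5(uniqid(mt_rand(), true));               // cookie value
    $users[$name]['nonce'] = md5($name . pack('H*', $c_hash));
    return $c_hash;                                        // goes into txp_login
}

// Cookie validation as in the hunk: user must exist, hash must be 32 chars,
// and the stored nonce must equal md5(userid . raw 16 bytes of the hash).
function validate_cookie(array $users, string $c_userid, string $c_hash): bool
{
    if (!isset($users[$c_userid]) || strlen($c_hash) !== 32) {
        return false;
    }
    $nonce = $users[$c_userid]['nonce'];
    return $nonce !== null && $nonce === md5($c_userid . pack('H*', $c_hash));
}

// Logout: overwrite the stored nonce with one derived from a fresh random
// hash that is never sent to the client, so the old cookie cannot match.
function logout(array &$users, string $c_userid): void
{
    $fresh = md5(uniqid(mt_rand(), true));
    $users[$c_userid]['nonce'] = md5($c_userid . pack('H*', $fresh));
}

$cookie = login($txp_users, 'admin');
echo 'after login:  ', validate_cookie($txp_users, 'admin', $cookie) ? 'valid' : 'invalid', PHP_EOL;
logout($txp_users, 'admin');
echo 'after logout: ', validate_cookie($txp_users, 'admin', $cookie) ? 'valid' : 'invalid', PHP_EOL;
```

Without the rotation in `logout()`, the second check would still succeed for as long as the row's last_access window allows, which is exactly the leftover-cookie case the thread is about.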
Re: Shouldn't logging out destroy current session key/hash (nonce)
Thanks, Jukka. Committed in r3571.