GH-150 Use new session validator code in CheckUserSessionCookie()
mdziekon committed Feb 5, 2021
1 parent 7aa9275 commit d42fc69
Showing 2 changed files with 60 additions and 56 deletions.
114 changes: 59 additions & 55 deletions includes/functions/CheckUserSessionCookie.php
Expand Up @@ -2,6 +2,11 @@

use UniEngine\Engine\Includes\Helpers\Users;

// TODO: Replace with better method of inclusion
include_once($_EnginePath . 'modules/session/_includes.php');

use UniEngine\Engine\Modules\Session;

// TODO: Do not store this like this, it's ugly...
function setPreviousLastIPValue(&$user) {
global $_InMem_CheckUserSessionCookie_PreviousLastIP;
Expand All @@ -17,71 +22,70 @@ function getPreviousLastIPValue() {

function CheckUserSessionCookie()
{
global $_GameConfig, $_EnginePath, $_Lang, $_DontShowMenus;
global $_Lang, $_DontShowMenus;

$Init['$_DontShowMenus'] = $_DontShowMenus;
$_DontShowMenus = true;

$UserRow = false;

require($_EnginePath.'config.php');
$userRow = false;

$sessionCookieKey = getSessionCookieKey();

if(isset($_COOKIE[$sessionCookieKey]))
{
$TheCookie = explode('/%/', $_COOKIE[$sessionCookieKey]);
$TheCookie[0] = intval($TheCookie[0]);
if($TheCookie[0] <= 0)
{
includeLang('cookies');
message($_Lang['cookies']['Error1'], $_Lang['cookies']['Title']);
}
$Query_GetUser = '';
$Query_GetUser .= "SELECT `user`.*, `stats`.`total_rank`, `stats`.`total_points`, `ally`.`ally_name`, `ally`.`ally_owner`, `ally`.`ally_ranks`, `ally`.`ally_ChatRoom_ID` ";
$Query_GetUser .= "FROM {{table}} AS `user` ";
$Query_GetUser .= "LEFT JOIN `{{prefix}}statpoints` AS `stats` ON `user`.`id` = `stats`.`id_owner` AND `stats`.`stat_type` = '1' ";
$Query_GetUser .= "LEFT JOIN `{{prefix}}alliance` AS `ally` ON `ally`.`id` = `user`.`ally_id` ";
$Query_GetUser .= "WHERE `user`.`id` = {$TheCookie[0]} LIMIT 1;";
$SQLResult_GetUser = doquery($Query_GetUser, 'users');

// Check if User exists
if($SQLResult_GetUser->num_rows != 1)
{
includeLang('cookies');
message($_Lang['cookies']['Error2'], $_Lang['cookies']['Title']);
}
$UserRow = $SQLResult_GetUser->fetch_assoc();
if (Session\Utils\Cookie\hasSessionCookie()) {
$verificationResult = Session\Utils\Cookie\verifySessionCookie([
'userEntityFetcher' => function ($fetcherParams) {
$userId = $fetcherParams['userId'];

// Check if Password is correct
if(!isset($__ServerConnectionSettings['secretword']))
{
$__ServerConnectionSettings['secretword'] = '';
}
if(md5("{$UserRow['password']}--{$__ServerConnectionSettings['secretword']}") !== $TheCookie[2])
{
$Query_GetUser = '';
$Query_GetUser .= "SELECT `user`.*, `stats`.`total_rank`, `stats`.`total_points`, `ally`.`ally_name`, `ally`.`ally_owner`, `ally`.`ally_ranks`, `ally`.`ally_ChatRoom_ID` ";
$Query_GetUser .= "FROM {{table}} AS `user` ";
$Query_GetUser .= "LEFT JOIN `{{prefix}}statpoints` AS `stats` ON `user`.`id` = `stats`.`id_owner` AND `stats`.`stat_type` = '1' ";
$Query_GetUser .= "LEFT JOIN `{{prefix}}alliance` AS `ally` ON `ally`.`id` = `user`.`ally_id` ";
$Query_GetUser .= "WHERE `user`.`id` = {$userId} LIMIT 1;";

return doquery($Query_GetUser, 'users');
},
]);

if (!$verificationResult['isSuccess']) {
includeLang('cookies');
message($_Lang['cookies']['Error3'], $_Lang['cookies']['Title']);

$errorMessage = 'UNKNOWN_ERROR';

switch ($verificationResult['error']['code']) {
case 'INVALID_USER_ID':
$errorMessage = $_Lang['cookies']['Error1'];
break;
case 'USER_NOT_FOUND':
$errorMessage = $_Lang['cookies']['Error2'];
break;
case 'INVALID_PASSWORD':
$errorMessage = $_Lang['cookies']['Error3'];
break;
}

message($errorMessage, $_Lang['cookies']['Title']);
}

setPreviousLastIPValue($UserRow);
$rawCookieValue = $verificationResult['payload']['rawCookieValue'];
$sessionData = $verificationResult['payload']['sessionData'];
$userRow = $verificationResult['payload']['userEntity'];

$NextCookie = implode('/%/', $TheCookie);
if($TheCookie[3] == 1)
{
setPreviousLastIPValue($userRow);

if ($sessionData['isRememberMeActive']) {
$ExpireTime = time() + 31536000;
}
else
{
} else {
$ExpireTime = 0;
}

if(!isset($_COOKIE['var_1124']) || !preg_match('/^[0-9]{1,4}\_[0-9]{1,4}\_[0-9]{1,3}$/D', $_COOKIE['var_1124']))
{
if (
!isset($_COOKIE['var_1124']) ||
!preg_match('/^[0-9]{1,4}\_[0-9]{1,4}\_[0-9]{1,3}$/D', $_COOKIE['var_1124'])
) {
$_COOKIE['var_1124'] = '';
}
else
{
$UserRow['new_screen_settings'] = $_COOKIE['var_1124'];
} else {
$userRow['new_screen_settings'] = $_COOKIE['var_1124'];
}

$Query_UpdateUser = '';
Expand All @@ -91,18 +95,18 @@ function CheckUserSessionCookie()
$Query_UpdateUser .= "`user_lastip` = '" . (Users\Session\getCurrentIP()) . "', ";
$Query_UpdateUser .= "`user_agent` = '" . (getDBLink()->escape_string($_SERVER['HTTP_USER_AGENT'])) . "', ";
$Query_UpdateUser .= "`screen_settings` = '".preg_replace('#[^0-9\_]{1,}#si', '', $_COOKIE['var_1124'])."' ";
$Query_UpdateUser .= "WHERE `id` = {$TheCookie[0]} LIMIT 1;";
$Query_UpdateUser .= "WHERE `id` = {$userRow['id']} LIMIT 1;";
doquery($Query_UpdateUser, 'users');

Tasks_CheckUservar($UserRow);
Tasks_CheckUservar($userRow);

setcookie($sessionCookieKey, FALSE, 0, '/', '.'.GAMEURL_DOMAIN);
setcookie($sessionCookieKey, $NextCookie, $ExpireTime, '/', '', false, true);
setcookie($sessionCookieKey, FALSE, 0, '/', '.' . GAMEURL_DOMAIN);
setcookie($sessionCookieKey, $rawCookieValue, $ExpireTime, '/', '', false, true);
}
unset($__ServerConnectionSettings);

$_DontShowMenus = $Init['$_DontShowMenus'];

return $UserRow;
return $userRow;
}

?>
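Review bot: The `userEntityFetcher` closure interpolates `$userId` straight into ``WHERE `user`.`id` = {$userId}``, whereas the removed code ran `intval()` on the cookie field immediately before building the query; whether `verifySessionCookie()` has already coerced the value to an integer cannot be seen from this hunk, so the fetcher should not depend on it — `$userId = (int) $fetcherParams['userId'];` keeps the query safe regardless of what the validator hands back. Separately, `require($_EnginePath.'config.php')` and the `$__ServerConnectionSettings['secretword']` checks appear to have been dropped, yet `unset($__ServerConnectionSettings);` near the end of the function remains as a dead leftover and can be removed. The re-issued session cookie is still written with `secure` set to false and no SameSite attribute (`setcookie($sessionCookieKey, $rawCookieValue, $ExpireTime, '/', '', false, true)`); that is pre-existing rather than introduced here, but since this commit rewrites that line it is a good moment to pass `true` for `secure` wherever the game is served over HTTPS.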
2 changes: 1 addition & 1 deletion login.php
Expand Up @@ -194,7 +194,7 @@
includeLang('login');
}

include($_EnginePath . 'modules/session/_includes.php');
include_once($_EnginePath . 'modules/session/_includes.php');

use UniEngine\Engine\Modules\Session;

