[core] have User::by_session() check session ID on the PHP side

Generating the token on the PHP side is more consistent than getting the databases to do it
Shish 2024-06-20 01:07:34 +01:00 committed by Shish
parent 8a3d5b5b11
commit 61f13c6794


@ -83,14 +83,15 @@ class User
public static function by_session(string $name, string $session): ?User public static function by_session(string $name, string $session): ?User
{ {
global $cache, $config, $database; global $cache, $config, $database;
$row = $cache->get("user-session:$name-$session"); $user = $cache->get("user-session-obj:$name-$session");
if (is_null($row)) { if (is_null($user)) {
$args = ["name" => $name, "ip" => get_session_ip($config), "sess" => $session]; $user_by_name = User::by_name($name);
$query = "SELECT * FROM users WHERE name = :name AND md5(pass || :ip) = :sess"; if($user_by_name->get_session_id() === $session) {
$row = $database->get_row($query, $args); $user = $user_by_name;
$cache->set("user-session:$name-$session", $row, 600); }
$cache->set("user-session-obj:$name-$session", $user, 600);
} }
return is_null($row) ? null : new User($row); return $user;
} }
public static function by_id(int $id): ?User public static function by_id(int $id): ?User