Diffstat (limited to 'app/class/Modeluser.php')
-rw-r--r--app/class/Modeluser.php20
1 files changed, 12 insertions, 8 deletions
diff --git a/app/class/Modeluser.php b/app/class/Modeluser.php
index 3f51920..9ee04ba 100644
--- a/app/class/Modeluser.php
+++ b/app/class/Modeluser.php
@@ -43,15 +43,19 @@ class Modeluser extends Modeldb
return $user;
}
- if(isset($_COOKIE['authtoken'])) {
+ if(isset($_COOKIE['authtoken']) && strpos($_COOKIE['authtoken'], ':')) {
+ list($cookietoken, $cookiemac) = explode(':', $_COOKIE['authtoken']);
$authtokenmanager = new Modelauthtoken();
- $token = $authtokenmanager->getbytoken($_COOKIE['authtoken']);
- if ($token !== false) {
- $user = $this->get($token->user);
- if ($user !== false) {
- $this->writesession($user, $_COOKIE['authtoken']);
+ $dbtoken = $authtokenmanager->getbytoken($cookietoken);
+
+ if ($dbtoken !== false) {
+ if(hash_equals($cookiemac, secrethash($dbtoken->getId()))) {
+ $user = $this->get($dbtoken->user);
+ if ($user !== false) {
+ $this->writesession($user, $_COOKIE['authtoken']);
+ }
+ return $user;
}
- return $user;
}
}
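Review bot: The `hash_equals` call on the new MAC-check line passes the arguments in the wrong order: the first parameter is documented as the known (server-side) string and the second as the user-supplied one, so it should read `if(hash_equals(secrethash($dbtoken->getId()), $cookiemac)) {`; with the cookie value first, the length of the attacker-controlled string drives the early length mismatch path. The new guard `strpos($_COOKIE['authtoken'], ':')` also relies on truthiness, so a cookie whose first character is `:` is silently rejected rather than reaching `explode`; `strpos(...) !== false` (or `str_contains`) states the intent and keeps the split from ever producing a single-element array for `list()`. Whether `secrethash($dbtoken->getId())` is the value that was originally issued alongside the token cannot be confirmed from this hunk, so the MAC construction should be checked against the code that sets the cookie. The enclosing method starts before this hunk.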
@@ -70,7 +74,7 @@ class Modeluser extends Modeldb
/**
- * @return array list of User objects
+ * @return User[] associative array of User objects `id => User`
*/
public function getlister()
{