Minor bug in Login2()

snoopy_virtual · August 09, 2015, 07:09:53 AM

There is something I don't understand in the file LogInOut.php

Find:


	elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600))
		$modSettings['cookieTime'] = (int) $_POST['cookielength'];

Anybody can explain to me why is there an OR instead of an AND?

I mean, shouldn't it be this instead:

Code Select


	elseif (!empty($_POST['cookielength']) && $_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 525600)
		$modSettings['cookieTime'] = (int) $_POST['cookielength'];

It looks like a mistake to me.

Kindred · August 09, 2015, 09:33:37 AM

no... I think that or is correct in this code...

JBlaze · August 09, 2015, 09:50:28 AM

Code Select

	elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600))
		$modSettings['cookieTime'] = (int) $_POST['cookielength'];

That statement will always be true, so long as $_POST['cookielength'] is set. The way it reads now, all I can see is

Code Select

	elseif (!empty($_POST['cookielength']))
		$modSettings['cookieTime'] = (int) $_POST['cookielength'];

I think OP has a point, and this needs to be looked at.

Oldiesmann · August 09, 2015, 02:54:03 PM

It's definitely weird...

Code Select

	if (isset($_POST['cookieneverexp']) || (!empty($_POST['cookielength']) && $_POST['cookielength'] == -1))
		$modSettings['cookieTime'] = 3153600;
	elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600))
		$modSettings['cookieTime'] = (int) $_POST['cookielength']

I'm not entirely sure what we're trying to accomplish here. If we tell it to keep us logged in permanently or $_POST['cookielength'] is set to -1, we set the cookie time to 3153600 (36.5 days or 1/10th of a year). Otherwise, as long as it's set and not less than 1, any value will be accepted. I'll have to dig into this a bit further and see if I can figure it out before making any code changes.

snoopy_virtual · August 09, 2015, 03:06:39 PM

Quote from: Oldiesmann on August 09, 2015, 02:54:03 PM
... we set the cookie time to 3153600 (36.5 days or 1/10th of a year). ...

Not really.

$modSettings['cookieTime'] and $_POST['cookielength'] is the time we want to stay logged in minutes, not seconds.

live627 · August 09, 2015, 04:45:56 PM

Quote from: snoopy_virtual on August 09, 2015, 07:09:53 AM
I mean, shouldn't it be this instead:

Code Select Expand
elseif (!empty($_POST['cookielength']) && $_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 525600) $modSettings['cookieTime'] = (int) $_POST['cookielength'];

It looks like a mistake to me.

Quite possible. It looks to me like it's supposed to check a range.

JBlaze · August 11, 2015, 02:43:35 AM

Tracked: https://github.com/SimpleMachines/SMF2.1/issues/2969

live627 · August 11, 2015, 03:23:40 AM

Thanks.

Ninja ZX-10RR · August 11, 2015, 12:22:29 PM

What about 2.0.11, if any? Can this be investigated and included?

Kindred · August 11, 2015, 12:58:01 PM

Mayne... we will see when 2,0,11 is even considered

nend · November 25, 2015, 01:22:03 AM

Quote from: Oldiesmann on August 09, 2015, 02:54:03 PM
It's definitely weird...

Code Select Expand
if (isset($_POST['cookieneverexp']) || (!empty($_POST['cookielength']) && $_POST['cookielength'] == -1)) $modSettings['cookieTime'] = 3153600; elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 || $_POST['cookielength'] <= 525600)) $modSettings['cookieTime'] = (int) $_POST['cookielength']

I'm not entirely sure what we're trying to accomplish here. If we tell it to keep us logged in permanently or $_POST['cookielength'] is set to -1, we set the cookie time to 3153600 (36.5 days or 1/10th of a year). Otherwise, as long as it's set and not less than 1, any value will be accepted. I'll have to dig into this a bit further and see if I can figure it out before making any code changes.

Actually a value of 0 would be acceptable. Just break the or into two ifs. The encapsulation with the or means only one has to be true. Should be a and in there unless it is always wanted to return true, I doubt.

Code Select


if (!empty($_POST['cookielength']) && $_POST['cookielength'] >= 1)
	$modSettings['cookieTime'] = (int) $_POST['cookielength'];

if (!empty($_POST['cookielength']) && $_POST['cookielength'] <= 525600)
	$modSettings['cookieTime'] = (int) $_POST['cookielength'];

live627 · November 26, 2015, 03:48:17 PM

Wouldn't thew cookie be unset if it's length be zero?

Also, I addressed this in https://github.com/SimpleMachines/SMF2.1/commit/d40e65dff125e40b3c95b20d479e8d926854903b

nend · November 27, 2015, 08:57:17 AM

I don't see why SMF even gives the user the option to enter a value at login.

I haven't visited a site that allows configuration of the cookie length by time. Most sites give, browsing from public or private computer, options which set the lenght accordingly.

Either way is fine though.

Kindred · November 27, 2015, 09:08:49 AM

and what is "the length accordingly"?

If I am going to be on a public PC for an hour, I'll set my session length... if I am going to be on for 2 hours, I will as well...

Would you force people to expire sessions in the middle of a browse just because you think they should only be online for 30 minutes at a time from a public computer?

I much prefer the SMF way

nend · November 27, 2015, 02:15:24 PM

Quote from: Kindred on November 27, 2015, 09:08:49 AM
and what is "the length accordingly"?

If I am going to be on a public PC for an hour, I'll set my session length... if I am going to be on for 2 hours, I will as well...

Would you force people to expire sessions in the middle of a browse just because you think they should only be online for 30 minutes at a time from a public computer?

I much prefer the SMF way

I don't know what sites you must be visiting but the most common method is to renew the length with activity. Say the renewal is a lease, every time you do some sort of activity your lease is pushed back 10 minutes.

This way you don't have to be worried about being logged off after x amount of time, just as long as your active. Then when you leave the machine your cookie will expire.

Kindred · November 27, 2015, 07:00:45 PM

Meh... I prefer the fixed session length... Besides that pushing the cookie back is more code.

live627 · November 27, 2015, 07:18:16 PM

Quoteand what is "the length accordingly"?

"remember me on this computer"

QuoteI much prefer the SMF way

ironyyyyy

QuoteBesides that pushing the cookie back is more code

I agree that one line of code is a lot of work (sarcasm)

#sessiongate

nend · November 28, 2015, 01:31:45 AM

Quote from: Kindred on November 27, 2015, 07:00:45 PMmore code.

More code!, Did you say, MORE CODE!
CODE, your speaking my language.
CODE, I can deal with.
CODE, easy as 123.
CODE, we can build it yes we can. ♪

More code isn't necessarily bad, it is how it is coded. However in this case we are talking about cookies and maybe at most a few line edits. I am not proposing it as a feature request, meh what do I care, if I need it I can build it.

JBlaze · November 28, 2015, 07:27:33 AM

I prefer sessions only last until either the browser is closed, or a user clicks "logout". But still, to each their own.

News:

Minor bug in Login2()