diff options
-rw-r--r-- | engine/lib/sessions.php | 4 | ||||
-rw-r--r-- | engine/lib/users.php | 26 | ||||
-rw-r--r-- | engine/schema/mysql.sql | 1 |
3 files changed, 17 insertions, 14 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index a47415d64..279beb107 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -80,7 +80,7 @@ // Let admins log in without validating their email, but normal users must have validated their email if ((!$user->admin) && (!$user->validated_email)) return false; - + if ($user->password == generate_user_password($user, $credentials['password'])) { return true; } @@ -102,7 +102,7 @@ function login(ElggUser $user, $persistent = false) {
global $CONFIG;
-
+
$_SESSION['user'] = $user;
$_SESSION['guid'] = $user->getGUID();
$_SESSION['id'] = $_SESSION['guid'];
diff --git a/engine/lib/users.php b/engine/lib/users.php index bbfaa4a1f..70879f9c0 100644 --- a/engine/lib/users.php +++ b/engine/lib/users.php @@ -42,7 +42,8 @@ $this->attributes['type'] = "user";
$this->attributes['name'] = "";
$this->attributes['username'] = "";
- $this->attributes['password'] = "";
+ $this->attributes['password'] = ""; + $this->attributes['salt'] = "";
$this->attributes['email'] = "";
$this->attributes['language'] = "";
$this->attributes['code'] = "";
@@ -157,7 +158,7 @@ return false;
// Now save specific stuff
- return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('email'), $this->get('language'), $this->get('code')); + return create_user_entity($this->get('guid'), $this->get('name'), $this->get('username'), $this->get('password'), $this->get('salt'), $this->get('email'), $this->get('language'), $this->get('code')); }
/**
@@ -353,20 +354,20 @@ * @param string $description
* @param string $url
*/
- function create_user_entity($guid, $name, $username, $password, $email, $language, $code)
+ function create_user_entity($guid, $name, $username, $password, $salt, $email, $language, $code)
{
- global $CONFIG;
+ global $CONFIG; - $guid = (int)$guid;
- $name = sanitise_string($name);
- $username = sanitise_string($username);
- $password = sanitise_string($password);
+ $guid = (int)$guid;
+ $name = sanitise_string($name);
+ $username = sanitise_string($username);
+ $password = sanitise_string($password); + $salt = sanitise_string($salt);
$email = sanitise_string($email);
$language = sanitise_string($language);
$code = sanitise_string($code);
$row = get_entity_as_row($guid);
-
if ($row)
{
// Exists and you have access to it @@ -387,7 +388,7 @@ else { // Update failed, attempt an insert. - $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, email, language, code) values ($guid, '$name', '$username', '$password', '$email', '$language', '$code')"); + $result = insert_data("INSERT into {$CONFIG->dbprefix}users_entity (guid, name, username, password, salt, email, language, code) values ($guid, '$name', '$username', '$password', '$salt', '$email', '$language', '$code')"); if ($result!==false) { $entity = get_entity($guid); if (trigger_elgg_event('create',$entity->type,$entity)) { @@ -960,7 +961,7 @@ */ function generate_random_cleartext_password() { - return substr(md5(microtime()), 0, 8); + return substr(md5(microtime() . rand()), 0, 8); } /** @@ -973,7 +974,7 @@ */ function generate_user_password(ElggUser $user, $password) { - return md5($password); + return md5($password . $user->salt); } /**
@@ -1013,6 +1014,7 @@ $user->email = $email;
$user->name = $name;
$user->access_id = 2; + $user->salt = generate_random_cleartext_password(); // Note salt generated before password! $user->password = generate_user_password($user, $password);
$user->save();
diff --git a/engine/schema/mysql.sql b/engine/schema/mysql.sql index 31d981e98..0599495c8 100644 --- a/engine/schema/mysql.sql +++ b/engine/schema/mysql.sql @@ -124,6 +124,7 @@ CREATE TABLE `prefix_users_entity` ( `name` text NOT NULL,
`username` varchar(12) NOT NULL default '',
`password` varchar(32) NOT NULL default '',
+ `salt` varchar(8) NOT NULL default '',
`email` text NOT NULL,
`language` varchar(6) NOT NULL default '',
`code` varchar(32) NOT NULL default '',
|