From 16b10f9cddca05aa2c3f63a15238c983b873bf23 Mon Sep 17 00:00:00 2001
From: christopherm <christopherm@4979c152-3d1c-0410-bac9-87ea11338e46>
Date: Sun, 12 Nov 2006 05:34:09 +0000
Subject: creating a central Session::password_check which will allow for an
upgrade from crypted passwords to md5. Fixing session timeout problem for
first login. Removing some old cruft (set_cookie and more). Changing central
db users_conf to remove dbconnect (which will now be generated) and to add
crypted_password (which will eventually be removed).
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@520 4979c152-3d1c-0410-bac9-87ea11338e46
---
LedgerSMB/Session/DB.pm | 66 +++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 59 insertions(+), 7 deletions(-)
(limited to 'LedgerSMB/Session')
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index 1f215b13..c38d1de1 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -23,6 +23,9 @@
# create - creates a new session, writes cookie upon success
#
# destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password
+# (ver. < 1.2) and the md5 one (ver. >= 1.2)
#====================================================================
package Session;
@@ -112,8 +115,8 @@ sub session_create {
$deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
- #doing the md5 and random stuff in the db so that LedgerSMB won't
- #require new perl modules (Digest::MD5 and a good random generator)
+ #doing the random stuff in the db so that LedgerSMB won't
+ #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
$fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
@@ -134,11 +137,6 @@ sub session_create {
sub session_destroy {
- # Under the current architecture, this function is a bit problematic
- # %myconfig is often not defined when this function needs to be called.
- # which means that the db connection parameters are not available.
- # moving user prefs and the session table into a central db will solve this issue
-
my ($form) = @_;
my $login = $form->{login};
@@ -155,4 +153,58 @@ sub session_destroy {
}
+sub password_check {
+
+ use Digest::MD5;
+
+ my ($form, $username, $password) = @_;
+
+ # use the central database handle
+ my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+ my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ FROM users as u, users_conf as uc
+ WHERE u.username = ?
+ AND u.id = uc.id;");
+
+ $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+ my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+ if ($cryptPassword){
+ #First time login from old system, check crypted password
+
+ if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
+
+ #password was good, convert to md5 password and null crypted
+ my $updatePassword = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?),
+ crypted_password = null
+ FROM users
+ WHERE users_conf.id = users.id
+ AND users.username = ?;");
+
+ $updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+ return 1;
+
+ } else {
+ return 0; #password failed
+ }
+
+ }elsif ($md5Password){
+
+ if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+ return 0;
+ }
+ else{
+ return 1;
+ }
+
+ } else {
+ #both the md5Password and cryptPasswords were blank
+ return 0;
+ }
+}
+
1;
--
cgit v1.2.3