From 16b10f9cddca05aa2c3f63a15238c983b873bf23 Mon Sep 17 00:00:00 2001
From: christopherm
Date: Sun, 12 Nov 2006 05:34:09 +0000
Subject: creating a central Session::password_check which will allow for an upgrade from crypted passwords to md5. Fixing session timeout problem for first login. Removing some old cruft (set_cookie and more). Changing central db users_conf to remove dbconnect (which will now be generated) and to add crypted_password (which will eventually be removed).
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@520 4979c152-3d1c-0410-bac9-87ea11338e46
---
 LedgerSMB/Session/DB.pm | 66 +++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 59 insertions(+), 7 deletions(-)
(limited to 'LedgerSMB/Session')
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index 1f215b13..c38d1de1 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -23,6 +23,9 @@
 # create - creates a new session, writes cookie upon success
 #
 # destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password
+# (ver. < 1.2) and the md5 one (ver. >= 1.2)
 #====================================================================
 package Session;
@@ -112,8 +115,8 @@ sub session_create {
 $deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
- #doing the md5 and random stuff in the db so that LedgerSMB won't
- #require new perl modules (Digest::MD5 and a good random generator)
+ #doing the random stuff in the db so that LedgerSMB won't
+ #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
 $fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
 my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
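Review bot: The new header comment misspells the word as "cryted"; suggest `# password_check - compares the password with the stored crypted password`. Since the sub reads two specific columns, the parenthetical on the following line could name them so the comment maps onto the schema, e.g. `# (crypted_password, ver. < 1.2) and the md5 one (password, ver. >= 1.2)`.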
@@ -134,11 +137,6 @@ sub session_create {
 sub session_destroy {
- # Under the current architecture, this function is a bit problematic
- # %myconfig is often not defined when this function needs to be called.
- # which means that the db connection parameters are not available.
- # moving user prefs and the session table into a central db will solve this issue
-
 my ($form) = @_;
 my $login = $form->{login};
@@ -155,4 +153,58 @@ sub session_destroy {
 }
+sub password_check {
+
+ use Digest::MD5;
+
+ my ($form, $username, $password) = @_;
+
+ # use the central database handle
+ my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+ my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ FROM users as u, users_conf as uc
+ WHERE u.username = ?
+ AND u.id = uc.id;");
+
+ $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+ my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+ if ($cryptPassword){
+ #First time login from old system, check crypted password
+
+ if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
+
+ #password was good, convert to md5 password and null crypted
+ my $updatePassword = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?),
+ crypted_password = null
+ FROM users
+ WHERE users_conf.id = users.id
+ AND users.username = ?;");
+
+ $updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+ return 1;
+
+ } else {
+ return 0; #password failed
+ }
+
+ }elsif ($md5Password){
+
+ if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+ return 0;
+ }
+ else{
+ return 1;
+ }
+
+ } else {
+ #both the md5Password and cryptPasswords were blank
+ return 0;
+ }
+}
+
 1;
-- 
cgit v1.2.3
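Review bot: The upgrade path in password_check hashes the password inside PostgreSQL with `SET password = md5(?)`, while every later login hashes it in Perl with `Digest::MD5::md5_hex $password`; the two agree only if both sides see identical bytes, so a password containing non-ASCII characters may be stored under one encoding and compared under another (and md5_hex dies outright on a string holding characters above 0xFF). Hashing once in Perl and storing the result, `SET password = ?,` with `Digest::MD5::md5_hex($password)` as the first bind value, keeps conversion and verification on the same bytes. The legacy comparison `(crypt $password, substr($username, 0, 2)) eq $cryptPassword` also hard-codes the old salt convention; the standard idiom `crypt($password, $cryptPassword) eq $cryptPassword` takes the salt from the stored hash and gives the same result for DES-crypt output without depending on how the salt was originally chosen. Note that `use Digest::MD5;` placed inside the sub body still runs at compile time for the whole file, so it reads as a local import but is not; moving it next to the file's other `use` lines would make that explicit. Finally, an unsalted MD5 column offers little protection if users_conf is ever exposed, so a per-user salted scheme is worth planning for the next schema revision rather than treating md5 as the end state.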