Make remembered sessions actually save themselves.

Also clean up a notice in index.php

Signed-off-by: Loui Chang <louipc.ist@gmail.com>

3 files changed, 27 insertions, 9 deletions

diff --git a/web/html/index.php b/web/html/index.php
index c7847f25..a712e4d1 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -11,6 +11,7 @@ set_lang();
 check_sid();
 
 html_header( __("Home") );
+
 $dbh = db_connect();
 
 ?>
@@ -56,8 +57,8 @@ echo __(
 </td>
 <td class='boxSoft' valign='top'>
 <?php
-$user = username_from_sid($_COOKIE["AURSID"]);
-if (!empty($user)) {
+if (!empty($_COOKIE["AURSID"])) {
+	$user = username_from_sid($_COOKIE["AURSID"]);
 	user_table($user, $dbh);
 	echo '<br />';
 }
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index d0b6b0ac..a8492577 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -632,24 +632,32 @@ function try_login() {
 				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
 				  ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())";
 				$result = db_query($q, $dbh);
+
 				# Query will fail if $new_sid is not unique
-				#
 				if ($result) {
 					$logged_in = 1;
 					break;
 				}
+
 				$num_tries++;
 		        }
+
 			if ($logged_in) {
 				# set our SID cookie
 
-				if ($_POST['remember_me'] == "on")
+				if ($_POST['remember_me'] == "on") {
 					# Set cookies for 30 days.
 					$cookie_time = time() + (60 * 60 * 24 * 30);
+
+					# Set session for 30 days.
+					$q = "UPDATE Sessions SET LastUpdateTS = $cookie_time ";
+					$q.= "WHERE SessionID = '$new_sid'";
+					db_query($q, $dbh);
+				}
 				else
 					$cookie_time = 0;
+
 				setcookie("AURSID", $new_sid, $cookie_time, "/");
-#				header("Location: /index.php");
 				header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
 				$login_error = "";
 
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index d08ff0ca..e43ddf62 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -86,10 +86,12 @@ function check_sid() {
 			$failed = 1;
 		} else {
 			$row = mysql_fetch_row($result);
-			if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) {
+			$last_update = $row[0];
+			if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
 				$failed = 2;
 			}
 		}
+
 		if ($failed == 1) {
 			# clear out the hacker's cookie, and send them to a naughty page
 			# why do you have to be so harsh on these people!?
@@ -110,10 +112,17 @@ function check_sid() {
 		} else {
 			# still logged in and haven't reached the timeout, go ahead
 			# and update the idle timestamp
+
+			# Only update the timestamp if it is less than the
+			# current time plus $LOGIN_TIMEOUT.
 			#
-			$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
-			$q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
-			db_query($q, $dbh);
+			# This keeps 'remembered' sessions from being
+			# overwritten.
+			if ($last_update < time() + $LOGIN_TIMEOUT) {
+				$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
+				$q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'";
+				db_query($q, $dbh);
+			}
 		}
 	}
 	return;