From 788e94b41f8124a05c6f25bf3084fcdaa36f4d63 Mon Sep 17 00:00:00 2001
From: "bbaetz%student.usyd.edu.au" <>
Date: Mon, 4 Feb 2002 20:23:04 +0000
Subject: Bug 95732 - remove logincookies.cryptpassword, and invalidate cookies from the db when required instead. (Also fixes bug 58242 as a side effect) r=myk, kiko
---
 relogin.cgi | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+) (limited to 'relogin.cgi')
diff --git a/relogin.cgi b/relogin.cgi
index 091a96e8d..a0ec4f105 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -29,6 +29,25 @@ use lib qw(.);
 require "CGI.pl";
+# We don't want to remove a random logincookie from the db, so
+# call quietly_check_login. If we're logged in after this, then
+# the logincookie must be correct
+
+ConnectToDatabase();
+quietly_check_login();
+
+if ($::userid) {
+ # Even though we know the userid must match, we still check it in the
+ # SQL as a sanity check, since there is no locking here, and if
+ # the user logged out from two machines simulataniously, while someone
+ # else logged in and got the same cookie, we could be logging the
+ # other user out here. Yes, this is very very very unlikely, but why
+ # take chances? - bbaetz
+ SendSQL("DELETE FROM logincookies WHERE cookie = " .
+ SqlQuote($::COOKIE{"Bugzilla_logincookie"}) .
+ "AND userid = $::userid");
+}
+
 my $cookiepath = Param("cookiepath");
 print "Set-Cookie: Bugzilla_login= ; path=$cookiepath; expires=Sun, 30-Jun-80 00:00:00 GMT
 Set-Cookie: Bugzilla_logincookie= ; path=$cookiepath; expires=Sun, 30-Jun-80 00:00:00 GMT
--
cgit v1.2.3-24-g4f1b
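Review bot: The last fragment of the SendSQL() call, `"AND userid = $::userid"`, has no leading space, so the statement is assembled as `cookie = <quoted value>AND userid = ...`, directly after whatever SqlQuote() returns. Whether that parses depends on SqlQuote()'s output ending in a quote character and on the database's tokenizer; writing `" AND userid = $::userid"` removes that dependency. The untrusted cookie value correctly goes through SqlQuote(), but `$::userid` is interpolated raw, which is safe only as long as quietly_check_login() (not visible in this hunk) always sets it to an integer taken from the database. A one-line comment stating that assumption, e.g. `# $::userid is set by quietly_check_login() from the db, never from the request`, would make the invariant explicit for the next reader.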