Revision | 85b519a91ce9ddf9750570990f136ec08f3c3ed6 (tree) |
---|---|
Zeit | 2019-08-16 01:25:44 |
Autor | umorigu <umorigu@gmai...> |
Commiter | umorigu |
BugTrack/2492 Fix FORM_AUTH behavior - Input credential 3 times
* Bug: Check unauthorized session without new username/password
* Improve Frontpage URL for url_after_login (Remove '?' char for top)
@@ -367,7 +367,11 @@ function basic_auth($page, $auth_enabled, $exit_on_fail, $auth_pages, $title_can | ||
367 | 367 | header('WWW-Authenticate: Basic realm="' . $_msg_auth . '"'); |
368 | 368 | header('HTTP/1.0 401 Unauthorized'); |
369 | 369 | } elseif (AUTH_TYPE_FORM === $auth_type) { |
370 | - $url_after_login = get_base_uri() . '?' . $g_query_string; | |
370 | + if (is_null($g_query_string)) { | |
371 | + $url_after_login = get_base_uri(); | |
372 | + } else { | |
373 | + $url_after_login = get_base_uri() . '?' . $g_query_string; | |
374 | + } | |
371 | 375 | $loginurl = get_base_uri() . '?plugin=loginform' |
372 | 376 | . '&page=' . rawurlencode($page) |
373 | 377 | . '&url_after_login=' . rawurlencode($url_after_login); |
@@ -375,7 +379,11 @@ function basic_auth($page, $auth_enabled, $exit_on_fail, $auth_pages, $title_can | ||
375 | 379 | header('Location: ' . $loginurl); |
376 | 380 | } elseif (AUTH_TYPE_EXTERNAL === $auth_type || |
377 | 381 | AUTH_TYPE_SAML === $auth_type) { |
378 | - $url_after_login = get_base_uri(PKWK_URI_ABSOLUTE) . '?' . $g_query_string; | |
382 | + if (is_null($g_query_string)) { | |
383 | + $url_after_login = get_base_uri(PKWK_URI_ABSOLUTE); | |
384 | + } else { | |
385 | + $url_after_login = get_base_uri(PKWK_URI_ABSOLUTE) . '?' . $g_query_string; | |
386 | + } | |
379 | 387 | $loginurl = get_auth_external_login_url($page, $url_after_login); |
380 | 388 | header('HTTP/1.0 302 Found'); |
381 | 389 | header('Location: ' . $loginurl); |
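Review bot: The five-line `is_null($g_query_string)` branch added in this hunk is a copy of the one added to the AUTH_TYPE_FORM branch in the first hunk, differing only in the argument handed to get_base_uri(), so the null handling now has two homes that can drift apart; a small helper taking the already-computed base URI removes the duplication. I cannot see where $g_query_string is assigned, so if it can ever be the empty string rather than null the trailing `?` the commit wants to drop would still be appended — the helper below treats both the same, and that extra case can be dropped if '' is impossible. Because $url_after_login is then carried as a request parameter (the rawurlencode on new line 377), it is worth confirming that the loginform code consuming it still requires the target to start with get_base_uri(); that code is outside this diff. basic_auth() starts and continues outside these hunks.
```php
// Build the post-login target once: a null (or empty, if that can occur)
// query string yields the bare base URI so the top page is not sent as "…/?".
function get_url_after_login($base_uri, $g_query_string)
{
    if ($g_query_string === null || $g_query_string === '') {
        return $base_uri;
    }
    return $base_uri . '?' . $g_query_string;
}

// … unchanged: basic_auth(), AUTH_TYPE_FORM branch …
$url_after_login = get_url_after_login(get_base_uri(), $g_query_string);
// … unchanged: $loginurl construction and 302 headers …
$url_after_login = get_url_after_login(get_base_uri(PKWK_URI_ABSOLUTE), $g_query_string);
```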
@@ -36,7 +36,7 @@ function plugin_loginform_action() | ||
36 | 36 | if ($username && $password && form_auth($username, $password)) { |
37 | 37 | // Sign in successfully completed |
38 | 38 | form_auth_redirect($url_after_login, $page_after_login); |
39 | - return; | |
39 | + exit; // or 'return FALSE;' - Don't double check for FORM_AUTH | |
40 | 40 | } |
41 | 41 | if ($pcmd === 'logout') { |
42 | 42 | // logout |
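Review bot: The new `exit; // or 'return FALSE;' - Don't double check for FORM_AUTH` comment records an unresolved alternative rather than the reason the statement is needed, which leaves the next reader to rediscover the bug. Since form_auth_redirect() on the previous line is presumably what emits the Location header (its body is outside this hunk), the comment should state why returning is wrong: `exit; // redirect already sent; returning would let the caller re-run the FORM_AUTH check and prompt for credentials again (BugTrack/2492)`. The rest of plugin_loginform_action() lies outside the hunk.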