[Openfirst-cvscommit] base/config auth.php,1.8,1.9
From: <i-...@us...> - 2003-11-04 22:52:56
Update of /cvsroot/openfirst/base/config In directory sc8-pr-cvs1:/tmp/cvs-serv9923/config Modified Files: auth.php Log Message: Fixed serious authentication bug. On systems where RAND_MAX is less than 500000 (used in the original script), for example, Windows, the generated Authcode was always the same for every user. The code has been fixed to generate more unique IDs. The remote host name is added to the end to ensure a unique ID.
Index: auth.php
===================================================================
RCS file: /cvsroot/openfirst/base/config/auth.php,v
retrieving revision 1.8
retrieving revision 1.9
diff -C2 -d -r1.8 -r1.9
*** auth.php 15 Oct 2003 00:52:52 -0000 1.8
--- auth.php 4 Nov 2003 22:52:50 -0000 1.9
***************
*** 102,106 ****
if(cryptpassword($_POST["password"], $encryption, $user->password) == $user->password) {
session_register("authcode");
! $_SESSION["authcode"] = rand(1,50000000);
$aquery = ofirst_dbquery("UPDATE ofirst_members SET authcode='" . $_SESSION["authcode"] . "' WHERE user='" . $_POST["login"] . "';");
} else {
--- 102,107 ----
if(cryptpassword($_POST["password"], $encryption, $user->password) == $user->password) {
session_register("authcode");
! mt_srand(microtime() * 1000000);
! $_SESSION["authcode"] = (microtime()|mt_rand(1,mt_getrandmax())).substr($_SERVER["REMOTE_HOST"],0,40);
$aquery = ofirst_dbquery("UPDATE ofirst_members SET authcode='" . $_SESSION["authcode"] . "' WHERE user='" . $_POST["login"] . "';");
} else {
***************
*** 118,122 ****
if(cryptpassword($_POST["password"], $encryption, $user->password) == $user->password) {
session_register("authcode");
! $_SESSION["authcode"] = rand(1,50000000);
$aquery = ofirst_dbquery("UPDATE ofirst_members SET authcode='" . $_SESSION["authcode"] . "' WHERE user='" . $_POST["login"] . "';");
} else {
--- 119,124 ----
if(cryptpassword($_POST["password"], $encryption, $user->password) == $user->password) {
session_register("authcode");
! 
mt_srand(microtime() * 1000000);
! $_SESSION["authcode"] = (microtime()|mt_rand(1,mt_getrandmax())).substr($_SERVER["REMOTE_HOST"],0,40);
$aquery = ofirst_dbquery("UPDATE ofirst_members SET authcode='" . $_SESSION["authcode"] . "' WHERE user='" . $_POST["login"] . "';");
} else { |
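Review bot: The new authcode on the `!` lines of the 102,107 hunk (and identically in the 119,124 hunk) is still predictable: `mt_rand()` is not a cryptographic generator, and seeding it with `microtime() * 1000000` yields at most about a million distinct seeds because `microtime()` returns a string whose leading "0.xxxxxx" fraction is all the arithmetic uses. The `microtime()|mt_rand(...)` expression adds nothing either, since that same string casts to integer 0 before the bitwise OR, and `$_SERVER["REMOTE_HOST"]` is only populated when the web server performs reverse lookups and is not secret in any case. A session token should come from a dedicated unpredictable source rather than a manually seeded PRNG, e.g. on this PHP 4 tree `$_SESSION["authcode"] = md5(uniqid(mt_rand(), true));` (on current PHP, `bin2hex(random_bytes(16))`), with the `mt_srand()` line dropped. Whatever value is chosen, the following line still interpolates it into SQL, so it should be a fixed-alphabet string such as hex or be escaped before the query is built; the enclosing login branch starts outside the hunk.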