applied the patch that uses redirect.php for login

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@873 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/ChangeLog b/ChangeLog
index 3387a8eda0db2655f301c6cfdaeaacf29c6b011c..52430ef8f758cb30279691bf953fc3dee930bbcb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 Version 1.0pre1 -- DEVELOPMENT
 ------------------------------
+- For security, login verification happens, then we're redirected to webmail.php
 - Folder sorting now case insensative
 - added config option to set IMAP folder delimiter rather than always detecting it
 - Made session cookie parameter use PHP's settings rather than making assumptions

diff --git a/src/login.php b/src/login.php
index d8d69c14f818ffd1b83d0df72ebc42bc582d24c1..6e2119b18387dc5661d358aecbd22af37d41e4cc 100644 (file)
--- a/src/login.php
+++ b/src/login.php
@@ -41,7 +41,7 @@
    echo $org_name . " - " . _("Login");
    echo "</TITLE></HEAD>\n";
    echo "<BODY TEXT=000000 BGCOLOR=#FFFFFF LINK=0000CC VLINK=0000CC ALINK=0000CC>\n";
-   echo "<FORM ACTION=\"webmail.php\" METHOD=\"POST\" NAME=f>\n";
+   echo "<FORM ACTION=\"redirect.php\" METHOD=\"POST\" NAME=f>\n";
    
    $username_form_name = 'username';
    $password_form_name = 'secretkey';

diff --git a/src/webmail.php b/src/webmail.php
index bb6df91ea1de642c3fe08030ddbf8dba845ab5af..d3d41c47fc54d25635b20a49be8800cf1fadda57 100644 (file)
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -12,17 +12,8 @@
     **
     **/
 
-   // Before starting the session, the base URI must be known.
-   // Assuming that this file is in the src/ subdirectory (or
-   // something).
-   ereg ("(^.*/)[^/]+/[^/]+$", $PHP_SELF, $regs);
-   $base_uri = $regs[1];
-
-   session_set_cookie_params (0, $base_uri);
    session_start();
 
-   session_register ("base_uri");
-
    if (!isset($i18n_php))
       include ("../functions/i18n.php");
 
@@ -32,11 +23,6 @@
       exit;
    }
 
-   // Refresh the language cookie.
-   if (isset($squirrelmail_language)) {
-      setcookie("squirrelmail_language", $squirrelmail_language, time()+2592000);
-   }
-
    include ("../config/config.php");
    include ("../functions/prefs.php");
    include ("../functions/imap.php");
@@ -50,26 +36,6 @@
    if ($force_username_lowercase)
       $username = strtolower($username);
 
-   if (!session_is_registered("user_is_logged_in") || $logged_in != 1) {
-      do_hook ("login_before");
-
-      $onetimepad = OneTimePadCreate(strlen($secretkey));
-      $key = OneTimePadEncrypt(quotemeta($secretkey), $onetimepad);
-      session_register("onetimepad");
-      // verify that username and password are correct
-      $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
-      sqimap_logout($imapConnection);
-
-      setcookie("username", $username, 0, $base_uri);
-      setcookie("key", $key, 0, $base_uri);
-      setcookie("logged_in", 1, 0, $base_uri);
-   
-      do_hook ("login_verified");
-   }
-
-   session_register ("user_is_logged_in");
-   $user_is_logged_in = true;
-
    include ("../src/load_prefs.php");
 
    // We'll need this to later have a noframes version