2008-03-01, 08:14 AM
Since my original thread was moved to a place where I couldn't comment again, I would like to say that this is NOT a bogus bug report. Yes, the fix allows for not having either, but your v1212 code doesn't allow a person to log out with only the sid in the URL, which as far as I can tell is still the current standard, although it looks like a new logoutKey is going to be the new standard for MyBB.
So let's try this again, and if you have a problem with my code fix, at least leave the thread open so that I can respond.
--------------------------------
file: member.php
line: 950
added: "$mybb->input['logoutKey'] && " to the elseif statement
php version: 5.2.4
comments: this came to be after performing the proper upgrade from 1.2.9 to 1.2.12. I ran a "find updated" on the templates and found nothing about logoutKey. I see the board here is using it.
Original Code from v1212:
Code Fix proposal:
So lets try this again and if you have a problem with my code fix at least leave it open to let me respond.
--------------------------------
file: member.php
line: 950
added: "$mybb->input['logoutKey'] && " to the elseif statement
php version: 5.2.4
comments: this came to be after performing the proper upgrade from 1.2.9 to 1.2.12. I ran a "find updated" on the templates and found nothing about logoutKey. I see the board here is using it.
Original Code from v1212:
// Logout branch of member.php, quoted in the report as shipped in 1.2.12.
// It validates the request, clears the login cookies, updates the user's
// activity timestamps and deletes the session row.
else if($mybb->input['action'] == "logout")
{
$plugins->run_hooks("member_logout_start");
// A visitor without a uid has nothing to log out of.
if(!$mybb->user['uid'])
{
redirect("index.php", $lang->redirect_alreadyloggedout);
}
// Check session ID if we have one.
// Only a supplied sid that differs from the current session is rejected here;
// a missing sid and a matching sid both fall through to the next test.
// NOTE(review): "!=" is a loose comparison; "!==" on strings would avoid PHP's
// numeric-string juggling when comparing tokens.
if($mybb->input['sid'] && $mybb->input['sid'] != $session->sid)
{
error($lang->error_notloggedout);
}
// Otherwise, check logoutkey.
// This runs whenever the test above is false, so it also runs when a sid was
// supplied and matched. A request carrying only a valid sid therefore still
// has to carry a matching logoutkey, which is the behaviour the report describes.
else if($mybb->input['logoutkey'] != $mybb->user['logoutkey'])
{
error($lang->error_notloggedout);
}
// NOTE(review): the code below relies on error() and redirect() ending the
// request; their definitions are not part of this excerpt - confirm.
my_unsetcookie("mybbuser");
my_unsetcookie("sid");
if($mybb->user['uid'])
{
$time = time();
// lastactive is set 900 seconds into the past, lastvisit to the current time.
$lastvisit = array(
"lastactive" => $time-900,
"lastvisit" => $time,
);
// NOTE(review): both WHERE clauses are built by string concatenation. The values
// come from the user record and the session object, not directly from the
// request - confirm that both are validated or escaped where they are populated.
$db->update_query(TABLE_PREFIX."users", $lastvisit, "uid='".$mybb->user['uid']."'");
$db->delete_query(TABLE_PREFIX."sessions", "sid='".$session->sid."'");
}
$plugins->run_hooks("member_logout_end");
redirect("index.php", $lang->redirect_loggedout);
}
Code Fix proposal:
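// Logout branch of member.php (proposed fix).
// A logout request is accepted only when it carries at least one token tied to
// the current login - the session id ("sid") or the per-user "logoutkey" - and
// every token that is supplied matches. A request with neither is refused, so a
// bare "action=logout" link cannot end the session.
else if($mybb->input['action'] == "logout")
{
    $plugins->run_hooks("member_logout_start");

    // A visitor without a uid has nothing to log out of.
    if(!$mybb->user['uid'])
    {
        redirect("index.php", $lang->redirect_alreadyloggedout);
    }

    // PHP array keys are case-sensitive. The value is compared against
    // $mybb->input['logoutkey'] (all lower case), so the presence test must read
    // the same key; testing 'logoutKey' would look at a different parameter and
    // a logoutkey-only request could never pass.
    // !empty() keeps the truthiness test of the original code without raising an
    // undefined-index notice when the parameter is absent.
    $sid_supplied = !empty($mybb->input['sid']);
    $key_supplied = !empty($mybb->input['logoutkey']);

    // Neither sid nor logoutkey provided
    if(!$sid_supplied && !$key_supplied)
    {
        error($lang->error_notloggedout);
    }
    // Check session ID if we have one.
    // Strict string comparison: "!=" would let PHP compare numeric-looking strings
    // by value, and a non-string input (e.g. an array) must never match.
    // hash_equals() would be the constant-time choice on PHP >= 5.6; the report
    // targets PHP 5.2.4, so "!==" is used.
    else if($sid_supplied && (!is_string($mybb->input['sid']) || $mybb->input['sid'] !== (string)$session->sid))
    {
        error($lang->error_notloggedout);
    }
    // Check the logoutkey if we have one. This still runs when a valid sid was
    // supplied: a token that is present but wrong is always refused.
    else if($key_supplied && (!is_string($mybb->input['logoutkey']) || $mybb->input['logoutkey'] !== (string)$mybb->user['logoutkey']))
    {
        error($lang->error_notloggedout);
    }

    // NOTE(review): the code below relies on error() and redirect() ending the
    // request; their definitions are not part of this excerpt - confirm.
    my_unsetcookie("mybbuser");
    my_unsetcookie("sid");

    if($mybb->user['uid'])
    {
        $time = time();
        // lastactive is set 900 seconds into the past, lastvisit to the current time.
        $lastvisit = array(
            "lastactive" => $time-900,
            "lastvisit" => $time,
        );
        // uid is forced to an integer before it is placed in the WHERE clause.
        $db->update_query(TABLE_PREFIX."users", $lastvisit, "uid='".intval($mybb->user['uid'])."'");
        // NOTE(review): $session->sid is concatenated as-is, exactly as in the
        // 1.2.12 code - confirm it is validated or escaped where the session
        // object is populated.
        $db->delete_query(TABLE_PREFIX."sessions", "sid='".$session->sid."'");
    }

    $plugins->run_hooks("member_logout_end");
    redirect("index.php", $lang->redirect_loggedout);
}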