wip fixes

diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index fff16b737068e3be88dd30fea4015fe64d7ed761..7866bdc92ab54e2f4c31d7dc6a4aa93f219fcb68 100644 (file)
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -40,6 +40,7 @@ use DBI;
 use CGI qw/escapeHTML/;
 use Locale::gettext;
 use URI;
+use IO::File;
 use Data::Dumper;
 
 #---------- public utilities ----------
@@ -107,7 +108,7 @@ sub gen_plain_login_form ($$) {
     my ($c,$r, $params) = @_;
     my @form;
     push @form, ('<form method="POST" action="'.
-                escapeHTML($r->_ch('get_url')).'>'.
+                escapeHTML($r->_ch('get_url')).'">'.
                 '<table>');
     my $sz = 'size="'.$r->{S}{form_entry_size}.'"';
     foreach my $up (@{ $r->{S}{username_param_names}}) {
@@ -331,7 +332,7 @@ print STDERR "CC $r $c $cookv $cookt\n";
 #    y, yN     value corresponds to logged-in user
 #    n, nN     value not in our db
 #    x, xN     t or y
-#    -         no value supplied
+#    -         no value supplied (represented in code as $cookt='')
 # if N differs the case applies only when the two values differ
 # (eg,   a1 y2   does not apply when the logged-in value is supplied twice)
 
@@ -410,8 +411,9 @@ print STDERR "CC $r $c $cookv $cookt\n";
     #                           revoke y2
     #                           treat as   -/n n POST
     #
-    #  -/n n   GET   n        cross-site link but user not logged in
+    #  -/n -/n GET   n        cross-site link but user not logged in
     #                           show login form with redirect to orig params
+    #                           generate fresh cookie
     #
     #  -/n n   GET    rmu     user not logged in
     #                           fail
@@ -422,6 +424,8 @@ print STDERR "CC $r $c $cookv $cookt\n";
     #  -/n n   POST   r u     user not logged in
     #                           fail
 
+#fixme make parameter values hash of cookie values
+
 sub _check_divert_core ($) {
     my ($r) = @_;
 
@@ -432,6 +436,8 @@ sub _check_divert_core ($) {
     my ($cookt,$cooku) = $r->_db_lookup($cookv);
     my $parmt = $r->_db_lookup($parmv);
 
+    print STDERR "_c_d_c cookt=$cookt parmt=$parmt\n";
+
     if ($r->_ch('is_logout')) {
        $r->_must_be_post();
        die unless $parmt;
@@ -492,15 +498,17 @@ sub _check_divert_core ($) {
     if ($cookt ne 'y') {
        die unless !$cookt || $cookt eq 'n';
        die unless !$parmt || $parmt eq 'n' || $parmt eq 'y';
+       my $newv = $r->_fresh_cookie();
        if ($meth eq 'GET') {
            return ({ Kind => 'LOGIN-INCOMINGLINK',
                      Message => "You need to log in again.",
-                     CookieVal => $parmv,
+                     CookieVal => $newv,
                      Params => $r->_chain_params() });
        } else {
+           $r->_db_revoke($parmv);
            return ({ Kind => 'LOGIN-FRESH',
                       Message => "You need to log in again.",
-                      CookieVal => $parmv,
+                      CookieVal => $newv,
                       Params => { } });
        }
     }
@@ -683,11 +691,13 @@ sub _random ($$) {
     $!=0;
     read($rsf,$bin,$bytes) == $bytes or die "$rsp $!";
     close $rsf;
-    return unpack "H*", $bin;
+    my $out = unpack "H*", $bin;
+    print STDERR "_random out $out\n";
 }
 
 sub _fresh_cookie ($) {
     my ($r) = @_;
+    print STDERR "_fresh_cookie\n";
     my $bytes = ($r->{S}{associdlen} + 7) >> 3;
     return $r->_random($bytes);
 }