includes/sessions.php
2009-05-22 Dan Sped up AJAX de-auth a little; added a little extra info to login_success JSON responses
2009-05-15 Dan Fixed undefined indices for user_extra in various places
2009-05-05 Dan Made some more changes to the way namespaces are handled, for optimization purposes. This is a bit of a structural reorganization: $paths->pages is obsoleted in its entirety; calculating page existence and metadata is now the job of the Namespace_* backend class. There are many things in PageProcessor that should be reorganized, and page actions in general should really be rethought. This is probably the beginning of a long process that will be taking place over the course of the betas.
2009-04-19 Dan Upgrader: UX: Added welcome page, different between Caoineag and Banshee
2009-04-15 Dan New, beautiful, rethought Admin:Home. No, really, you'll like it.
2009-04-11 Dan session: login_process_userdata_json hook should work with more than one installed auth plugin now
2009-04-05 Dan Session: additional metadata passed back from auth plugins is passed through to client for optional further parsing
2009-03-14 Dan Added support for alternate port numbers on database servers. Also in install-cli, merged in new sysreqs functionality.
2009-02-26 Dan Added possibility for auth plugins, which can log a user in using non-standard authentication methods.
2009-02-16 Dan Major redesign of rendering pipeline that separates pages saved with MCE from pages saved with the plaintext editor (full description in long commit message)
2009-01-26 Dan Replaced integer checks that used preg_match() to use ctype_digit() instead
2009-01-16 Dan Deprecated old grab_password_hash() functions in session
2009-01-12 Dan Added support for live re-auth and de-auth; fully AJAX, no page reload required, plus plugin-usable API.
2009-01-04 Dan Upgrades should work now.
2009-01-04 Dan Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6.
2008-12-21 Dan Corrected a few issues with languages and client-side code
2008-12-21 Dan Fixed a couple PostgreSQL bugs.
2008-12-21 Dan Fixed timezone preference setting not fully implemented; added ability for users to select their own rank from a list of possible ranks based on group membership and user level
2008-11-21 Dan Added dependency checking in ACL tracer
2008-11-09 Dan Merging with upstream
2008-11-03 Dan Fixed error-out when DiffieHellman not supported and respawn requested (part of OS X QA process)
2008-11-09 Dan Added config option to grant userpage rights to new users (defaults to on, as it was hardcoded on before)
2008-11-09 Dan Fixed DiffieHellman being included twice when not supported and login fails
2008-09-21 Dan Added initial support for DST. Rules are defined in constants.php and are extensible.
2008-08-20 Dan Made upgrades from 1.1.4 -> 1.1.5 work if keyhash is not present
2008-08-13 Dan Made login forms that use $session->aes_javascript() use new whiteOutForm() function
2008-08-12 Dan Added customizable parameters for session length and the long-missing "remember me" option (or rather, the ability to turn it off and make sessions temporary)
2008-08-12 Dan Rebranded as 1.1.5 (Caoineag alpha 5) and fixed a couple bugs related to CDN support in template_nodb and installerUI. Updated readme.
2008-07-12 Dan Added Gravatar support in UserManager in admin panel
2008-07-10 Dan Fixed undefined group_rank_id in sessions
2008-07-07 Dan Moved all account deactivation notice presentation code to its own method in sessions
2008-07-03 Dan As promised, dropped in the new librijndael. Benchmarks say about 3 times faster, but more performance testing will be done.
2008-07-03 Dan More optimization work. Moved special page init functions to common instead of common_post hook. Allowed paths to cache page metadata on filesystem. Phased out the redundancy in $paths->pages that paired a number with every urlname as foreach loops are allowed now (and have been for some time). Fixed missing includes for several functions. Rewrote str_replace_once to be a lot more efficient.
2008-07-02 Dan Another sweep from the optimization monster.
2008-06-30 Dan Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
2008-06-30 Dan Several optimization changes including getting rid of a few eval()s. Added placeholder functions for the theme manager, which should be working now
2008-06-26 Dan Made encryption work in form-based logon again; modified load_component() to fetch compressed versions when possible
2008-06-26 Dan Fixed missing table_prefix in generate_rank_sql()
2008-06-19 Dan Fixed SQL syntax error thrown during rank data fetch
2008-06-16 Dan Fixed undefined index left over from scope system rewrite a few days ago
2008-06-15 Dan Renamed some functions (that were new in this release anyway) due to compatibility broken with PunBB bridge
2008-06-15 Dan Got ACL scope logic working again and began enforcing it. Breaking API change: assigning page title with $template->tpl_strings['PAGE_NAME'] will no longer work, use $template->assign_vars(). Workaround may be added later. Test for assign_vars method if compatibility needed. Added namespace processor API (non-breaking change). Several other things tweaked around as well.
2008-06-15 Dan Fixed some plugin compatibility issues seen in Nuggie
2008-06-10 Dan A bit of UX improvement to upgrade UI; updated readme for 1.1.4
2008-06-07 Dan Modified $template->init_vars() to pivot to local page metadata and permissions from a PageProcessor object instead of global data from $paths and permissions from $session to allow redirects to affect on-page controls as well as the actual content (only partially complete, protection and several other elements still need to be localized)
2008-05-25 Dan More work done on effective permissions API, namely reporting of page group and usergroup names
2008-05-16 Dan Added user preference for disabling visual effects in Javascript applets; added re-import button to installed plugins
2008-05-12 Dan Revamped some ACL code and added effective permissions calculation code into session manager
2008-05-06 Dan Added ETag support and increased caching settings to try and speed the system up. Result of a YSlow audit.
2008-05-05 Dan Massive commit with various changes. Added user ranks system (no admin interface yet) and ability for users to have custom user titles. Made cron framework accept fractions of hours through floating-point intervals. Modifed ACL editor to use miniPrompt framework for close confirmation box. Made avatar system use a special page as opposed to fetching the files directly for caching reasons.
2008-04-14 Dan Rebrand as 1.1.4 (Caoineag alpha 4)
2008-04-09 Dan Merging nighthawk and scribus branches
2008-04-09 Dan Implemented the password-reset redirect _properly_ instead of the hackish direct header() call in sessions.php
2008-04-06 Dan SECURITY: Disabled caching of decrypted DiffieHellman login requests
2008-03-27 Dan Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden
2008-03-18 Dan Fixed some stray version numbers (again!); added support for Diffie-Hellman logins in the normal login form (not AJAX) - even works in IE
2008-03-16 Dan Added support for embedding language data into plugins; updated all version numbers on plugin files
2008-03-15 Dan Fixed some bugs with PostgreSQL and added a word_lcase column to the search_index table because collation is not working under MySQL. TODO: Trigger search index rebuild on upgrade to 1.1.4.
2008-03-08 Dan Fixed undefined variable ($row['is_regex'] instead of $is_regex) in sessions.php
2008-03-07 Dan [Security] made session manager have some degree of IP validation for session keys and upgrades
2008-03-07 Dan Fixed session validation bug in upgrade script; fixed non-object reference in template_nodb
2008-03-07 Dan Added a cron task to sessions.php that deletes old admin keys once a week
2008-03-03 Dan Implemented password reset (albeit hackishly) into the new login API; added dummy window.console object to hopefully reduce errors when Firebug isn't around; fixed the longstanding ACL dismiss/close button bug; fixed a couple undefined variables in mailer; fixed PHP error on attempted opening of /dev/(u)random in rijndael.php; clarified documentation for PageProcessor::update_page(); fixed some logic problems in theme ACL code; disabled CAPTCHA debug
2008-03-02 Dan Implemented all security features on theme disabling and ACLs; added clean_key mode to login API to clean unused encryption keys
2008-03-01 Dan Fixed improper serializing of IP that could allow reusing of key from multiple IP addresses.
2008-02-24 Dan Merging in changes from Nighthawk
2008-02-22 Dan Merging fixes and updates from stable branch
2008-01-01 Dan Integrating patch for PHP 6.0-dev compatibility
2008-02-20 Dan Added support for Diffie-Hellman key exchange during login. w00t!
2008-02-18 Dan Fixed typo in ban logic
2008-02-11 Dan Rebrand as 1.1.2; made upgrade framework functional
2008-02-09 Dan Added some basic timezone support; DST support is still to come.
2008-02-07 Dan Fixed some captcha bugs and made all captcha fields case-insensitive
2008-02-06 Dan Implemented a new CAPTCHA API; the frontend ($session->{make,get}_captcha) is API-compatible but the backend (the captcha class) is deprecated.
2008-01-30 Dan Localization is FINISHED, DAMN IT HELLAH YEAH! OVER WITH! Man, it feels to get that off my chest. Release is in under 48 hours, folks. And we're ready for it.
2008-01-29 Dan Rebranded source code as 1.1.1; added TinyMCE ACL rule as per Vadi's request: http://forum.enanocms.org/viewtopic.php?f=7&t=54
2008-01-28 Dan Got Enano to load even if there are no plugins; added caching for decrypted session keys to significantly improve performance (in theory at least)
2008-01-26 Dan Removed stray debugging info from ACL editor success notification; added ability for guests to set language on URI (?lang=eng); added html_in_pages ACL type and separated from php_in_pages so HTML can be embedded but not PHP; rewote portions of the path manager to better abstract URL input; added Zend Framework into list of BSD-licensed libraries; localized some remaining strings; got the migration script working, but just barely; fixed display bug in Special:Contributions; localized Main Page button in admin panel
2008-01-25 Dan [minor] Trying to be a little more careful with values from users_extra in validate_session()
2008-01-25 Dan A number of scattered changes. Profiler added and only enabled in debug mode (currently on), but awfully useful for fixing performance in the future. Started work on Admin:LangManager
2008-01-23 Dan Improved compatibility with PostgreSQL and fixed a number of installer bugs; fixed missing "meta" category declaration in language files
2008-01-22 Dan Localized registration errors and activation/COPPA e-mails
2008-01-21 Dan Implemented IP logging for comments and registration
2008-01-03 Dan WiP commit for admin panel localization. All modules up to Admin:UserManager (working down the list) are localized except Admin:ThemeManager, which is due for a rewrite
2007-12-28 Dan Merging in the last couple of revisions from stable
2007-12-23 Dan Corrected licensing issue on YoungPup's DOM-Drag (it is now public domain -> GPLv2+ for Enano); fixed wrongful access denial under specific circumstances (fetch_page_acl() on nonexistent page + wiki mode)
2007-12-28 Dan Replaced TinyMCE 2.x with 3.0 beta 3. Supports everything but IE. Also rewrote the editor interface completely from the ground up.
2007-12-20 Dan Redid merge, the previous one had a few problems
2007-12-19 Dan Many changes. Installer with PostgreSQL is broken badly and will be for some time.
2007-12-15 Dan SURPRISE! Preliminary PostgreSQL support added. The required schema file is not present in this commit and will be included at a later date. No installer support is implemented. Also in this commit: several fixes including <!-- SYSMSG ... --> was broken in template compiler; set fixed width on included images to prevent the thumbnail box from getting huge; added a much more friendly interface to AJAX responses that are invalid JSON
2007-12-13 Dan Rebrand as 1.0.3 (Dyrad)
2007-12-07 Dan Merging in changes from stable
2007-12-03 Dan Deprecated debugConsole and removed all calls to it. Added a lot of comments to common.php. Added support for "anonymous pages" that are created when the Enano API is loaded from an external script. Fixed missing border-bottom on Type 2 sidebar blocks in Oxygen.
2007-12-02 Dan Merging in the newly stable Coblynau
2007-11-25 Dan Fixed highlighting in search results; changed search algorithm to give more score for terms found in page title; hopefully (hackishly) fixed login_key_cache getting too long
2007-11-24 Dan Fixed a few major bugs with the upgrade script and the config file not getting loaded properly due to IN_ENANO_INSTALL
2007-11-24 Dan Fixed a number of issues with SQL query readability and some undefined index-ish errors; consequently the SQL report feature was added
2007-11-19 Dan Merging in fixes and updates from stable
2007-11-18 Dan Major fixes to the ban system - large IP match lists don't slow down the server miserably anymore.
2007-11-18 Dan Hopefully managed to put enough hacks in there to make renaming the config file the last step, so if it fails, it can be done manually
2007-11-18 Dan Merging in fixes from stable
2007-11-18 Dan Major improvements in the security of the CAPTCHA system (no SQL injection or anything like that); fixed denied form submission due to _af_acting on form object wrongly switched to true
2007-11-17 Dan Fixed: secure-cookie option is no longer set if $_SERVER['HTTPS'] is set but == "off"
2007-11-15 Dan Merging in all changes from revision 185 (90b7a52bea45)
2007-11-09 Dan Merge in some minor fixes from stable
2007-11-09 Dan Cleaned up some HTML in the installer; corrected some phpDoc syntax errors
2007-11-03 Dan Merging in fixes and updates from 90b7a52bea45
2007-11-03 Dan Merging in fixes from rev. 207
2007-11-03 Dan Localized a good part, if not all, of the registration page and a couple other things.
2007-10-28 Dan Login page mostly localized
2007-10-24 Dan Merging in fixes from stable
2007-10-26 Dan You know what folks, a lot of Mercurial merges failed, and I just now figured out why. So now all changes from stable are permanently synced in.
2007-10-23 Dan Slight HTTPS compatibility improvements
2007-10-21 Dan Merging in changes from db8a849ad4c9
2007-10-21 Dan Merging in changes from stable
2007-10-15 Dan SECURITY: Fix failure to log login failure on no row match
2007-10-08 Dan Fixed the security hole (really, I'm a moron - used $failed > $threshold instead of $failed >= $threashold) and patched up some...erm... math issues
2007-10-08 Dan Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
2007-10-08 Dan [F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period.
2007-10-07 Dan Merging in latest changes from stable
2007-10-07 Dan SECURITY: remove debug message in session manager; implemented alternate MediaWiki syntax for template embedding; added Adobe Spry for "shake" effect on unsuccessful login
2007-10-07 Dan Rebrand as 1.1.1; everything should now be bumped to "unstable" status
2007-10-01 Dan Feature add: new page group type: regular expression match (PCRE)
2007-09-24 Dan Rebrand as 1.0.2 (Coblynau); internal links are now parsed by RenderMan::parse_internal_links()
2007-09-18 Dan Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
2007-09-18 Dan Fully implemented password complexity enforcement; added encryption for passwords on registration form; some baby steps taken towards supporting international usernames - this is not working very well, we might need a hackish fix; TODO: implement password strength meter into installer UI and get international usernames 100% working
2007-09-13 Dan Fix: activation e-mails were signed by Anonymous :-)
2007-09-08 Dan Vastly improved UX for a login to an inactive account
2007-07-21 Dan Made the move to Loch Ness, and got some basic page grouping functionality working. TODO: fix some UI issues in Javascript ACL editor and change non-JS ACL editor to work with page groups too
2007-07-21 Dan Fixed a few presentation bugs in installer, made installer more "legally binding", and fixed global permissions inheritance in $session->fetch_page_acl() 1.0
2007-07-10 Dan Vastly improved compatibility with older versions of IE, particularly 5.0, through the use of a kill switch that turns off all AJAX functions
2007-07-05 Dan I dunno how many times I'm gonna have to fix the "problem seems to be the hex conversion" bug, but this is at least the fourth try.
2007-07-01 Dan Finished everything on the TODO list (yay!); several CSS cleanups; tons more changes in this commit - see the patch for details
2007-06-28 Dan Finished Special:Preferences/Profile page! Only the wikitext parser cleanup left, yay!
2007-06-28 Dan COPPA support added
2007-06-26 Dan Updated all version numbers back to Banshee; a few preliminary steps towards full UTF-8 support in page URLs
2007-06-23 Dan Upgrades (RC2->RC3) should now work
2007-06-23 Dan Emergency version change to 1.0rc3 to fix XSS vulnerabilities
2007-06-22 Dan Installer actually works now on dev servers; minor language change in template.php; code cleanliness fix in sessions.php
2007-06-13 dan Adding /includes
less more (0) tip