can't log in to any account if non-existent or disabled btUsername cookie #113

@RedDragonWebDesign

I made a previous patch for this (0c5d173) but reverted it (9b5268d) because it broke the sign out system.

Setting cookies in JavaScript was a poor approach anyway. I have discovered that a better place to set cookies is in include_header.php. I've drafted up the following code, which I may use in a patch for this. This code by itself doesn't solve the ticket, though, so I still have to debug some more.

One approach I may also try is getting rid of the $MAIN_ROOT in setcookie(). Setting a cookie path ($MAIN_ROOT in this case) lets you do things like install two copies of BlueThrust under the same domain in different folders and lets the cookies not conflict, but it comes at the cost of complexity.

To be continued.

```php
// If user's username cookie is for a disabled or non-existent user, delete it.
// !empty() avoids an undefined-index notice when the cookie is not sent at all.
if ( !empty($_COOKIE['btUsername']) ) {
	$checkMember = new Member($mysqli);
	$checkMember->select($_COOKIE['btUsername']);
	$memberInfo = $checkMember->get_info();
	$usernameExists = ($memberInfo['username'] ?? '') != "";
	if ( !$usernameExists || $memberInfo['disabled']) {
		// Expire the cookies in the browser (expiry timestamp in the past).
		setcookie("btUsername", '', -1, $MAIN_ROOT);
		setcookie("btPassword", '', -1, $MAIN_ROOT);
		setcookie("btSession", '', -1, $MAIN_ROOT); // may need to fix the cookie path for btSession for this to work, right now btSession doesn't use $MAIN_ROOT
		// Also drop them from the current request so later code doesn't see them.
		unset($_COOKIE['btUsername']);
		unset($_COOKIE['btPassword']);
		unset($_COOKIE['btSession']);
	}
}
```
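The path caveat in the code comment above, as an added example that is not part of the original post or the BlueThrust code base: a constructed model of a browser cookie store showing why an expiry sent with `$MAIN_ROOT` leaves a `btSession` cookie that was set under a different path. The `applySetCookie` and `remainingNames` helpers, the `/bluethrust/` value for `$MAIN_ROOT`, the `/` path for `btSession`, the domain and all cookie values are assumptions made for illustration.

```php
<?php
// Added illustration: a constructed model of how a browser stores cookies.
// Per RFC 6265 section 5.3, a stored cookie is identified by name + domain + path.
function applySetCookie(array $jar, string $name, string $value, int $expires,
                        string $path, int $now, string $domain = 'example.test'): array
{
    $key = "$name|$domain|$path";
    if ($expires <= $now) {
        unset($jar[$key]);      // an expiry only evicts the exact name/domain/path match
    } else {
        $jar[$key] = $value;
    }
    return $jar;
}

// Names still present in the jar, for inspection.
function remainingNames(array $jar): array
{
    $names = array_map(function ($key) { return explode('|', $key)[0]; }, array_keys($jar));
    sort($names);
    return $names;
}

$now      = 1700000000;      // constructed fixed clock
$mainRoot = '/bluethrust/';  // hypothetical value of $MAIN_ROOT
$sessPath = '/';             // assumed path of btSession (the issue only says it is not $MAIN_ROOT)

// Login: two cookies scoped to $MAIN_ROOT, the session cookie scoped elsewhere.
$jar = [];
$jar = applySetCookie($jar, 'btUsername', 'alice', $now + 3600, $mainRoot, $now);
$jar = applySetCookie($jar, 'btPassword', 'constructed-value', $now + 3600, $mainRoot, $now);
$jar = applySetCookie($jar, 'btSession', 'constructed-id', $now + 3600, $sessPath, $now);

// Cleanup as drafted in the issue: every expiry is sent with $MAIN_ROOT.
foreach (['btUsername', 'btPassword', 'btSession'] as $name) {
    $jar = applySetCookie($jar, $name, '', -1, $mainRoot, $now);
}
echo 'after $MAIN_ROOT-only cleanup: ', implode(', ', remainingNames($jar)), PHP_EOL;

// Cleanup that reuses the path each cookie was created with.
$jar = applySetCookie($jar, 'btSession', '', -1, $sessPath, $now);
echo 'after path-matched cleanup: ', implode(', ', remainingNames($jar)), PHP_EOL;
```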

Labels: bug-v4 (Bugs that appear in the original scripts.)