1. 02 Dec, 2003 6 commits
  2. 01 Dec, 2003 2 commits
    • Leigh B. Stoller authored · 41d37ee8
      Allow user to specify email address when logging in. Some minor reorg
      of the CHECKEMAIL function as a result.
    • Leigh B. Stoller authored · 0efa7677
      Fix glitch with switching between browsers. Stems from the goal of not
      switching the menu when user switches between http and https (since
      the secret cookie is not transferred in http, we have no way of
      actually knowing the user is logged in from the browser). So, add
      another cookie that is a crc32 hash of the real cookie, and transfer
      that in http mode. A valid crc32 hash simply indicates that the user
      is almost certainly logged in from the browser (but does not impart
      any privs until we get the real cookie), while the absence of the
      crc32 or a mismatch indicates that user is almost certainly *not*
      logged in from the browser, and so we draw the usual "not logged in"
      page.
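      The two-cookie scheme in this commit, written out as an added Python model (not the Emulab code itself): the real session cookie is only presented over https, while a crc32 of it travels over http and selects which menu to draw but never grants privileges. Cookie names, the separate non-secret uid value, and the `browser_cookies` model of a Secure-flagged cookie are assumptions for illustration.

      ```python
      import secrets
      import zlib

      # Hypothetical cookie names; the real ones are not in the commit log.
      SECRET_COOKIE = "tbsession"
      HINT_COOKIE = "tbsession_crc"


      def crc_hint(secret: str) -> str:
          """Non-secret fingerprint of the real cookie, safe to send over http."""
          return f"{zlib.crc32(secret.encode()):08x}"


      def issue_login(sessions: dict, uid: str) -> dict:
          """Server side at login: store the secret for uid and hand back both cookies.

          In deployment the secret cookie would carry the Secure flag so the browser
          only presents it on https; the crc32 hint is sent in both modes.
          """
          secret = secrets.token_hex(16)
          sessions[uid] = secret
          return {SECRET_COOKIE: secret, HINT_COOKIE: crc_hint(secret)}


      def browser_cookies(issued: dict, https: bool) -> dict:
          """Model of the browser: the Secure cookie is only presented over https."""
          if https:
              return dict(issued)
          return {HINT_COOKIE: issued[HINT_COOKIE]}


      def classify(uid: str, cookies: dict, sessions: dict, https: bool) -> str:
          """Decide what the page may assume about the browser's login state.

          Returns 'logged_in' (real cookie verified), 'probably_logged_in' (only the
          crc32 hint matched, http mode) or 'not_logged_in'.
          """
          secret = sessions.get(uid)
          if secret is None:
              return "not_logged_in"
          if https:
              presented = cookies.get(SECRET_COOKIE)
              if presented is not None and secrets.compare_digest(presented, secret):
                  return "logged_in"
              return "not_logged_in"
          # http mode: the real cookie never arrives; the hint only picks the menu.
          if cookies.get(HINT_COOKIE) == crc_hint(secret):
              return "probably_logged_in"
          return "not_logged_in"


      def grants_privileges(state: str) -> bool:
          """Only the verified real cookie confers any privilege."""
          return state == "logged_in"


      def menu_for(state: str) -> str:
          """The hint is enough to keep the logged-in menu while browsing over http."""
          return "logged-in menu" if state != "not_logged_in" else "not-logged-in page"


      if __name__ == "__main__":
          sessions = {}
          issued = issue_login(sessions, "alice")
          for https in (True, False):
              st = classify("alice", browser_cookies(issued, https), sessions, https)
              print(f"https={https}: {st}, privs={grants_privileges(st)}, {menu_for(st)}")
      ```

      The `probably_logged_in` state is deliberately kept distinct from `logged_in` so that any code path that checks authorization has to see the real cookie; a guessed or forged crc32 value can at most change which menu is drawn.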
  3. 26 Nov, 2003 8 commits
  4. 25 Nov, 2003 1 commit
  5. 24 Nov, 2003 2 commits
    • Robert Ricci authored · a0c2268a
      Add some features to help beginexp act as a backend to other web
      forms. Add a view[] array to hide various parts of the form, and
      a view_style to use a predefined set of view[] options. Also, allow
      formfields to be passed in to provide defaults for a user.
    • Robert Ricci authored · 6682b5d9
      Added some new display abilities to menu.php3.
      PAGEHEADER() now takes a view array, which can turn on and off display
      of things like the sidebar and banner.

      In the future, some of this information will likely be grabbed from
      the user somehow (new and/or plab users may get a different view than
      others).

      Also added the functions to draw a 'topbar' of options that goes
      across the top of the page, rather than down the left side. A simple
      topbar for planetlab nodes is included.
  6. 18 Nov, 2003 3 commits
  7. 17 Nov, 2003 2 commits
    • Leigh B. Stoller authored · 2025e0bd
      Merge the two state machines (batchstate and state) into a single
      state machine (state). All of the stuff that was previously handled by
      using batchstate is now embedded into the one state machine. Of
      course, these mostly overlapped, so it's not that much of a change,
      except that we also redid the machine, adding more states (for
      example, modify phases are now explicit). To get a picture of the
      actual state machine, on boss:

      		stategraph -o newstates EXPTSTATE
      		gv newstates.ps

      Things to note:

      * The "batchstate" slot of the experiments table is now used solely to
        provide a lock for batch daemon. A secondary change will be to
        change the slot name to something more appropriate, but it can
        happen anytime after this new stuff is installed.

      * I have left expt_locked for now, but another later change will be to remove
        expt_locked, and change it to active_busy or some such new state name in
        the state machine. I have removed most uses of expt_locked, except those
        that were necessary until there is a ...
    • Leigh B. Stoller authored · b1de9fb2
      Add web login attack detection/prevention. Two changes:
      * Add slots to users table to track number of failures in the last N
        seconds. If a threshold is passed (currently 4 failures in the last
        minute), the web login is disabled. Note that I do not disable the
        ops shell login at this time. Aging is passive; the values are cleared
        when login is successful, or when more than one minute has passed
        since the last failure. In other words, a burst of failures will
        disable the login, but failures over time are okay.

      * Add login_failures table to do exactly the same as above, except it
        is on an IP basis (REMOTE_ADDR in the server). Currently the
        threshold is 8 failures in the last two minutes, at which time all
        logins from that IP are disabled.

      In both cases email is sent to tbops (and the user).

      The constants are defined at the top of www/tbauth.in, rather than as
      site variables, to avoid pounding the DB when an attack is being
      launched.

      To clear a user freeze, go to the user profile page and use the
      "toggle" near the bottom.

      To clear an IP freeze: delete from login_failures where IP='1.1.1.1'
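      The per-user and per-IP freeze logic described in this commit, as an added Python model (not the www/tbauth.in code): bursts of failures trip a threshold, counters age passively, a success clears them, and a freeze stays until an operator clears it. The thresholds are the ones the commit states; the in-memory tables, the `notifications` list standing in for mail to tbops, and the method names are assumptions for illustration.

      ```python
      import time
      from dataclasses import dataclass

      # Thresholds from the commit: 4 failures in 60 s freezes the user's web login,
      # 8 failures in 120 s freezes the source IP. Kept as code constants rather than
      # DB-backed site variables so an attack does not cost a DB round trip per hit.
      USER_MAX_FAILURES, USER_WINDOW_SECS = 4, 60
      IP_MAX_FAILURES, IP_WINDOW_SECS = 8, 120


      @dataclass
      class FailureRecord:
          count: int = 0          # failures in the current burst
          last_failure: float = 0.0
          frozen: bool = False    # set when the threshold is crossed; cleared manually


      class LoginThrottle:
          """In-memory stand-in for the users-table slots and the login_failures table."""

          def __init__(self):
              self.users: dict[str, FailureRecord] = {}
              self.ips: dict[str, FailureRecord] = {}
              self.notifications: list[str] = []  # stand-in for mail to tbops/user

          @staticmethod
          def _record(table: dict, key: str) -> FailureRecord:
              return table.setdefault(key, FailureRecord())

          def is_blocked(self, uid: str, ip: str) -> bool:
              """Check before attempting authentication at all."""
              return self._record(self.users, uid).frozen or self._record(self.ips, ip).frozen

          @staticmethod
          def _note_failure(rec: FailureRecord, now: float, window: int, limit: int) -> bool:
              """Count one failure; return True only when this failure trips the freeze."""
              # Passive aging: a failure arriving more than `window` after the previous
              # one starts a fresh burst instead of accumulating.
              if now - rec.last_failure > window:
                  rec.count = 0
              rec.count += 1
              rec.last_failure = now
              if rec.count >= limit and not rec.frozen:
                  rec.frozen = True
                  return True
              return False

          def failure(self, uid: str, ip: str, now: float | None = None) -> None:
              now = time.time() if now is None else now
              if self._note_failure(self._record(self.users, uid), now,
                                    USER_WINDOW_SECS, USER_MAX_FAILURES):
                  self.notifications.append(f"user {uid} web login frozen")
              if self._note_failure(self._record(self.ips, ip), now,
                                    IP_WINDOW_SECS, IP_MAX_FAILURES):
                  self.notifications.append(f"ip {ip} frozen")

          def success(self, uid: str, ip: str) -> None:
              """A successful login clears the burst counters (not a freeze)."""
              for rec in (self._record(self.users, uid), self._record(self.ips, ip)):
                  rec.count, rec.last_failure = 0, 0.0

          def unfreeze_user(self, uid: str) -> None:
              """Equivalent of the 'toggle' on the user profile page."""
              self.users.pop(uid, None)

          def unfreeze_ip(self, ip: str) -> None:
              """Equivalent of deleting the IP's row from login_failures."""
              self.ips.pop(ip, None)


      if __name__ == "__main__":
          t = LoginThrottle()
          for i in range(4):  # constructed burst: four failures within four seconds
              t.failure("alice", "10.0.0.1", now=float(i))
          print(t.is_blocked("alice", "10.0.0.1"), t.notifications)
      ```

      Because the user freeze is keyed on the uid alone, it blocks that account from every address, while the IP freeze blocks every account from one address; the two limits are independent, which is why the model tracks them in separate tables.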
  8. 14 Nov, 2003 2 commits
  9. 12 Nov, 2003 1 commit
  10. 11 Nov, 2003 1 commit
  11. 10 Nov, 2003 4 commits
  12. 09 Nov, 2003 1 commit
    • Leigh B. Stoller authored · 754d8013
      More security hacking.
      * Add TBvalid_uid() function to regex uids. To be used throughout the
        system. Eventually add routines for checking other things like pids
        and eids, etc.

      * Regex the uid value we get from the cookie, and switch to $_COOKIE
        superglobal.

      * Strict regex checking in DOLOGIN() of uid.

      * Change login.php to use superglobals, and general tightening of
        parameter checking.
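      An added Python illustration of the whitelist-style uid check this commit introduces (not the TBvalid_uid() code itself): the pattern, the cookie name and the helper names are assumptions. It also shows one pitfall worth checking in any such regex, in PHP's PCRE as much as in Python: `$` matches before a trailing newline, so an anchored `^...$` pattern still accepts `"alice\n"` unless the match is forced to cover the whole string.

      ```python
      import re

      # Assumed shape of a uid: Unix-style login, 1-8 chars, lowercase letter first.
      UID_PATTERN = r"[a-z][a-z0-9_]{0,7}"
      UID_RE = re.compile(UID_PATTERN)
      NAIVE_UID_RE = re.compile(rf"^{UID_PATTERN}$")  # the tempting but leaky form


      def naive_valid_uid(uid: str) -> bool:
          """Anchored with ^...$: accepts a uid with a trailing newline."""
          return NAIVE_UID_RE.match(uid) is not None


      def tbvalid_uid(uid) -> bool:
          """Strict check: a string, and the pattern must cover every character."""
          return isinstance(uid, str) and UID_RE.fullmatch(uid) is not None


      def uid_from_cookies(cookies: dict, name: str = "tbuid") -> str | None:
          """Read the uid cookie (the $_COOKIE lookup) and drop anything malformed
          before it reaches a query, a file path or a shell command."""
          uid = cookies.get(name)
          return uid if tbvalid_uid(uid) else None


      def dologin_check(uid, password_ok: bool) -> str:
          """Validate the identifier first; only then consult the credential result."""
          if not tbvalid_uid(uid):
              return "rejected: malformed uid"
          return "ok" if password_ok else "rejected: bad password"


      if __name__ == "__main__":
          # Constructed inputs, including the trailing-newline case.
          for candidate in ["stoller", "ricci_2", "Alice", "toolongname", "alice\n", "a;b"]:
              print(repr(candidate), naive_valid_uid(candidate), tbvalid_uid(candidate))
      ```

      In PHP the equivalent fix is a `\z` anchor (or the `D` modifier) instead of a bare `$`; the Python `fullmatch` form is used here because it makes the whole-string requirement explicit.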
  13. 07 Nov, 2003 6 commits
  14. 06 Nov, 2003 1 commit