make session encryption optional
This commit is contained in:
Roland Gruber
parent
14a619989e
commit
750a118884
|
|
@ -996,6 +996,13 @@ Have fun!
|
|||
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
|
||||
access LAM via an untrusted IP only get blank pages.</para>
|
||||
|
||||
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||
data like passwords in your session files. This is only available when
|
||||
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
|
||||
adds extra security but also costs performance. If you manage a large
|
||||
directory you might want to disable this and take other actions to
|
||||
secure your LAM server.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
|
|
@ -8885,8 +8892,9 @@ objectclass: top
|
|||
<para><emphasis role="bold">Disable session
|
||||
encryption</emphasis></para>
|
||||
|
||||
<para>LAM encrypts sensitive data in your session files. You can
|
||||
prevent this by disabling the PHP MCrypt module (if installed).</para>
|
||||
<para>LAM encrypts sensitive data in your session files. You can <link
|
||||
linkend="sessionEncryption">disable</link> it to reduce CPU
|
||||
load.</para>
|
||||
</section>
|
||||
</section>
|
||||
</appendix>
|
||||
|
|
|
|||
Binary file not shown.
|
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 18 KiB |
|
|
@ -155,6 +155,8 @@ $helpArray = array (
|
|||
"Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
|
||||
"244" => array ("Headline" => _('PHP error reporting'),
|
||||
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
||||
"245" => array ("Headline" => _('Encrypt session'),
|
||||
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
|
||||
"250" => array ("Headline" => _("Filter"),
|
||||
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
|
||||
"260" => array ("Headline" => _("Additional LDAP filter"),
|
||||
|
|
|
|||
|
|
@ -1400,6 +1400,9 @@ class LAMCfgMain {
|
|||
/** list of hosts which may access LAM */
|
||||
public $allowedHosts;
|
||||
|
||||
/** session encryption */
|
||||
public $encryptSession;
|
||||
|
||||
/** minimum length for passwords */
|
||||
public $passwordMinLength = 0;
|
||||
|
||||
|
|
@ -1437,7 +1440,8 @@ class LAMCfgMain {
|
|||
private $settings = array("password", "default", "sessionTimeout",
|
||||
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
|
||||
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
|
||||
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting');
|
||||
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
|
||||
'encryptSession');
|
||||
|
||||
/**
|
||||
* Loads preferences from config file
|
||||
|
|
@ -1449,6 +1453,7 @@ class LAMCfgMain {
|
|||
$this->logLevel = LOG_NOTICE;
|
||||
$this->logDestination = "SYSLOG";
|
||||
$this->allowedHosts = "";
|
||||
$this->encryptSession = 'true';
|
||||
$this->reload();
|
||||
}
|
||||
|
||||
|
|
@ -1516,6 +1521,7 @@ class LAMCfgMain {
|
|||
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
||||
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
||||
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
|
||||
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
|
||||
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
|
||||
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
|
||||
if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);
|
||||
|
|
|
|||
|
|
@ -104,6 +104,14 @@ if (isset($_POST['submitFormData'])) {
|
|||
}
|
||||
else $allowedHosts = "";
|
||||
$cfg->allowedHosts = $allowedHosts;
|
||||
// set session encryption
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
$encryptSession = 'false';
|
||||
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
|
||||
$encryptSession = 'true';
|
||||
}
|
||||
$cfg->encryptSession = $encryptSession;
|
||||
}
|
||||
// set log level
|
||||
$cfg->logLevel = $_POST['logLevel'];
|
||||
// set log destination
|
||||
|
|
@ -263,6 +271,10 @@ $securityTable = new htmlTable();
|
|||
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
|
||||
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
|
||||
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
|
||||
$encryptSession = ($cfg->encryptSession === 'true');
|
||||
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
||||
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
|
||||
$securityTable->addElement($encryptSessionBox, true);
|
||||
// SSL certificate
|
||||
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
||||
$sslMethod = _('use system certificates');
|
||||
|
|
|
|||
|
|
@ -125,14 +125,15 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
|
|||
/**
|
||||
* Displays the login window.
|
||||
*
|
||||
* @param object $config_object current active configuration
|
||||
* @param LAMConfig $config_object current active configuration
|
||||
* @param LAMCfgMain $cfgMain main configuration
|
||||
*/
|
||||
function display_LoginPage($config_object) {
|
||||
function display_LoginPage($config_object, $cfgMain) {
|
||||
logNewMessage(LOG_DEBUG, "Display login page");
|
||||
global $error_message;
|
||||
// generate 256 bit key and initialization vector for user/passwd-encryption
|
||||
// check if we can use /dev/urandom otherwise use rand()
|
||||
if(function_exists('mcrypt_create_iv')) {
|
||||
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
|
||||
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
||||
if (! $key) {
|
||||
srand((double)microtime()*1234567);
|
||||
|
|
@ -651,5 +652,5 @@ if(!empty($_POST['checklogin'])) {
|
|||
}
|
||||
|
||||
//displays the login window
|
||||
display_LoginPage($_SESSION["config"]);
|
||||
display_LoginPage($_SESSION["config"], $_SESSION["cfgMain"]);
|
||||
?>
|
||||
|
|
|
|||
Loading…
Reference in New Issue