diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index c99d087b..8a349be0 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -996,6 +996,13 @@ Have fun!
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages.
+ Session encryption will encrypt sensitive
+ data like passwords in your session files. This is only available when
+ PHP MCrypt is active. This
+ adds extra security but also costs performance. If you manage a large
+ directory you might want to disable this and take other actions to
+ secure your LAM server.
+
@@ -8885,8 +8892,9 @@ objectclass: top
Disable session
encryption
- LAM encrypts sensitive data in your session files. You can
- prevent this by disabling the PHP MCrypt module (if installed).
+ LAM encrypts sensitive data in your session files. You can disable it to reduce CPU
+ load.
diff --git a/lam/docs/manual-sources/images/configGeneral1.png b/lam/docs/manual-sources/images/configGeneral1.png
index 4e3aa8e5..46cf276f 100644
Binary files a/lam/docs/manual-sources/images/configGeneral1.png and b/lam/docs/manual-sources/images/configGeneral1.png differ
diff --git a/lam/help/help.inc b/lam/help/help.inc
index 0d0957b6..a96d14d9 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -155,6 +155,8 @@ $helpArray = array (
"Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
"244" => array ("Headline" => _('PHP error reporting'),
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
+ "245" => array ("Headline" => _('Encrypt session'),
+ "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
"250" => array ("Headline" => _("Filter"),
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
"260" => array ("Headline" => _("Additional LDAP filter"),
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index e84ef2ad..ddcefb0e 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -1400,6 +1400,9 @@ class LAMCfgMain {
/** list of hosts which may access LAM */
public $allowedHosts;
+ /** session encryption */
+ public $encryptSession;
+
/** minimum length for passwords */
public $passwordMinLength = 0;
@@ -1437,7 +1440,8 @@ class LAMCfgMain {
private $settings = array("password", "default", "sessionTimeout",
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
- "passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting');
+ "passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
+ 'encryptSession');
/**
* Loads preferences from config file
@@ -1449,6 +1453,7 @@ class LAMCfgMain {
$this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
+ $this->encryptSession = 'true';
$this->reload();
}
@@ -1516,6 +1521,7 @@ class LAMCfgMain {
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
+ if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 9441d78b..cf7ae048 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -104,6 +104,14 @@ if (isset($_POST['submitFormData'])) {
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
+ // set session encryption
+ if (function_exists('mcrypt_create_iv')) {
+ $encryptSession = 'false';
+ if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
+ $encryptSession = 'true';
+ }
+ $cfg->encryptSession = $encryptSession;
+ }
// set log level
$cfg->logLevel = $_POST['logLevel'];
// set log destination
@@ -263,6 +271,10 @@ $securityTable = new htmlTable();
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
+$encryptSession = ($cfg->encryptSession === 'true');
+$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
+$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
+$securityTable->addElement($encryptSessionBox, true);
// SSL certificate
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
$sslMethod = _('use system certificates');
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 50fa5c4f..7b7b186e 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -125,14 +125,15 @@ $_SESSION['header'] .= "\n encryptSession == 'true')) {
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
if (! $key) {
srand((double)microtime()*1234567);
@@ -651,5 +652,5 @@ if(!empty($_POST['checklogin'])) {
}
//displays the login window
-display_LoginPage($_SESSION["config"]);
+display_LoginPage($_SESSION["config"], $_SESSION["cfgMain"]);
?>