make session encryption optional
This commit is contained in:
parent
14a619989e
commit
750a118884
|
@ -996,6 +996,13 @@ Have fun!
|
||||||
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
|
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
|
||||||
access LAM via an untrusted IP only get blank pages.</para>
|
access LAM via an untrusted IP only get blank pages.</para>
|
||||||
|
|
||||||
|
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||||
|
data like passwords in your session files. This is only available when
|
||||||
|
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
|
||||||
|
adds extra security but also costs performance. If you manage a large
|
||||||
|
directory you might want to disable this and take other actions to
|
||||||
|
secure your LAM server.</para>
|
||||||
|
|
||||||
<screenshot>
|
<screenshot>
|
||||||
<mediaobject>
|
<mediaobject>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
|
@ -8885,8 +8892,9 @@ objectclass: top
|
||||||
<para><emphasis role="bold">Disable session
|
<para><emphasis role="bold">Disable session
|
||||||
encryption</emphasis></para>
|
encryption</emphasis></para>
|
||||||
|
|
||||||
<para>LAM encrypts sensitive data in your session files. You can
|
<para>LAM encrypts sensitive data in your session files. You can <link
|
||||||
prevent this by disabling the PHP MCrypt module (if installed).</para>
|
linkend="sessionEncryption">disable</link> it to reduce CPU
|
||||||
|
load.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</appendix>
|
</appendix>
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 18 KiB |
|
@ -155,6 +155,8 @@ $helpArray = array (
|
||||||
"Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
|
"Text" => _('Please change this setting only if you experience problems in receiving emails from LAM. This defines the line ending of emails.')),
|
||||||
"244" => array ("Headline" => _('PHP error reporting'),
|
"244" => array ("Headline" => _('PHP error reporting'),
|
||||||
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
||||||
|
"245" => array ("Headline" => _('Encrypt session'),
|
||||||
|
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
|
||||||
"250" => array ("Headline" => _("Filter"),
|
"250" => array ("Headline" => _("Filter"),
|
||||||
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
|
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
|
||||||
"260" => array ("Headline" => _("Additional LDAP filter"),
|
"260" => array ("Headline" => _("Additional LDAP filter"),
|
||||||
|
|
|
@ -1400,6 +1400,9 @@ class LAMCfgMain {
|
||||||
/** list of hosts which may access LAM */
|
/** list of hosts which may access LAM */
|
||||||
public $allowedHosts;
|
public $allowedHosts;
|
||||||
|
|
||||||
|
/** session encryption */
|
||||||
|
public $encryptSession;
|
||||||
|
|
||||||
/** minimum length for passwords */
|
/** minimum length for passwords */
|
||||||
public $passwordMinLength = 0;
|
public $passwordMinLength = 0;
|
||||||
|
|
||||||
|
@ -1437,7 +1440,8 @@ class LAMCfgMain {
|
||||||
private $settings = array("password", "default", "sessionTimeout",
|
private $settings = array("password", "default", "sessionTimeout",
|
||||||
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
|
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
|
||||||
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
|
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
|
||||||
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting');
|
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
|
||||||
|
'encryptSession');
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Loads preferences from config file
|
* Loads preferences from config file
|
||||||
|
@ -1449,6 +1453,7 @@ class LAMCfgMain {
|
||||||
$this->logLevel = LOG_NOTICE;
|
$this->logLevel = LOG_NOTICE;
|
||||||
$this->logDestination = "SYSLOG";
|
$this->logDestination = "SYSLOG";
|
||||||
$this->allowedHosts = "";
|
$this->allowedHosts = "";
|
||||||
|
$this->encryptSession = 'true';
|
||||||
$this->reload();
|
$this->reload();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1516,6 +1521,7 @@ class LAMCfgMain {
|
||||||
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
||||||
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
||||||
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
|
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
|
||||||
|
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
|
||||||
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
|
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
|
||||||
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
|
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
|
||||||
if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);
|
if (!in_array("passwordMinLower", $saved)) array_push($file_array, "\n\n# Password: minimum lowercase characters\n" . "passwordMinLower: " . $this->passwordMinLower);
|
||||||
|
|
|
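Review bot: The new `$encryptSession` property on LAMCfgMain holds a boolean as the strings 'true'/'false', but its docblock `/** session encryption */` does not say so, and neither the constructor default nor the save loop normalizes the value. A config file edited by hand to `encryptSession: yes` or `True` would be written back unchanged and, judging by the `== 'true'` test in the login page hunk, would silently disable encryption. I would document the representation, `/** session encryption: the string 'true' or 'false' (any other value is treated as disabled) */`, and, if reload() (outside this diff) does not already do it, coerce the loaded value to one of the two strings there. The `$settings` list, the constructor default and the save loop in the other hunks of this file are consistent with each other.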
@ -104,6 +104,14 @@ if (isset($_POST['submitFormData'])) {
|
||||||
}
|
}
|
||||||
else $allowedHosts = "";
|
else $allowedHosts = "";
|
||||||
$cfg->allowedHosts = $allowedHosts;
|
$cfg->allowedHosts = $allowedHosts;
|
||||||
|
// set session encryption
|
||||||
|
if (function_exists('mcrypt_create_iv')) {
|
||||||
|
$encryptSession = 'false';
|
||||||
|
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
|
||||||
|
$encryptSession = 'true';
|
||||||
|
}
|
||||||
|
$cfg->encryptSession = $encryptSession;
|
||||||
|
}
|
||||||
// set log level
|
// set log level
|
||||||
$cfg->logLevel = $_POST['logLevel'];
|
$cfg->logLevel = $_POST['logLevel'];
|
||||||
// set log destination
|
// set log destination
|
||||||
|
@ -263,6 +271,10 @@ $securityTable = new htmlTable();
|
||||||
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
|
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
|
||||||
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
|
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
|
||||||
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
|
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
|
||||||
|
$encryptSession = ($cfg->encryptSession === 'true');
|
||||||
|
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
||||||
|
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
|
||||||
|
$securityTable->addElement($encryptSessionBox, true);
|
||||||
// SSL certificate
|
// SSL certificate
|
||||||
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
||||||
$sslMethod = _('use system certificates');
|
$sslMethod = _('use system certificates');
|
||||||
|
|
|
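Review bot: The checkbox value is tested with loose comparison `$_POST['encryptSession'] == 'on'` while the same setting is read back with strict comparison a few lines later (`$cfg->encryptSession === 'true'`); use strict comparison in both places. The two-statement assignment could also be one expression, `$cfg->encryptSession = (isset($_POST['encryptSession']) && $_POST['encryptSession'] === 'on') ? 'true' : 'false';`. When mcrypt is unavailable the whole block is skipped, so the stored value is preserved rather than reset; that looks intended, since the checkbox is disabled on the form in the same case, but a comment such as `// keep the stored value when MCrypt is missing; the checkbox is disabled then` would make it explicit.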
@ -125,14 +125,15 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
|
||||||
/**
|
/**
|
||||||
* Displays the login window.
|
* Displays the login window.
|
||||||
*
|
*
|
||||||
* @param object $config_object current active configuration
|
* @param LAMConfig $config_object current active configuration
|
||||||
|
* @param LAMCfgMain $cfgMain main configuration
|
||||||
*/
|
*/
|
||||||
function display_LoginPage($config_object) {
|
function display_LoginPage($config_object, $cfgMain) {
|
||||||
logNewMessage(LOG_DEBUG, "Display login page");
|
logNewMessage(LOG_DEBUG, "Display login page");
|
||||||
global $error_message;
|
global $error_message;
|
||||||
// generate 256 bit key and initialization vector for user/passwd-encryption
|
// generate 256 bit key and initialization vector for user/passwd-encryption
|
||||||
// check if we can use /dev/urandom otherwise use rand()
|
// check if we can use /dev/urandom otherwise use rand()
|
||||||
if(function_exists('mcrypt_create_iv')) {
|
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
|
||||||
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
||||||
if (! $key) {
|
if (! $key) {
|
||||||
srand((double)microtime()*1234567);
|
srand((double)microtime()*1234567);
|
||||||
|
@ -651,5 +652,5 @@ if(!empty($_POST['checklogin'])) {
|
||||||
}
|
}
|
||||||
|
|
||||||
//displays the login window
|
//displays the login window
|
||||||
display_LoginPage($_SESSION["config"]);
|
display_LoginPage($_SESSION["config"], $_SESSION["cfgMain"]);
|
||||||
?>
|
?>
|
||||||
|
|
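Review bot: The condition `function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')` folds an administrator's opt-out together with a missing extension and falls through to the unencrypted path for any value other than exactly 'true', without leaving a trace in the log. I would use strict comparison, `($cfgMain->encryptSession === 'true')`, and log once on the disabled path so an operator can see that credentials are kept unencrypted in the session, e.g. `logNewMessage(LOG_NOTICE, 'Session encryption disabled');` in the else branch, which lies outside this hunk. The new `$cfgMain` parameter is documented but not type-hinted; `LAMCfgMain $cfgMain` would fail early if the caller's `$_SESSION["cfgMain"]` is not populated, which this diff does not show. display_LoginPage's body continues outside the hunk.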