secured session handling

This commit is contained in:
Roland Gruber 2010-02-06 11:50:26 +00:00
parent 201e4c7c50
commit 90daf93e14
5 changed files with 52 additions and 53 deletions


@ -44,7 +44,7 @@ function startSecureSession() {
// start session // start session
if (isset($_SESSION)) unset($_SESSION); if (isset($_SESSION)) unset($_SESSION);
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
$sessionDir = substr(__FILE__, 0, strlen(__FILE__) - 17) . "/sess"; $sessionDir = dirname(__FILE__) . "/../sess";
session_save_path($sessionDir); session_save_path($sessionDir);
} }
@session_start(); @session_start();
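Review bot: The `@` on `@session_start();` at the end of the hunk still hides the case where the session cannot be started (unwritable `sess` directory, output already sent), so callers continue with an empty `$_SESSION` and no indication that their state will not be persisted. `session_start()` returns false on failure; check it and fail closed, e.g. `if (!session_start()) { die('Unable to start session'); }` (constructed message), instead of suppressing the warning. startSecureSession() continues outside the hunk, so whatever it does after this line currently runs even when the start failed.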


@ -37,9 +37,10 @@ include_once('../../lib/status.inc');
// start session // start session
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path(dirname(__FILE__) . '/../../sess');
} }
@session_start(); session_start();
session_regenerate_id(true);
setlanguage(); setlanguage();
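Review bot: `session_regenerate_id(true);` runs at the top of this page on every request, before anything has been authenticated, and the same line is added in the fourth file of this commit. Because the old session is deleted on each regeneration, two requests from the same browser in flight at once (a frameset, a double click) leave the second one carrying a cookie for an id that no longer exists, so its `$_SESSION` starts empty and the user falls out of the config session. The regeneration that defeats fixation is the one tied to the point where the config password is verified; pin it there, or guard it with a session flag so it happens once per session, rather than on every page load. The return value of the now un-suppressed `session_start()` is also unchecked, so a failed start still continues into `setlanguage()` and the rest of the page.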


@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2009 Roland Gruber Copyright (C) 2003 - 2010 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -53,7 +53,7 @@ if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
if (!isset($passwd) && !isset($_SESSION['conf_isAuthenticated'])) { if (!isset($passwd) && !isset($_SESSION['conf_isAuthenticated'])) {
$_SESSION['conf_message'] = _("No password was entered!"); $_SESSION['conf_message'] = _("No password was entered!");
/** go back to login if password is empty */ /** go back to login if password is empty */
require('conflogin.php'); metaRefresh('conflogin.php');
exit; exit;
} }
@ -71,7 +71,7 @@ if ((!isset($_SESSION['conf_isAuthenticated']) || !($_SESSION['conf_isAuthentica
} }
$_SESSION['conf_message'] = _("The password is invalid! Please try again."); $_SESSION['conf_message'] = _("The password is invalid! Please try again.");
/** go back to login if password is invalid */ /** go back to login if password is invalid */
require('conflogin.php'); metaRefresh('conflogin.php');
exit; exit;
} }
$_SESSION['conf_isAuthenticated'] = $conf->getName(); $_SESSION['conf_isAuthenticated'] = $conf->getName();
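Review bot: `$_SESSION['conf_isAuthenticated'] = $conf->getName();` on the last line is the privilege change of the config session, and nothing in this hunk gives the session a fresh id at that point; the two files that gain `session_regenerate_id(true)` in this commit do it on every request, but whether this file's header does the same is not visible here. Adding `session_regenerate_id(true);` immediately before that assignment ties the new id to the successful password check regardless of what the page header does. With `require('conflogin.php')` replaced by `metaRefresh('conflogin.php')`, the login page now renders in a separate request and `$_SESSION['conf_message']` is the only channel carrying the error text, which is worth a one-line comment at the two `metaRefresh` call sites.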


@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2009 Roland Gruber Copyright (C) 2003 - 2010 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -37,9 +37,10 @@ include_once('../../lib/status.inc');
// start session // start session
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path(dirname(__FILE__) . '/../../sess');
} }
@session_start(); session_start();
session_regenerate_id(true);
setlanguage(); setlanguage();


@ -45,15 +45,50 @@ include_once("../lib/config.inc"); // Include config.inc which provides Config c
// set session save path // set session save path
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../sess"); session_save_path(dirname(__FILE__) . '/../sess');
} }
session_start(); // Start LDAP Account Manager session
// start empty session and change ID for security reasons
session_start();
session_destroy();
session_start();
session_regenerate_id(true);
// save last selected login profile // save last selected login profile
if(isset($_POST['profile'])) { if(isset($_POST['profile'])) {
setcookie("lam_default_profile", $_POST['profile'], time() + 365*60*60*24); setcookie("lam_default_profile", $_POST['profile'], time() + 365*60*60*24);
} }
// init some session variables
$_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session
$default_Config = new LAMCfgMain();
$_SESSION["cfgMain"] = $default_Config;
$default_Profile = $default_Config->default;
if(isset($_COOKIE["lam_default_profile"])) {
$default_Profile = $_COOKIE["lam_default_profile"];
}
// Reload loginpage after a profile change
if(isset($_POST['profileChange'])) {
logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']);
$_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited
}
// Load login page
else {
$_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object
}
$_SESSION['language'] = $_SESSION["config"]->get_defaultLanguage();
if (isset($_POST['language'])) {
$_SESSION['language'] = $_POST['language']; // Write selected language in session
}
$current_language = explode(":",$_SESSION['language']);
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
$_SESSION['header'] .= "<html>\n<head>\n";
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
/** /**
* Displays the login window. * Displays the login window.
* *
@ -79,15 +114,6 @@ function display_LoginPage($config_object) {
setcookie("Key", base64_encode($key), 0, "/"); setcookie("Key", base64_encode($key), 0, "/");
setcookie("IV", base64_encode($iv), 0, "/"); setcookie("IV", base64_encode($iv), 0, "/");
} }
$_SESSION['language'] = $config_object->get_defaultLanguage();
$current_language = explode(":",$_SESSION['language']);
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
$_SESSION['header'] .= "<html>\n<head>\n";
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
// loading available languages from language.conf file // loading available languages from language.conf file
$languagefile = "../config/language"; $languagefile = "../config/language";
if(is_file($languagefile) == True) if(is_file($languagefile) == True)
@ -347,8 +373,6 @@ function display_LoginPage($config_object) {
// checking if the submitted username/password is correct. // checking if the submitted username/password is correct.
if(!empty($_POST['checklogin'])) { if(!empty($_POST['checklogin'])) {
$_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session
include_once("../lib/ldap.inc"); // Include ldap.php which provides Ldap class include_once("../lib/ldap.inc"); // Include ldap.php which provides Ldap class
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object $_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
@ -419,12 +443,6 @@ if(!empty($_POST['checklogin'])) {
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password $result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password
if($result === 0) {// Username/password correct. Do some configuration and load main frame. if($result === 0) {// Username/password correct. Do some configuration and load main frame.
$_SESSION['loggedIn'] = true; $_SESSION['loggedIn'] = true;
$_SESSION['language'] = $_POST['language']; // Write selected language in session
$current_language = explode(":",$_SESSION['language']);
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
$_SESSION['header'] .= "<html>\n<head>\n";
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
// set security settings for session // set security settings for session
$_SESSION['sec_session_id'] = session_id(); $_SESSION['sec_session_id'] = session_id();
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
@ -440,49 +458,28 @@ if(!empty($_POST['checklogin'])) {
// connection failed // connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again."); $error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
display_LoginPage($_SESSION['config']);
exit();
} }
elseif ($result == 81) { elseif ($result == 81) {
// connection failed // connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again."); $error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
display_LoginPage($_SESSION['config']);
exit();
} }
elseif ($result == 49) { elseif ($result == 49) {
// user name/password invalid. Return to login page. // user name/password invalid. Return to login page.
$error_message = _("Wrong password/user name combination. Please try again."); $error_message = _("Wrong password/user name combination. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).'); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).');
display_LoginPage($_SESSION['config']);
exit();
} }
else { else {
// other errors // other errors
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result); $error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
display_LoginPage($_SESSION['config']); display_LoginPage($_SESSION['config']);
exit(); exit();
} }
} }
} }
}
// Reload loginpage after a profile change
elseif(!empty($_POST['profileChange'])) {
logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']);
$_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited
display_LoginPage($_SESSION['config']); // Load login page
}
// Load login page
else {
$default_Config = new LAMCfgMain();
$default_Profile = $default_Config->default;
if(isset($_COOKIE["lam_default_profile"])) {
$default_Profile = $_COOKIE["lam_default_profile"];
}
$_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object
$_SESSION["cfgMain"] = $default_Config; // Create new CfgMain object
display_LoginPage($_SESSION["config"]); // Load Login page display_LoginPage($_SESSION["config"]);
}
?> ?>
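Review bot: `$_SESSION['language'] = $_POST['language'];` in the `isset($_POST['language'])` branch of the first hunk now stores the posted value before any login, and a few lines later `$current_language[1]` is concatenated unescaped into the `content-type` meta tag kept in `$_SESSION['header']`, something the removed code only did after a successful LDAP bind. Accept the posted language only if it matches one of the entries display_LoginPage reads from `../config/language`, and escape the fragment when the header is built, e.g. `charset=" . htmlspecialchars($current_language[1]) . "\">\n"`; `explode(":", ...)` also needs the value to contain a colon, or `$current_language[1]` is undefined. The same applies to `$_POST['profile']` and `$_COOKIE["lam_default_profile"]`, which go straight into `new LAMConfig(...)` and `setcookie()`; unless LAMConfig itself rejects anything that is not an existing profile name, compare them against the known profile names first.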