secured session handling
parent
201e4c7c50
commit
90daf93e14
|
@ -44,7 +44,7 @@ function startSecureSession() {
|
||||||
// start session
|
// start session
|
||||||
if (isset($_SESSION)) unset($_SESSION);
|
if (isset($_SESSION)) unset($_SESSION);
|
||||||
if (strtolower(session_module_name()) == 'files') {
|
if (strtolower(session_module_name()) == 'files') {
|
||||||
$sessionDir = substr(__FILE__, 0, strlen(__FILE__) - 17) . "/sess";
|
$sessionDir = dirname(__FILE__) . "/../sess";
|
||||||
session_save_path($sessionDir);
|
session_save_path($sessionDir);
|
||||||
}
|
}
|
||||||
@session_start();
|
@session_start();
|
||||||
|
|
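Review bot: `@session_start()` on the new side still mutes every warning from the session start, so if the new save path `dirname(__FILE__) . "/../sess"` is missing or not writable the call fails silently and the session never persists; check the result instead of suppressing it, e.g. `if (!session_start()) { trigger_error('Unable to start the session', E_USER_ERROR); }`. The remainder of startSecureSession lies outside the hunk; the other files in this commit add `session_regenerate_id(true)` after their `session_start()`, while the visible part of this function does not, so it is worth confirming the id is regenerated somewhere in this path as well.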
|
@ -37,9 +37,10 @@ include_once('../../lib/status.inc');
|
||||||
|
|
||||||
// start session
|
// start session
|
||||||
if (strtolower(session_module_name()) == 'files') {
|
if (strtolower(session_module_name()) == 'files') {
|
||||||
session_save_path("../../sess");
|
session_save_path(dirname(__FILE__) . '/../../sess');
|
||||||
}
|
}
|
||||||
@session_start();
|
session_start();
|
||||||
|
session_regenerate_id(true);
|
||||||
|
|
||||||
setlanguage();
|
setlanguage();
|
||||||
|
|
||||||
|
|
|
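Review bot: `session_regenerate_id(true)` now runs on every request to this page, before `setlanguage()` and before any authentication, and the `true` argument deletes the old session data immediately, so a second concurrent request from the same browser that still carries the previous id (parallel tab, AJAX or asset load) will start with an empty session. Regenerating the id is the right defence against fixation, but it is normally done once at a privilege change rather than on every page load; if per-request rotation is intended, say so in the code, e.g. `// rotate the session id on every request; the old session data is discarded`. The return value of the now unsuppressed `session_start()` is still not checked. The identical hunk `@ -37,9 +37,10 @@` further down in the second file of this commit has the same properties.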
@ -3,7 +3,7 @@
|
||||||
$Id$
|
$Id$
|
||||||
|
|
||||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||||
Copyright (C) 2003 - 2009 Roland Gruber
|
Copyright (C) 2003 - 2010 Roland Gruber
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -53,7 +53,7 @@ if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
|
||||||
if (!isset($passwd) && !isset($_SESSION['conf_isAuthenticated'])) {
|
if (!isset($passwd) && !isset($_SESSION['conf_isAuthenticated'])) {
|
||||||
$_SESSION['conf_message'] = _("No password was entered!");
|
$_SESSION['conf_message'] = _("No password was entered!");
|
||||||
/** go back to login if password is empty */
|
/** go back to login if password is empty */
|
||||||
require('conflogin.php');
|
metaRefresh('conflogin.php');
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
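Review bot: With `require('conflogin.php')` replaced by `metaRefresh('conflogin.php')` here and in the `@ -71,7 +71,7 @@` hunk below, the text stored in `$_SESSION['conf_message']` must survive into the next request, which works only if the session is written on `exit` and conflogin.php reads and clears that key; neither is visible from this hunk. If `metaRefresh` only emits an HTML meta refresh, a plain HTTP redirect `header('Location: conflogin.php', true, 303); exit;` would be the more robust way to bounce the client back to the login form.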
@ -71,7 +71,7 @@ if ((!isset($_SESSION['conf_isAuthenticated']) || !($_SESSION['conf_isAuthentica
|
||||||
}
|
}
|
||||||
$_SESSION['conf_message'] = _("The password is invalid! Please try again.");
|
$_SESSION['conf_message'] = _("The password is invalid! Please try again.");
|
||||||
/** go back to login if password is invalid */
|
/** go back to login if password is invalid */
|
||||||
require('conflogin.php');
|
metaRefresh('conflogin.php');
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
$_SESSION['conf_isAuthenticated'] = $conf->getName();
|
$_SESSION['conf_isAuthenticated'] = $conf->getName();
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
$Id$
|
$Id$
|
||||||
|
|
||||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||||
Copyright (C) 2003 - 2009 Roland Gruber
|
Copyright (C) 2003 - 2010 Roland Gruber
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -37,9 +37,10 @@ include_once('../../lib/status.inc');
|
||||||
|
|
||||||
// start session
|
// start session
|
||||||
if (strtolower(session_module_name()) == 'files') {
|
if (strtolower(session_module_name()) == 'files') {
|
||||||
session_save_path("../../sess");
|
session_save_path(dirname(__FILE__) . '/../../sess');
|
||||||
}
|
}
|
||||||
@session_start();
|
session_start();
|
||||||
|
session_regenerate_id(true);
|
||||||
|
|
||||||
setlanguage();
|
setlanguage();
|
||||||
|
|
||||||
|
|
|
@ -45,15 +45,50 @@ include_once("../lib/config.inc"); // Include config.inc which provides Config c
|
||||||
|
|
||||||
// set session save path
|
// set session save path
|
||||||
if (strtolower(session_module_name()) == 'files') {
|
if (strtolower(session_module_name()) == 'files') {
|
||||||
session_save_path("../sess");
|
session_save_path(dirname(__FILE__) . '/../sess');
|
||||||
}
|
}
|
||||||
session_start(); // Start LDAP Account Manager session
|
|
||||||
|
// start empty session and change ID for security reasons
|
||||||
|
session_start();
|
||||||
|
session_destroy();
|
||||||
|
session_start();
|
||||||
|
session_regenerate_id(true);
|
||||||
|
|
||||||
// save last selected login profile
|
// save last selected login profile
|
||||||
if(isset($_POST['profile'])) {
|
if(isset($_POST['profile'])) {
|
||||||
setcookie("lam_default_profile", $_POST['profile'], time() + 365*60*60*24);
|
setcookie("lam_default_profile", $_POST['profile'], time() + 365*60*60*24);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// init some session variables
|
||||||
|
$_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session
|
||||||
|
|
||||||
|
$default_Config = new LAMCfgMain();
|
||||||
|
$_SESSION["cfgMain"] = $default_Config;
|
||||||
|
$default_Profile = $default_Config->default;
|
||||||
|
if(isset($_COOKIE["lam_default_profile"])) {
|
||||||
|
$default_Profile = $_COOKIE["lam_default_profile"];
|
||||||
|
}
|
||||||
|
// Reload loginpage after a profile change
|
||||||
|
if(isset($_POST['profileChange'])) {
|
||||||
|
logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']);
|
||||||
|
$_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited
|
||||||
|
}
|
||||||
|
// Load login page
|
||||||
|
else {
|
||||||
|
$_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object
|
||||||
|
}
|
||||||
|
|
||||||
|
$_SESSION['language'] = $_SESSION["config"]->get_defaultLanguage();
|
||||||
|
if (isset($_POST['language'])) {
|
||||||
|
$_SESSION['language'] = $_POST['language']; // Write selected language in session
|
||||||
|
}
|
||||||
|
$current_language = explode(":",$_SESSION['language']);
|
||||||
|
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
|
||||||
|
$_SESSION['header'] .= "<html>\n<head>\n";
|
||||||
|
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
|
||||||
|
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Displays the login window.
|
* Displays the login window.
|
||||||
*
|
*
|
||||||
|
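Review bot: `$_SESSION['language']` is taken straight from `$_POST['language']`, and after the `explode(":", ...)` the fragment `$current_language[1]` is concatenated unescaped into the `<meta ... charset=...>` line of `$_SESSION['header']`, so a client-supplied value lands raw in the HTML head of later pages, and a value without a colon leaves `$current_language[1]` undefined. The hunk itself says the allowed languages come from `../config/language`; accept `$_POST['language']` only when it matches one of those entries, and escape the fragment anyway: `$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . htmlspecialchars($current_language[1], ENT_QUOTES) . "\">\n";`. The same applies to `$_POST['profile']` and `$_COOKIE["lam_default_profile"]`, which reach `new LAMConfig(...)` unvalidated; if LAMConfig derives a file path from that name (outside this hunk), restricting the value to the set of existing profile names closes the gap. The `session_start(); session_destroy(); session_start(); session_regenerate_id(true);` sequence looks right for discarding a pre-set id but depends on the second `session_start()` re-reading an empty session; a comment such as `// second start re-reads an empty session, regenerate issues an id the client has never seen` would document that intent.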
@ -79,15 +114,6 @@ function display_LoginPage($config_object) {
|
||||||
setcookie("Key", base64_encode($key), 0, "/");
|
setcookie("Key", base64_encode($key), 0, "/");
|
||||||
setcookie("IV", base64_encode($iv), 0, "/");
|
setcookie("IV", base64_encode($iv), 0, "/");
|
||||||
}
|
}
|
||||||
|
|
||||||
$_SESSION['language'] = $config_object->get_defaultLanguage();
|
|
||||||
|
|
||||||
$current_language = explode(":",$_SESSION['language']);
|
|
||||||
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
|
|
||||||
$_SESSION['header'] .= "<html>\n<head>\n";
|
|
||||||
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
|
|
||||||
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
|
|
||||||
|
|
||||||
// loading available languages from language.conf file
|
// loading available languages from language.conf file
|
||||||
$languagefile = "../config/language";
|
$languagefile = "../config/language";
|
||||||
if(is_file($languagefile) == True)
|
if(is_file($languagefile) == True)
|
||||||
|
@ -347,8 +373,6 @@ function display_LoginPage($config_object) {
|
||||||
|
|
||||||
// checking if the submitted username/password is correct.
|
// checking if the submitted username/password is correct.
|
||||||
if(!empty($_POST['checklogin'])) {
|
if(!empty($_POST['checklogin'])) {
|
||||||
$_SESSION['lampath'] = realpath('../') . "/"; // Save full path to lam in session
|
|
||||||
|
|
||||||
include_once("../lib/ldap.inc"); // Include ldap.php which provides Ldap class
|
include_once("../lib/ldap.inc"); // Include ldap.php which provides Ldap class
|
||||||
|
|
||||||
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
|
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
|
||||||
|
@ -419,12 +443,6 @@ if(!empty($_POST['checklogin'])) {
|
||||||
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password
|
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password
|
||||||
if($result === 0) {// Username/password correct. Do some configuration and load main frame.
|
if($result === 0) {// Username/password correct. Do some configuration and load main frame.
|
||||||
$_SESSION['loggedIn'] = true;
|
$_SESSION['loggedIn'] = true;
|
||||||
$_SESSION['language'] = $_POST['language']; // Write selected language in session
|
|
||||||
$current_language = explode(":",$_SESSION['language']);
|
|
||||||
$_SESSION['header'] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n\n";
|
|
||||||
$_SESSION['header'] .= "<html>\n<head>\n";
|
|
||||||
$_SESSION['header'] .= "<meta http-equiv=\"content-type\" content=\"text/html; charset=" . $current_language[1] . "\">\n";
|
|
||||||
$_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <meta http-equiv=\"cache-control\" content=\"no-cache\">";
|
|
||||||
// set security settings for session
|
// set security settings for session
|
||||||
$_SESSION['sec_session_id'] = session_id();
|
$_SESSION['sec_session_id'] = session_id();
|
||||||
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
|
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
|
||||||
|
@ -440,49 +458,28 @@ if(!empty($_POST['checklogin'])) {
|
||||||
// connection failed
|
// connection failed
|
||||||
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
||||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||||
display_LoginPage($_SESSION['config']);
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
elseif ($result == 81) {
|
elseif ($result == 81) {
|
||||||
// connection failed
|
// connection failed
|
||||||
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
||||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||||
display_LoginPage($_SESSION['config']);
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
elseif ($result == 49) {
|
elseif ($result == 49) {
|
||||||
// user name/password invalid. Return to login page.
|
// user name/password invalid. Return to login page.
|
||||||
$error_message = _("Wrong password/user name combination. Please try again.");
|
$error_message = _("Wrong password/user name combination. Please try again.");
|
||||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).');
|
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).');
|
||||||
display_LoginPage($_SESSION['config']);
|
|
||||||
exit();
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
// other errors
|
// other errors
|
||||||
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
|
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
|
||||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||||
|
}
|
||||||
display_LoginPage($_SESSION['config']);
|
display_LoginPage($_SESSION['config']);
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
// Reload loginpage after a profile change
|
|
||||||
elseif(!empty($_POST['profileChange'])) {
|
|
||||||
logNewMessage(LOG_DEBUG, "Change server profile to " . $_POST['profile']);
|
|
||||||
$_SESSION['config'] = new LAMConfig($_POST['profile']); // Recreate the config object with the submited
|
|
||||||
display_LoginPage($_SESSION['config']); // Load login page
|
|
||||||
}
|
|
||||||
// Load login page
|
|
||||||
else {
|
|
||||||
$default_Config = new LAMCfgMain();
|
|
||||||
$default_Profile = $default_Config->default;
|
|
||||||
if(isset($_COOKIE["lam_default_profile"])) {
|
|
||||||
$default_Profile = $_COOKIE["lam_default_profile"];
|
|
||||||
}
|
|
||||||
$_SESSION["config"] = new LAMConfig($default_Profile); // Create new Config object
|
|
||||||
$_SESSION["cfgMain"] = $default_Config; // Create new CfgMain object
|
|
||||||
|
|
||||||
display_LoginPage($_SESSION["config"]); // Load Login page
|
display_LoginPage($_SESSION["config"]);
|
||||||
}
|
|
||||||
?>
|
?>
|
||||||
|
|
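Review bot: The consolidated `display_LoginPage($_SESSION['config']); exit();` placed after the `else { // other errors ... }` block now runs for every value of `$result`, including the `$result === 0` success path whose branch begins outside this hunk; unless that branch ends in a redirect followed by `exit()`, a correctly authenticated user is shown the login page again. Please confirm the success branch terminates the request, or keep the call inside the failure branches only. Separately, the trailing `?>` kept at the end of the file is best dropped in a PHP-only file, because any whitespace after it becomes response output.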