implemented session timeout

lam/help/help.inc

@@ -122,12 +122,14 @@ $helpArray = array (
 					"Text" => _("This changes the password of the selected profile.")),
 				"234" => array ("ext" => "FALSE", "Headline" => _("Profile management") . " - " . _("Change default profile"),
 					"Text" => _("This changes the profile which is selected by default at login.")),
-				"235" => array ("ext" => "FALSE", "Headline" => _("Profile management") . " - " . _("Change master password"),
+				"235" => array ("ext" => "FALSE", "Headline" => _("Change master password"),
 					"Text" => _("If you want to change your master configuration password, please enter it here.")),
-				"236" => array ("ext" => "FALSE", "Headline" => _("Profile management") . " - " . _("Master password"),
+				"236" => array ("ext" => "FALSE", "Headline" => _("Master password"),
 					"Text" => _("Please enter the master configuration password. This is NOT your LDAP password. It is stored in your config.cfg file. If this is the first time you log in, enter \"lam\".")),
 				"237" => array ("ext" => "FALSE", "Headline" => _("Configuration wizard") . " - " . _("Base module"),
 					"Text" => _("Every account type needs exactly one base module. This module provides a structural object class.")),
+				"238" => array ("ext" => "FALSE", "Headline" => _("Session timeout"),
+					"Text" => _("This is the time (in minutes) of inactivity after which a user is automatically logged off.")),
 				"250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
 					"Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
 				// 300 - 399

lam/lib/config.inc

@@ -718,11 +718,15 @@ class CfgMain {
 
 	/** Password to change config.cfg */
 	var $password;
+	
+	/** Time of inactivity before session times out (minutes) */
+	var $sessionTimeout;
 
 	/**
 	* Loads preferences from config file
 	*/
 	function CfgMain() {
+		$this->sessionTimeout = 30;
 		$this->reload();
 	}
 
@@ -742,11 +746,15 @@ class CfgMain {
 				if (($line == "")||($line[0] == "#")) continue; // ignore comments
 				// search keywords
 				if (substr($line, 0, 10) == "password: ") {
-					$this->password = substr($line, 10, strlen($line)-10);
+					$this->password = substr($line, 10, strlen($line) - 10);
 					continue;
 				}
 				if (substr($line, 0, 9) == "default: ") {
-					$this->default = substr($line, 9, strlen($line)-9);
+					$this->default = substr($line, 9, strlen($line) - 9);
+					continue;
+				}
+				if (substr($line, 0, 16) == "sessionTimeout: ") {
+					$this->sessionTimeout = intval(substr($line, 16, strlen($line) - 16));
 					continue;
 				}
 			}
@@ -784,11 +792,17 @@ class CfgMain {
 					$save_default = True;
 					continue;
 				}
+				if (substr($file_array[$i], 0, 16) == "sessionTimeout: ") {
+					$file_array[$i] = "sessionTimeout: " . $this->sessionTimeout . "\n";
+					$save_sessionTimeout = True;
+					continue;
+				}
 			}
 		}
 		// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
 		if (!$save_password == True) array_push($file_array, "\n\n# password to add/delete/rename configuration profiles\n" . "password: " . $this->password);
 		if (!$save_default == True) array_push($file_array, "\n\n# default profile, without \".conf\"\n" . "default: " . $this->default);
+		if (!$save_sessionTimeout == True) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
 		$file = @fopen($conffile, "w");
 		if ($file) {
 			for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);

lam/lib/security.inc

@@ -28,11 +28,16 @@ $Id$
 * @author Roland Gruber
 */
 
+/** configuration options */
+include_once('config.inc');
+
 /**
  * Starts a session and checks the environment.
  * The script is stopped if one of the checks fail.
  */
 function startSecureSession() {
+	// check if client IP is on the list of valid IPs
+	checkClientIP();
 	// start session
 	if (isset($_SESSION)) unset($_SESSION);
 	$sessionDir = substr(__FILE__, 0, strlen(__FILE__) - 17) . "/sess";
@@ -48,10 +53,15 @@ function startSecureSession() {
 		// IP is invalid
 		die();
 	}
-	// check if client IP is on the list of valid IPs
-	checkClientIP();
 	// check if session time has not expired
-	// TODO
+	if (($_SESSION['sec_sessionTime'] + (60 * $_SESSION['cfgMain']->sessionTimeout)) > time()) {
+		// ok, update time
+		$_SESSION['sec_sessionTime'] = time();
+	}
+	else {
+		// session expired, logoff user
+		logoffAndBackToLoginPage();
+	}
 }
 
 /**
@@ -83,4 +93,45 @@ function getValidUserDNs($dn) {
 	return array("uid=test,o=test", "uid=test2,o=test");
 }
 
+/**
+ * Logs off the user and displays the login page.
+ *
+ */
+function logoffAndBackToLoginPage() {
+	// delete key and iv in cookie
+	if (function_exists('mcrypt_create_iv')) {
+		setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
+		setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
+	}
+	// close LDAP connection
+	@$_SESSION["ldap"]->destroy();
+	// link back to login page
+	$paths = array('./', '../', '../../', '../../../');
+	$page = 'login.php';
+	for ($i = 0; $i < sizeof($paths); $i++) {
+		if (file_exists($paths[$i] . $page)) {
+			$page = $paths[$i] . $page;
+			break;
+		}
+	}
+	echo $_SESSION['header'];
+	echo "<title></title>\n";
+	echo "</head>\n";
+	echo "<body>\n";
+	// print JavaScript refresh
+	echo "<script type=\"text/javascript\">\n";
+	echo "top.location.href = \"" . $page . "\";\n";
+	echo "</script>\n";
+	// print link if refresh does not work
+	echo "<p>\n";
+	echo "<a target=\"_top\" href=\"" . $page . "\">" . _("Your session expired, click here to go back to the login page.") . "</a>\n";
+	echo "</p>\n";
+	echo "</body>\n";
+	echo "</html>\n";
+	// destroy session
+	session_destroy();
+	unset($_SESSION);
+	die();
+}
+
 ?>

lam/templates/config/mainmanage.php

@@ -70,30 +70,30 @@ echo $_SESSION['header'];
 
 // check if submit button was pressed
 if ($_POST['submit']) {
+	$errors = array();
 	// set master password
 	if (isset($_POST['masterpassword']) && ($_POST['masterpassword'] != "")) {
 		if ($_POST['masterpassword'] && $_POST['masterpassword2'] && ($_POST['masterpassword'] == $_POST['masterpassword2'])) {
 			$cfg->password = $_POST['masterpassword'];
-			$cfg->save();
 			$msg = _("New master password set successfully.");
 			unset($_SESSION["mainconf_password"]);
 		}
-		else $error = _("Master passwords are different or empty!");
+		else $errors[] = _("Master passwords are different or empty!");
+	}
+	// set session timeout
+	$cfg->sessionTimeout = $_POST['sessionTimeout'];
+	// save settings
+	$cfg->save();
+	// print messages
+	if (sizeof($errors) > 0) {
+		for ($i = 0; $i < sizeof($errors); $i++) StatusMessage("ERROR", $errors[$i]);
 	}
 	else {
-		$msg = _("No changes were made.");
+		StatusMessage("INFO", _("Your settings were successfully saved."));
+		// back to login page
+		echo "<p><a href=\"../login.php\">" . _("Back to login") . "</a></p>";
+		exit();
 	}
-	// print messages
-	if ($error || $msg) {
-		if ($error) StatusMessage("ERROR", "", $error);
-		if ($msg) {
-			StatusMessage("INFO", "", $msg);
-			// back to login page
-			echo "<p><a href=\"../login.php\">" . _("Back to login") . "</a></p>";
-			exit();
-		}
-	}
-	else exit;
 }
 ?>
 
@@ -102,6 +102,40 @@ if ($_POST['submit']) {
 		<form action="mainmanage.php" method="post">
 		<table border="0">
 		<tr><td>
+		<fieldset>
+			<legend><b> <?php echo _("Security settings"); ?> </b></legend>
+			<p>
+			<table cellspacing="0" border="0">
+				<!-- session timeout -->
+				<tr>
+					<td align="right">
+						<?php echo _("Session timeout"); ?>
+						<SELECT name="sessionTimeout">
+						<?php
+						$options = array(5, 10, 20, 30, 60);
+						for ($i = 0; $i < sizeof($options); $i++) {
+							if ($cfg->sessionTimeout == $options[$i]) {
+								echo "<option selected>" . $cfg->sessionTimeout . "</option>";
+							}
+							else {
+								echo "<option>" . $options[$i] . "</option>";
+							}
+						}
+						?>
+						</SELECT>
+					</td>
+					<td>&nbsp;
+					<?PHP
+						// help link
+						echo "<a href=\"../help.php?HelpNumber=238\" target=\"lamhelp\">";
+						echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
+						echo "</a>\n";
+					?>
+					</td>
+				</tr>
+			</table>
+		</fieldset>
+		<BR>
 		<fieldset>
 			<legend><b> <?php echo _("Change master password"); ?> </b></legend>
 			<p>
@@ -110,7 +144,7 @@ if ($_POST['submit']) {
 				<tr>
 					<td align="right">
 						<FONT color="Red"><B>
-						<?php echo _("New master password") . ":"; ?>
+						<?php echo _("New master password"); ?>
 						</B></FONT>
 						<input type="password" name="masterpassword">
 					</td>
@@ -126,7 +160,7 @@ if ($_POST['submit']) {
 				<tr>
 					<td align="right">
 						<FONT color="Red"><B>
-						<?php echo _("Reenter new master password") . ":"; ?>
+						<?php echo _("Reenter new master password"); ?>
 						</B></FONT>
 						<input type="password" name="masterpassword2">
 					</td>

lam/templates/login.php

@@ -367,6 +367,7 @@ if(!empty($_POST['checklogin']))
 			// set security settings for session
 			$_SESSION['sec_session_id'] = session_id();
 			$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
+			$_SESSION['sec_sessionTime'] = time();
 			// Load main frame
 			include("./main.php");
 		}
@@ -407,6 +408,7 @@ else
 	$default_Config = new CfgMain();
 	$default_Profile = $default_Config->default;
 	$_SESSION["config"] = new Config($default_Profile); // Create new Config object
+	$_SESSION["cfgMain"] = $default_Config; // Create new CfgMain object
 
 	display_LoginPage($_SESSION["config"]); // Load Login page
 }