sessionTimeout)) > time()) { // ok, update time $_SESSION['sec_sessionTime'] = time(); } else { // session expired, logoff user logoffAndBackToLoginPage(); } } /** * Checks if the client's IP address is on the list of allowed IPs. * The script is stopped if the host is not valid. * */ function checkClientIP() { if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain']; else $cfg = new LAMCfgMain(); $allowedHosts = $cfg->allowedHosts; // skip test if no hosts are defined if ($allowedHosts == "") return; $allowedHosts = explode(",", $allowedHosts); $grantAccess = false; for ($i = 0; $i < sizeof($allowedHosts); $i++) { $host = $allowedHosts[$i]; $ipRegex = '^[0-9\\.\\*]+$'; if (!ereg($ipRegex, $host)) continue; $hostRegex = str_replace(".", "\\.", $host); $hostRegex = '^' . str_replace("*", ".*", $hostRegex) . '$'; $clientIP = $_SERVER['REMOTE_ADDR']; if (ereg($hostRegex, $clientIP)) { // client is allowed to access LAM $grantAccess = true; } } // stop script is client may not access LAM if (!$grantAccess) die(); } /** * Logs off the user and displays the login page. * */ function logoffAndBackToLoginPage() { // log message $ldapUser = $_SESSION['ldap']->decrypt_login(); logNewMessage(LOG_WARNING, 'Session of user ' . $ldapUser[0] . ' expired.'); // delete key and iv in cookie if (function_exists('mcrypt_create_iv')) { setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); } // close LDAP connection @$_SESSION["ldap"]->destroy(); // link back to login page $paths = array('./', '../', '../../', '../../../'); $page = 'login.php'; for ($i = 0; $i < sizeof($paths); $i++) { if (file_exists($paths[$i] . $page)) { $page = $paths[$i] . $page; break; } } $page .= "?expired=yes"; echo $_SESSION['header']; echo "\n"; echo "\n"; echo "\n"; // print JavaScript refresh echo "\n"; // print link if refresh does not work echo "

\n"; echo "" . _("Your session expired, click here to go back to the login page.") . "\n"; echo "

\n"; echo "\n"; echo "\n"; // destroy session session_destroy(); unset($_SESSION); die(); } /** * Puts a new message in the log file. * * @param string $level log level (LOG_NOTICE, LOG_WARNING, LOG_ERR) * @param string $message log message */ function logNewMessage($level, $message) { $possibleLevels = array(LOG_NOTICE => 'NOTICE', LOG_WARNING => 'WARNING', LOG_ERR => 'ERROR'); if (!in_array($level, array_keys($possibleLevels))) StatusMessage('ERROR', 'Invalid log level!', $level); if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain']; else $cfg = new LAMCfgMain(); // check if logging is disabled if ($cfg->logDestination == 'NONE') return; // check if log level is high enough elseif ($cfg->logLevel < $level) return; // ok to log, build log message $prefix = "LDAP Account Manager (" . session_id() . ") - " . $possibleLevels[$level] . ": "; $message = $prefix . $message; // Syslog logging if ($cfg->logDestination == 'SYSLOG') { syslog($level, $message); } // log to file else { touch($cfg->logDestination); if (is_writable($cfg->logDestination)) { $file = fopen($cfg->logDestination, 'a'); if ($file) { fwrite($file, $message . "\n"); fclose($file); } } else { StatusMessage('ERROR', 'Unable to write to log file!', $cfg->logDestination); } } } /** * Checks if write access to LDAP is allowed. * * @return boolean true, if allowed */ function checkIfWriteAccessIsAllowed() { if (!isset($_SESSION['config'])) { return false; } if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) { return true; } return false; } /** * Checks if passwords may be changed. * * @return boolean true, if allowed */ function checkIfPasswordChangeIsAllowed() { if (!isset($_SESSION['config'])) { return false; } if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) { return true; } return false; } ?>