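errorReporting == LAMCfgMain::ERROR_REPORTING_DEFAULT)) {
		ini_set('error_reporting', 'E_ALL & ~E_NOTICE');
	}
	// check session id
	if (! isset($_SESSION["sec_session_id"]) || ($_SESSION["sec_session_id"] != session_id())) {
		// session id is invalid
		logNewMessage(LOG_WARNING, "Invalid session ID, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
		die();
	}
	// check if client IP has not changed
	if (!isset($_SESSION["sec_client_ip"]) || ($_SESSION["sec_client_ip"] != $_SERVER['REMOTE_ADDR'])) {
		// IP is invalid
		logNewMessage(LOG_WARNING, "Client IP changed, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
		die();
	}
	// check if session time has not expired
	if (($_SESSION['sec_sessionTime'] + (60 * $_SESSION['cfgMain']->sessionTimeout)) > time()) {
		// ok, update time
		$_SESSION['sec_sessionTime'] = time();
	}
	elseif ($redirectToLogin) {
		// session expired, logoff user
		logoffAndBackToLoginPage();
	}
	else {
		return false;
	}
	setSSLCaCert();
	return true;
}

/**
 * Checks if the client's IP address is on the list of allowed IPs.
 * The script is stopped if the host is not valid.
 *
 * The list comes from the main configuration as a comma separated string
 * (allowedHosts, or allowedHostsSelfService when the calling URL is a self
 * service page). Each entry may contain digits, hex letters, ".", ":" and the
 * wildcard "*", which matches any run of characters; an entry of just "*"
 * therefore allows every client. Entries are trimmed and matched
 * case-insensitively, so IPv6 entries written with uppercase hex digits match
 * the lowercase form delivered in REMOTE_ADDR. Entries with other characters
 * are ignored and logged. An empty list disables the check entirely.
 *
 * The check is fail-closed: if every entry of a non-empty list is invalid,
 * no client is granted access.
 *
 * Note: the client address is $_SERVER['REMOTE_ADDR'], i.e. the TCP peer.
 * Behind a reverse proxy this is the proxy's address, not the end user's.
 */
function checkClientIP() {
	$cfg = isset($_SESSION['cfgMain']) ? $_SESSION['cfgMain'] : new LAMCfgMain();
	$allowedHosts = $cfg->allowedHosts;
	$url = getCallingURL();
	$isSelfService = (strpos($url, '/selfService/selfService') !== false)
		|| ((strpos($url, '/misc/ajax.php?') !== false) && (strpos($url, 'selfservice=1') !== false));
	if ($isSelfService) {
		// self service pages have separate IP list
		$allowedHosts = $cfg->allowedHostsSelfService;
	}
	// skip test if no hosts are defined
	if ((string) $allowedHosts === '') {
		return;
	}
	// read once; the same address is compared against every entry
	$clientIP = $_SERVER['REMOTE_ADDR'];
	$grantAccess = false;
	foreach (explode(',', $allowedHosts) as $host) {
		// tolerate whitespace around entries ("1.2.3.4, 5.6.7.8"); an
		// untrimmed entry would otherwise be silently dropped below
		$host = trim($host);
		if ($host === '') {
			continue;
		}
		// only IPv4/IPv6 characters and the "*" wildcard are allowed in an entry;
		// anything else is a configuration error, so say so instead of dropping it quietly
		if (!preg_match('/^[0-9a-z\\.:\\*]+$/i', $host)) {
			logNewMessage(LOG_WARNING, 'Ignoring invalid entry in allowed hosts list: ' . $host);
			continue;
		}
		// escape everything, then turn the wildcard back into ".*";
		// "i" keeps IPv6 hex digits case-insensitive like the entry check above
		$hostRegex = '/^' . str_replace('\\*', '.*', preg_quote($host, '/')) . '$/i';
		if (preg_match($hostRegex, $clientIP)) {
			// client is allowed to access LAM
			$grantAccess = true;
			break;
		}
	}
	// stop script if client may not access LAM
	if (!$grantAccess) {
		logNewMessage(LOG_WARNING, "Invalid client IP, access denied (" . $_SERVER['REMOTE_ADDR'] . ")");
		die();
	}
}

/**
 * Logs off the user and displays the login page.
 *
 */
function logoffAndBackToLoginPage() {
	// log message
	if (isset($_SESSION['ldap'])) {
		$ldapUser = $_SESSION['ldap']->decrypt_login();
		logNewMessage(LOG_WARNING, 'Session of user ' . $ldapUser[0] . ' expired.');
		// close LDAP connection
		@$_SESSION["ldap"]->destroy();
	}
	elseif (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) {
		logNewMessage(LOG_WARNING, 'Self service session of DN ' . Ldap::decrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
	}
	// delete key and iv in cookie
	if (function_exists('mcrypt_create_iv')) {
		setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
		setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
	}
	// link back to login page
	$paths = array('./', '../', '../../', '../../../', '../../../../');
	$page = 'login.php';
	$pageSuffix = '?expired=yes';
	if (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) {
		$scope = $_GET['scope'];
		$name = $_GET['name'];
		if (!preg_match('/^[0-9a-zA-Z _-]+$/', $scope) || !preg_match('/^[0-9a-zA-Z _-]+$/', $name)) {
			logNewMessage(LOG_ERR, 'GET parameters invalid: ' . $name . ' ' . $scope);
			die();
		}
		$page = 'selfServiceLogin.php';
		$pageSuffix = '?expired=yes&scope=' . $scope . '&name=' . $name;
	}
	for ($i = 0; $i < sizeof($paths); $i++) {
		if (file_exists($paths[$i] . $page)) {
			$page = $paths[$i] . $page;
			break;
		}
	}
	$page .= $pageSuffix;
	echo $_SESSION['header'];
	echo "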
\n"; echo "" . _("Your session expired, click here to go back to the login page.") . "\n"; echo "
\n"; echo "\n"; echo "