
<?php
/*
$Id$
This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
Copyright (C) 2006 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
* This file includes functions to perform several security checks on each page load.
*
* @package lib
* @author Roland Gruber
*/
/** configuration options */
include_once('config.inc');
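/**
* Starts a session and checks the environment.
* The script is stopped if one of the checks fail.
*
* Checks performed, in this order:
*  - the client IP is on the list of allowed IPs (checkClientIP())
*  - the session id stored inside the session matches the id of the session
*    just started (a session that was not set up by LAM's login is rejected)
*  - the client IP stored in the session matches $_SERVER['REMOTE_ADDR']
*  - the session has not exceeded the timeout (minutes) in
*    $_SESSION['cfgMain']->sessionTimeout; an expired session is logged off
*    via logoffAndBackToLoginPage()
*
* On success the session's last-activity timestamp is refreshed.
*/
function startSecureSession() {
	// check if client IP is on the list of valid IPs
	checkClientIP();
	// start session
	if (isset($_SESSION)) unset($_SESSION);
	// session files live in <lam root>/sess; this file is <lam root>/lib/security.inc
	$sessionDir = dirname(dirname(__FILE__)) . '/sess';
	session_save_path($sessionDir);
	// @: warnings from session_start() (e.g. headers already sent) are not fatal here
	@session_start();
	// check session id: a session without a matching sec_session_id was not
	// created by the login page, so it is treated as invalid
	if (!isset($_SESSION['sec_session_id']) || ($_SESSION['sec_session_id'] !== session_id())) {
		// session id is invalid
		die();
	}
	// check if client IP has not changed: the session is bound to the
	// address it was created from
	if (!isset($_SESSION['sec_client_ip']) || !isset($_SERVER['REMOTE_ADDR'])
		|| ($_SESSION['sec_client_ip'] !== $_SERVER['REMOTE_ADDR'])) {
		// IP is invalid
		die();
	}
	// check if session time has not expired; a missing timestamp or
	// configuration counts as expired
	$now = time();
	if (isset($_SESSION['sec_sessionTime']) && isset($_SESSION['cfgMain'])
		&& (($_SESSION['sec_sessionTime'] + (60 * $_SESSION['cfgMain']->sessionTimeout)) > $now)) {
		// ok, update time
		$_SESSION['sec_sessionTime'] = $now;
	}
	else {
		// session expired, logoff user
		logoffAndBackToLoginPage();
	}
}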
/**
* Checks if the client's IP address is on the list of allowed IPs.
* The script is stopped if the host is not valid.
*
* NOTE: not implemented yet. The body is empty, so every client IP is
* accepted and startSecureSession() gets no IP filtering from this call.
*/
function checkClientIP() {
	// no IP list is consulted here yet: intentionally a no-op
	return;
}
/**
* Checks if the user is allowed to access LAM at this time.
* The script is stopped if time is exceeded.
*
* NOTE: not implemented yet. The body is empty, so no time restriction is
* enforced and $dn is not inspected.
*
* @param string $dn DN of the user to check (currently unused)
*/
function checkUserTime($dn) {
	// no time window is evaluated yet: intentionally a no-op
	return;
}
/**
* Returns a list of DNs of valid LAM users.
*
* NOTE: placeholder implementation. The returned list is hard-coded and
* $dn is not consulted.
*
* @param string $dn configuration DN (currently ignored)
* @return array list of user DNs
*/
function getValidUserDNs($dn) {
	$validUsers = array();
	$validUsers[] = 'uid=test,o=test';
	$validUsers[] = 'uid=test2,o=test';
	return $validUsers;
}
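/**
* Logs off the user and displays the login page.
*
* Order matters here: cookies are sent before any output, then a small page
* that redirects to login.php is printed, and finally the server-side session
* is destroyed and the script ends with die().
*/
function logoffAndBackToLoginPage() {
	// delete key and iv in cookie: overwrite both with a placeholder value
	if (function_exists('mcrypt_create_iv')) {
		setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
		setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
	}
	// close LDAP connection, only if a connection object was stored in the session
	// (@: closing is best-effort, a failure must not prevent the logoff)
	if (isset($_SESSION['ldap']) && is_object($_SESSION['ldap'])) {
		@$_SESSION['ldap']->destroy();
	}
	// link back to login page: search upwards from the current directory
	$paths = array('./', '../', '../../', '../../../');
	$page = 'login.php';
	foreach ($paths as $path) {
		if (file_exists($path . $page)) {
			$page = $path . $page;
			break;
		}
	}
	// the stored header contains the opening HTML up to (not including) </head>
	if (isset($_SESSION['header'])) {
		echo $_SESSION['header'];
	}
	echo "<title></title>\n";
	echo "</head>\n";
	echo "<body>\n";
	// print JavaScript refresh
	echo "<script type=\"text/javascript\">\n";
	echo "top.location.href = \"" . $page . "\";\n";
	echo "</script>\n";
	// print link if refresh does not work
	echo "<p>\n";
	echo "<a target=\"_top\" href=\"" . $page . "\">" . _("Your session expired, click here to go back to the login page.") . "</a>\n";
	echo "</p>\n";
	echo "</body>\n";
	echo "</html>\n";
	// destroy session
	session_destroy();
	unset($_SESSION);
	die();
}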
?>