Added comment to SECURE_ONLY constant.
diff --git
a/includes/session.inc
b/includes/session.inc
index e2a7fca2f2e65f1bcb11684265e942697bb22e33..5f9240eb6ad4d6b894bc97d080d775ea2f4caf12 100644
--- a/
includes/session.inc
+++ b/
includes/session.inc
@@
-9,6
+9,9
@@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
+define('VARLIB_PATH', $path_to_root.'/tmp');
+define('VARLOG_PATH', $path_to_root.'/tmp');
+define('SECURE_ONLY', true); // if you really need also http (unsecure) access allowed, you can set this to NULL
class SessionManager
{
class SessionManager
{
@@
-131,15
+134,13
@@
function kill_login()
function login_fail()
{
global $path_to_root;
function login_fail()
{
global $path_to_root;
-
+
header("HTTP/1.1 401 Authorization Required");
echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
header("HTTP/1.1 401 Authorization Required");
echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
-
echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
echo "</center>";
echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
echo "</center>";
-
kill_login();
die();
}
kill_login();
die();
}
@@
-148,12
+149,12
@@
function password_reset_fail()
{
global $path_to_root;
{
global $path_to_root;
- echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
- echo "<b>" . _("The email address does not exist in the system, or is used by more than one user.") . "<b><br><br>";
+
echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
+
echo "<b>" . _("The email address does not exist in the system, or is used by more than one user.") . "<b><br><br>";
- echo _("Plase try again or contact your system administrator to obtain new password.");
- echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
- echo "</center>";
+
echo _("Plase try again or contact your system administrator to obtain new password.");
+
echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
+
echo "</center>";
kill_login();
die();
kill_login();
die();
@@
-163,11
+164,11
@@
function password_reset_success()
{
global $path_to_root;
{
global $path_to_root;
- echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
- echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
+
echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
+
echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
- echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
- echo "</center>";
+
echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
+
echo "</center>";
kill_login();
die();
kill_login();
die();
@@
-179,6
+180,7
@@
function check_faillog()
$user = $_SESSION["wa_current_user"]->user;
$user = $_SESSION["wa_current_user"]->user;
+ $_SESSION["wa_current_user"]->login_attempt++;
if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay))
return true;
if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay))
return true;
@@
-227,9
+229,9
@@
function write_login_filelog($login, $result)
$msg .= "*/\n";
$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
$msg .= "*/\n";
$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
- $filename =
$path_to_root."/tmp
/faillog.php";
+ $filename =
VARLIB_PATH."
/faillog.php";
- if ((!file_exists($filename) && is_writable(
$path_to_root.'/tmp'
)) || is_writable($filename))
+ if ((!file_exists($filename) && is_writable(
VARLIB_PATH
)) || is_writable($filename))
{
file_put_contents($filename, $msg);
cache_invalidate($filename);
{
file_put_contents($filename, $msg);
cache_invalidate($filename);
@@
-310,7
+312,7
@@
function set_page_security($value=null, $trans = array(), $gtrans = array())
//
function strip_quotes($data)
{
//
function strip_quotes($data)
{
- if(get_magic_quotes_gpc()) {
+ if(
version_compare(phpversion(), '5.4', '<') &&
get_magic_quotes_gpc()) {
if(is_array($data)) {
foreach($data as $k => $v) {
$data[$k] = strip_quotes($data[$k]);
if(is_array($data)) {
foreach($data as $k => $v) {
$data[$k] = strip_quotes($data[$k]);
@@
-372,6
+374,7
@@
if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
include_once($path_to_root . "/includes/errors.inc");
// colect all error msgs
set_error_handler('error_handler' /*, errtypes */);
include_once($path_to_root . "/includes/errors.inc");
// colect all error msgs
set_error_handler('error_handler' /*, errtypes */);
+set_exception_handler('exception_handler');
include_once($path_to_root . "/includes/current_user.inc");
include_once($path_to_root . "/frontaccounting.php");
include_once($path_to_root . "/includes/current_user.inc");
include_once($path_to_root . "/frontaccounting.php");
@@
-391,8
+394,11
@@
foreach ($installed_extensions as $ext)
if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
}
if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
}
+
+ini_set('session.gc_maxlifetime', 36000); // moved from below.
+
$Session_manager = new SessionManager();
$Session_manager = new SessionManager();
-$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__))
, 0, '/', null, SECURE_ONLY
);
$_SESSION['SysPrefs'] = new sys_prefs();
$_SESSION['SysPrefs'] = new sys_prefs();
@@
-408,9
+414,11
@@
if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts <
$SysPrefs->login_max_attempts = 3;
if ($SysPrefs->go_debug > 0)
$SysPrefs->login_max_attempts = 3;
if ($SysPrefs->go_debug > 0)
-
error_reporting(-1)
;
+
$cur_error_level = -1
;
else
else
- error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE);
+ $cur_error_level = E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE;
+
+error_reporting($cur_error_level);
ini_set("display_errors", "On");
if ($SysPrefs->error_logfile != '') {
ini_set("display_errors", "On");
if ($SysPrefs->error_logfile != '') {
@@
-424,9
+432,9
@@
if ($SysPrefs->error_logfile != '') {
to avoid unexpeced session timeouts.
Make sure this directory exists and is writable!
*/
to avoid unexpeced session timeouts.
Make sure this directory exists and is writable!
*/
-// ini_set('session.save_path',
dirname(__FILE__).'/../tmp
/');
+// ini_set('session.save_path',
VARLIB_PATH.'
/');
-ini_set('session.gc_maxlifetime', 36000); // 10hrs
+// ini_set('session.gc_maxlifetime', 36000); // 10hrs - moved to before session_manager
hook_session_start(@$_POST["company_login_name"]);
hook_session_start(@$_POST["company_login_name"]);
@@
-435,8
+443,8
@@
header("Cache-control: private");
get_text_init();
get_text_init();
-if ($SysPrefs->login_delay > 0)
-
@include_once($path_to_root . "/tmp
/faillog.php");
+if ($SysPrefs->login_delay > 0
&& file_exists(VARLIB_PATH."/faillog.php")
)
+
include_once(VARLIB_PATH."
/faillog.php");
// Page Initialisation
if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in()
// Page Initialisation
if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in()
@@
-485,7
+493,7
@@
if (!defined('FA_LOGOUT_PHP_FILE')){
login_timeout();
login_timeout();
- if (!$_SESSION["wa_current_user"]->old_db)
+ if (!$_SESSION["wa_current_user"]->old_db
&& file_exists($path_to_root . '/company/'.user_company().'/installed_extensions.php')
)
include($path_to_root . '/company/'.user_company().'/installed_extensions.php');
install_hooks();
include($path_to_root . '/company/'.user_company().'/installed_extensions.php');
install_hooks();
@@
-526,10
+534,10
@@
if (!defined('FA_LOGOUT_PHP_FILE')){
$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
'', html_specials_encode($_SERVER['REQUEST_URI'])),
'post' => $_POST);
$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
'', html_specials_encode($_SERVER['REQUEST_URI'])),
'post' => $_POST);
-
+ if (in_ajax())
+ $Ajax->popup($path_to_root ."/access/timeout.php");
+ else
include($path_to_root . "/access/login.php");
include($path_to_root . "/access/login.php");
- if (in_ajax())
- $Ajax->activate('_page_body');
exit;
} else {
if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
exit;
} else {
if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
@@
-549,13
+557,17
@@
if (!defined('FA_LOGOUT_PHP_FILE')){
if (!$succeed)
{
// Incorrect password
if (!$succeed)
{
// Incorrect password
- login_fail();
+ if (isset($_SESSION['timeout'])) {
+ include($path_to_root . "/access/login.php");
+ exit;
+ } else
+ login_fail();
}
elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
{
// in case of GET request redirect to avoid confirmation dialog
// after return from menu option
}
elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
{
// in case of GET request redirect to avoid confirmation dialog
// after return from menu option
- header("HTTP/1.1 30
3 See Other
");
+ header("HTTP/1.1 30
7 Temporary Redirect
");
header("Location: ".$_SESSION['timeout']['uri']);
exit();
}
header("Location: ".$_SESSION['timeout']['uri']);
exit();
}
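Review bot: The new failed-login branch at the end of the last hunk, `if (isset($_SESSION['timeout'])) { include($path_to_root . "/access/login.php"); exit; }`, re-shows the login page without calling `login_fail()`, so the 401 response and the `kill_login()` call that the non-timeout path still performs are skipped and the session — including the buffered `post` data placed in `$_SESSION['timeout']` in the earlier hunk — survives the failure. That is presumably intended so the user can resume after re-authenticating, but nothing in this branch records the failed attempt, so it should be confirmed that the lockout bookkeeping (`check_faillog` / `write_login_filelog`, whose definitions appear in earlier hunks) has already run by this point; a comment such as `// keep timeout state so the user can resume; failure is counted by check_faillog before this point` would make the assumption explicit. As a point of style, `} else` followed by an unbraced `login_fail();` breaks with the braced `if` arm right above it; write it as `} else { login_fail(); }`. The enclosing `if (!defined('FA_LOGOUT_PHP_FILE'))` block starts and ends outside the hunk.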