MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
+
+class SessionManager
+{
+ function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
+ {
+ // Set the cookie name
+ session_name($name);
+
+ // Set SSL level
+ $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
+
+ // Set session cookie options
+ if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
+ session_set_cookie_params($limit, $path, $domain, $https);
+ else
+ session_set_cookie_params($limit, $path, $domain, $https, true);
+
+ session_start();
+
+ // Make sure the session hasn't expired, and destroy it if it has
+ if ($this->validateSession())
+ {
+ // Check to see if the session is new or a hijacking attempt
+ if(!$this->preventHijacking())
+ {
+ // Reset session data and regenerate id
+ $_SESSION = array();
+ $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
+ $_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
+ $this->regenerateSession();
+
+ // Give a 5% chance of the session id changing on any request
+ }
+ elseif (rand(1, 100) <= 5)
+ {
+ $this->regenerateSession();
+ }
+ }
+ else
+ {
+ $_SESSION = array();
+ session_destroy();
+ session_start();
+ }
+ }
+
+ function preventHijacking()
+ {
+ if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
+ return false;
+
+ if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
+ return false;
+
+ if ( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
+ return false;
+
+ return true;
+ }
+
+ function regenerateSession()
+ {
+ // If this session is obsolete it means there already is a new id
+ if (isset($_SESSION['OBSOLETE']) && ($_SESSION['OBSOLETE'] == true))
+ return;
+
+ // Set current session to expire in 10 seconds
+ $_SESSION['OBSOLETE'] = true;
+ $_SESSION['EXPIRES'] = time() + 10;
+
+ // Create new session without destroying the old one
+ session_regenerate_id();
+ // Grab current session ID and close both sessions to allow other scripts to use them
+ $newSession = session_id();
+ session_write_close();
+ // Set session ID to the new one, and start it back up again
+
+ session_id($newSession);
+ session_start();
+
+ // Now we unset the obsolete and expiration values for the session we want to keep
+ unset($_SESSION['OBSOLETE']);
+ unset($_SESSION['EXPIRES']);
+ }
+
+ function validateSession()
+ {
+ if (isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
+ return false;
+
+ if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
+ return false;
+
+ return true;
+ }
+}
+
function output_html($text)
{
global $before_box, $Ajax, $messages;
die();
}
+function check_faillog()
+{
+ global $login_delay, $login_faillog, $login_max_attempts;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+ return true;
+
+ return false;
+}
+/*
+ Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+ Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+ global $login_faillog, $login_max_attempts, $path_to_root;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ $ip = $_SERVER['REMOTE_ADDR'];
+
+ if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+ $login_faillog[$user] = array($ip => 0, 'last' => '');
+
+ if (!$result)
+ {
+ if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+ $login_faillog[$user][$ip]++;
+ } else {
+ $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+ error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked." ), $login));
+ }
+ $login_faillog[$user]['last'] = time();
+ }
+
+ $msg = "<?php\n";
+ $msg .= "/*\n";
+ $msg .= "Login attempts info.\n";
+ $msg .= "*/\n";
+ $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
+
+ $filename = $path_to_root."/tmp/faillog.php";
+
+ if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
+ {
+ file_put_contents($filename, $msg);
+ }
+}
+
//----------------------------------------------------------------------------------------
function check_page_security($page_security)
if ($msg){
display_error($msg);
- end_page();
+ end_page(@$_REQUEST['popup']);
kill_login();
exit;
}
echo _("The security settings on your account do not permit you to access this function");
echo "</b>";
echo "<br><br><br><br></center>";
- end_page();
+ end_page(@$_REQUEST['popup']);
exit;
}
if (!$_SESSION['SysPrefs']->db_ok
$path_to_root = ".";
}
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($login_delay)) || ($login_delay < 0))
+ $login_delay = 10;
+
+if ((!isset($login_max_attempts)) || ($login_max_attempts < 0))
+ $login_max_attempts = 3;
+
+
// Prevent register_globals vulnerability
if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
die("Restricted access");
include_once($path_to_root . "/includes/prefs/sysprefs.inc");
include_once($path_to_root . "/includes/hooks.inc");
+//
+// include all extensions hook files.
+//
+foreach ($installed_extensions as $ext)
+{
+ if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
+ include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
+}
/*
Uncomment the setting below when using FA on shared hosting
to avoid unexpeced session timeouts.
Make sure this directory exists and is writable!
*/
-//ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
+// ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
ini_set('session.gc_maxlifetime', 36000); // 10hrs
-session_name('FA'.md5(dirname(__FILE__)));
-//include_once($path_to_root.'/modules/www_statistics/includes/db_sessions.inc');
-session_start();
+$Session_manager = new SessionManager();
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
// this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
header("Cache-control: private");
include_once($path_to_root . "/config.php");
get_text_init();
+if ($login_delay > 0)
+ @include_once($path_to_root . "/tmp/faillog.php");
+
// Page Initialisation
if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language'))
{
login_timeout();
+ if (!$_SESSION["wa_current_user"]->old_db)
+ include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
+
+ install_hooks();
+
if (!$_SESSION["wa_current_user"]->logged_in())
{
// Show login screen
$Ajax->activate('_page_body');
exit;
} else {
-
+ if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+ for ($i = 0; $i < count($db_connections); $i++) {
+ if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+ $_POST["company_login_name"] = $i;
+ unset($_POST["company_login_nickname"]);
+ break 1; // cannot pass variables to break from PHP v5.4 onwards
+ }
+ }
+ }
$succeed = isset($db_connections[$_POST["company_login_name"]]) &&
$_SESSION["wa_current_user"]->login($_POST["company_login_name"],
- $_POST["user_name_entry_field"], md5($_POST["password"]));
+ $_POST["user_name_entry_field"], $_POST["password"]);
// select full vs fallback ui mode on login
$_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
if (!$succeed)
// Incorrect password
login_fail();
}
+ elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
+ {
+ // in case of GET request redirect to avoid confirmation dialog
+ // after return from menu option
+ header("HTTP/1.1 303 See Other");
+ header("Location: ".$_SESSION['timeout']['uri']);
+ exit();
+ }
$lang = &$_SESSION['language'];
$lang->set_language($_SESSION['language']->code);
}
} else
set_global_connection();
- if (!$_SESSION["wa_current_user"]->old_db)
- include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
-
- install_hooks();
-
if (!isset($_SESSION["App"])) {
$_SESSION["App"] = new front_accounting();
$_SESSION["App"]->init();