projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixed session abandoned error in Windows Servers
[fa-stable.git] / includes / session.inc
diff --git a/includes/session.inc b/includes/session.inc
index 81e743c8fbc0757a621139c729837b9c5bfe5b8b..ed5f5c0312e1da7773c34f1676a4407c233898bd 100644 (file)
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -76,7 +76,7 @@ class SessionManager
                $_SESSION['EXPIRES'] = time() + 10;
 
                // Create new session without destroying the old one
-               session_regenerate_id();
+               session_regenerate_id(version_compare(PHP_VERSION, '5.1.0') >= 0 && (substr(strtoupper(PHP_OS),0,3) == "WIN"));
  
                // Grab current session ID and close both sessions to allow other scripts to use them
                $newSession = session_id();
@@ -141,6 +141,58 @@ function login_fail()
        die();
 }
 
+function check_faillog()
+{
+       global $login_delay, $login_faillog, $login_max_attempts;
+
+       $user = $_SESSION["wa_current_user"]->user;
+
+       if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+               return true;
+
+       return false;
+}
+/*
+       Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+       Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+       global $login_faillog, $login_max_attempts, $path_to_root;
+
+       $user = $_SESSION["wa_current_user"]->user;
+
+       $ip = $_SERVER['REMOTE_ADDR'];
+
+       if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+               $login_faillog[$user] = array($ip => 0, 'last' => '');
+
+       if (!$result)
+       {
+               if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+                       $login_faillog[$user][$ip]++;
+               } else {
+                       $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+                       error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked."     ), $login));
+               }
+               $login_faillog[$user]['last'] = time();
+       }
+
+       $msg = "<?php\n";
+       $msg .= "/*\n";
+       $msg .= "Login attempts info.\n";
+       $msg .= "*/\n";
+       $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
+
+       $filename = $path_to_root."/faillog.php";
+
+       if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
+       {
+               file_put_contents($filename, $msg);
+       }
+}
+
 //----------------------------------------------------------------------------------------
 
 function check_page_security($page_security)
@@ -258,6 +310,16 @@ if (!isset($path_to_root))
        $path_to_root = ".";
 }
 
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($login_delay)) || ($login_delay < 0))
+    $login_delay = 10;
+
+if ((!isset($login_max_attempts)) || ($login_max_attempts < 0))
+    $login_max_attempts = 3; 
+
+
 // Prevent register_globals vulnerability
 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
        die("Restricted access");
@@ -293,6 +355,7 @@ foreach ($installed_extensions as $ext)
 // ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
 
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
+ini_set('session.cache_limiter', 'private'); // prevent 'page expired' errors
 
 $Session_manager = new SessionManager();
 $Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
@@ -303,6 +366,9 @@ header("Cache-control: private");
 include_once($path_to_root . "/config.php");
 get_text_init();
 
+if ($login_delay > 0)
+       @include_once($path_to_root . "/faillog.php");
+
 // Page Initialisation
 if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) 
 {
FrontAccounting stable branch