X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;ds=sidebyside;f=includes%2Fsession.inc;h=cafdc15f3d8838a58e017d09f2eb5452a1d56ef7;hb=2b6719b3bfbbb17196ec03480d4d11c5be6bbab9;hp=ce56380a4b06ec4b2bce8527dc7fd41a2dd139a5;hpb=e2c00ab06dc6a4873fa4d06d2fed657271f6c568;p=fa-stable.git

diff --git a/includes/session.inc b/includes/session.inc
index ce56380a..cafdc15f 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -21,7 +21,11 @@ class SessionManager
 		$https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
 
 		// Set session cookie options
-		session_set_cookie_params($limit, $path, $domain, $https, true);
+		if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
+			session_set_cookie_params($limit, $path, $domain, $https);
+		else
+			session_set_cookie_params($limit, $path, $domain, $https, true);
+
 		session_start();
 
 		// Make sure the session hasn't expired, and destroy it if it has
@@ -33,7 +37,7 @@ class SessionManager
 				// Reset session data and regenerate id
 				$_SESSION = array();
 				$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
-				$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
+				$_SESSION['userAgent'] = @$_SERVER['HTTP_USER_AGENT'];
 				$this->regenerateSession();
 
 			// Give a 5% chance of the session id changing on any request
@@ -59,7 +63,7 @@ class SessionManager
 		if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
 			return false;
 
-		if ( $_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT'])
+		if ( $_SESSION['userAgent'] != @$_SERVER['HTTP_USER_AGENT'])
 			return false;
 
 		return true;
@@ -77,7 +81,6 @@ class SessionManager
 
 		// Create new session without destroying the old one
 		session_regenerate_id();
- 
 		// Grab current session ID and close both sessions to allow other scripts to use them
 		$newSession = session_id();
 		session_write_close();
@@ -141,6 +144,35 @@ function login_fail()
 	die();
 }
 
+function password_reset_fail()
+{
+	global $path_to_root;
+	
+  echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
+  echo "<b>" . _("The email address does not exist in the system, or is used by more than one user.") . "<b><br><br>";
+
+  echo _("Plase try again or contact your system administrator to obtain new password.");
+  echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
+  echo "</center>";
+
+	kill_login();
+	die();
+}
+
+function password_reset_success()
+{
+	global $path_to_root;
+
+  echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
+  echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
+
+  echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
+  echo "</center>";
+	
+	kill_login();
+	die();
+}
+
 function check_faillog()
 {
 	global $login_delay, $login_faillog, $login_max_attempts;
@@ -185,7 +217,7 @@ function write_login_filelog($login, $result)
 	$msg .= "*/\n";
 	$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
 
-	$filename = $path_to_root."/faillog.php";
+	$filename = $path_to_root."/tmp/faillog.php";
 
 	if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
 	{
@@ -284,7 +316,7 @@ function html_cleanup(&$parms)
 		if (is_array($value))
 			html_cleanup($parms[$name]);
 		else
-			$parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);
+			$parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);
 	}
 	reset($parms); // needed for direct key() usage later throughout the sources
 }
@@ -355,7 +387,6 @@ foreach ($installed_extensions as $ext)
 // ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
 
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
-ini_set('session.cache_limiter', 'private'); // prevent 'page expired' errors
 
 $Session_manager = new SessionManager();
 $Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
@@ -367,7 +398,7 @@ include_once($path_to_root . "/config.php");
 get_text_init();
 
 if ($login_delay > 0)
-	@include_once($path_to_root . "/faillog.php");
+	@include_once($path_to_root . "/tmp/faillog.php");
 
 // Page Initialisation
 if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) 
@@ -410,7 +441,7 @@ html_cleanup($_SERVER);
 
 // logout.php is the only page we should have always 
 // accessable regardless of access level and current login status.
-if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
+if (!defined('FA_LOGOUT_PHP_FILE')){
 
 	login_timeout();
 
@@ -421,12 +452,40 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 
 	if (!$_SESSION["wa_current_user"]->logged_in())
 	{
+      if (@$allow_password_reset && !$allow_demo_mode
+        && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) {
+		  if (!isset($_POST["email_entry_field"])) {
+        include($path_to_root . "/access/password_reset.php");
+        exit();
+      }
+      else {
+        if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+          for ($i = 0; $i < count($db_connections); $i++) {
+            if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+              $_POST["company_login_name"] = $i;
+              unset($_POST["company_login_nickname"]);
+              break 1; // cannot pass variables to break from PHP v5.4 onwards
+            }
+          }
+        }
+        $_succeed = isset($db_connections[$_POST["company_login_name"]]) &&
+          $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"],
+          $_POST["email_entry_field"]);
+        if ($_succeed)
+        {
+          password_reset_success();
+        }
+
+        password_reset_fail();
+      }
+    }
 		// Show login screen
 		if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
 		{
 			// strip ajax marker from uri, to force synchronous page reload
 			$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
-					'', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), 
+					'', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2'
+						 ? 'ISO-8859-1' : $_SESSION['language']->encoding)), 
 				'post' => $_POST);
 
 			include($path_to_root . "/access/login.php");
@@ -453,6 +512,14 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 			// Incorrect password
 				login_fail();
 			}
+			elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
+			{
+				// in case of GET request redirect to avoid confirmation dialog 
+				// after return from menu option
+				header("HTTP/1.1 303 See Other");
+				header("Location: ".$_SESSION['timeout']['uri']);
+				exit();
+			}
 			$lang = &$_SESSION['language'];
 			$lang->set_language($_SESSION['language']->code);
 		}
@@ -471,4 +538,4 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
 
-?>
\ No newline at end of file
+?>