X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=06aceccea2cf5620fe3f65cb8a8ec51092b9a935;hb=da7df35c61205d0b1af47d286be591b8a3194b0c;hp=ae77e1ba8df920d6db5cf3b99b325966e1d043e6;hpb=f8f29c33f36dda542da9ad33fdfcf6849fcd9a1d;p=fa-stable.git diff --git a/includes/session.inc b/includes/session.inc index ae77e1ba..06acecce 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -9,6 +9,105 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the License here . ***********************************************************************/ +define('VARLIB_PATH', $path_to_root.'/tmp'); +define('VARLOG_PATH', $path_to_root.'/tmp'); + +class SessionManager +{ + function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null) + { + // Set the cookie name + session_name($name); + + // Set SSL level + $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'); + + // Set session cookie options + if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions + session_set_cookie_params($limit, $path, $domain, $https); + else + session_set_cookie_params($limit, $path, $domain, $https, true); + + session_start(); + + // Make sure the session hasn't expired, and destroy it if it has + if ($this->validateSession()) + { + // Check to see if the session is new or a hijacking attempt + if(!$this->preventHijacking()) + { + // Reset session data and regenerate id + $_SESSION = array(); + $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR']; + $_SESSION['userAgent'] = @$_SERVER['HTTP_USER_AGENT']; + $this->regenerateSession(); + + // Give a 5% chance of the session id changing on any request + } + elseif (rand(1, 100) <= 5) + { + $this->regenerateSession(); + } + } + else + { + $_SESSION = array(); + session_destroy(); + session_start(); + } + } + + function preventHijacking() + { + if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent'])) + return false; + + if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) + return false; + + if ( $_SESSION['userAgent'] != @$_SERVER['HTTP_USER_AGENT']) + return false; + + return true; + } + + function regenerateSession() + { + // If this session is obsolete it means there already is a new id + if (isset($_SESSION['OBSOLETE']) && ($_SESSION['OBSOLETE'] == true)) + return; + + // Set current session to expire in 10 seconds + $_SESSION['OBSOLETE'] = true; + $_SESSION['EXPIRES'] = time() + 10; + + // Create new session without destroying the old one + session_regenerate_id(); + // Grab current session ID and close both sessions to allow other scripts to use them + $newSession = session_id(); + session_write_close(); + // Set session ID to the new one, and start it back up again + + session_id($newSession); + session_start(); + + // Now we unset the obsolete and expiration values for the session we want to keep + unset($_SESSION['OBSOLETE']); + unset($_SESSION['EXPIRES']); + } + + function validateSession() + { + if (isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) ) + return false; + + if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) + return false; + + return true; + } +} + function output_html($text) { global $before_box, $Ajax, $messages; @@ -47,6 +146,98 @@ function login_fail() die(); } +function password_reset_fail() +{ + global $path_to_root; + + echo "


" . _("Incorrect Email") . "

"; + echo "" . _("The email address does not exist in the system, or is used by more than one user.") . "

"; + + echo _("Plase try again or contact your system administrator to obtain new password."); + echo "
" . _("Try again") . ""; + echo "
"; + + kill_login(); + die(); +} + +function password_reset_success() +{ + global $path_to_root; + + echo "


" . _("New password sent") . "

"; + echo "" . _("A new password has been sent to your mailbox.") . "

"; + + echo "
" . _("Login here") . ""; + echo "
"; + + kill_login(); + die(); +} + +function check_faillog() +{ + global $SysPrefs, $login_faillog; + + $user = $_SESSION["wa_current_user"]->user; + + if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay)) + return true; + + return false; +} + +/* + Ensure file is re-read on next request if php caching is active +*/ +function cache_invalidate($filename) +{ + if (function_exists('opcache_invalidate')) // OpCode extension + opcache_invalidate($filename); +} + +/* + Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file. + Login attempts counter is created for every new user IP, which partialy prevent DOS attacks. +*/ +function write_login_filelog($login, $result) +{ + global $login_faillog, $SysPrefs, $path_to_root; + + $user = $_SESSION["wa_current_user"]->user; + + $ip = $_SERVER['REMOTE_ADDR']; + + if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login + $login_faillog[$user] = array($ip => 0, 'last' => ''); + + if (!$result) + { + if ($login_faillog[$user][$ip] < @$SysPrefs->login_max_attempts) { + + $login_faillog[$user][$ip]++; + } else { + $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login. + error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked." ), $login)); + } + $login_faillog[$user]['last'] = time(); + } + + $msg = "" . _("Please contact your system administrator.") : _("Please remove \$security_groups and \$security_headings arrays from config.php file!"); - } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) { + } elseif (!$SysPrefs->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) + { $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.'); } if ($msg){ display_error($msg); - end_page(); + end_page(@$_REQUEST['popup']); kill_login(); exit; } @@ -80,10 +272,10 @@ function check_page_security($page_security) echo _("The security settings on your account do not permit you to access this function"); echo ""; echo "



"; - end_page(); + end_page(@$_REQUEST['popup']); exit; } - if (!$_SESSION['SysPrefs']->db_ok + if (!$SysPrefs->db_ok && !in_array($page_security, array('SA_SOFTWAREUPGRADE', 'SA_OPEN', 'SA_BACKUP'))) { display_error(_('System is blocked after source upgrade until database is updated on System/Software Upgrade page')); @@ -131,14 +323,25 @@ function strip_quotes($data) return $data; } +/* + htmlspecialchars does not support certain encodings. + ISO-8859-2 fortunately has the same special characters positions as + ISO-8859-1, so fix is easy. If any other unsupported encoding is used, + add workaround here. +*/ +function html_specials_encode($str) +{ + return htmlspecialchars($str, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? + 'ISO-8859-1' : $_SESSION['language']->encoding); +} + function html_cleanup(&$parms) { foreach($parms as $name => $value) { -// $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding); if (is_array($value)) html_cleanup($parms[$name]); else - $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding); + $parms[$name] = html_specials_encode($value); } reset($parms); // needed for direct key() usage later throughout the sources } @@ -171,11 +374,12 @@ if (isset($_GET['path_to_root']) || isset($_POST['path_to_root'])) include_once($path_to_root . "/includes/errors.inc"); // colect all error msgs set_error_handler('error_handler' /*, errtypes */); +set_exception_handler('exception_handler'); include_once($path_to_root . "/includes/current_user.inc"); include_once($path_to_root . "/frontaccounting.php"); include_once($path_to_root . "/admin/db/security_db.inc"); -include_once($path_to_root . "/includes/lang/language.php"); +include_once($path_to_root . "/includes/lang/language.inc"); include_once($path_to_root . "/config_db.php"); include_once($path_to_root . "/includes/ajax.inc"); include_once($path_to_root . "/includes/ui/ui_msgs.inc"); @@ -191,31 +395,58 @@ foreach ($installed_extensions as $ext) include_once($path_to_root.'/'.$ext['path'].'/hooks.php'); } +ini_set('session.gc_maxlifetime', 36000); // moved from below. + +$Session_manager = new SessionManager(); +$Session_manager->sessionStart('FA'.md5(dirname(__FILE__))); + +$_SESSION['SysPrefs'] = new sys_prefs(); + +$SysPrefs = &$_SESSION['SysPrefs']; + +//---------------------------------------------------------------------------------------- +// set to reasonable values if not set in config file (pre-2.3.12 installations) + +if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0)) + $SysPrefs->login_delay = 10; + +if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0)) + $SysPrefs->login_max_attempts = 3; + +if ($SysPrefs->go_debug > 0) + error_reporting(-1); +else + error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE); +ini_set("display_errors", "On"); + +if ($SysPrefs->error_logfile != '') { + ini_set("error_log", $SysPrefs->error_logfile); + ini_set("ignore_repeated_errors", "On"); + ini_set("log_errors", "On"); +} /* Uncomment the setting below when using FA on shared hosting to avoid unexpeced session timeouts. Make sure this directory exists and is writable! */ -//ini_set('session.save_path', dirname(__FILE__).'/../tmp/'); +// ini_set('session.save_path', VARLIB_PATH.'/'); -ini_set('session.gc_maxlifetime', 36000); // 10hrs +// ini_set('session.gc_maxlifetime', 36000); // 10hrs - moved to before session_manager hook_session_start(@$_POST["company_login_name"]); -session_name('FA'.md5(dirname(__FILE__))); - -session_start(); -session_regenerate_id(); - // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks header("Cache-control: private"); -include_once($path_to_root . "/config.php"); get_text_init(); +if ($SysPrefs->login_delay > 0 && file_exists(VARLIB_PATH."/faillog.php")) + include_once(VARLIB_PATH."/faillog.php"); + // Page Initialisation -if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) +if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in() + || !isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) { $l = array_search_value($dflt_lang, $installed_languages, 'code'); $_SESSION['language'] = new language($l['name'], $l['code'], $l['encoding'], @@ -228,6 +459,7 @@ $_SESSION['language']->set_language($_SESSION['language']->code); include_once($path_to_root . "/includes/access_levels.inc"); include_once($path_to_root . "/version.php"); include_once($path_to_root . "/includes/main.inc"); +include_once($path_to_root . "/includes/app_entries.inc"); // Ajax communication object $Ajax = new Ajax(); @@ -255,20 +487,50 @@ html_cleanup($_SERVER); // logout.php is the only page we should have always // accessable regardless of access level and current login status. -if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){ +if (!defined('FA_LOGOUT_PHP_FILE')){ login_timeout(); + if (!$_SESSION["wa_current_user"]->old_db && file_exists($path_to_root . '/company/'.user_company().'/installed_extensions.php')) + include($path_to_root . '/company/'.user_company().'/installed_extensions.php'); + install_hooks(); if (!$_SESSION["wa_current_user"]->logged_in()) { + if (@$SysPrefs->allow_password_reset && !$SysPrefs->allow_demo_mode + && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) { + if (!isset($_POST["email_entry_field"])) { + include($path_to_root . "/access/password_reset.php"); + exit(); + } + else { + if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) { + for ($i = 0; $i < count($db_connections); $i++) { + if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) { + $_POST["company_login_name"] = $i; + unset($_POST["company_login_nickname"]); + break 1; // cannot pass variables to break from PHP v5.4 onwards + } + } + } + $_succeed = isset($db_connections[$_POST["company_login_name"]]) && + $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"], + $_POST["email_entry_field"]); + if ($_succeed) + { + password_reset_success(); + } + + password_reset_fail(); + } + } // Show login screen if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "") { // strip ajax marker from uri, to force synchronous page reload $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s', - '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), + '', html_specials_encode($_SERVER['REQUEST_URI'])), 'post' => $_POST); include($path_to_root . "/access/login.php"); @@ -276,7 +538,15 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){ $Ajax->activate('_page_body'); exit; } else { - + if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) { + for ($i = 0; $i < count($db_connections); $i++) { + if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) { + $_POST["company_login_name"] = $i; + unset($_POST["company_login_nickname"]); + break 1; // cannot pass variables to break from PHP v5.4 onwards + } + } + } $succeed = isset($db_connections[$_POST["company_login_name"]]) && $_SESSION["wa_current_user"]->login($_POST["company_login_name"], $_POST["user_name_entry_field"], $_POST["password"]); @@ -287,25 +557,32 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){ // Incorrect password login_fail(); } + elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post']) + { + // in case of GET request redirect to avoid confirmation dialog + // after return from menu option + header("HTTP/1.1 303 See Other"); + header("Location: ".$_SESSION['timeout']['uri']); + exit(); + } $lang = &$_SESSION['language']; $lang->set_language($_SESSION['language']->code); } } else + { set_global_connection(); - if (!$_SESSION["wa_current_user"]->old_db) - include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php'); + if (db_fixed()) + db_set_encoding($_SESSION['language']->encoding); + $SysPrefs->refresh(); + } if (!isset($_SESSION["App"])) { $_SESSION["App"] = new front_accounting(); $_SESSION["App"]->init(); } } -$SysPrefs = &$_SESSION['SysPrefs']; - // POST vars cleanup needed for direct reuse. // We quote all values later with db_escape() before db update. $_POST = strip_quotes($_POST); - -?> \ No newline at end of file