X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=1b9c5ce2daa48631079f207014ee2882f22f8cb3;hb=aa7eb75a2b21809008113779e9b6c5fa7a869c9b;hp=990a51c01a1403f6d9a333888f2021b1e9078544;hpb=9cec1259fb231d9383beb0a29b261160416ca502;p=fa-stable.git
diff --git a/includes/session.inc b/includes/session.inc
index 990a51c0..1b9c5ce2 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -18,10 +18,14 @@ class SessionManager
session_name($name);
// Set SSL level
- $https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
+ $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
// Set session cookie options
- session_set_cookie_params($limit, $path, $domain, $https, true);
+ if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
+ session_set_cookie_params($limit, $path, $domain, $https);
+ else
+ session_set_cookie_params($limit, $path, $domain, $https, true);
+
session_start();
// Make sure the session hasn't expired, and destroy it if it has
@@ -75,12 +79,8 @@ class SessionManager
$_SESSION['OBSOLETE'] = true;
$_SESSION['EXPIRES'] = time() + 10;
- // Create new session destroying the old one if posiible
- if (phpversion() >= "5.1.0")
- session_regenerate_id(true);
- else
- session_regenerate_id();
-
+ // Create new session without destroying the old one
+ session_regenerate_id();
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
@@ -144,6 +144,87 @@ function login_fail()
die();
}
+function password_reset_fail()
+{
+ global $path_to_root;
+
+ echo "
" . _("Incorrect Email") . "
";
+ echo "" . _("The email address does not exist in the system.") . "
";
+
+ echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
+ echo "
" . _("Try again") . "";
+ echo "";
+
+ kill_login();
+ die();
+}
+
+function password_reset_success()
+{
+ global $path_to_root;
+
+ echo "
" . _("New password sent") . "
";
+ echo "" . _("A new password has been sent to your mailbox.") . "
";
+
+ echo "
" . _("Login here") . "";
+ echo "";
+
+ kill_login();
+ die();
+}
+
+function check_faillog()
+{
+ global $login_delay, $login_faillog, $login_max_attempts;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+ return true;
+
+ return false;
+}
+/*
+ Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+ Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+ global $login_faillog, $login_max_attempts, $path_to_root;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ $ip = $_SERVER['REMOTE_ADDR'];
+
+ if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+ $login_faillog[$user] = array($ip => 0, 'last' => '');
+
+ if (!$result)
+ {
+ if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+ $login_faillog[$user][$ip]++;
+ } else {
+ $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+ error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked." ), $login));
+ }
+ $login_faillog[$user]['last'] = time();
+ }
+
+ $msg = "sessionStart('FA'.md5(dirname(__FILE__)));
-//session_name('FA'.md5(dirname(__FILE__)));
-//session_start();
// this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
header("Cache-control: private");
@@ -308,6 +397,9 @@ header("Cache-control: private");
include_once($path_to_root . "/config.php");
get_text_init();
+if ($login_delay > 0)
+ @include_once($path_to_root . "/tmp/faillog.php");
+
// Page Initialisation
if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language'))
{
@@ -349,7 +441,7 @@ html_cleanup($_SERVER);
// logout.php is the only page we should have always
// accessable regardless of access level and current login status.
-if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
+if (!defined('FA_LOGOUT_PHP_FILE')){
login_timeout();
@@ -360,6 +452,33 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
if (!$_SESSION["wa_current_user"]->logged_in())
{
+ if (@$allow_password_reset && !$allow_demo_mode
+ && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) {
+ if (!isset($_POST["email_entry_field"])) {
+ include($path_to_root . "/access/password_reset.php");
+ exit();
+ }
+ else {
+ if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+ for ($i = 0; $i < count($db_connections); $i++) {
+ if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+ $_POST["company_login_name"] = $i;
+ unset($_POST["company_login_nickname"]);
+ break 1; // cannot pass variables to break from PHP v5.4 onwards
+ }
+ }
+ }
+ $_succeed = isset($db_connections[$_POST["company_login_name"]]) &&
+ $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"],
+ $_POST["email_entry_field"]);
+ if ($_succeed)
+ {
+ password_reset_success();
+ }
+
+ password_reset_fail();
+ }
+ }
// Show login screen
if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
{
@@ -373,7 +492,15 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
$Ajax->activate('_page_body');
exit;
} else {
-
+ if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+ for ($i = 0; $i < count($db_connections); $i++) {
+ if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+ $_POST["company_login_name"] = $i;
+ unset($_POST["company_login_nickname"]);
+ break 1; // cannot pass variables to break from PHP v5.4 onwards
+ }
+ }
+ }
$succeed = isset($db_connections[$_POST["company_login_name"]]) &&
$_SESSION["wa_current_user"]->login($_POST["company_login_name"],
$_POST["user_name_entry_field"], $_POST["password"]);
@@ -384,6 +511,14 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
// Incorrect password
login_fail();
}
+ elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
+ {
+ // in case of GET request redirect to avoid confirmation dialog
+ // after return from menu option
+ header("HTTP/1.1 303 See Other");
+ header("Location: ".$_SESSION['timeout']['uri']);
+ exit();
+ }
$lang = &$_SESSION['language'];
$lang->set_language($_SESSION['language']->code);
}
@@ -402,4 +537,4 @@ $SysPrefs = &$_SESSION['SysPrefs'];
// We quote all values later with db_escape() before db update.
$_POST = strip_quotes($_POST);
-?>
\ No newline at end of file
+?>