X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=2688a24e94072dee83851ad071ec027e04537b45;hb=0c794db98d716ec8823435d8423c98a12bebba66;hp=85ea33ede9322f455b6b2c29f61020609475c8a1;hpb=7cf8fadfc60a53eee553877754008b9b34d46e74;p=fa-stable.git
diff --git a/includes/session.inc b/includes/session.inc
index 85ea33ed..2688a24e 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -18,29 +18,29 @@ class SessionManager
session_name($name);
// Set SSL level
- $https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
+ $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
// Set session cookie options
session_set_cookie_params($limit, $path, $domain, $https, true);
session_start();
// Make sure the session hasn't expired, and destroy it if it has
- if (self::validateSession())
+ if ($this->validateSession())
{
// Check to see if the session is new or a hijacking attempt
- if(!self::preventHijacking())
+ if(!$this->preventHijacking())
{
// Reset session data and regenerate id
$_SESSION = array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
- self::regenerateSession();
+ $this->regenerateSession();
// Give a 5% chance of the session id changing on any request
}
elseif (rand(1, 100) <= 5)
{
- self::regenerateSession();
+ $this->regenerateSession();
}
}
else
@@ -76,16 +76,16 @@ class SessionManager
$_SESSION['EXPIRES'] = time() + 10;
// Create new session without destroying the old one
- session_regenerate_id(false);
-
+ session_regenerate_id();
+
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
-
// Set session ID to the new one, and start it back up again
+
session_id($newSession);
session_start();
-
+
// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
@@ -140,6 +140,66 @@ function login_fail()
kill_login();
die();
}
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if (!isset($login_delay))
+{
+ $login_delay = 10;
+ $login_max_attempts = 3;
+}
+
+function check_faillog()
+{
+ global $login_delay, $login_faillog, $login_max_attempts;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+ return true;
+
+ return false;
+}
+/*
+ Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+ Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+ global $login_faillog, $login_max_attempts, $path_to_root;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ $ip = $_SERVER['REMOTE_ADDR'];
+
+ if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+ $login_faillog[$user] = array($ip => 0, 'last' => '');
+
+ if (!$result)
+ {
+ if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+ $login_faillog[$user][$ip]++;
+ } else {
+ $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+ error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked." ), $login));
+ }
+ $login_faillog[$user]['last'] = time();
+ }
+
+ $msg = "";
echo "
";
- end_page();
+ end_page(@$_REQUEST['popup']);
exit;
}
if (!$_SESSION['SysPrefs']->db_ok
@@ -271,6 +331,7 @@ include_once($path_to_root . "/frontaccounting.php");
include_once($path_to_root . "/admin/db/security_db.inc");
include_once($path_to_root . "/includes/lang/language.php");
include_once($path_to_root . "/config_db.php");
+@include_once($path_to_root . "/faillog.php");
include_once($path_to_root . "/includes/ajax.inc");
include_once($path_to_root . "/includes/ui/ui_msgs.inc");
include_once($path_to_root . "/includes/prefs/sysprefs.inc");
@@ -294,18 +355,9 @@ foreach ($installed_extensions as $ext)
ini_set('session.gc_maxlifetime', 36000); // 10hrs
-SessionManager::sessionStart('FA'.md5(dirname(__FILE__)));
-
-//SessionManager::sessionStart('Blog_myBlog', 0, '/myBlog/', 'www.site.com');
-//SessionManager::sessionStart('Accounts_Bank', 0, '/', 'accounts.bank.com', true);
-/*
-hook_session_start(@$_POST["company_login_name"]);
+$Session_manager = new SessionManager();
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
-session_name('FA'.md5(dirname(__FILE__)));
-
-session_start();
-session_regenerate_id(true);
-*/
// this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
header("Cache-control: private");
@@ -377,7 +429,15 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
$Ajax->activate('_page_body');
exit;
} else {
-
+ if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+ for ($i = 0; $i < count($db_connections); $i++) {
+ if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+ $_POST["company_login_name"] = $i;
+ unset($_POST["company_login_nickname"]);
+ break 1; // cannot pass variables to break from PHP v5.4 onwards
+ }
+ }
+ }
$succeed = isset($db_connections[$_POST["company_login_name"]]) &&
$_SESSION["wa_current_user"]->login($_POST["company_login_name"],
$_POST["user_name_entry_field"], $_POST["password"]);