X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=37591d3489e8bdbceffdb78b28eece26c6053966;hb=4274e2d6ed6f5ee12bdf8425138ccdca1b92a95b;hp=85ea33ede9322f455b6b2c29f61020609475c8a1;hpb=7cf8fadfc60a53eee553877754008b9b34d46e74;p=fa-stable.git

diff --git a/includes/session.inc b/includes/session.inc
index 85ea33ed..37591d34 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -18,29 +18,29 @@ class SessionManager
 		session_name($name);
 
 		// Set SSL level
-		$https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
+		$https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
 
 		// Set session cookie options
 		session_set_cookie_params($limit, $path, $domain, $https, true);
 		session_start();
 
 		// Make sure the session hasn't expired, and destroy it if it has
-		if (self::validateSession())
+		if ($this->validateSession())
 		{
 			// Check to see if the session is new or a hijacking attempt
-			if(!self::preventHijacking())
+			if(!$this->preventHijacking())
 			{
 				// Reset session data and regenerate id
 				$_SESSION = array();
 				$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
 				$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
-				self::regenerateSession();
+				$this->regenerateSession();
 
 			// Give a 5% chance of the session id changing on any request
 			}
 			elseif (rand(1, 100) <= 5)
 			{
-				self::regenerateSession();
+				$this->regenerateSession();
 			}
 		}
 		else
@@ -76,16 +76,15 @@ class SessionManager
 		$_SESSION['EXPIRES'] = time() + 10;
 
 		// Create new session without destroying the old one
-		session_regenerate_id(false);
-
+		session_regenerate_id();
 		// Grab current session ID and close both sessions to allow other scripts to use them
 		$newSession = session_id();
 		session_write_close();
-
 		// Set session ID to the new one, and start it back up again
+
 		session_id($newSession);
 		session_start();
-
+		
 		// Now we unset the obsolete and expiration values for the session we want to keep
 		unset($_SESSION['OBSOLETE']);
 		unset($_SESSION['EXPIRES']);
@@ -141,6 +140,58 @@ function login_fail()
 	die();
 }
 
+function check_faillog()
+{
+	global $login_delay, $login_faillog, $login_max_attempts;
+
+	$user = $_SESSION["wa_current_user"]->user;
+
+	if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+		return true;
+
+	return false;
+}
+/*
+	Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+	Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+	global $login_faillog, $login_max_attempts, $path_to_root;
+
+	$user = $_SESSION["wa_current_user"]->user;
+
+	$ip = $_SERVER['REMOTE_ADDR'];
+
+	if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+		$login_faillog[$user] = array($ip => 0, 'last' => '');
+
+ 	if (!$result)
+	{
+		if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+ 			$login_faillog[$user][$ip]++;
+ 		} else {
+ 			$login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+	 		error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked."	), $login));
+	 	}
+ 		$login_faillog[$user]['last'] = time();
+	}
+
+	$msg = "<?php\n";
+	$msg .= "/*\n";
+	$msg .= "Login attempts info.\n";
+	$msg .= "*/\n";
+	$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
+
+	$filename = $path_to_root."/faillog.php";
+
+	if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
+	{
+		file_put_contents($filename, $msg);
+	}
+}
+
 //----------------------------------------------------------------------------------------
 
 function check_page_security($page_security)
@@ -162,7 +213,7 @@ function check_page_security($page_security)
 	
 	if ($msg){
 		display_error($msg);
-		end_page();
+		end_page(@$_REQUEST['popup']);
 		kill_login();
 		exit;
 	}
@@ -174,7 +225,7 @@ function check_page_security($page_security)
 		echo _("The security settings on your account do not permit you to access this function");
 		echo "</b>";
 		echo "<br><br><br><br></center>";
-		end_page();
+		end_page(@$_REQUEST['popup']);
 		exit;
 	}
 	if (!$_SESSION['SysPrefs']->db_ok 
@@ -258,6 +309,16 @@ if (!isset($path_to_root))
 	$path_to_root = ".";
 }
 
+//----------------------------------------------------------------------------------------
+// set to reasonable values if not set in config file (pre-2.3.12 installations)
+
+if ((!isset($login_delay)) || ($login_delay < 0))
+    $login_delay = 10;
+
+if ((!isset($login_max_attempts)) || ($login_max_attempts < 0))
+    $login_max_attempts = 3; 
+
+
 // Prevent register_globals vulnerability
 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
 	die("Restricted access");
@@ -294,24 +355,18 @@ foreach ($installed_extensions as $ext)
 
 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 
-SessionManager::sessionStart('FA'.md5(dirname(__FILE__)));
-
-//SessionManager::sessionStart('Blog_myBlog', 0, '/myBlog/', 'www.site.com');
-//SessionManager::sessionStart('Accounts_Bank', 0, '/', 'accounts.bank.com', true);
-/*
-hook_session_start(@$_POST["company_login_name"]);
+$Session_manager = new SessionManager();
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
 
-session_name('FA'.md5(dirname(__FILE__)));
-
-session_start();
-session_regenerate_id(true);
-*/
 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 header("Cache-control: private");
 
 include_once($path_to_root . "/config.php");
 get_text_init();
 
+if ($login_delay > 0)
+	@include_once($path_to_root . "/faillog.php");
+
 // Page Initialisation
 if (!isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language')) 
 {
@@ -377,7 +432,15 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 				$Ajax->activate('_page_body');
 			exit;
 		} else {
-
+			if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
+				for ($i = 0; $i < count($db_connections); $i++) {
+					if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
+						$_POST["company_login_name"] = $i;
+						unset($_POST["company_login_nickname"]);
+						break 1; // cannot pass variables to break from PHP v5.4 onwards
+					}
+				}
+			}
 			$succeed = isset($db_connections[$_POST["company_login_name"]]) &&
 				$_SESSION["wa_current_user"]->login($_POST["company_login_name"],
 				$_POST["user_name_entry_field"], $_POST["password"]);
@@ -388,6 +451,14 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 			// Incorrect password
 				login_fail();
 			}
+			elseif(!$_SESSION['timeout']['post'])
+			{
+				// in case of GET request redirect to avoid confirmation dialog 
+				// after return from menu option
+				header("HTTP 1.1 303 See Other");
+				header("Location: ".$_SESSION['timeout']['uri']);
+				exit();
+			}
 			$lang = &$_SESSION['language'];
 			$lang->set_language($_SESSION['language']->code);
 		}