X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=5f9240eb6ad4d6b894bc97d080d775ea2f4caf12;hb=b14f304532b7d124e79ee2a03d60a0850c8a417d;hp=71206521fda2bd2d89471b85e868862fed4b4e99;hpb=e685a94465fe8f26c8ff3789242b43c1c20054cf;p=fa-stable.git diff --git a/includes/session.inc b/includes/session.inc index 71206521..5f9240eb 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -11,6 +11,7 @@ ***********************************************************************/ define('VARLIB_PATH', $path_to_root.'/tmp'); define('VARLOG_PATH', $path_to_root.'/tmp'); +define('SECURE_ONLY', true); // if you really need also http (unsecure) access allowed, you can set this to NULL class SessionManager { @@ -133,15 +134,13 @@ function kill_login() function login_fail() { global $path_to_root; - + header("HTTP/1.1 401 Authorization Required"); echo "


" . _("Incorrect Password") . "

"; echo "" . _("The user and password combination is not valid for the system.") . "

"; - echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system."); echo "
" . _("Try again") . ""; echo "
"; - kill_login(); die(); } @@ -181,6 +180,7 @@ function check_faillog() $user = $_SESSION["wa_current_user"]->user; + $_SESSION["wa_current_user"]->login_attempt++; if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay)) return true; @@ -398,7 +398,7 @@ foreach ($installed_extensions as $ext) ini_set('session.gc_maxlifetime', 36000); // moved from below. $Session_manager = new SessionManager(); -$Session_manager->sessionStart('FA'.md5(dirname(__FILE__))); +$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)), 0, '/', null, SECURE_ONLY); $_SESSION['SysPrefs'] = new sys_prefs(); @@ -414,9 +414,11 @@ if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < $SysPrefs->login_max_attempts = 3; if ($SysPrefs->go_debug > 0) - error_reporting(-1); + $cur_error_level = -1; else - error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE); + $cur_error_level = E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE; + +error_reporting($cur_error_level); ini_set("display_errors", "On"); if ($SysPrefs->error_logfile != '') { @@ -532,10 +534,10 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s', '', html_specials_encode($_SERVER['REQUEST_URI'])), 'post' => $_POST); - + if (in_ajax()) + $Ajax->popup($path_to_root ."/access/timeout.php"); + else include($path_to_root . "/access/login.php"); - if (in_ajax()) - $Ajax->activate('_page_body'); exit; } else { if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) { @@ -555,7 +557,11 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ if (!$succeed) { // Incorrect password - login_fail(); + if (isset($_SESSION['timeout'])) { + include($path_to_root . "/access/login.php"); + exit; + } else + login_fail(); } elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post']) {