X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=5f9240eb6ad4d6b894bc97d080d775ea2f4caf12;hb=b14f304532b7d124e79ee2a03d60a0850c8a417d;hp=e2a7fca2f2e65f1bcb11684265e942697bb22e33;hpb=9145a040396e901eda3fa154dcfaaa66004e568c;p=fa-stable.git diff --git a/includes/session.inc b/includes/session.inc index e2a7fca2..5f9240eb 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -9,6 +9,9 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the License here . ***********************************************************************/ +define('VARLIB_PATH', $path_to_root.'/tmp'); +define('VARLOG_PATH', $path_to_root.'/tmp'); +define('SECURE_ONLY', true); // if you really need also http (unsecure) access allowed, you can set this to NULL class SessionManager { @@ -131,15 +134,13 @@ function kill_login() function login_fail() { global $path_to_root; - + header("HTTP/1.1 401 Authorization Required"); echo "
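Review bot: The comment on `SECURE_ONLY` says what to set it to but not what it controls; since the constant is handed to `sessionStart()` as its last argument further down in this file, the comment should name the effect, e.g. `// session cookie 'secure' flag: cookie is sent over https only; set to NULL only if http access to the application is unavoidable`. With the flag true, a deployment reached over plain http never gets the session cookie back and every request starts a fresh session, which is the intended effect but worth stating next to the switch. `VARLIB_PATH` and `VARLOG_PATH` both resolve to `$path_to_root.'/tmp'` and are evaluated here, before the `path_to_root` request-parameter guard that appears later in this file, so they silently depend on the including page having set `$path_to_root` to its trusted value before this file is entered; a one-line comment saying so would make that ordering explicit.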


" . _("Incorrect Password") . "

"; echo "" . _("The user and password combination is not valid for the system.") . "

"; - echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system."); echo "
" . _("Try again") . ""; echo "
"; - kill_login(); die(); } @@ -148,12 +149,12 @@ function password_reset_fail() { global $path_to_root; - echo "


" . _("Incorrect Email") . "

"; - echo "" . _("The email address does not exist in the system, or is used by more than one user.") . "

"; + echo "


" . _("Incorrect Email") . "

"; + echo "" . _("The email address does not exist in the system, or is used by more than one user.") . "

"; - echo _("Plase try again or contact your system administrator to obtain new password."); - echo "
" . _("Try again") . ""; - echo "
"; + echo _("Plase try again or contact your system administrator to obtain new password."); + echo "
" . _("Try again") . ""; + echo "
"; kill_login(); die(); @@ -163,11 +164,11 @@ function password_reset_success() { global $path_to_root; - echo "


" . _("New password sent") . "

"; - echo "" . _("A new password has been sent to your mailbox.") . "

"; + echo "


" . _("New password sent") . "

"; + echo "" . _("A new password has been sent to your mailbox.") . "

"; - echo "
" . _("Login here") . ""; - echo "
"; + echo "
" . _("Login here") . ""; + echo "
"; kill_login(); die(); @@ -179,6 +180,7 @@ function check_faillog() $user = $_SESSION["wa_current_user"]->user; + $_SESSION["wa_current_user"]->login_attempt++; if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay)) return true; @@ -227,9 +229,9 @@ function write_login_filelog($login, $result) $msg .= "*/\n"; $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n"; - $filename = $path_to_root."/tmp/faillog.php"; + $filename = VARLIB_PATH."/faillog.php"; - if ((!file_exists($filename) && is_writable($path_to_root.'/tmp')) || is_writable($filename)) + if ((!file_exists($filename) && is_writable(VARLIB_PATH)) || is_writable($filename)) { file_put_contents($filename, $msg); cache_invalidate($filename); @@ -310,7 +312,7 @@ function set_page_security($value=null, $trans = array(), $gtrans = array()) // function strip_quotes($data) { - if(get_magic_quotes_gpc()) { + if(version_compare(phpversion(), '5.4', '<') && get_magic_quotes_gpc()) { if(is_array($data)) { foreach($data as $k => $v) { $data[$k] = strip_quotes($data[$k]); @@ -372,6 +374,7 @@ if (isset($_GET['path_to_root']) || isset($_POST['path_to_root'])) include_once($path_to_root . "/includes/errors.inc"); // colect all error msgs set_error_handler('error_handler' /*, errtypes */); +set_exception_handler('exception_handler'); include_once($path_to_root . "/includes/current_user.inc"); include_once($path_to_root . "/frontaccounting.php"); 
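Review bot: `$_SESSION["wa_current_user"]->login_attempt++` increments a property that nothing in the hunk initialises, so on the first failed attempt PHP raises an undefined-property notice unless the class behind `wa_current_user` declares `login_attempt` (not visible here); either declare it with a default of 0 in that class or guard the increment with `if (!isset($_SESSION["wa_current_user"]->login_attempt)) $_SESSION["wa_current_user"]->login_attempt = 0;`. The increment also runs before the delay/max-attempts comparison, so a request rejected by the lockout still counts as an attempt, and whether the counter is reset on a successful login is outside this hunk. check_faillog() continues past the hunk.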
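Review bot: The guard `version_compare(phpversion(), '5.4', '<')` can be written as the integer comparison `PHP_VERSION_ID < 50400`, which avoids a string compare on every call. More useful is a comment on why the guard exists, since the function is now a no-op on any current PHP and the reason is not obvious from the line: `// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() no longer exists in PHP 8, so only consult it on older releases`. strip_quotes() continues past the hunk.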
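Review bot: `set_exception_handler('exception_handler')` is registered immediately after `errors.inc` is included and so relies on that file defining `exception_handler`; if it does not, PHP rejects the non-callable argument at this line. I cannot see the handler here, but an uncaught-exception handler in the file that fronts the login page is where exception messages and stack traces leak to the client, so it should honour the same `$SysPrefs->go_debug` switch that selects `error_reporting` further down and log rather than display when debugging is off. A short comment at the call would record both expectations: `// defined in includes/errors.inc; logs the exception and shows details to the client only when go_debug is set`.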
@@ -391,8 +394,11 @@ foreach ($installed_extensions as $ext) if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php')) include_once($path_to_root.'/'.$ext['path'].'/hooks.php'); } + +ini_set('session.gc_maxlifetime', 36000); // moved from below. + $Session_manager = new SessionManager(); -$Session_manager->sessionStart('FA'.md5(dirname(__FILE__))); +$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)), 0, '/', null, SECURE_ONLY); $_SESSION['SysPrefs'] = new sys_prefs(); @@ -408,9 +414,11 @@ if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < $SysPrefs->login_max_attempts = 3; if ($SysPrefs->go_debug > 0) - error_reporting(-1); + $cur_error_level = -1; else - error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE); + $cur_error_level = E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE; + +error_reporting($cur_error_level); ini_set("display_errors", "On"); if ($SysPrefs->error_logfile != '') { @@ -424,9 +432,9 @@ if ($SysPrefs->error_logfile != '') { to avoid unexpeced session timeouts. Make sure this directory exists and is writable! */ -// ini_set('session.save_path', dirname(__FILE__).'/../tmp/'); +// ini_set('session.save_path', VARLIB_PATH.'/'); -ini_set('session.gc_maxlifetime', 36000); // 10hrs +// ini_set('session.gc_maxlifetime', 36000); // 10hrs - moved to before session_manager hook_session_start(@$_POST["company_login_name"]); @@ -435,8 +443,8 @@ header("Cache-control: private"); get_text_init(); -if ($SysPrefs->login_delay > 0) - @include_once($path_to_root . "/tmp/faillog.php"); +if ($SysPrefs->login_delay > 0 && file_exists(VARLIB_PATH."/faillog.php")) + include_once(VARLIB_PATH."/faillog.php"); // Page Initialisation if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in() 
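Review bot: The positional arguments `0, '/', null, SECURE_ONLY` passed to `sessionStart()` are opaque at the call site; the SessionManager class is outside this hunk, so I cannot confirm they are lifetime, path, domain and secure, nor whether the session cookie is also marked `httponly`. A comment naming them, e.g. `// session name, cookie lifetime, path, domain, secure flag`, plus a check that the cookie carries the `httponly` flag (via `session_set_cookie_params()` or `ini_set('session.cookie_httponly', 1)` before the session opens) would close that gap. Moving `ini_set('session.gc_maxlifetime', 36000)` ahead of the session start is right, because the setting only takes effect if it is in place when the session is opened; the `// moved from below.` comment could say that instead: `// must precede sessionStart(): gc_maxlifetime is read when the session is opened`.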
@@ -485,7 +493,7 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ login_timeout(); - if (!$_SESSION["wa_current_user"]->old_db) + if (!$_SESSION["wa_current_user"]->old_db && file_exists($path_to_root . '/company/'.user_company().'/installed_extensions.php')) include($path_to_root . '/company/'.user_company().'/installed_extensions.php'); install_hooks(); @@ -526,10 +534,10 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s', '', html_specials_encode($_SERVER['REQUEST_URI'])), 'post' => $_POST); - + if (in_ajax()) + $Ajax->popup($path_to_root ."/access/timeout.php"); + else include($path_to_root . "/access/login.php"); - if (in_ajax()) - $Ajax->activate('_page_body'); exit; } else { if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) { @@ -549,13 +557,17 @@ if (!defined('FA_LOGOUT_PHP_FILE')){ if (!$succeed) { // Incorrect password - login_fail(); + if (isset($_SESSION['timeout'])) { + include($path_to_root . "/access/login.php"); + exit; + } else + login_fail(); } elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post']) { // in case of GET request redirect to avoid confirmation dialog // after return from menu option - header("HTTP/1.1 303 See Other"); + header("HTTP/1.1 307 Temporary Redirect"); header("Location: ".$_SESSION['timeout']['uri']); exit(); }
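Review bot: The change from 303 to 307 reintroduces the behaviour the comment directly above it says the redirect exists to avoid: 307 instructs the browser to repeat the request with the same method and body, and this response answers the POST of the login form, so the browser will re-POST the login fields, password included, to `$_SESSION['timeout']['uri']` and may show a resubmission prompt. 303 is the status that turns that POST into a GET of the Location, which is exactly what this branch wants since `!$_SESSION['timeout']['post']` means the timed-out request was a GET, so `header("HTTP/1.1 303 See Other");` should be restored, or the reason for preferring 307 documented beside it. The enclosing block that handles the login result starts before the hunk.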