projects / fa-stable.git / blob
? search:


21c402e0033284c54b7ce832efe32acc8256a451
[fa-stable.git] / includes / session.inc
1 <?php
2 /**********************************************************************
3         Copyright (C) FrontAccounting, LLC.
4         Released under the terms of the GNU General Public License, GPL,
5         as published by the Free Software Foundation, either version 3
6         of the License, or (at your option) any later version.
7         This program is distributed in the hope that it will be useful,
8         but WITHOUT ANY WARRANTY; without even the implied warranty of
9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
11 ***********************************************************************/
12 define('VARLIB_PATH', $path_to_root.'/tmp');
13 define('VARLOG_PATH', $path_to_root.'/tmp');
14
15 class SessionManager
16 {
17         function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
18         {
19                 // Set the cookie name
20                 session_name($name);
21
22                 // Set SSL level
23                 $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
24
25                 // Set session cookie options
26                 if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
27                         session_set_cookie_params($limit, $path, $domain, $https);
28                 else
29                         session_set_cookie_params($limit, $path, $domain, $https, true);
30
31                 session_start();
32
33                 // Make sure the session hasn't expired, and destroy it if it has
34                 if ($this->validateSession())
35                 {
36                         // Check to see if the session is new or a hijacking attempt
37                         if(!$this->preventHijacking())
38                         {
39                                 // Reset session data and regenerate id
40                                 $_SESSION = array();
41                                 $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
42                                 $_SESSION['userAgent'] = @$_SERVER['HTTP_USER_AGENT'];
43                                 $this->regenerateSession();
44
45                         // Give a 5% chance of the session id changing on any request
46                         }
47                         elseif (rand(1, 100) <= 5)
48                         {
49                                 $this->regenerateSession();
50                         }
51                 }
52                 else
53                 {
54                         $_SESSION = array();
55                         session_destroy();
56                         session_start();
57                 }
58         }
59
60         function preventHijacking()
61         {
62                 if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
63                         return false;
64
65                 if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
66                         return false;
67
68                 if ( $_SESSION['userAgent'] != @$_SERVER['HTTP_USER_AGENT'])
69                         return false;
70
71                 return true;
72         }
73
74         function regenerateSession()
75         {
76                 // If this session is obsolete it means there already is a new id
77                 if (isset($_SESSION['OBSOLETE']) && ($_SESSION['OBSOLETE'] == true))
78                         return;
79
80                 // Set current session to expire in 10 seconds
81                 $_SESSION['OBSOLETE'] = true;
82                 $_SESSION['EXPIRES'] = time() + 10;
83
84                 // Create new session without destroying the old one
85                 session_regenerate_id();
86                 // Grab current session ID and close both sessions to allow other scripts to use them
87                 $newSession = session_id();
88                 session_write_close();
89                 // Set session ID to the new one, and start it back up again
90
91                 session_id($newSession);
92                 session_start();
93                 
94                 // Now we unset the obsolete and expiration values for the session we want to keep
95                 unset($_SESSION['OBSOLETE']);
96                 unset($_SESSION['EXPIRES']);
97         }
98
99         function validateSession()
100         {
101                 if (isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
102                         return false;
103
104                 if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
105                         return false;
106
107                 return true;
108         }
109 }
110
111 function output_html($text)
112 {
113         global $before_box, $Ajax, $messages;
114         // Fatal errors are not send to error_handler,
115         // so we must check the output
116         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
117                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
118                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
119                 $messages[] = array(E_ERROR, $m[2], null, null);
120         }
121         $Ajax->run();
122         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
123 }
124 //----------------------------------------------------------------------------------------
125
126 function kill_login()
127 {
128         session_unset();
129         session_destroy();
130 }
131 //----------------------------------------------------------------------------------------
132
133 function login_fail()
134 {
135         global $path_to_root;
136         
137         header("HTTP/1.1 401 Authorization Required");
138         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
139         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
140
141         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
142         echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
143         echo "</center>";
144
145         kill_login();
146         die();
147 }
148
149 function password_reset_fail()
150 {
151         global $path_to_root;
152         
153         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
154         echo "<b>" . _("The email address does not exist in the system, or is used by more than one user.") . "<b><br><br>";
155
156         echo _("Plase try again or contact your system administrator to obtain new password.");
157         echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
158         echo "</center>";
159
160         kill_login();
161         die();
162 }
163
164 function password_reset_success()
165 {
166         global $path_to_root;
167
168         echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
169         echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
170
171         echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
172         echo "</center>";
173         
174         kill_login();
175         die();
176 }
177
178 function check_faillog()
179 {
180         global $SysPrefs, $login_faillog;
181
182         $user = $_SESSION["wa_current_user"]->user;
183
184         if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay))
185                 return true;
186
187         return false;
188 }
189
190 /*
191         Ensure file is re-read on next request if php caching is active
192 */
193 function cache_invalidate($filename)
194 {
195         if (function_exists('opcache_invalidate'))      // OpCode extension
196                 opcache_invalidate($filename);
197 }
198
199 /*
200         Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
201         Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
202 */
203 function write_login_filelog($login, $result)
204 {
205         global $login_faillog, $SysPrefs, $path_to_root;
206
207         $user = $_SESSION["wa_current_user"]->user;
208
209         $ip = $_SERVER['REMOTE_ADDR'];
210
211         if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
212                 $login_faillog[$user] = array($ip => 0, 'last' => '');
213
214         if (!$result)
215         {
216                 if ($login_faillog[$user][$ip] < @$SysPrefs->login_max_attempts) {
217
218                         $login_faillog[$user][$ip]++;
219                 } else {
220                         $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
221                         error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked."     ), $login));
222                 }
223                 $login_faillog[$user]['last'] = time();
224         }
225
226         $msg = "<?php\n";
227         $msg .= "/*\n";
228         $msg .= "Login attempts info.\n";
229         $msg .= "*/\n";
230         $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
231
232         $filename = VARLIB_PATH."/faillog.php";
233
234         if ((!file_exists($filename) && is_writable(VARLIB_PATH)) || is_writable($filename))
235         {
236                 file_put_contents($filename, $msg);
237                 cache_invalidate($filename);
238         }
239 }
240
241 //----------------------------------------------------------------------------------------
242
243 function check_page_security($page_security)
244 {
245         global $SysPrefs;
246         
247         $msg = '';
248         
249         if (!$_SESSION["wa_current_user"]->check_user_access())
250         {
251                 // notification after upgrade from pre-2.2 version
252                 $msg = $_SESSION["wa_current_user"]->old_db ?
253                          _("Security settings have not been defined for your user account.")
254                                 . "<br>" . _("Please contact your system administrator.")       
255                         : _("Please remove \$security_groups and \$security_headings arrays from config.php file!");
256         } elseif (!$SysPrefs->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) 
257         {
258                 $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.');
259         }
260         
261         if ($msg){
262                 display_error($msg);
263                 end_page(@$_REQUEST['popup']);
264                 kill_login();
265                 exit;
266         }
267
268         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
269         {
270
271                 echo "<center><br><br><br><b>";
272                 echo _("The security settings on your account do not permit you to access this function");
273                 echo "</b>";
274                 echo "<br><br><br><br></center>";
275                 end_page(@$_REQUEST['popup']);
276                 exit;
277         }
278         if (!$SysPrefs->db_ok 
279                 && !in_array($page_security, array('SA_SOFTWAREUPGRADE', 'SA_OPEN', 'SA_BACKUP')))
280         {
281                 display_error(_('System is blocked after source upgrade until database is updated on System/Software Upgrade page'));
282                 end_page();
283                 exit;
284         }
285
286 }
287 /*
288         Helper function for setting page security level depeding on 
289         GET start variable and/or some value stored in session variable.
290         Before the call $page_security should be set to default page_security value.
291 */
292 function set_page_security($value=null, $trans = array(), $gtrans = array())
293 {
294         global $page_security;
295
296         // first check is this is not start page call
297         foreach($gtrans as $key => $area)
298                 if (isset($_GET[$key])) {
299                         $page_security = $area;
300                         return;
301                 }
302
303         // then check session value
304         if (isset($trans[$value])) {
305                 $page_security = $trans[$value];
306                 return;
307         }
308 }
309
310 //-----------------------------------------------------------------------------
311 //      Removing magic quotes from nested arrays/variables
312 //
313 function strip_quotes($data)
314 {
315         if(version_compare(phpversion(), '5.4', '<') && get_magic_quotes_gpc()) {
316                 if(is_array($data)) {
317                         foreach($data as $k => $v) {
318                                 $data[$k] = strip_quotes($data[$k]);
319                         }
320                 } else
321                         return stripslashes($data);
322         }
323         return $data;
324 }
325
326 /*
327         htmlspecialchars does not support certain encodings.
328         ISO-8859-2 fortunately has the same special characters positions as 
329         ISO-8859-1, so fix is easy. If any other unsupported encoding is used,
330         add workaround here.
331 */
332 function html_specials_encode($str)
333 {
334         return htmlspecialchars($str, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ?
335                  'ISO-8859-1' : $_SESSION['language']->encoding);
336 }
337
338 function html_cleanup(&$parms)
339 {
340         foreach($parms as $name => $value) {
341                 if (is_array($value))
342                         html_cleanup($parms[$name]);
343                 else
344                         $parms[$name] = html_specials_encode($value);
345         }
346         reset($parms); // needed for direct key() usage later throughout the sources
347 }
348
349 //============================================================================
350 //
351 //
352 function login_timeout()
353 {
354         // skip timeout on logout page
355         if ($_SESSION["wa_current_user"]->logged) {
356                 $tout = $_SESSION["wa_current_user"]->timeout;
357                 if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
358                 {
359                         $_SESSION["wa_current_user"]->logged = false;
360                 }
361                 $_SESSION["wa_current_user"]->last_act = time();
362         }
363 }
364 //============================================================================
365 if (!isset($path_to_root))
366 {
367         $path_to_root = ".";
368 }
369
370 // Prevent register_globals vulnerability
371 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
372         die("Restricted access");
373
374 include_once($path_to_root . "/includes/errors.inc");
375 // colect all error msgs
376 set_error_handler('error_handler' /*, errtypes */);
377 set_exception_handler('exception_handler');
378
379 include_once($path_to_root . "/includes/current_user.inc");
380 include_once($path_to_root . "/frontaccounting.php");
381 include_once($path_to_root . "/admin/db/security_db.inc");
382 include_once($path_to_root . "/includes/lang/language.inc");
383 include_once($path_to_root . "/config_db.php");
384 include_once($path_to_root . "/includes/ajax.inc");
385 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
386 include_once($path_to_root . "/includes/prefs/sysprefs.inc");
387
388 include_once($path_to_root . "/includes/hooks.inc");
389 //
390 // include all extensions hook files.
391 //
392 foreach ($installed_extensions as $ext)
393 {
394         if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
395                 include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
396 }
397
398 ini_set('session.gc_maxlifetime', 36000); // moved from below.
399
400 $Session_manager = new SessionManager();
401 $Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
402
403 $_SESSION['SysPrefs'] = new sys_prefs();
404
405 $SysPrefs = &$_SESSION['SysPrefs'];
406
407 //----------------------------------------------------------------------------------------
408 // set to reasonable values if not set in config file (pre-2.3.12 installations)
409
410 if ((!isset($SysPrefs->login_delay)) || ($SysPrefs->login_delay < 0))
411     $SysPrefs->login_delay = 10;
412
413 if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts < 0))
414     $SysPrefs->login_max_attempts = 3; 
415
416 if ($SysPrefs->go_debug > 0)
417         error_reporting(-1);
418 else
419         error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE);
420 ini_set("display_errors", "On");
421
422 if ($SysPrefs->error_logfile != '') {
423         ini_set("error_log", $SysPrefs->error_logfile);
424         ini_set("ignore_repeated_errors", "On");
425         ini_set("log_errors", "On");
426 }
427
428 /*
429         Uncomment the setting below when using FA on shared hosting
430         to avoid unexpeced session timeouts.
431         Make sure this directory exists and is writable!
432 */
433 // ini_set('session.save_path', VARLIB_PATH.'/');
434
435 // ini_set('session.gc_maxlifetime', 36000); // 10hrs - moved to before session_manager
436
437 hook_session_start(@$_POST["company_login_name"]);
438
439 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
440 header("Cache-control: private");
441
442 get_text_init();
443
444 if ($SysPrefs->login_delay > 0 && file_exists(VARLIB_PATH."/faillog.php"))
445         include_once(VARLIB_PATH."/faillog.php");
446
447 // Page Initialisation
448 if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in()
449         || !isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language'))
450 {
451         $l = array_search_value($dflt_lang, $installed_languages,  'code');
452         $_SESSION['language'] = new language($l['name'], $l['code'], $l['encoding'],
453          (isset($l['rtl']) && $l['rtl'] === true) ? 'rtl' : 'ltr');
454 }
455
456 $_SESSION['language']->set_language($_SESSION['language']->code);
457
458
459 include_once($path_to_root . "/includes/access_levels.inc");
460 include_once($path_to_root . "/version.php");
461 include_once($path_to_root . "/includes/main.inc");
462 include_once($path_to_root . "/includes/app_entries.inc");
463
464 // Ajax communication object
465 $Ajax = new Ajax();
466
467 // js/php validation rules container
468 $Validate = array();
469 // bindings for editors
470 $Editors = array();
471 // page help. Currently help for function keys.
472 $Pagehelp = array();
473
474 $Refs = new references();
475
476 // intercept all output to destroy it in case of ajax call
477 register_shutdown_function('end_flush');
478 ob_start('output_html',0);
479
480 if (!isset($_SESSION["wa_current_user"]))
481         $_SESSION["wa_current_user"] = new current_user();
482
483 html_cleanup($_GET);
484 html_cleanup($_POST);
485 html_cleanup($_REQUEST);
486 html_cleanup($_SERVER);
487
488 // logout.php is the only page we should have always 
489 // accessable regardless of access level and current login status.
490 if (!defined('FA_LOGOUT_PHP_FILE')){
491
492         login_timeout();
493
494         if (!$_SESSION["wa_current_user"]->old_db && file_exists($path_to_root . '/company/'.user_company().'/installed_extensions.php'))
495                 include($path_to_root . '/company/'.user_company().'/installed_extensions.php');
496
497         install_hooks();
498
499         if (!$_SESSION["wa_current_user"]->logged_in())
500         {
501       if (@$SysPrefs->allow_password_reset && !$SysPrefs->allow_demo_mode
502         && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) {
503                   if (!isset($_POST["email_entry_field"])) {
504         include($path_to_root . "/access/password_reset.php");
505         exit();
506       }
507       else {
508         if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
509           for ($i = 0; $i < count($db_connections); $i++) {
510             if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
511               $_POST["company_login_name"] = $i;
512               unset($_POST["company_login_nickname"]);
513               break 1; // cannot pass variables to break from PHP v5.4 onwards
514             }
515           }
516         }
517         $_succeed = isset($db_connections[$_POST["company_login_name"]]) &&
518           $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"],
519           $_POST["email_entry_field"]);
520         if ($_succeed)
521         {
522           password_reset_success();
523         }
524
525         password_reset_fail();
526       }
527     }
528                 // Show login screen
529                 if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
530                 {
531                         // strip ajax marker from uri, to force synchronous page reload
532                         $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
533                                         '', html_specials_encode($_SERVER['REQUEST_URI'])),
534                                 'post' => $_POST);
535
536                         include($path_to_root . "/access/login.php");
537                         if (in_ajax())
538                                 $Ajax->activate('_page_body');
539                         exit;
540                 } else {
541                         if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
542                                 for ($i = 0; $i < count($db_connections); $i++) {
543                                         if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
544                                                 $_POST["company_login_name"] = $i;
545                                                 unset($_POST["company_login_nickname"]);
546                                                 break 1; // cannot pass variables to break from PHP v5.4 onwards
547                                         }
548                                 }
549                         }
550                         $succeed = isset($db_connections[$_POST["company_login_name"]]) &&
551                                 $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
552                                 $_POST["user_name_entry_field"], $_POST["password"]);
553                         // select full vs fallback ui mode on login
554                         $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
555                         if (!$succeed)
556                         {
557                         // Incorrect password
558                                 login_fail();
559                         }
560                         elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
561                         {
562                                 // in case of GET request redirect to avoid confirmation dialog 
563                                 // after return from menu option
564                                 header("HTTP/1.1 303 See Other");
565                                 header("Location: ".$_SESSION['timeout']['uri']);
566                                 exit();
567                         }
568                         $lang = &$_SESSION['language'];
569                         $lang->set_language($_SESSION['language']->code);
570                 }
571         } else
572         {
573                 set_global_connection();
574
575                 if (db_fixed())
576                         db_set_encoding($_SESSION['language']->encoding);
577
578                 $SysPrefs->refresh();
579         }
580         if (!isset($_SESSION["App"])) {
581                 $_SESSION["App"] = new front_accounting();
582                 $_SESSION["App"]->init();
583         }
584 }
585
586 // POST vars cleanup needed for direct reuse.
587 // We quote all values later with db_escape() before db update.
588 $_POST = strip_quotes($_POST);
FrontAccounting stable branch