projects / fa-stable.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fail log was not written when root directory was read only.
[fa-stable.git] / includes / session.inc
1 <?php
2 /**********************************************************************
3         Copyright (C) FrontAccounting, LLC.
4         Released under the terms of the GNU General Public License, GPL,
5         as published by the Free Software Foundation, either version 3
6         of the License, or (at your option) any later version.
7         This program is distributed in the hope that it will be useful,
8         but WITHOUT ANY WARRANTY; without even the implied warranty of
9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
11 ***********************************************************************/
12
13 class SessionManager
14 {
15         function sessionStart($name, $limit = 0, $path = '/', $domain = null, $secure = null)
16         {
17                 // Set the cookie name
18                 session_name($name);
19
20                 // Set SSL level
21                 $https = isset($secure) ? $secure : (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
22
23                 // Set session cookie options
24                 if (version_compare(PHP_VERSION, '5.2', '<')) // avoid failure on older php versions
25                         session_set_cookie_params($limit, $path, $domain, $https);
26                 else
27                         session_set_cookie_params($limit, $path, $domain, $https, true);
28
29                 session_start();
30
31                 // Make sure the session hasn't expired, and destroy it if it has
32                 if ($this->validateSession())
33                 {
34                         // Check to see if the session is new or a hijacking attempt
35                         if(!$this->preventHijacking())
36                         {
37                                 // Reset session data and regenerate id
38                                 $_SESSION = array();
39                                 $_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
40                                 $_SESSION['userAgent'] = @$_SERVER['HTTP_USER_AGENT'];
41                                 $this->regenerateSession();
42
43                         // Give a 5% chance of the session id changing on any request
44                         }
45                         elseif (rand(1, 100) <= 5)
46                         {
47                                 $this->regenerateSession();
48                         }
49                 }
50                 else
51                 {
52                         $_SESSION = array();
53                         session_destroy();
54                         session_start();
55                 }
56         }
57
58         function preventHijacking()
59         {
60                 if (!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent']))
61                         return false;
62
63                 if ($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR'])
64                         return false;
65
66                 if ( $_SESSION['userAgent'] != @$_SERVER['HTTP_USER_AGENT'])
67                         return false;
68
69                 return true;
70         }
71
72         function regenerateSession()
73         {
74                 // If this session is obsolete it means there already is a new id
75                 if (isset($_SESSION['OBSOLETE']) && ($_SESSION['OBSOLETE'] == true))
76                         return;
77
78                 // Set current session to expire in 10 seconds
79                 $_SESSION['OBSOLETE'] = true;
80                 $_SESSION['EXPIRES'] = time() + 10;
81
82                 // Create new session without destroying the old one
83                 session_regenerate_id();
84                 // Grab current session ID and close both sessions to allow other scripts to use them
85                 $newSession = session_id();
86                 session_write_close();
87                 // Set session ID to the new one, and start it back up again
88
89                 session_id($newSession);
90                 session_start();
91                 
92                 // Now we unset the obsolete and expiration values for the session we want to keep
93                 unset($_SESSION['OBSOLETE']);
94                 unset($_SESSION['EXPIRES']);
95         }
96
97         function validateSession()
98         {
99                 if (isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES']) )
100                         return false;
101
102                 if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time())
103                         return false;
104
105                 return true;
106         }
107 }
108
109 function output_html($text)
110 {
111         global $before_box, $Ajax, $messages;
112         // Fatal errors are not send to error_handler,
113         // so we must check the output
114         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
115                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
116                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
117                 $messages[] = array(E_ERROR, $m[2], null, null);
118         }
119         $Ajax->run();
120         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
121 }
122 //----------------------------------------------------------------------------------------
123
124 function kill_login()
125 {
126         session_unset();
127         session_destroy();
128 }
129 //----------------------------------------------------------------------------------------
130
131 function login_fail()
132 {
133         global $path_to_root;
134         
135         header("HTTP/1.1 401 Authorization Required");
136         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
137         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
138
139         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
140         echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
141         echo "</center>";
142
143         kill_login();
144         die();
145 }
146
147 function password_reset_fail()
148 {
149         global $path_to_root;
150         
151   echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
152   echo "<b>" . _("The email address does not exist in the system.") . "<b><br><br>";
153
154   echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
155   echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
156   echo "</center>";
157
158         kill_login();
159         die();
160 }
161
162 function password_reset_success()
163 {
164         global $path_to_root;
165
166   echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
167   echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
168
169   echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
170   echo "</center>";
171         
172         kill_login();
173         die();
174 }
175
176 function check_faillog()
177 {
178         global $login_delay, $login_faillog, $login_max_attempts;
179
180         $user = $_SESSION["wa_current_user"]->user;
181
182         if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
183                 return true;
184
185         return false;
186 }
187 /*
188         Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
189         Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
190 */
191 function write_login_filelog($login, $result)
192 {
193         global $login_faillog, $login_max_attempts, $path_to_root;
194
195         $user = $_SESSION["wa_current_user"]->user;
196
197         $ip = $_SERVER['REMOTE_ADDR'];
198
199         if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
200                 $login_faillog[$user] = array($ip => 0, 'last' => '');
201
202         if (!$result)
203         {
204                 if ($login_faillog[$user][$ip] < @$login_max_attempts) {
205
206                         $login_faillog[$user][$ip]++;
207                 } else {
208                         $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
209                         error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked."     ), $login));
210                 }
211                 $login_faillog[$user]['last'] = time();
212         }
213
214         $msg = "<?php\n";
215         $msg .= "/*\n";
216         $msg .= "Login attempts info.\n";
217         $msg .= "*/\n";
218         $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
219
220         $filename = $path_to_root."/tmp/faillog.php";
221
222         if ((!file_exists($filename) && is_writable($path_to_root.'/tmp')) || is_writable($filename))
223         {
224                 file_put_contents($filename, $msg);
225         }
226 }
227
228 //----------------------------------------------------------------------------------------
229
230 function check_page_security($page_security)
231 {
232         global $SysPrefs;
233         
234         $msg = '';
235         
236         if (!$_SESSION["wa_current_user"]->check_user_access())
237         {
238                 // notification after upgrade from pre-2.2 version
239                 $msg = $_SESSION["wa_current_user"]->old_db ?
240                          _("Security settings have not been defined for your user account.")
241                                 . "<br>" . _("Please contact your system administrator.")       
242                         : _("Please remove \$security_groups and \$security_headings arrays from config.php file!");
243         } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) {
244                 $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.');
245         }
246         
247         if ($msg){
248                 display_error($msg);
249                 end_page(@$_REQUEST['popup']);
250                 kill_login();
251                 exit;
252         }
253
254         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
255         {
256
257                 echo "<center><br><br><br><b>";
258                 echo _("The security settings on your account do not permit you to access this function");
259                 echo "</b>";
260                 echo "<br><br><br><br></center>";
261                 end_page(@$_REQUEST['popup']);
262                 exit;
263         }
264         if (!$_SESSION['SysPrefs']->db_ok 
265                 && !in_array($page_security, array('SA_SOFTWAREUPGRADE', 'SA_OPEN', 'SA_BACKUP')))
266         {
267                 display_error(_('System is blocked after source upgrade until database is updated on System/Software Upgrade page'));
268                 end_page();
269                 exit;
270         }
271
272 }
273 /*
274         Helper function for setting page security level depeding on 
275         GET start variable and/or some value stored in session variable.
276         Before the call $page_security should be set to default page_security value.
277 */
278 function set_page_security($value=null, $trans = array(), $gtrans = array())
279 {
280         global $page_security;
281
282         // first check is this is not start page call
283         foreach($gtrans as $key => $area)
284                 if (isset($_GET[$key])) {
285                         $page_security = $area;
286                         return;
287                 }
288
289         // then check session value
290         if (isset($trans[$value])) {
291                 $page_security = $trans[$value];
292                 return;
293         }
294 }
295
296 //-----------------------------------------------------------------------------
297 //      Removing magic quotes from nested arrays/variables
298 //
299 function strip_quotes($data)
300 {
301         if(get_magic_quotes_gpc()) {
302                 if(is_array($data)) {
303                         foreach($data as $k => $v) {
304                                 $data[$k] = strip_quotes($data[$k]);
305                         }
306                 } else
307                         return stripslashes($data);
308         }
309         return $data;
310 }
311
312 function html_cleanup(&$parms)
313 {
314         foreach($parms as $name => $value) {
315 //              $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
316                 if (is_array($value))
317                         html_cleanup($parms[$name]);
318                 else
319                         $parms[$name] = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);
320         }
321         reset($parms); // needed for direct key() usage later throughout the sources
322 }
323
324 //============================================================================
325 //
326 //
327 function login_timeout()
328 {
329         // skip timeout on logout page
330         if ($_SESSION["wa_current_user"]->logged) {
331                 $tout = $_SESSION["wa_current_user"]->timeout;
332                 if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
333                 {
334                         $_SESSION["wa_current_user"]->logged = false;
335                 }
336                 $_SESSION["wa_current_user"]->last_act = time();
337         }
338 }
339 //============================================================================
340 if (!isset($path_to_root))
341 {
342         $path_to_root = ".";
343 }
344
345 //----------------------------------------------------------------------------------------
346 // set to reasonable values if not set in config file (pre-2.3.12 installations)
347
348 if ((!isset($login_delay)) || ($login_delay < 0))
349     $login_delay = 10;
350
351 if ((!isset($login_max_attempts)) || ($login_max_attempts < 0))
352     $login_max_attempts = 3; 
353
354
355 // Prevent register_globals vulnerability
356 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
357         die("Restricted access");
358
359 include_once($path_to_root . "/includes/errors.inc");
360 // colect all error msgs
361 set_error_handler('error_handler' /*, errtypes */);
362
363 include_once($path_to_root . "/includes/current_user.inc");
364 include_once($path_to_root . "/frontaccounting.php");
365 include_once($path_to_root . "/admin/db/security_db.inc");
366 include_once($path_to_root . "/includes/lang/language.php");
367 include_once($path_to_root . "/config_db.php");
368 include_once($path_to_root . "/includes/ajax.inc");
369 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
370 include_once($path_to_root . "/includes/prefs/sysprefs.inc");
371
372 include_once($path_to_root . "/includes/hooks.inc");
373 //
374 // include all extensions hook files.
375 //
376 foreach ($installed_extensions as $ext)
377 {
378         if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
379                 include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
380 }
381
382 /*
383         Uncomment the setting below when using FA on shared hosting
384         to avoid unexpeced session timeouts.
385         Make sure this directory exists and is writable!
386 */
387 // ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
388
389 ini_set('session.gc_maxlifetime', 36000); // 10hrs
390
391 hook_session_start(@$_POST["company_login_name"]);
392
393 $Session_manager = new SessionManager();
394 $Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
395
396 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
397 header("Cache-control: private");
398
399 include_once($path_to_root . "/config.php");
400 get_text_init();
401
402 if ($login_delay > 0)
403         @include_once($path_to_root . "/tmp/faillog.php");
404
405 // Page Initialisation
406 if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in()
407         || !isset($_SESSION['language']) || !method_exists($_SESSION['language'], 'set_language'))
408 {
409         $l = array_search_value($dflt_lang, $installed_languages,  'code');
410         $_SESSION['language'] = new language($l['name'], $l['code'], $l['encoding'],
411          (isset($l['rtl']) && $l['rtl'] === true) ? 'rtl' : 'ltr');
412 }
413
414 $_SESSION['language']->set_language($_SESSION['language']->code);
415
416
417 include_once($path_to_root . "/includes/access_levels.inc");
418 include_once($path_to_root . "/version.php");
419 include_once($path_to_root . "/includes/main.inc");
420 include_once($path_to_root . "/includes/app_entries.inc");
421
422 // Ajax communication object
423 $Ajax = new Ajax();
424
425 // js/php validation rules container
426 $Validate = array();
427 // bindings for editors
428 $Editors = array();
429 // page help. Currently help for function keys.
430 $Pagehelp = array();
431
432 $Refs = new references();
433
434 // intercept all output to destroy it in case of ajax call
435 register_shutdown_function('end_flush');
436 ob_start('output_html',0);
437
438 if (!isset($_SESSION["wa_current_user"]))
439         $_SESSION["wa_current_user"] = new current_user();
440
441 html_cleanup($_GET);
442 html_cleanup($_POST);
443 html_cleanup($_REQUEST);
444 html_cleanup($_SERVER);
445
446 // logout.php is the only page we should have always 
447 // accessable regardless of access level and current login status.
448 if (!defined('FA_LOGOUT_PHP_FILE')){
449
450         login_timeout();
451
452         if (!$_SESSION["wa_current_user"]->old_db)
453                 include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
454
455         install_hooks();
456
457         if (!$_SESSION["wa_current_user"]->logged_in())
458         {
459       if (@$allow_password_reset && !$allow_demo_mode
460         && (isset($_GET['reset']) || isset($_POST['email_entry_field']))) {
461                   if (!isset($_POST["email_entry_field"])) {
462         include($path_to_root . "/access/password_reset.php");
463         exit();
464       }
465       else {
466         if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
467           for ($i = 0; $i < count($db_connections); $i++) {
468             if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
469               $_POST["company_login_name"] = $i;
470               unset($_POST["company_login_nickname"]);
471               break 1; // cannot pass variables to break from PHP v5.4 onwards
472             }
473           }
474         }
475         $_succeed = isset($db_connections[$_POST["company_login_name"]]) &&
476           $_SESSION["wa_current_user"]->reset_password($_POST["company_login_name"],
477           $_POST["email_entry_field"]);
478         if ($_succeed)
479         {
480           password_reset_success();
481         }
482
483         password_reset_fail();
484       }
485     }
486                 // Show login screen
487                 if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
488                 {
489                         // strip ajax marker from uri, to force synchronous page reload
490                         $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
491                                         '', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2'
492                                                  ? 'ISO-8859-1' : $_SESSION['language']->encoding)), 
493                                 'post' => $_POST);
494
495                         include($path_to_root . "/access/login.php");
496                         if (in_ajax())
497                                 $Ajax->activate('_page_body');
498                         exit;
499                 } else {
500                         if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
501                                 for ($i = 0; $i < count($db_connections); $i++) {
502                                         if ($db_connections[$i]["name"] == $_POST["company_login_nickname"]) {
503                                                 $_POST["company_login_name"] = $i;
504                                                 unset($_POST["company_login_nickname"]);
505                                                 break 1; // cannot pass variables to break from PHP v5.4 onwards
506                                         }
507                                 }
508                         }
509                         $succeed = isset($db_connections[$_POST["company_login_name"]]) &&
510                                 $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
511                                 $_POST["user_name_entry_field"], $_POST["password"]);
512                         // select full vs fallback ui mode on login
513                         $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
514                         if (!$succeed)
515                         {
516                         // Incorrect password
517                                 login_fail();
518                         }
519                         elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
520                         {
521                                 // in case of GET request redirect to avoid confirmation dialog 
522                                 // after return from menu option
523                                 header("HTTP/1.1 303 See Other");
524                                 header("Location: ".$_SESSION['timeout']['uri']);
525                                 exit();
526                         }
527                         $lang = &$_SESSION['language'];
528                         $lang->set_language($_SESSION['language']->code);
529                 }
530         } else
531         {       set_global_connection();
532                         if (db_fixed())
533                                 db_set_encoding($_SESSION['language']->encoding);
534         }
535
536         if (!isset($_SESSION["App"])) {
537                 $_SESSION["App"] = new front_accounting();
538                 $_SESSION["App"]->init();
539         }
540 }
541
542 $SysPrefs = &$_SESSION['SysPrefs'];
543
544 // POST vars cleanup needed for direct reuse.
545 // We quote all values later with db_escape() before db update.
546 $_POST = strip_quotes($_POST);
FrontAccounting stable branch