MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
+define('VARLIB_PATH', $path_to_root.'/tmp');
+define('VARLOG_PATH', $path_to_root.'/tmp');
+define('SECURE_ONLY', true); // if you really need also http (unsecure) access allowed, you can set this to NULL
class SessionManager
{
function login_fail()
{
global $path_to_root;
-
+
header("HTTP/1.1 401 Authorization Required");
echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
-
echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
echo "</center>";
-
kill_login();
die();
}
{
global $path_to_root;
- echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
- echo "<b>" . _("The email address does not exist in the system.") . "<b><br><br>";
+ echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Email") . "<b></font><br><br>";
+ echo "<b>" . _("The email address does not exist in the system, or is used by more than one user.") . "<b><br><br>";
- echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
- echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
- echo "</center>";
+ echo _("Plase try again or contact your system administrator to obtain new password.");
+
echo "<br><a href='$path_to_root/index.php?reset=1'>" . _("Try again") . "</a>";
+ echo "</center>";
kill_login();
die();
{
global $path_to_root;
- echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
- echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
+ echo "<center><br><br><font size='5' color='green'><b>" . _("New password sent") . "<b></font><br><br>";
+ echo "<b>" . _("A new password has been sent to your mailbox.") . "<b><br><br>";
- echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
- echo "</center>";
+
echo "<br><a href='$path_to_root/index.php'>" . _("Login here") . "</a>";
+ echo "</center>";
kill_login();
die();
$user = $_SESSION["wa_current_user"]->user;
+ $_SESSION["wa_current_user"]->login_attempt++;
if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay))
return true;
return false;
}
+
+/*
+ Ensure file is re-read on next request if php caching is active
+*/
+function cache_invalidate($filename)
+{
+ if (function_exists('opcache_invalidate')) // OpCode extension
+ opcache_invalidate($filename);
+}
+
/*
Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
$msg .= "*/\n";
$msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
- $filename = $path_to_root."/tmp/faillog.php";
+ $filename = VARLIB_PATH."/faillog.php";
- if ((!file_exists($filename) && is_writable($path_to_root.'/tmp')) || is_writable($filename))
+ if ((!file_exists($filename) && is_writable(VARLIB_PATH)) || is_writable($filename))
{
file_put_contents($filename, $msg);
+ cache_invalidate($filename);
}
}
//
function strip_quotes($data)
{
- if(get_magic_quotes_gpc()) {
+ if(version_compare(phpversion(), '5.4', '<') && get_magic_quotes_gpc()) {
if(is_array($data)) {
foreach($data as $k => $v) {
$data[$k] = strip_quotes($data[$k]);
include_once($path_to_root . "/includes/errors.inc");
// colect all error msgs
set_error_handler('error_handler' /*, errtypes */);
+set_exception_handler('exception_handler');
include_once($path_to_root . "/includes/current_user.inc");
include_once($path_to_root . "/frontaccounting.php");
if (file_exists($path_to_root.'/'.$ext['path'].'/hooks.php'))
include_once($path_to_root.'/'.$ext['path'].'/hooks.php');
}
+
+ini_set('session.gc_maxlifetime', 36000); // moved from below.
+
$Session_manager = new SessionManager();
-$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)), 0, '/', null, SECURE_ONLY);
$_SESSION['SysPrefs'] = new sys_prefs();
$SysPrefs->login_max_attempts = 3;
if ($SysPrefs->go_debug > 0)
- error_reporting(-1);
+ $cur_error_level = -1;
else
- error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE);
+ $cur_error_level = E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE;
+
+error_reporting($cur_error_level);
ini_set("display_errors", "On");
if ($SysPrefs->error_logfile != '') {
ini_set("log_errors", "On");
}
-
/*
Uncomment the setting below when using FA on shared hosting
to avoid unexpeced session timeouts.
Make sure this directory exists and is writable!
*/
-// ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
+// ini_set('session.save_path', VARLIB_PATH.'/');
-ini_set('session.gc_maxlifetime', 36000); // 10hrs
+// ini_set('session.gc_maxlifetime', 36000); // 10hrs - moved to before session_manager
hook_session_start(@$_POST["company_login_name"]);
get_text_init();
-if ($SysPrefs->login_delay > 0)
- @include_once($path_to_root . "/tmp/faillog.php");
+if ($SysPrefs->login_delay > 0 && file_exists(VARLIB_PATH."/faillog.php"))
+ include_once(VARLIB_PATH."/faillog.php");
// Page Initialisation
if (!isset($_SESSION['wa_current_user']) || !$_SESSION['wa_current_user']->logged_in()
login_timeout();
- if (!$_SESSION["wa_current_user"]->old_db)
- include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
+ if (!$_SESSION["wa_current_user"]->old_db && file_exists($path_to_root . '/company/'.user_company().'/installed_extensions.php'))
+ include($path_to_root . '/company/'.user_company().'/installed_extensions.php');
install_hooks();
$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
'', html_specials_encode($_SERVER['REQUEST_URI'])),
'post' => $_POST);
-
+ if (in_ajax())
+ $Ajax->popup($path_to_root ."/access/timeout.php");
+ else
include($path_to_root . "/access/login.php");
- if (in_ajax())
- $Ajax->activate('_page_body');
exit;
} else {
if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
if (!$succeed)
{
// Incorrect password
- login_fail();
+ if (isset($_SESSION['timeout'])) {
+ include($path_to_root . "/access/login.php");
+ exit;
+ } else
+ login_fail();
}
elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
{
// in case of GET request redirect to avoid confirmation dialog
// after return from menu option
- header("HTTP/1.1 303 See Other");
+ header("HTTP/1.1 307 Temporary Redirect");
header("Location: ".$_SESSION['timeout']['uri']);
exit();
}
if (db_fixed())
db_set_encoding($_SESSION['language']->encoding);
- $SysPrefs->refresh_company_prefs();
+ $SysPrefs->refresh();
}
if (!isset($_SESSION["App"])) {
$_SESSION["App"] = new front_accounting();
projects / fa-stable.git / blobdiff