Added comment to SECURE_ONLY constant.
[fa-stable.git] / includes / session.inc
index 71206521fda2bd2d89471b85e868862fed4b4e99..5f9240eb6ad4d6b894bc97d080d775ea2f4caf12 100644 (file)
@@ -11,6 +11,7 @@
 ***********************************************************************/
 define('VARLIB_PATH', $path_to_root.'/tmp');
 define('VARLOG_PATH', $path_to_root.'/tmp');
+define('SECURE_ONLY', true); // if you really need also http (unsecure) access allowed, you can set this to NULL
 
 class SessionManager
 {
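Review bot: The new `define('SECURE_ONLY', true)` lives in the core include, so a deployment that needs plain HTTP has to edit session.inc itself, and a define of the same name placed earlier (e.g. in a config file) would trigger a "Constant already defined" notice rather than take precedence. Making it overridable costs one guard: `if (!defined('SECURE_ONLY')) define('SECURE_ONLY', true);`. The comment should also spell out the consequence rather than just the knob, e.g. `// Secure flag on the session cookie: browsers then send it only over HTTPS; set to NULL only if plain-HTTP access is genuinely required`, and "unsecure" should read "insecure".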
@@ -133,15 +134,13 @@ function kill_login()
 function login_fail()
 {
        global $path_to_root;
-       
+
        header("HTTP/1.1 401 Authorization Required");
        echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
        echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
-
        echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
        echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
        echo "</center>";
-
        kill_login();
        die();
 }
@@ -181,6 +180,7 @@ function check_faillog()
 
        $user = $_SESSION["wa_current_user"]->user;
 
+       $_SESSION["wa_current_user"]->login_attempt++;
        if (@$SysPrefs->login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$SysPrefs->login_max_attempts) && (time() < $login_faillog[$user]['last'] + $SysPrefs->login_delay))
                return true;
 
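Review bot: The added `$_SESSION["wa_current_user"]->login_attempt++` increments a counter stored in the session, and anything in `$_SESSION` is discarded the moment the client drops its cookie, so it must not become an input to the lockout decision; the server-side `$login_faillog[$user][$_SERVER['REMOTE_ADDR']]` check on the next line is the one that has to stay authoritative. If `login_attempt` is not initialised in the user object (its class is outside this hunk), the first increment raises an undefined-property notice, which is visible when go_debug sets error_reporting(-1). The body of check_faillog begins above the hunk, so whether this property is declared there cannot be confirmed from here.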
@@ -398,7 +398,7 @@ foreach ($installed_extensions as $ext)
 ini_set('session.gc_maxlifetime', 36000); // moved from below.
 
 $Session_manager = new SessionManager();
-$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)));
+$Session_manager->sessionStart('FA'.md5(dirname(__FILE__)), 0, '/', null, SECURE_ONLY);
 
 $_SESSION['SysPrefs'] = new sys_prefs();
 
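Review bot: Passing `SECURE_ONLY` as the fifth positional argument sets the cookie's Secure flag without checking that the current request actually arrived over TLS, so on a plain-HTTP install the browser never returns the cookie, every request starts a fresh session and the login form simply reappears with no diagnostic. A short guard next to this call makes the failure mode explicit: `if (SECURE_ONLY && empty($_SERVER['HTTPS'])) die(_("This installation only accepts HTTPS connections."));` (adapt if the app sits behind a TLS-terminating proxy that sets a forwarded-proto header). The other positional arguments (`0, '/', null`) would read better with a trailing comment naming them, e.g. `// lifetime, path, domain, secure`, since sessionStart's signature is not visible here and the fifth parameter is presumed to be the secure flag rather than httponly.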
@@ -414,9 +414,11 @@ if ((!isset($SysPrefs->login_max_attempts)) || ($SysPrefs->login_max_attempts <
     $SysPrefs->login_max_attempts = 3; 
 
 if ($SysPrefs->go_debug > 0)
-       error_reporting(-1);
+       $cur_error_level = -1;
 else
-       error_reporting(E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE);
+       $cur_error_level = E_USER_WARNING|E_USER_ERROR|E_USER_NOTICE;
+
+error_reporting($cur_error_level);
 ini_set("display_errors", "On");
 
 if ($SysPrefs->error_logfile != '') {
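Review bot: `$cur_error_level` is a new file-scope global whose only visible use is the immediate `error_reporting($cur_error_level)` call, so the reason for keeping the level in a variable is not apparent from the hunk. If it is meant to be re-applied later (for example after an include resets error_reporting), a one-line comment should say so: `// kept in a global so the level can be restored after includes that change error_reporting()`. Note that `ini_set("display_errors", "On")` on the following line still runs unconditionally, including when go_debug is 0; that is pre-existing context rather than part of this change, but worth revisiting since it echoes PHP errors to end users in production.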
@@ -532,10 +534,10 @@ if (!defined('FA_LOGOUT_PHP_FILE')){
                        $_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
                                        '', html_specials_encode($_SERVER['REQUEST_URI'])),
                                'post' => $_POST);
-
+               if (in_ajax())
+                       $Ajax->popup($path_to_root ."/access/timeout.php");
+               else
                        include($path_to_root . "/access/login.php");
-                       if (in_ajax())
-                               $Ajax->activate('_page_body');
                        exit;
                } else {
                        if (isset($_POST["company_login_nickname"]) && !isset($_POST["company_login_name"])) {
@@ -555,7 +557,11 @@ if (!defined('FA_LOGOUT_PHP_FILE')){
                        if (!$succeed)
                        {
                        // Incorrect password
-                               login_fail();
+                               if (isset($_SESSION['timeout'])) {
+                                       include($path_to_root . "/access/login.php");
+                                       exit;
+                               } else
+                                       login_fail();
                        }
                        elseif(isset($_SESSION['timeout']) && !$_SESSION['timeout']['post'])
                        {
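Review bot: In the new branch a wrong password with `$_SESSION['timeout']` set re-shows login.php and exits without the `HTTP/1.1 401` status or the `kill_login()` cleanup that `login_fail()` performs, so whatever kill_login() tears down (its body is outside this hunk) now survives a failed re-authentication. If the intent is only to preserve the timeout record so the interrupted request can be replayed after login, that can be done explicitly: stash `$_SESSION['timeout']`, run the same cleanup, restore it, then include login.php. At minimum the bypass deserves a comment, e.g. `// keep the timeout context so the pending request can be replayed; do not destroy the session here`, and a check that the failure is still counted by check_faillog so the lockout cannot be sidestepped through this path.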