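/**
 * Make sure the session hasn't been hijacked.
 *
 * Recomputes the client fingerprint for this request — sha1 over the salted
 * md5s of REMOTE_ADDR and HTTP_USER_AGENT — and compares it with the value
 * stored in $_SESSION['fingerprint'] at login. The formula here must stay in
 * sync with the code that sets that key. Because the address is part of the
 * fingerprint, a user whose IP changes mid-session (mobile networks, proxies)
 * is logged out.
 *
 * @return bool true if the fingerprint matches; false (after a Flash message) otherwise
 * @todo Salt? ('ahsh'/'afke' are fixed strings, not per-session salts)
 */
function checkSession()
{
    $expected = sha1(
        md5($_SERVER['REMOTE_ADDR'] . 'ahsh')
        . md5($_SERVER['HTTP_USER_AGENT'] . 'afke')
    );
    // A missing fingerprint (no login yet) must fail the check, and should do so
    // without the notice the former @$_SESSION[...] access suppressed.
    $stored = (string) (isset($_SESSION['fingerprint']) ? $_SESSION['fingerprint'] : '');
    // hash_equals() is strict and constant-time. The former loose `!=` treats
    // numeric-looking strings (e.g. two hashes beginning with "0e") as equal numbers.
    if (!hash_equals($expected, $stored)) {
        Flash::create('Session check failed');
        return false;
    }
    // Rotate the session ID now and then to shorten the life of a leaked ID.
    if (mt_rand(1, 20) === 1) {
        regenerateSession();
    }
    return true;
}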
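/**
 * Authenticate $username/$password against the configured LDAP directory and,
 * on success, auto-import the account into the local user table and log it in.
 *
 * Flow: bind with the service account -> search for the user's entry ->
 * accept only entries whose $filterattr value matches $filterregexp -> bind as
 * the found DN with the supplied password -> create the local User object and
 * populate $_SESSION.
 *
 * Reads $CONFIG->LDAP->{bindurl,binddn,bindpw,unameattr,storeattrs,basedn},
 * $DB->users, $Controller->newObj('User') and $this->compareLDAP().
 *
 * @param string $username  login name as entered by the user (untrusted)
 * @param string $password  password as entered by the user (untrusted)
 * @return int|false the new user's ID on success, false otherwise
 */
private function tryImportLDAP($username, $password)
{
    global $CONFIG, $DB, $Controller;

    // Don't search for wildcards
    if (strpos($username, '*') !== false) {
        Flash::create(__('Ajabaja!'), 'warning');
        return false;
    }
    // An empty password must never reach the per-user ldap_bind() below: a bind
    // with a DN and an empty password is an *unauthenticated* bind, which many
    // directory servers accept, so the credential check would pass for any known DN.
    if ((string) $password === '') {
        Flash::create(__('Wrong username or password'), 'warning');
        return false;
    }

    $ldapconn = ldap_connect($CONFIG->LDAP->bindurl);
    if (!$ldapconn) {
        // This will only happen if the ldap extension is broken
        // because OpenLDAP-2.x.x doesn't connect until the ldap_bind() call
        return false;
    }

    // Bind (log in) to the LDAP server with the service account
    if (!ldap_bind($ldapconn, $CONFIG->LDAP->binddn, $CONFIG->LDAP->bindpw)) {
        return false;
    }

    $unameattr = empty($CONFIG->LDAP->unameattr) ? 'cn' : $CONFIG->LDAP->unameattr;
    $storeattrs = $CONFIG->LDAP->storeattrs;
    if (empty($storeattrs)) {
        // Not configured properly
        return false;
    }

    // Escape the user-supplied name so it cannot change the structure of the
    // filter (LDAP filter injection); only one attribute=value assertion is sent.
    $filter = '(' . $unameattr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    // The last parameter limits the search to 1 result returned
    $search = ldap_search($ldapconn, $CONFIG->LDAP->basedn, $filter, $storeattrs, 0, 1);
    if (!$search) {
        return false;
    }

    $entry = ldap_first_entry($ldapconn, $search);
    if (!$entry) {
        // No entry matched the filter
        return false;
    }
    // Get DN from search result
    $dn = ldap_get_dn($ldapconn, $entry);
    if (!$dn) {
        return false;
    }

    // LiU programregistrering
    // FIXME: $CONFIG
    $filterattr = 'liuStudentProgramCode';
    // Y-programregistrering
    // FIXME: $CONFIG
    $filterregexp = '/^[6t]cyy[yi]-[1-9]-[vh]t20[01][0-9]$/';

    $attrs = ldap_get_attributes($ldapconn, $entry);
    $user_ok = false;
    $userdata = array();
    for ($i = 0; $i < $attrs['count']; $i++) {
        $attr_name = $attrs[$i];
        for ($j = 0; $j < $attrs[$attr_name]['count']; $j++) {
            $value = $attrs[$attr_name][$j];
            if ($attr_name === $filterattr && preg_match($filterregexp, $value)) {
                // User is okay to log in even though admin hasn't imported them from LDAP
                $user_ok = true;
            }
            // Keep a single value per attribute; compareLDAP() ranks two candidate
            // values and a negative result means the new value replaces the kept one.
            if (!isset($userdata[$attr_name])
                || $this->compareLDAP($attr_name, $userdata[$attr_name], $value) < 0) {
                $userdata[$attr_name] = $value;
            }
        }
    }

    if (!$user_ok) {
        // User does not match the regexp, won't be allowed to log in.
        return false;
    }
    if (!array_key_exists($unameattr, $userdata) || !$userdata[$unameattr]) {
        // NOTE(review): dump() writes the directory attributes of this entry to the
        // response; consider restricting it to a debug mode.
        dump($userdata);
        Flash::create(__('No username attribute value for: ') . $dn . ' unameattr: ' . $unameattr, 'warning');
        return false;
    }

    // Don't unbind. (php.net manual, ldap-unbind user note by kmenard at wpi dot edu,
    // 29-Nov-2001): ldap_unbind kills the link descriptor. So, if you want to
    // rebind as another user, just bind again; don't unbind. Otherwise, you'll
    // have to open up a new connection.

    // Try to bind as the user account.
    // @ to not print a big error message if the user entered the wrong password
    if (!@ldap_bind($ldapconn, $dn, $password)) {
        Flash::create(__('Wrong username or password'), 'warning');
        return false;
    }

    // Credentials verified: start a fresh session ID before storing identity in it.
    regenerateSession(true);
    $username = $userdata[$unameattr];
    if ($DB->users->exists(array('username' => $username))) {
        // This can actually happen through a race condition if the same user tries to log in twice in parallel.
        Flash::create(__('BUG: Username already in use, try logging in again: ') . $username, 'warning');
        return false;
    }
    // NOTE(review): this call was garbled in the source listing; the message shape
    // follows the sibling Flash::create() calls above.
    Flash::create(__('Adding user: ') . $username, 'confirmation');

    $user = $Controller->newObj('User');
    if (!$user) {
        Flash::create(__('Solidbase is broken! 
(unable to instantiate class User)'), 'warning');
        return false;
    }
    $user->username = $username;
    $user->passwordhash = 'LDAP';
    Log::write('Imported user \'' . $username . '\' (id=' . $user->ID . ') from LDAP through autoimport', 20);
    foreach ($userdata as $attr => $value) {
        // The username lives on the object itself and the directory password
        // attribute must not be copied into userinfo.
        if ($attr == $unameattr || $attr == 'userPassword') {
            continue;
        }
        $user->userinfo = array($attr => $value);
    }
    $user->userinfo = array('dn' => $dn);

    $_SESSION['uid'] = $user->ID;
    $_SESSION['username'] = $username;
    $_SESSION['upwd'] = 'LDAP';
    $_SESSION['loggedIn'] = time();
    $_SESSION['lastLogin'] = time();
    return $_SESSION['uid'];
}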
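/**
 * Check that a session has been started and still belongs to the same client,
 * i.e. that it hasn't been hijacked.
 *
 * A session counts as started when at least one of a numeric id, an email or
 * a right is stored in it. The client address and user agent recorded at
 * login must match the current request exactly. About once per 100 calls the
 * session ID is regenerated to shorten the life of a leaked ID.
 *
 * @return bool true when the session is valid, false otherwise
 */
public static function checkSession()
{
    // No session started.
    $id = isset($_SESSION['id']) ? $_SESSION['id'] : null;
    if (!is_numeric($id) && !isset($_SESSION['email']) && !isset($_SESSION['right'])) {
        return false;
    }
    // Strict comparisons: a missing key or a numeric-looking value must not pass
    // where the former loose `!=` would have compared as numbers.
    $ipAddress = isset($_SESSION['IPaddress']) ? $_SESSION['IPaddress'] : null;
    if ($ipAddress !== $_SERVER['REMOTE_ADDR']) {
        // IP address mismatch (possible session hijacking attempt).
        return false;
    }
    $userAgent = isset($_SESSION['userAgent']) ? $_SESSION['userAgent'] : null;
    if ($userAgent !== $_SERVER['HTTP_USER_AGENT']) {
        // User agent mismatch (possible session hijacking attempt).
        return false;
    }
    // Once in 100 calls, generate a new session ID.
    if (mt_rand(1, 100) === 1) {
        regenerateSession();
    }
    return true;
}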