Example #1
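/**
 * Make sure the session hasn't been hijacked.
 *
 * Recomputes the client fingerprint (remote address and user agent, each
 * hashed with a fixed suffix) and compares it with $_SESSION['fingerprint'].
 * On mismatch a flash message is raised and the session is rejected; on
 * match the session id is regenerated on roughly one request in twenty to
 * shorten the useful life of a leaked id.
 *
 * NOTE(review): address/user-agent pinning is defence in depth only —
 * REMOTE_ADDR changes legitimately behind proxies and mobile carriers, and
 * the User-Agent header is attacker controlled. It is not authentication.
 *
 * @return bool true when the stored fingerprint matches this request
 * @todo Salt?
 */
function checkSession()
{
    // Read every input explicitly so a missing key fails closed instead of
    // producing a notice-suppressed null that a loose '!=' would coerce.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
    $expected = sha1(md5($remoteAddr . 'ahsh') . md5($userAgent . 'afke'));
    $stored = isset($_SESSION['fingerprint']) ? (string) $_SESSION['fingerprint'] : '';

    // hash_equals() is strict and constant-time; the previous '!=' was a
    // loose comparison and '@' hid an unset fingerprint. An empty $stored
    // can never equal a sha1 digest, so "no fingerprint" still fails.
    if (!hash_equals($expected, $stored)) {
        Flash::create('Session check failed');
        return false;
    }

    // Rotate the session id on ~5% of validated requests. The draw is not
    // secret-bearing (an attacker gains nothing from predicting it), so
    // mt_rand() is acceptable here.
    if (mt_rand(1, 20) === 1) {
        regenerateSession();
    }
    return true;
}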
Example #2
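 /**
  * Authenticate $username against LDAP and, on first successful login,
  * create the local user record ("autoimport").
  *
  * Flow: bind with the configured service account, look the user up by
  * $CONFIG->LDAP->unameattr, require at least one liuStudentProgramCode
  * value matching the Y-programme regexp, then re-bind as the user's DN
  * with the supplied password. Only after that bind succeeds is a local
  * User created and the session populated.
  *
  * Security-relevant changes in this revision:
  *  - $username is escaped with ldap_escape() (PHP >= 5.6) before it is
  *    placed in the search filter; the previous code only rejected '*',
  *    leaving '(', ')', '\' and NUL injectable into the filter.
  *  - an empty password is rejected before the user bind: LDAP servers
  *    treat a bind with a DN and an empty password as an anonymous
  *    (unauthenticated) bind and report success, which would log anyone
  *    in who knows a valid username.
  *  - the debugging dump() of the fetched directory attributes was
  *    removed; it exposed directory data to the browser.
  *
  * @param string $username login name as typed by the user (untrusted)
  * @param string $password password as typed by the user (untrusted)
  * @return int|false the new user's id (also stored in $_SESSION['uid'])
  *                   or false on any failure
  */
 private function tryImportLDAP($username, $password)
 {
     global $CONFIG, $DB, $Controller;

     // Wildcards are never a legitimate login name; refuse them rather than
     // let the directory search expand them.
     if (strpos($username, '*') !== false) {
         Flash::create(__('Ajabaja!'), 'warning');
         return false;
     }
     // An empty password must never reach ldap_bind(): an unauthenticated
     // bind "succeeds" on most servers and the caller would be logged in.
     // An empty username cannot match a real entry either.
     if ((string) $username === '' || (string) $password === '') {
         Flash::create(__('Wrong username or password'), 'warning');
         return false;
     }

     $ldapconn = ldap_connect($CONFIG->LDAP->bindurl);
     if (!$ldapconn) {
         // Only happens if the ldap extension is broken: OpenLDAP 2.x does
         // not actually connect until ldap_bind() is called.
         return false;
     }
     // Bind with the service account used for the lookup.
     if (!ldap_bind($ldapconn, $CONFIG->LDAP->binddn, $CONFIG->LDAP->bindpw)) {
         return false;
     }

     $unameattr = $CONFIG->LDAP->unameattr;
     if (empty($unameattr)) {
         $unameattr = 'cn';
     }
     $storeattrs = $CONFIG->LDAP->storeattrs;
     if (empty($storeattrs)) {
         // Not configured properly.
         return false;
     }

     // Escape filter metacharacters so the user-supplied name cannot alter
     // the query (LDAP filter injection).
     $filter = '(' . $unameattr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
     // sizelimit 1: only the first matching entry is wanted.
     $search = ldap_search($ldapconn, $CONFIG->LDAP->basedn, $filter, $storeattrs, 0, 1);
     if (!$search) {
         return false;
     }
     $entry = ldap_first_entry($ldapconn, $search);
     if (!$entry) {
         // No such user in the directory.
         return false;
     }
     $dn = ldap_get_dn($ldapconn, $entry);
     if (!$dn) {
         return false;
     }

     // LiU programme registration: only members of the Y programme may be
     // auto-imported. FIXME: both values belong in $CONFIG.
     $filterattr = 'liuStudentProgramCode';
     $filterregexp = '/^[6t]cyy[yi]-[1-9]-[vh]t20[01][0-9]$/';

     $attrs = ldap_get_attributes($ldapconn, $entry);
     $user_ok = false;
     $userdata = array();
     for ($i = 0; $i < $attrs['count']; $i++) {
         $attr_name = $attrs[$i];
         for ($j = 0; $j < $attrs[$attr_name]['count']; $j++) {
             $value = $attrs[$attr_name][$j];
             if ($attr_name == $filterattr && preg_match($filterregexp, $value)) {
                 // Matching programme code: allowed to log in even though an
                 // admin has not imported the account from LDAP yet.
                 $user_ok = true;
             }
             // Multi-valued attribute: keep whichever value compareLDAP()
             // ranks highest (first value wins until a better one appears).
             if (!isset($userdata[$attr_name])
                 || $this->compareLDAP($attr_name, $userdata[$attr_name], $value) < 0) {
                 $userdata[$attr_name] = $value;
             }
         }
     }

     if (!$user_ok) {
         // Programme code does not match; the user may not log in.
         return false;
     }
     if (!array_key_exists($unameattr, $userdata) || !$userdata[$unameattr]) {
         // Deliberately no dump() of $userdata here: it leaked directory data.
         Flash::create(__('No username attribute value for: ') . $dn . ' unameattr: ' . $unameattr, 'warning');
         return false;
     }

     // Re-bind as the user to verify the password. Do NOT ldap_unbind() first:
     // that destroys the link; binding again on the same link is how you
     // switch identity (php.net ldap-unbind user note, kmenard, 2001).
     // '@' keeps a wrong password from printing a warning to the page.
     if (!@ldap_bind($ldapconn, $dn, $password)) {
         Flash::create(__('Wrong username or password'), 'warning');
         return false;
     }

     // Authenticated: get a fresh session id before populating the session.
     regenerateSession(true);
     $username = $userdata[$unameattr];
     if ($DB->users->exists(array('username' => $username))) {
         // Can happen through a race if the same user logs in twice in parallel.
         Flash::create(__('BUG: Username already in use, try logging in again: ') . $username, 'warning');
         return false;
     }
     // NOTE(review): this message was garbled in the listing; reconstructed
     // after the pattern of the surrounding Flash::create() calls.
     Flash::create(__('Adding user: ') . $username, 'confirmation');

     $user = $Controller->newObj('User');
     if (!$user) {
         Flash::create(__('Solidbase is broken! (unable to instantiate class User)'), 'warning');
         return false;
     }
     $user->username = $username;
     $user->passwordhash = 'LDAP';
     Log::write('Imported user \'' . $username . '\' (id=' . $user->ID . ') from LDAP through autoimport', 20);
     foreach ($userdata as $attr => $value) {
         // The login name is already set; never copy the directory password
         // hash into the local store.
         if ($attr == $unameattr || $attr == 'userPassword') {
             continue;
         }
         $user->userinfo = array($attr => $value);
     }
     $user->userinfo = array('dn' => $dn);

     $_SESSION['uid'] = $user->ID;
     $_SESSION['username'] = $username;
     $_SESSION['upwd'] = 'LDAP';
     $_SESSION['loggedIn'] = time();
     $_SESSION['lastLogin'] = time();
     return $_SESSION['uid'];
 }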
Example #3
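 /**
  * Validate the current login session against this request.
  *
  * Returns false when no login session exists (id, email and right must
  * all be present, with a numeric id) or when the client's IP address or
  * user agent no longer match the values recorded at login — a cheap
  * session-hijacking heuristic. About one request in a hundred also
  * regenerates the session id to shorten the life of a leaked id.
  *
  * NOTE(review): IP/User-Agent pinning is defence in depth only — both
  * change legitimately (proxies, mobile networks) and the User-Agent is
  * attacker controlled. Do not treat it as authentication.
  *
  * @return bool
  */
 public static function checkSession()
 {
     try {
         // Any single missing marker means "no session". The previous code
         // joined these with '&&', so a session carrying only an email (or
         // only a right) passed the check; it also read $_SESSION['id']
         // without isset(), raising a notice on a fresh session.
         if (!isset($_SESSION['id']) || !is_numeric($_SESSION['id'])
             || !isset($_SESSION['email']) || !isset($_SESSION['right'])) {
             throw new Exception('No session started.');
         }
         // Compare as strings, strictly: a missing recorded value must not
         // loosely equal anything the request sends.
         $storedIp = isset($_SESSION['IPaddress']) ? (string) $_SESSION['IPaddress'] : '';
         $requestIp = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
         if ($storedIp !== $requestIp) {
             throw new Exception('IP Address mixmatch (possible session hijacking attempt).');
         }
         $storedUa = isset($_SESSION['userAgent']) ? (string) $_SESSION['userAgent'] : '';
         $requestUa = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
         if ($storedUa !== $requestUa) {
             throw new Exception('Useragent mixmatch (possible session hijacking attempt).');
         }
         // Once in 100 requests, generate a new session id. The draw is not
         // secret-bearing, so mt_rand() is acceptable here.
         if (mt_rand(1, 100) === 1) {
             regenerateSession();
         }
         return true;
     } catch (Exception $e) {
         return false;
     }
 }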