/**
 * Authenticate the request against a session ID, falling back to the guest
 * account when none is given or the lookup yields nothing.
 *
 * On success self::$data holds the user record and the 'zbx_sessionid' cookie
 * is (re)issued; on any failure self::$data is reset to the defaults.
 *
 * @param string|null $sessionid  session ID taken from the request, or null
 *
 * @return bool  true when a user or guest session is established, false otherwise
 */
public static function checkAuthentication($sessionid) {
	try {
		// Resolve the caller's session first; a missing or stale ID falls
		// through to an anonymous (guest) login below.
		$resolved = false;
		if ($sessionid !== null) {
			self::$data = API::User()->checkAuthentication($sessionid);
			$resolved = !empty(self::$data);
		}

		if (!$resolved) {
			self::setDefault();
			self::$data = API::User()->login(array(
				'user' => ZBX_GUEST_USER,
				'password' => '',
				'userData' => true
			));
			if (empty(self::$data)) {
				clear_messages(1);
				throw new Exception();
			}
			// From here on the cookie carries the guest session, not the ID passed in.
			$sessionid = self::$data['sessionid'];
		}

		if (self::$data['gui_access'] == GROUP_GUI_ACCESS_DISABLED) {
			error(_('GUI access disabled.'));
			throw new Exception();
		}

		// "Remember me" users keep the cookie for 31 days; everyone else gets a
		// browser-session cookie (expiry 0).
		$expires = self::$data['autologin'] ? time() + SEC_PER_DAY * 31 : 0;
		zbx_setcookie('zbx_sessionid', $sessionid, $expires);

		return true;
	}
	catch (Exception $e) {
		self::setDefault();
		return false;
	}
}
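/**
 * Open a new ACTIVE session for a user: generate the session ID, hand it to
 * the browser as the 'zbx_sessionid' cookie and record it in the sessions table.
 *
 * The ID is a 32-character hex string, the same width as the md5 value earlier
 * versions produced, so the sessions.sessionid column and every consumer of
 * the cookie are unaffected.
 *
 * @param int    $userid    user the session belongs to (written into the INSERT as-is)
 * @param string $name      login name; no longer mixed into the session ID
 * @param string $password  kept for call-site compatibility; no longer mixed into the session ID
 *
 * @return string  the new session ID
 */
function zbx_session_start($userid, $name, $password) {
	// Security: a session ID must be unpredictable. The previous derivation
	// md5(time() . $password . $name . rand(0, 10000000)) had only ~24 bits of
	// attacker-unknown entropy beyond the password, and it bound the user's
	// password into a value that travels in a cookie - a captured ID gave an
	// offline brute-force target. Use a CSPRNG instead; the md5 form remains
	// only as a last resort on runtimes that offer neither source.
	if (function_exists('random_bytes')) {
		$sessionid = bin2hex(random_bytes(16));
	}
	elseif (function_exists('openssl_random_pseudo_bytes')) {
		$sessionid = bin2hex(openssl_random_pseudo_bytes(16));
	}
	else {
		$sessionid = md5(uniqid(mt_rand(), true) . $name . rand(0, 10000000));
	}

	zbx_setcookie('zbx_sessionid', $sessionid);

	// $userid is interpolated unquoted; callers pass it from a DB row, not from
	// the request, and the string values go through zbx_dbstr().
	DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess,status)' .
		' VALUES (' . zbx_dbstr($sessionid) . ',' . $userid . ',' . time() . ',' . ZBX_SESSION_ACTIVE . ')');

	return $sessionid;
}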
/**
 * Emit (or discard) every cookie queued in the global $ZBX_PAGE_COOKIES.
 *
 * Each queue entry is a 3-tuple: [name, value, expire]. With $unset the cookie
 * is removed instead of set. The queue is cleared afterwards in both modes.
 *
 * @param bool $unset  true to unset the queued cookies rather than set them
 */
function zbx_flush_post_cookies($unset = false) {
	global $ZBX_PAGE_COOKIES;

	if (!isset($ZBX_PAGE_COOKIES)) {
		return;
	}

	foreach ($ZBX_PAGE_COOKIES as $queued) {
		if ($unset) {
			zbx_unsetcookie($queued[0]);
			continue;
		}
		zbx_setcookie($queued[0], $queued[1], $queued[2]);
	}

	// The queue is one-shot: drop it so a second flush is a no-op.
	unset($ZBX_PAGE_COOKIES);
}
/**
 * Store the current session ID in the 'zbx_sessionid' cookie.
 *
 * Guests always get a browser-session cookie. Logged-in users get a one-month
 * cookie only when their 'autologin' flag is set; otherwise a session cookie.
 *
 * @param string $sessionId  session ID to place in the cookie
 */
public static function setSessionCookie($sessionId) {
	if (self::isGuest()) {
		$expires = 0;
	}
	else {
		$expires = self::$data['autologin'] ? strtotime('+1 month') : 0;
	}
	zbx_setcookie('zbx_sessionid', $sessionId, $expires);
}
/**
 * Remove a cookie: tell the browser to expire it and forget it for this request.
 *
 * @param string $name  cookie name
 */
function zbx_unsetcookie($name) {
	// An expiry far in the past makes the browser discard the cookie.
	$expiredLongAgo = -99999;
	zbx_setcookie($name, null, $expiredLongAgo);

	// Also drop it from the current request so later reads do not see it.
	unset($_COOKIE[$name]);
}
/**
 * Check if session ID is authenticated.
 *
 * Flow, as implemented below:
 *  1. If a session ID was supplied, look it up among ACTIVE sessions of
 *     local-node users whose autologout window has not elapsed (or who have
 *     autologout disabled). A hit also resets the user's failed-login counter.
 *  2. If that yields nothing and no HTTP basic-auth user is present, fall back
 *     to the guest account and open a fresh session row for it.
 *  3. Require both check_perm2login() and check_perm2system() for the user.
 *  4. On success refresh the cookie and lastaccess and prune the user's other
 *     expired ACTIVE sessions; otherwise log the session out.
 * The global $USER_DETAILS is populated either way (a synthetic guest record
 * on failure) and gets 'node', 'debug_mode' and 'userip' attached.
 *
 * {@source}
 * @access public
 * @static
 * @since 1.8
 * @version 1
 *
 * @param _array $user              (documented as $session in older versions)
 * @param array  $user['sessionid'] Session ID
 * @return boolean  true when a permitted user or guest is logged in; false
 *                  otherwise, with a hint left in $_REQUEST['message'] when
 *                  one applies
 */
public static function checkAuthentication($user = null) {
	global $USER_DETAILS;
	global $ZBX_LOCALNODEID;
	global $ZBX_NODES;

	$sessionid = is_null($user) ? null : $user['sessionid'];
	$USER_DETAILS = NULL;
	$login = FALSE;

	if (!is_null($sessionid)) {
		// Only ACTIVE sessions of local-node users count, and only while the
		// user's autologout window (if any) has not run out.
		$sql = 'SELECT u.*,s.* ' .
			' FROM sessions s,users u' .
			' WHERE s.sessionid=' . zbx_dbstr($sessionid) .
				' AND s.status=' . ZBX_SESSION_ACTIVE .
				' AND s.userid=u.userid' .
				' AND ((s.lastaccess+u.autologout>' . time() . ') OR (u.autologout=0))' .
				' AND ' . DBin_node('u.userid', $ZBX_LOCALNODEID);
		$login = $USER_DETAILS = DBfetch(DBselect($sql));

		if (!$USER_DETAILS) {
			$incorrect_session = true;
		}
		else {
			// A valid session clears the failed-login counter.
			if ($login['attempt_failed']) {
				DBexecute('UPDATE users SET attempt_failed=0 WHERE userid=' . $login['userid']);
			}
		}
	}

	// No usable session: fall back to the guest account, unless the request
	// carries HTTP basic-auth credentials (handled elsewhere).
	if (!$USER_DETAILS && !isset($_SERVER['PHP_AUTH_USER'])) {
		$sql = 'SELECT u.* ' .
			' FROM users u ' .
			' WHERE u.alias=' . zbx_dbstr(ZBX_GUEST_USER) .
				' AND ' . DBin_node('u.userid', $ZBX_LOCALNODEID);
		$login = $USER_DETAILS = DBfetch(DBselect($sql));

		if (!$USER_DETAILS) {
			$missed_user_guest = true;
		}
		else {
			// Guests get a brand-new session row (and the cookie below).
			$sessionid = zbx_session_start($USER_DETAILS['userid'], ZBX_GUEST_USER, '');
		}
	}

	// Perm to login, perm to system
	if ($login) {
		$login = check_perm2login($USER_DETAILS['userid']) && check_perm2system($USER_DETAILS['userid']);
	}
	if (!$login) {
		$USER_DETAILS = NULL;
	}

	if ($login && $sessionid && !isset($incorrect_session)) {
		// "Remember me" users keep the cookie for 31 days; others get a
		// browser-session cookie.
		zbx_setcookie('zbx_sessionid', $sessionid, $USER_DETAILS['autologin'] ? time() + 86400 * 31 : 0); //1 month
		DBexecute('UPDATE sessions SET lastaccess=' . time() . ' WHERE sessionid=' . zbx_dbstr($sessionid));

		// Housekeeping: drop this user's ACTIVE sessions that have already
		// outlived the autologout window.
		if ($USER_DETAILS['autologout'] > 0) {
			DBexecute('DELETE FROM sessions WHERE userid=' . $USER_DETAILS['userid'] .
				' AND status=' . ZBX_SESSION_ACTIVE .
				' AND lastaccess<' . (time() - $USER_DETAILS['autologout']));
		}
	}
	else {
		// NOTE(review): this is reached with $sessionid === null when no ID was
		// supplied and the guest lookup failed (or basic-auth was present) -
		// confirm self::logout() tolerates a null ID.
		self::logout($sessionid);
	}

	if ($USER_DETAILS) {
		if (isset($ZBX_NODES[$ZBX_LOCALNODEID])) {
			$USER_DETAILS['node'] = $ZBX_NODES[$ZBX_LOCALNODEID];
		}
		else {
			$USER_DETAILS['node'] = array();
			$USER_DETAILS['node']['name'] = '- unknown -';
			$USER_DETAILS['node']['nodeid'] = $ZBX_LOCALNODEID;
		}
		$USER_DETAILS['debug_mode'] = get_user_debug_mode($USER_DETAILS['userid']);
	}
	else {
		// Synthetic, unauthenticated guest record so callers can always read
		// $USER_DETAILS.
		$USER_DETAILS = array('alias' => ZBX_GUEST_USER, 'userid' => 0, 'lang' => 'en_gb', 'type' => '0', 'node' => array('name' => '- unknown -', 'nodeid' => 0));
	}

	// NOTE(review): X-Forwarded-For is a client-supplied header. Unless a
	// trusted reverse proxy is known to overwrite it, 'userip' - and anything
	// recorded from it, e.g. failed-login IPs in audit data - can be spoofed
	// by the requester. Prefer REMOTE_ADDR, or honour the header only when
	// REMOTE_ADDR is that proxy.
	$userip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
	$USER_DETAILS['userip'] = $userip;

	if (!$login || isset($incorrect_session) || isset($missed_user_guest)) {
		if (isset($incorrect_session)) {
			$message = 'Session terminated, re-login, please';
		}
		else {
			if (isset($missed_user_guest)) {
				$row = DBfetch(DBselect('SELECT count(u.userid) as user_cnt FROM users u'));
				if (!$row || $row['user_cnt'] == 0) {
					$message = 'Table users is empty. Possible database corruption.'; // S_CUSER_ERROR_TABLE_USERS_EMPTY
				}
			}
		}
		// Hand the hint to the login page via the request, without clobbering
		// a message that is already there.
		if (!isset($_REQUEST['message']) && isset($message)) {
			$_REQUEST['message'] = $message;
		}
		return false;
	}
	return true;
}
/**
 * Authorise the current request from the 'zbx_sessionid' cookie.
 *
 * Flow, as implemented below:
 *  1. If the cookie is present, look the ID up among ACTIVE sessions of
 *     local-node users whose autologout window has not elapsed (or who have
 *     autologout disabled). A hit reports and resets any failed-login count.
 *  2. If that yields nothing and no HTTP basic-auth user is present, fall back
 *     to the guest account (no new session row is created here).
 *  3. Require both check_perm2login() and check_perm2system().
 *  4. On success refresh the cookie and lastaccess; otherwise drop the cookie
 *     and mark the session PASSIVE.
 * The global $USER_DETAILS is populated either way and gets 'node' and
 * 'userip' attached. On failure the login page (index.php) is included and
 * the script exits, so this function only returns on success.
 */
function check_authorisation() {
	global $DB;
	global $page;
	global $PHP_AUTH_USER, $PHP_AUTH_PW;
	global $USER_DETAILS;
	global $ZBX_LOCALNODEID;

	$USER_DETAILS = NULL;
	$login = FALSE;

	$sessionid = get_cookie('zbx_sessionid');
	if (!is_null($sessionid)) {
		// Only ACTIVE sessions of local-node users count, and only while the
		// user's autologout window (if any) has not run out.
		$sql = 'SELECT u.*,s.* ' .
			' FROM sessions s,users u' .
			' WHERE s.sessionid=' . zbx_dbstr($sessionid) .
				' AND s.status=' . ZBX_SESSION_ACTIVE .
				' AND s.userid=u.userid' .
				' AND ((s.lastaccess+u.autologout>' . time() . ') OR (u.autologout=0))' .
				' AND ' . DBin_node('u.userid', $ZBX_LOCALNODEID);
		$login = $USER_DETAILS = DBfetch(DBselect($sql));

		if (!$USER_DETAILS) {
			$incorrect_session = true;
		}
		else {
			// Tell the user about failed logins since their last visit, then
			// clear the counter.
			// NOTE(review): attempt_ip is rendered here; if it was recorded
			// from the X-Forwarded-For-derived 'userip' below it is
			// client-supplied - confirm bold()/CScript HTML-escape it.
			if ($login['attempt_failed']) {
				error(new CScript(array(bold($login['attempt_failed']), 'failed login attempts logged. Last failed attempt was from ', bold($login['attempt_ip']), ' on ', bold(date('d.m.Y H:i', $login['attempt_clock'])), '.')));
				DBexecute('UPDATE users SET attempt_failed=0 WHERE userid=' . $login['userid']);
			}
		}
	}

	// No usable session: fall back to the guest account, unless the request
	// carries HTTP basic-auth credentials (handled elsewhere).
	if (!$USER_DETAILS && !isset($_SERVER['PHP_AUTH_USER'])) {
		$sql = 'SELECT u.* ' .
			' FROM users u ' .
			' WHERE u.alias=' . zbx_dbstr(ZBX_GUEST_USER) .
				' AND ' . DBin_node('u.userid', $ZBX_LOCALNODEID);
		$login = $USER_DETAILS = DBfetch(DBselect($sql));

		if (!$USER_DETAILS) {
			$missed_user_guest = true;
		}
	}

	// Perm to login, perm to system
	if ($login) {
		$login = check_perm2login($USER_DETAILS['userid']) && check_perm2system($USER_DETAILS['userid']);
	}
	if (!$login) {
		$USER_DETAILS = NULL;
	}

	if ($login && !isset($incorrect_session)) {
		// NOTE(review): on the guest fallback $sessionid is still whatever
		// get_cookie() returned (null when the cookie was absent), so the
		// cookie and UPDATE below run with a null ID - looks like a latent
		// quirk rather than intent; verify against the callers.
		zbx_setcookie('zbx_sessionid', $sessionid, $USER_DETAILS['autologin'] ? time() + 86400 * 31 : 0); //1 month
		DBexecute('UPDATE sessions SET lastaccess=' . time() . ' WHERE sessionid=' . zbx_dbstr($sessionid));
	}
	else {
		// Invalidate on the client and the server side.
		zbx_unsetcookie('zbx_sessionid');
		DBexecute('UPDATE sessions SET status=' . ZBX_SESSION_PASSIVE . ' WHERE sessionid=' . zbx_dbstr($sessionid));
		unset($sessionid);
	}

	if ($USER_DETAILS) {
		$USER_DETAILS['node'] = DBfetch(DBselect('SELECT * FROM nodes WHERE nodeid=' . id2nodeid($USER_DETAILS['userid'])));
		if (empty($USER_DETAILS['node'])) {
			$USER_DETAILS['node']['name'] = '- unknown -';
			$USER_DETAILS['node']['nodeid'] = $ZBX_LOCALNODEID;
		}
	}
	else {
		// Synthetic, unauthenticated guest record so callers can always read
		// $USER_DETAILS.
		$USER_DETAILS = array('alias' => ZBX_GUEST_USER, 'userid' => 0, 'lang' => 'en_gb', 'type' => '0', 'node' => array('name' => '- unknown -', 'nodeid' => 0));
	}

	// NOTE(review): X-Forwarded-For is a client-supplied header. Unless a
	// trusted reverse proxy is known to overwrite it, 'userip' - and anything
	// recorded from it, e.g. failed-login IPs - can be spoofed by the
	// requester. Prefer REMOTE_ADDR, or honour the header only when
	// REMOTE_ADDR is that proxy.
	$userip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
	$USER_DETAILS['userip'] = $userip;

	if (!$login || isset($incorrect_session) || isset($missed_user_guest)) {
		if (isset($incorrect_session)) {
			$message = 'Session was ended, please relogin!';
		}
		else {
			if (isset($missed_user_guest)) {
				$row = DBfetch(DBselect('SELECT count(u.userid) as user_cnt FROM users u'));
				if (!$row || $row['user_cnt'] == 0) {
					$message = 'Table users is empty. Possible database corruption.';
				}
			}
		}
		// Hand the hint to the login page via the request, without clobbering
		// a message that is already there.
		if (!isset($_REQUEST['message']) && isset($message)) {
			$_REQUEST['message'] = $message;
		}
		// Failure path never returns: render the login page in place.
		include 'index.php';
		exit;
	}
}
// when he presses the "Finish" button he must be redirected to the login screen if (CWebUser::isGuest() && $ZBX_CONFIG['step'] == 5 && hasRequest('finish')) { zbx_unsetcookie('ZBX_CONFIG'); redirect('index.php'); } elseif (!(CWebUser::isGuest() && $ZBX_CONFIG['step'] == 5)) { access_deny(ACCESS_DENY_PAGE); } } elseif (hasRequest('cancel') || hasRequest('finish')) { zbx_unsetcookie('ZBX_CONFIG'); redirect('index.php'); } /* * Setup wizard */ $ZBX_SETUP_WIZARD = new CSetupWizard($ZBX_CONFIG); zbx_setcookie('ZBX_CONFIG', serialize($ZBX_CONFIG)); // page title $pageTitle = ''; if (isset($ZBX_SERVER_NAME) && !zbx_empty($ZBX_SERVER_NAME)) { $pageTitle = $ZBX_SERVER_NAME . NAME_DELIMITER; } $pageTitle .= _('Installation'); $pageHeader = new CPageHeader($pageTitle); $pageHeader->addCssInit(); $pageHeader->addCssFile('styles/themes/originalblue/main.css'); $pageHeader->addJsFile('js/jquery/jquery.js'); $pageHeader->addJsFile('js/jquery/jquery-ui.js'); $pageHeader->addJsFile('js/functions.js'); // if init fails due to missing configuration, set user as guest with default en_GB language if (!CWebUser::$data) { CWebUser::setDefault();
} } if ($login) { $login = $row = DBfetch(DBselect('SELECT u.userid,u.alias,u.name,u.surname,u.url,u.refresh,u.passwd ' . ' FROM users u, users_groups ug, usrgrp g ' . ' WHERE u.alias=' . zbx_dbstr($name) . (ZBX_AUTH_INTERNAL == $authentication_type ? ' AND u.passwd=' . zbx_dbstr($password) : '') . ' AND ' . DBin_node('u.userid', $ZBX_LOCALNODEID))); } /* update internal pass if it's different if($login && ($row['passwd']!=$password) && (ZBX_AUTH_INTERNAL!=$authentication_type)){ DBexecute('UPDATE users SET passwd='.zbx_dbstr($password).' WHERE userid='.$row['userid']); } */ if ($login) { $login = check_perm2login($row['userid']) && check_perm2system($row['userid']); } if ($login) { $sessionid = md5(time() . $password . $name . rand(0, 10000000)); zbx_setcookie('zbx_sessionid', $sessionid); DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess,status) VALUES (' . zbx_dbstr($sessionid) . ',' . $row['userid'] . ',' . time() . ',' . ZBX_SESSION_ACTIVE . ')'); add_audit(AUDIT_ACTION_LOGIN, AUDIT_RESOURCE_USER, 'Correct login [' . $name . ']'); if (empty($row['url'])) { $USER_DETAILS['alias'] = $row['alias']; $USER_DETAILS['userid'] = $row['userid']; $row['url'] = get_profile('web.menu.view.last', 'index.php'); unset($USER_DETAILS); } redirect($row['url']); die; } else { $row = NULL; $_REQUEST['message'] = 'Login name or password is incorrect'; add_audit(AUDIT_ACTION_LOGIN, AUDIT_RESOURCE_USER, 'Login failed [' . $name . ']'); if ($attempt) {