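/**
 * Parses a message posted by the remote API peer and dispatches its command.
 *
 * Returns false without doing anything when the request does not come from
 * the configured remote address. Otherwise the posted "message" field is
 * decrypted and deserialised; when the result is an api_message object its
 * command and data are stored on $this, and the command is dispatched.
 * Anything else (decrypt failure, wrong class, unknown command) ends in the
 * "Unknown Command" reply.
 *
 * @return bool|void false when the remote address does not match, otherwise nothing
 */
function parseMessage()
{
    // only the configured peer may talk to this endpoint
    if (strcmp(SSP_paddIp($this->remoteIpAddress), SSP_paddIp($_SERVER['REMOTE_ADDR'])) !== 0) {
        return false;
    }
    $command = "";
    if (isset($_POST["message"])) {
        $messageString = $this->decrypt(SSP_stringRaw($_POST["message"]));
        if ($messageString) {
            // SECURITY: unserialize() on request data instantiates whatever classes
            // the payload names (running their __wakeup/__destruct) before the class
            // check below runs. Restrict it to the one class this endpoint expects
            // (allowed_classes needs PHP >= 7.0); extend the list only if
            // $message->data legitimately carries objects of other classes.
            $message = unserialize($messageString, array('allowed_classes' => array('api_message')));
            if ($message) {
                // class names are case-insensitive in PHP, so compare case-insensitively
                if (is_object($message) && strcasecmp(get_class($message), "api_message") === 0) {
                    $this->command = $command = $message->command;
                    $this->data = $message->data;
                }
            } else {
                $this->messageError($messageString, "Invalid message recieved after decryption");
            }
        }
    }
    switch ($command) {
        case "keepAlive":
            $this->keepAlive();
            break;
        case "loginSetup":
            $this->loginSetup();
            break;
        default:
            $this->errorReply("Unknown Command");
            break;
    }
}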
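/**
 * Builds the runtime configuration: absolute script URLs, debug gating,
 * translation, pages excluded from history and the PHP session ini settings.
 *
 * Relies on the properties populated by generateDSN() and validated by
 * checkProperties(), both defined elsewhere in this class.
 */
public function __construct()
{
    $this->generateDSN();
    $this->checkProperties();
    // base URLs of the site, plain and over TLS
    $this->pathSite = "http://" . $this->url . "/";
    $this->pathSiteHttps = "https://" . $this->url . "/";
    // multibyte string functions work in the site's encoding
    mb_internal_encoding($this->siteEncoding);
    // every script is addressed absolutely, over https when SSL is in use
    $path = $this->useSSL ? $this->pathSiteHttps : $this->pathSite;
    $this->adminDir = $path . $this->adminDir;
    $this->logonScript = $path . $this->logonScript;
    $this->logoffScript = $path . $this->logoffScript;
    $this->passwordRecover = $path . $this->passwordRecover;
    $this->newPassword = $path . $this->newPassword;
    $this->userAdminScript = $path . $this->userAdminScript;
    $this->totalAdminScript = $path . $this->totalAdminScript;
    $this->userCreation = $path . $this->userCreation;
    $this->userConfirm = $path . $this->userConfirm;
    $this->userLister = $path . $this->userLister;
    // debug output is limited to the configured debug IP when checkDebugIp is
    // set; with checkDebugIp off it is enabled for every visitor
    if ($this->checkDebugIp) {
        $debug = SSP_paddIp($this->debugIP) === SSP_paddIp($_SERVER['REMOTE_ADDR']);
    } else {
        $debug = true;
    }
    // BUG FIX: this used "$x = $x and $debug". "=" binds tighter than "and",
    // so the flags were assigned to themselves and $debug was never applied,
    // exposing login/SQL debug output to every client. "&&" binds tighter than "=".
    $this->loginDebug = $this->loginDebug && $debug;
    $this->accessFaultDebug = $this->accessFaultDebug && $debug;
    $this->divertDebug = $this->divertDebug && $debug;
    $this->displaySqlFaults = $this->displaySqlFaults && $debug;
    date_default_timezone_set($this->siteTimezoneIdentifier);
    Protect::setTemplatePath(__DIR__ . $this->templateDir);
    // translation configuration
    if ($this->translate) {
        if ($this->translateDebug) {
            Translate::debug();
        }
        // one translation object shared by the form, data check and protect layers
        $SSP_lang = new Translate($this->lang, $this->translateLangs, __DIR__ . $this->translatePath);
        CheckData::addTranslation($SSP_lang);
        sfc\Form::addTranslation($SSP_lang);
        Protect::addTranslation($SSP_lang);
    }
    // pages that must not be recorded in the page history
    ProtectBase::addNoHistoryPage($this->logonScript);
    ProtectBase::addNoHistoryPage($this->logoffScript);
    ProtectBase::addNoHistoryPage($this->passwordRecover);
    ProtectBase::addNoHistoryPage($this->userConfirm);
    ProtectBase::addNoHistoryPage($this->newPassword);
    ProtectBase::addNoHistoryPage($this->userCreation);
    /*
     * PHP session initialisation parameters.
     *
     * These can also be set in php.ini if you have access to it; to change one
     * from its default here, uncomment the line and adjust the value.
     */
    // name of the session, used as the cookie name; alphanumeric characters only
    ini_set("session.name", $this->sessVarName);
    // handler used to store and retrieve session data:
    // files - PHP's built-in routines, only good for unix systems with few users
    // user  - database via the abstraction layer (what this package uses)
    ini_set("session.save_handler", "user");
    // seconds after which a session is treated as garbage and cleaned up;
    // the clean-up also removes any other temporary tables (1440 = 24 minutes)
    ini_set("session.gc_maxlifetime", $this->sessMaxLifetime);
    // argument passed to the save handler; with the files handler it is the
    // directory the files are written to (readable by the system, not by browsers)
    ini_set("session.save_path", "/usr/local/tmp");
    // percentage probability that garbage collection runs on a request;
    // lower it for busy sites
    ini_set("session.gc_probability", "10");
    // handler used to serialize/deserialize session data: "php" (internal) or
    // "wddx" (only when PHP is compiled with WDDX support); defaults to php
    // ini_set("session.serialize_handler","php");
    // lifetime of the session cookie in seconds; 0 means "until the browser is closed"
    // ini_set("session.cookie_lifetime","0");
    // path and domain set on the session cookie
    ini_set("session.cookie_path", $this->cookiePath);
    ini_set("session.cookie_domain", $this->cookieDomain);
    // HttpOnly keeps the session id out of reach of script regardless of
    // transport (it was previously only set together with the secure flag);
    // the secure flag itself only makes sense when the site is served over TLS
    ini_set('session.cookie_httponly', 1);
    if ($this->useSSL) {
        ini_set("session.cookie_secure", 1);
    }
}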
/**
 * Trims a padded IP address down to the configured checking accuracy.
 *
 * IPv6 addresses (those containing ':') use checkIpv6Accuracy, IPv4 addresses
 * use checkIpAccuracy; both come from Configuration::getConfiguration().
 * @param string $ipNumber
 * @return string leading part of the padded address
 */
function SSP_trimIp($ipNumber)
{
    $config = Configuration::getConfiguration();
    $isIpv6 = strpos($ipNumber, ":") !== false;
    $padded = SSP_paddIp($ipNumber);
    // each unit of configured accuracy covers 5 padded characters for IPv6, 6 for IPv4
    $length = $isIpv6 ? $config->checkIpv6Accuracy * 5 : $config->checkIpAccuracy * 6;
    return substr($padded, 0, $length);
}
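/**
 * Diverts the visitor to the maintenance screen when the site is in
 * maintenance mode, unless the visitor's address is in the override list.
 *
 * Addresses are compared in padded form with strcasecmp (as logonCheck does)
 * instead of loose ==, so IPv6 hex digits compare case-insensitively and
 * PHP's numeric-string comparison rules never apply.
 */
private function maintenanceMode()
{
    if (!$this->cfg->siteInMaintenanceMode) {
        return;
    }
    // padded once rather than once per override entry
    $visitorIp = SSP_paddIp($_SERVER["REMOTE_ADDR"]);
    // keys of siteInMaintenanceOverrideIps are the addresses, values are labels
    foreach ($this->cfg->siteInMaintenanceOverrideIps as $ipNumber => $name) {
        if (strcasecmp(SSP_paddIp($ipNumber), $visitorIp) === 0) {
            return; // override address: let the visitor through
        }
    }
    SSP_Divert($this->cfg->siteRoot . $this->cfg->siteInMaintenanceScreen);
}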
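/**
 * Checks a user account is valid for login and, on success, sets up the
 * session record and (when requested) the remember-me cookie.
 *
 * Checks, in order: the external userLoginCheck(), the configured
 * validUserFlags, the user's allowed IP list (when fixedIpAddress or the
 * user's own UserIpCheck is set) and, unless allowMultipleLogin is set, that
 * no session row already exists for the user. On failure $this->error is set,
 * $this->errorDesc holds the reason and the reply is delayed by logonFailDelay
 * seconds. On success the session id is regenerated against fixation.
 *
 * @param object $userInfo user login information returned by the db
 * @return string|bool user's id on success else false
 */
private function logonCheck($userInfo)
{
    $loginOk = false;
    $querySet = array(); // columns written to the session record on success
    // if external login check ok do the rest
    if ($this->userLoginCheck($userInfo)) {
        $userOk = true;
        // check user flags
        foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
            if ($userInfo->{$flagName} != $validFlagValue) {
                $userOk = false;
                $this->errorDesc = "Invalid user flag " . $flagName . " value required: " . $validFlagValue . " actual: " . $userInfo->{$flagName};
                break;
            }
        }
        if ($this->cfg->fixedIpAddress || $userInfo->UserIpCheck) {
            // the user may only log in from one of the comma separated addresses in UserIp
            $remoteIp = SSP_paddIp($_SERVER["REMOTE_ADDR"]);
            $allowedIpAddresses = explode(',', $userInfo->UserIp);
            $foundAddress = false;
            foreach ($allowedIpAddresses as $ipAddress) {
                if (strcasecmp($remoteIp, SSP_paddIp($ipAddress)) === 0) {
                    // record the user's allowed list on the session
                    $querySet["SessionUserIp"] = $userInfo->UserIp;
                    $foundAddress = true;
                    break;
                }
            }
            if (!$foundAddress) {
                $this->errorDesc = "Current ip address {$_SERVER["REMOTE_ADDR"]} not in users list";
                $userOk = false;
            }
        }
        // check user is not already logged in
        if ($userOk && !$this->cfg->allowMultipleLogin) {
            $where = array("UserId" => $userInfo->UserId);
            if ($this->db->get($this->cfg->sessionTable, $where, "SSP Logon: Checking for multiple logins")) {
                $this->errorDesc = "User already logged in";
                $userOk = false;
            }
        }
        // do final set up if everything has worked ok
        if ($userOk) {
            $loginOk = true;
            $querySet["UserId"] = $userInfo->UserId;
            if ($this->cfg->checkIpAddress) {
                // the session is bound to the address it was created from
                $querySet["SessionIp"] = $_SERVER["REMOTE_ADDR"];
            }
            if ($this->cfg->randomCheck) {
                // random check value kept both in a cookie and in the session row.
                // SECURITY: random_int() (CSPRNG, PHP >= 7.0) replaces the predictable
                // mt_rand(). The 0..100000 range is kept for column compatibility,
                // which still leaves the value with very little entropy.
                $randomCookie = random_int(0, 100000);
                // HttpOnly so the value is not readable from script
                setcookie($this->cfg->randomCookie, $randomCookie, 0, $this->cfg->cookiePath, $this->cfg->cookieDomain, $this->cfg->useSSL, true);
                $querySet["SessionRandom"] = $randomCookie;
            }
            if ($this->rememberMe && !$this->rememberMeLogin && $this->rememberMeSave) {
                // create a remember me entry when this login was not itself produced
                // by the remember me cookie and the box was ticked
                $idSet = SSP_uniqueId();
                $userIdSet = $userInfo->UserId;
                $timeSet = time() + $this->cfg->loginRememberMePeriod * 24 * 3600;
                $rememberMeSet = array("id" => $idSet, "user_id" => $userIdSet, "date_expires" => $timeSet);
                $this->db->insert($this->cfg->tableRememberMe, $rememberMeSet, "SSP Logon: creating remember me entry");
                // the id is a long-lived authentication token: HttpOnly keeps it out of reach of script
                setcookie($this->cfg->loginRememberMeCookie, $idSet, $timeSet, "/", $this->cfg->cookieDomain, $this->cfg->useSSL, true);
            }
            // update session table
            $where = array("SessionId" => session_id());
            $this->db->update($this->cfg->sessionTable, $querySet, $where, "SSP Logon: Set up user session after succesful login");
            // update login times: current logon becomes the new UserDateLogon,
            // the previous one is kept as UserDateLastLogon
            $oldLoginTime = $userInfo->UserDateLogon;
            $currentLogonTime = time();
            $fields = array("UserDateLogon" => $currentLogonTime, "UserDateLastLogon" => $oldLoginTime);
            $where = array("UserId" => $userInfo->UserId);
            $this->db->update($this->cfg->userTable, $fields, $where, "SSP session handling: Update login times");
        }
    }
    if ($loginOk) {
        // change the current session ID to prevent session fixation attacks,
        // and move the session row over to the new id
        $oldSessionId = session_id();
        session_regenerate_id();
        $fields = array("SessionId" => session_id());
        $where = array("SessionId" => $oldSessionId);
        $this->db->update($this->cfg->sessionTable, $fields, $where, "SSP session handling: updating new session record after session regen");
        return $userInfo->UserId;
    }
    $this->error = true;
    // slow down repeated failed attempts
    sleep($this->cfg->logonFailDelay);
    return false;
}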