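/**
 * SSO login through an SSL client certificate.
 *
 * No password can be verified here — the client was authenticated by the TLS
 * layer — so the checks are reduced to:
 *   1. an SSL context exists (SSL_PROTOCOL is present in the mod_ssl environment)
 *   2. the login carried in the configured SSO_uid_field exists and is active
 *
 * @param database $dbHandler          open DB connection (by reference, as callers pass it)
 * @param array    $apache_mod_ssl_env mod_ssl environment variables (normally $_SERVER)
 * @param array    $authCfg            authentication config; null => config_get('authentication')
 *
 * @return array map with 'status' (tl::OK on success, tl::ERROR otherwise) and
 *               'msg' (null, or an HTML fragment when a session already exists)
 */
function doSSOClientCertificate(&$dbHandler, $apache_mod_ssl_env, $authCfg = null)
{
    global $g_tlLogger;

    $result = array('status' => tl::ERROR, 'msg' => null);

    // Without SSL_PROTOCOL mod_ssl did not negotiate TLS for this request, so
    // nothing in $apache_mod_ssl_env can be trusted as a client identity.
    if (!isset($apache_mod_ssl_env['SSL_PROTOCOL'])) {
        return $result;
    }

    if (is_null($authCfg)) {
        $authCfg = config_get('authentication');
    }

    // isset() rather than a bare index read: a missing SSO uid field is a
    // normal condition (no certificate presented), not an undefined-index notice.
    $uidField = $authCfg['SSO_uid_field'];
    if (!isset($apache_mod_ssl_env[$uidField])) {
        return $result;
    }
    $login = $apache_mod_ssl_env[$uidField];

    $user = new tlUser();
    $user->login = $login;
    $login_exists = $user->readFromDB($dbHandler, tlUser::USER_O_SEARCH_BYLOGIN) >= tl::OK;

    // Unknown or disabled account: record the attempt and refuse.
    if (!$login_exists || !$user->isActive) {
        logAuditEvent(TLS("audit_login_failed", $login, $_SERVER['REMOTE_ADDR']),
                      "LOGIN_FAILED", $user->dbID, "users");
        return $result;
    }

    // Auth cookie following the Mantis model. We only reach this point over TLS
    // (SSL_PROTOCOL checked above), so the cookie is marked Secure; it is only
    // ever read server-side (tlUser::auth_get_current_user_cookie), so HttpOnly
    // keeps it out of reach of script on the page.
    $auth_cookie_name = config_get('auth_cookie');
    $expireOnBrowserClose = false; // coerces to 0 => session cookie
    setcookie($auth_cookie_name, $user->getSecurityCookie(), $expireOnBrowserClose,
              '/', '', true, true);

    // Disallow two sessions within one browser.
    if (isset($_SESSION['currentUser'])) {
        $result['msg'] = lang_get('login_msg_session_exists1') .
                         ' <a style="color:white;" href="logout.php">' .
                         lang_get('logout_link') . '</a>' .
                         lang_get('login_msg_session_exists2');
        return $result;
    }

    // Fresh session for this user.
    $_SESSION['currentUser'] = $user;
    $_SESSION['lastActivity'] = time();

    $g_tlLogger->endTransaction();
    $g_tlLogger->startTransaction();
    setUserSession($dbHandler, $user->login, $user->dbID, $user->globalRoleID,
                   $user->emailAddress, $user->locale, null);

    $result['status'] = tl::OK;
    return $result;
}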
list($args, $gui) = initEnv(); // verify the session during a work $redir2login = true; if (isset($_SESSION['currentUser'])) { // Session exists we need to do other checks. // // we use/copy Mantisbt approach $securityCookie = tlUser::auth_get_current_user_cookie(); $redir2login = is_null($securityCookie); if (!$redir2login) { // need to get fresh info from db, before asking for securityCookie doDBConnect($db, database::ONERROREXIT); $user = new tlUser(); $user->dbID = $_SESSION['currentUser']->dbID; $user->readFromDB($db); $dbSecurityCookie = $user->getSecurityCookie(); $redir2login = $securityCookie != $dbSecurityCookie; } } if ($redir2login) { // destroy user in session as security measure unset($_SESSION['currentUser']); // If session does not exists I think is better in order to // manage other type of authentication method/schemas // to understand that this is a sort of FIRST Access. // // When TL undertand that session exists but has expired // is OK to call login with expired indication, but is not this case // // Dev Notes: // may be we are going to login.php and it will call us again!