Commit 5fd0cd7d authored by Côme Chilliet's avatar Côme Chilliet Committed by Benoit Mortier

Fixes #4100 Reviewed the whole logout process

Also removed code related to htaccess login/out
parent 4d2a1db0
......@@ -167,35 +167,12 @@ initLanguage();
$smarty->assign ('nextfield', 'username');
/* Do we have htaccess authentification enabled? */
$htaccess_authenticated = FALSE;
if ($config->get_cfg_value("htaccessAuthentication") == "TRUE" ) {
if (!isset($_SERVER['REMOTE_USER'])) {
msg_dialog::display(_("Configuration error"), _("There is a problem with the authentication setup!"), FATAL_ERROR_DIALOG);
exit;
}
$tmp = process_htaccess($_SERVER['REMOTE_USER'], isset($_SERVER['KRB5CCNAME']));
$username = $tmp['username'];
$server = $tmp['server'];
if ($username == "") {
msg_dialog::display(_("Error"), _("Cannot find a valid user for the current authentication setup!"), FATAL_ERROR_DIALOG);
exit;
}
if ($server == "") {
msg_dialog::display(_("Error"), _("User information is not unique across the configured LDAP trees!"), FATAL_ERROR_DIALOG);
exit;
}
$htaccess_authenticated = TRUE;
}
if (!$htaccess_authenticated) {
if (isset($_POST['server'])) {
$server = $_POST['server'];
} else {
$server = $config->data['MAIN']['DEFAULT'];
}
if (isset($_POST['server'])) {
$server = $_POST['server'];
} else {
$server = $config->data['MAIN']['DEFAULT'];
}
$config->set_current($server);
if ($_SERVER["REQUEST_METHOD"] == "POST") {
session::global_set('DEBUGLEVEL', 0);
......@@ -207,14 +184,31 @@ if (($config->get_cfg_value("forcessl") == "TRUE") && ($ssl != '')) {
exit;
}
if (isset($_REQUEST['message'])) {
switch($_REQUEST['message']) {
case 'expired':
$message = _('Your FusionDirectory session has expired!');
break;
case 'newip':
$message = _('Your IP has changed!');
break;
case 'invalidparameter':
$message = _('Invalid plugin parameter "'.$_REQUEST['plug'].'"!');
break;
case 'nosession':
$message = _('No session found!');
break;
default:
$message = $_REQUEST['message'];
}
}
/* Got a formular answer, validate and try to log in */
if (($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) || $htaccess_authenticated) {
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
/* Reset error messages */
$message = "";
/* Destroy old sessions, they cause a successfull login to relog again ...*/
if (session::global_is_set('_LAST_PAGE_REQUEST')) {
session::global_set('_LAST_PAGE_REQUEST', time());
......@@ -265,32 +259,16 @@ if (($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login'])) || $htacces
$ldap->create_missing_trees(get_ou('lockRDN').get_ou('fusiondirectoryRDN').$config->current['BASE']);
}
/* Check for valid input */
$ok = TRUE;
if (!$htaccess_authenticated) {
$username = trim($_POST['username']);
if (!preg_match("/^[@A-Za-z0-9_.-]+$/", $username)) {
$message = _("Please specify a valid username!");
$ok = FALSE;
} elseif (mb_strlen($_POST["password"], 'UTF-8') == 0) {
$message = _("Please specify your password!");
$smarty->assign ('nextfield', 'password');
$ok = FALSE;
}
}
if ($ok) {
$username = trim($_POST['username']);
if (!preg_match("/^[@A-Za-z0-9_.-]+$/", $username)) {
$message = _("Please specify a valid username!");
} elseif (mb_strlen($_POST["password"], 'UTF-8') == 0) {
$message = _("Please specify your password!");
$smarty->assign ('nextfield', 'password');
} else {
/* Login as user, initialize user ACL's */
if ($htaccess_authenticated) {
$ui = ldap_login_user_htaccess($username);
if ($ui === NULL || !$ui) {
msg_dialog::display(_("Authentication error"), _("Cannot retrieve user information for htaccess authentication!"), FATAL_ERROR_DIALOG);
exit;
}
} else {
$ui = ldap_login_user($username, $_POST["password"]);
}
$ui = ldap_login_user($username, $_POST["password"]);
if ($ui === NULL || !$ui) {
$message = _("Please check the username/password combination.");
$smarty->assign ('nextfield', 'password');
......
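Review bot: The `default:` branch of the new `switch` copies `$_REQUEST['message']` straight into `$message`, and the `invalidparameter` case splices `$_REQUEST['plug']` in unescaped, so anything a crafted link carries in `?message=` or `&plug=` is reflected into the login page; whether that becomes XSS depends on the Smarty template escaping `$message`, which is not visible in these hunks. Every redirect added by this commit uses one of the four known keys, so the passthrough can go: `default: $message = '';`, and the plugin name should be rendered via `sprintf(_('Invalid plugin parameter "%s"!'), htmlspecialchars(isset($_REQUEST['plug']) ? $_REQUEST['plug'] : '', ENT_QUOTES, 'UTF-8'));` rather than concatenated into the `_()` argument. The `isset()` also avoids an undefined-index notice when `message=invalidparameter` arrives without `plug`. If the template already escapes `$message`, drop the `htmlspecialchars()` to avoid double encoding, but the `default:` passthrough should still be removed.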
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2013 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
/* Basic setup, remove eventually registered sessions */
require_once ("../include/php_setup.inc");
require_once ("functions.inc");
require_once ("variables.inc");
header("Content-type: text/html; charset=UTF-8");
/* try to start session, so we can remove userlocks,
if the old session is still available */
@session::start();
session::set('errorsAlreadyPosted', array());
if (session::global_is_set('ui')) {
/* Get config & ui informations */
$ui = session::global_get("ui");
/* config used for del_user_locks & some lines below to detect the language */
$config = session::global_get("config");
/* Remove all locks of this user */
del_user_locks($ui->dn);
/* Write something to log */
new log("security", "logout", "", array(), "User \"".$ui->username."\" logged out");
}
initLanguage();
/* Set smarty template compile directory */
if (isset($config)) {
$smarty->compile_dir = $config->get_cfg_value("templateCompileDirectory", SPOOL_DIR);
} else {
$smarty->compile_dir = SPOOL_DIR;
}
$smarty->assign("date", date("l, dS F Y H:i:s O"));
/* If GET request is posted, the logout was forced by pressing the link */
if (isset($_GET['request'])) {
/* destroy old session */
session::destroy ();
/* If we're not using htaccess authentication, just redirect... */
if (isset($config) && $config->get_cfg_value("htaccessAuthentication") == "TRUE") {
/* Else notice that the user has to close the browser... */
$smarty->assign("usePrototype", "false");
$smarty->display (get_template_path('headers.tpl'));
$smarty->display (get_template_path('logout-close.tpl'));
exit;
}
header ("Location: index.php");
exit();
} else { // The logout wasn't forced, so the session is invalid
$smarty->assign("usePrototype", "false");
$smarty->display (get_template_path('headers.tpl'));
$smarty->display (get_template_path('logout.tpl'));
exit;
}
?>
</html>
......@@ -49,22 +49,22 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
/* Logged in? Simple security check */
if (!session::global_is_set('connected')) {
new log("security", "login", "", array(), "main.php called without session - logging out");
header ("Location: logout.php");
new log('security', 'login', '', array(), 'main.php called without session - logging out');
header ('Location: index.php?message=nosession');
exit;
}
/* Check for uniqe ip address */
$ui = session::global_get('ui');
if ($_SERVER['REMOTE_ADDR'] != $ui->ip) {
new log("security", "login", "", array(), "main.php called with session which has a changed IP address.");
header ("Location: logout.php");
new log('security', 'login', '', array(), 'main.php called with session which has a changed IP address.');
header ('Location: index.php?message=newip');
exit;
}
$config = session::global_get('config');
/* If SSL is forced, just forward to the SSL enabled site */
if (($config->get_cfg_value("forcessl") == "TRUE") && ($ssl != '')) {
if (($config->get_cfg_value('forcessl') == 'TRUE') && ($ssl != '')) {
header ("Location: $ssl");
exit;
}
......@@ -87,8 +87,8 @@ if (session::global_get('_LAST_PAGE_REQUEST') == "") {
*/
if ($request_time > $max_life) {
session::destroy();
new log("security", "login", "", array(), "main.php called without session - logging out");
header ("Location: logout.php");
new log('security', 'login', '', array(), 'main.php called with expired session - logging out');
header ('Location: index.php?message=expired');
exit;
}
session::global_set('_LAST_PAGE_REQUEST', time());
......@@ -167,14 +167,14 @@ if (isset($_GET['plug']) && $plist->plugin_access_allowed($_GET['plug'])) {
$plug = validate($_GET['plug']);
$plugin_dir = $plist->get_path($plug);
session::global_set('plugin_dir', $plugin_dir);
if ($plugin_dir == "") {
new log("security", "fusiondirectory", "", array(), "main.php called with invalid plug parameter \"$plug\"");
header ("Location: logout.php");
if ($plugin_dir == '') {
new log('security', 'fusiondirectory', '', array(), "main.php called with invalid plug parameter \"$plug\"");
header ('Location: index.php?message=invalidparameter&plug='.$plug);
exit;
}
} else {
/* set to welcome page as default plugin */
session::global_set('plugin_dir', "welcome");
session::global_set('plugin_dir', 'welcome');
$plugin_dir = "$BASE_DIR/plugins/generic/welcome";
}
......@@ -229,15 +229,6 @@ if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['password_back'])) {
exit;
}
/* Check for multiple windows logout */
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['reset_session'])) {
header ("Location: logout.php");
exit;
}
}
/* Load department list when plugin has changed. That is some kind of
compromise between speed and beeing up to date */
if (isset($_GET['reset'])) {
......
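Review bot: `$plug` is concatenated into the Location header in the invalid-plugin branch without `urlencode()`, so a value containing `&`, `#` or whitespace would corrupt the query string that index.php then reads back as `$_REQUEST['plug']`; what `validate()` strips is not visible here, so the safe form is `header('Location: index.php?message=invalidparameter&plug='.urlencode($plug));`. Separately, the changed-IP branch redirects while leaving the session intact, unlike the expired-session branch a few lines below which calls `session::destroy()` first; the old logout.php did not destroy it on this path either, but since the IP comparison exists as a hijack indicator, it is worth deciding explicitly whether the session should be torn down there and documenting the choice with a comment such as `/* Session kept: a legitimate client with a new address can re-login; a hijacker cannot use it from the old one */` or the opposite.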
<div class="plugtop">
{t}Session conflict detected{/t}
</div>
<p>
<b>{t}Warning{/t}:</b> {t}Probably there's another active instance of your session. Multiple window operation is technical not possible and heavily depends on the browser you're using. Usage of different browsers at a time (i.e. IE and Mozilla) is possible. Pressing the Logout button will close this session.{/t}
</p>
<p>
<b style="color:red;">{t}Ignoring this message will change/destroy the data you're currently editing, so please close multiple windows and log in again.{/t}</b>
</p>
<p class="plugbottom">
<input type="submit" name="reset_session" value="{t}Logout{/t}">
</p>
......@@ -10,7 +10,7 @@
<img src="geticon.php?context=actions&amp;icon=go-home&amp;size=22" alt="Main"/>&nbsp;{t}Main{/t}
</a>
&nbsp;
<a class="maintitlebar logout" href="logout.php?request">
<a class="maintitlebar logout" href="index.php">
<img src="geticon.php?context=actions&amp;icon=application-exit&amp;size=22" alt="Sign out"/>&nbsp;{t}Sign out{/t}
</a>
<a class="plugtop">
......@@ -61,7 +61,7 @@
{literal}
function logout()
{
document.location = 'logout.php';
document.location = 'index.php?message=expired';
}
{/literal}
......
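Review bot: The Sign out link and the `logout()` helper now land on index.php, but the deleted logout.php was what ran `del_user_locks($ui->dn)`, wrote the `security`/`logout` audit entry and, for a forced sign-out, called `session::destroy()`; none of the index.php hunks in this commit show an equivalent for a plain GET (the "Destroy old sessions" step there sits inside the login POST branch). If index.php destroys an existing session on arrival that part is fine, but it should be confirmed that lock release and the log line survived the move, otherwise a user who clicks Sign out keeps a live session and leaves entry locks behind. A dedicated request parameter (for example `index.php?signout`) handled in index.php with those three steps would make the intent explicit and keep the audit trail.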
<body style="background-color: white;background-image:none;">
<form action='index.php' method='post' name='mainform'>
<div style="margin-left:10%; margin-right:10%; margin-top:5%; border:2px solid red;padding-left:10px;padding-right:10px;padding-top:5px;padding-bottom:20px;">
<h1>{t}Your FusionDirectory session has been closed!{/t}</h1>
<p>
{t}Please close this browser window and clean the authentication caches to avoid an automatic re-authentication by your browser.{/t}
</p>
</div>
</form>
</body>
</html>
<body style="background-color: white;">
<form action="index.php" method="post" name="mainform">
<div style="margin-left:10%; margin-right:10%; margin-top:5%; border:2px solid red;padding-left:10px;padding-right:10px;padding-top:5px;padding-bottom:20px;">
<h1>{t}Your FusionDirectory session has expired!{/t}</h1>
<p>
{t}The last interaction with the FusionDirectory web interface has been some time ago in the past. For security reasons, the session has been closed. To continue with administrative tasks, please sign in again.{/t}
</p>
<br/>
<div style="text-align: center;"><input type="submit" name="dummy" value="{t}Sign in again{/t}"/></div>
</div>
</form>
<!-- Place cursor -->
<script type="text/javascript">
<!-- // First input field on page
focus_field('dummy');
-->
</script>
</body>
</html>
......@@ -501,96 +501,6 @@ function ldap_init ($server, $base, $binddn = '', $pass = '')
return $ldap;
}
/*!
* \brief Process htaccess authentication
*
* Process htaccess authentication
*
* \param string $username The username we ant to check
*
* \param bool $kerberos TRUE to use kerberos FALSE otherwise
*
* \return array containing username and server
*/
function process_htaccess ($username, $kerberos = FALSE)
{
global $config;
/* Search for $username and optional @REALM in all configured LDAP trees */
foreach (array_keys($config->data["LOCATIONS"]) as $name) {
$config->set_current($name);
$mode = "kerberos";
if ($config->get_cfg_value("useSaslForKerberos") == "TRUE") {
$mode = "sasl";
}
/* Look for entry or realm */
$ldap = $config->get_ldap_link();
if (!$ldap->success()) {
msg_dialog::display(_("LDAP error"),
msgPool::ldaperror($ldap->get_error(), "", LDAP_AUTH)."<br><br>".session::get('errors'),
FATAL_ERROR_DIALOG);
exit();
}
$ldap->search("(&(objectClass=inetOrgPerson)(|(uid=$username)(userPassword={$mode}$username)))", array("uid"));
/* Found a uniq match? Return it... */
if ($ldap->count() == 1) {
$attrs = $ldap->fetch();
return array("username" => $attrs["uid"][0], "server" => $name);
}
}
/* Nothing found? Return emtpy array */
return array("username" => "", "server" => "");
}
/*!
* \brief Verify user login against htaccess and then ldap
*
* Checks if the specified username is available in apache, maps the user
* to an LDAP user. The password has been checked by apache already.
*
* \param string $username The username to check.
*
* \return TRUE on SUCCESS, NULL or FALSE on error
*/
function ldap_login_user_htaccess ($username)
{
global $config;
/* Look for entry or realm */
$ldap = $config->get_ldap_link();
if (!$ldap->success()) {
msg_dialog::display(_("LDAP error"),
msgPool::ldaperror($ldap->get_error(), "", LDAP_AUTH)."<br><br>".session::get('errors'),
FATAL_ERROR_DIALOG);
exit();
}
$ldap->search("(&(objectClass=inetOrgPerson)(uid=$username))", array("uid"));
/* Found no uniq match? Strange, because we did above... */
if ($ldap->count() != 1) {
msg_dialog::display(_("LDAP error"), _("Login (uid) is not unique inside the LDAP tree!"), FATAL_ERROR_DIALOG);
return NULL;
}
$attrs = $ldap->fetch();
/* got user dn, fill acl's */
$ui = new userinfo($config, $ldap->getDN());
$ui->username = $attrs['uid'][0];
/* No password check needed - the webserver did it for us */
$ldap->disconnect();
/* Username is set, load subtreeACL's now */
$ui->loadACL();
return $ui;
}
/*!
* \brief Verify user login against LDAP directory
*
......