diff --git a/html/index.php b/html/index.php
index c540c53894ce0bacc4f3789842e69e07e6015da4..2efaed0230afa14f9f45c516c6be0a99298c4425 100644
--- a/html/index.php
+++ b/html/index.php
@@ -58,7 +58,7 @@ if (isset($_REQUEST['signout']) && $_REQUEST['signout']) { phpCas::logout(); } } - session::destroy(); + session::destroy('Sign out'); session::start(); }
diff --git a/html/main.php b/html/main.php
index 5433436d1469bfe3eff63635b06ef11f2f13a261..91007a46dbc1559e6dc65cfbd067a5f53dc0153f 100644
--- a/html/main.php
+++ b/html/main.php
@@ -77,8 +77,7 @@ if (session::get('_LAST_PAGE_REQUEST') != '') {
 * kill session
 */
 if ($request_time > $max_life) {
- session::destroy();
- logging::log('security', 'login', '', [], 'main.php called with expired session - logging out');
+ session::destroy('main.php called with expired session');
 header('Location: index.php?signout=1&message=expired');
 exit;
 }
diff --git a/include/class_logging.inc b/include/class_logging.inc
index 441d2c444f1338d26a7f33561187b04f210cceb4..93ea2a05c1bf1ac92207484009e28b9a2f9491a8 100644
--- a/include/class_logging.inc
+++ b/include/class_logging.inc
@@ -70,6 +70,8 @@ class logging
 ];
 if (isset($ui->dn) && !empty($ui->dn)) {
 $entry['user'] = $ui->dn;
+ } elseif (isset($_SERVER['REMOTE_ADDR'])) {
+ $entry['user'] = $_SERVER['REMOTE_ADDR'];
 } else {
 $entry['user'] = 'unknown';
 }
diff --git a/include/class_session.inc b/include/class_session.inc
index 8b0eef1b0f073edbcf8074a799a154be1c79c0fb..5bca5449b8d0a256f55d32dba0065ed6096e599e 100644
--- a/include/class_session.inc
+++ b/include/class_session.inc
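Review bot: The new `elseif` branch stores a client IP in the same `user` field that otherwise carries an LDAP DN, so anything consuming these entries can no longer tell an identity from a network address, and `REMOTE_ADDR` is not an identity in any case (behind a reverse proxy it is typically the proxy's address). Consider tagging the value so the two kinds are distinguishable, e.g. `$entry['user'] = 'ip:'.$_SERVER['REMOTE_ADDR'];`, or keep `'unknown'` here and carry the address in a separate field of `$entry`. A short comment on the branch such as `/* No authenticated user: record the client address in place of a DN */` would document the fallback for readers of the log format. The enclosing method of `logging` starts and ends outside the hunk.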
@@ -177,8 +177,44 @@ class session
 /*!
 * \brief Destroy a session
 */
- public static function destroy ()
+ public static function destroy (string $reason = '')
 {
+ global $ui;
+
+ if (!isset($ui)) {
+ $ui = static::get('ui');
+ }
+
+ try {
+ if (isset($ui)) {
+ logging::log(
+ 'security',
+ 'logout',
+ $ui->dn,
+ [],
+ sprintf(
+ '%s (%s) logged out (%s)',
+ $ui->uid,
+ ($_SERVER['REMOTE_ADDR'] ?? 'Unknown IP'),
+ $reason
+ )
+ );
+ } elseif (!empty($reason)) {
+ logging::log(
+ 'security',
+ 'session',
+ ($_SERVER['REMOTE_ADDR'] ?? ''),
+ [],
+ sprintf(
+ 'Session for %s destroyed (%s)',
+ ($_SERVER['REMOTE_ADDR'] ?? 'unknown'),
+ $reason
+ )
+ );
+ }
+ } catch (Exception $e) {
+ /* Ignore exceptions here */
+ }
 @session_destroy();
 }
 }
diff --git a/include/login/class_LoginMethod.inc b/include/login/class_LoginMethod.inc
index ddc35506d1ee601c048620c27ee4de3a04d3c49c..0c05bb64fbdd75dd993d93a245dd2892c0df86fc 100644
--- a/include/login/class_LoginMethod.inc
+++ b/include/login/class_LoginMethod.inc
@@ -100,11 +100,7 @@ class LoginMethod
 } catch (LoginFailureException $e) {
 /* Load plist to be able to log */
 pluglist::load();
- if (isset($_SERVER['REMOTE_ADDR'])) {
- logging::log('security', 'login', '', [], 'Authentication failed for user "'.static::$username.'" [from '.$_SERVER['REMOTE_ADDR'].']: '.$e->getMessage());
- } else {
- logging::log('security', 'login', '', [], 'Authentication failed for user "'.static::$username.'": '.$e->getMessage());
- }
+ logging::log('security', 'login failure', static::$username, [], 'Authentication failed for user "'.static::$username.'": '.$e->getMessage());
 /* Show the same message whether the user exists or not to avoid information leak */
 $message = $e->getMessage();
 $smarty->assign('focusfield', 'password');
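Review bot: `catch (Exception $e)` does not catch `Error`/`TypeError` (the file already relies on PHP 7 via `??`, where `Throwable` is available), so if the `ui` object pulled from the session is not what `$ui->dn`/`$ui->uid` expect, or `logging::log()` raises an `Error`, `destroy()` aborts before reaching `@session_destroy()` and the session is left alive on a sign-out, expired-session or fatal-error path; if the try/catch is meant to guarantee destruction, use `} catch (Throwable $e) {` or move `@session_destroy();` into a `finally` block. The `global $ui;` followed by `$ui = static::get('ui');` also makes a destroy call mutate the caller's global as a side effect, leaving a populated `$ui` behind after the session it came from is gone; a local such as `$user = $ui ?? static::get('ui');` gives the same log content without that. Finally, `/* Ignore exceptions here */` drops a failed security-audit write without any trace; at minimum `error_log($e->getMessage());` in the catch keeps the failure visible to operators.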
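Review bot: `static::$username` is the value typed by the unauthenticated client and is now passed unmodified as the third (object) argument of `logging::log()`, not only inside the free-text message where it already appeared; if the logging backend stores or filters that field as a structured value or DN, attacker-chosen text lands there, so it is worth normalising it (length limit, control characters stripped) or keeping the third argument empty as before. The removed branch recorded `REMOTE_ADDR` in the message itself; after this change the address is present only when the fallback added to include/class_logging.inc applies, which depends on `$ui` not being set at this point — plausible in the failure path but worth stating, e.g. `/* No $ui yet: class_logging records REMOTE_ADDR as the user */`. The enclosing method starts and ends outside the hunk.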
@@ -140,7 +136,7 @@ class LoginMethod $expired = $ui->expired_status(); if ($expired == POSIX_ACCOUNT_EXPIRED) { - logging::log('security', 'login', '', [], 'Account for user "'.static::$username.'" has expired'); + logging::log('security', 'account', $ui->dn, [], 'Account for user "'.static::$username.'" has expired'); $message = _('Account locked. Please contact your system administrator!'); $smarty->assign('focusfield', 'username'); return FALSE;
@@ -152,9 +148,13 @@ class LoginMethod
 /*! \brief Final step of successful login: redirect to main.php */
 static function redirect ()
 {
- global $config;
+ global $config, $ui;
+
 /* Not account expired or password forced change go to main page */
- logging::log('security', 'login', '', [], 'User "'.static::$username.'" logged in successfully.');
+ logging::log(
+ 'security', 'login', $ui->dn, [],
+ sprintf('User "%s" logged in successfully (from %s).', static::$username, ($_SERVER['REMOTE_ADDR'] ?? 'Unknown IP'))
+ );
 session::set('connected', 1);
 session::set('DEBUGLEVEL', $config->get_cfg_value('DEBUGLEVEL'));
 header('Location: main.php');
diff --git a/include/php_setup.inc b/include/php_setup.inc
index 2738df3d1983ff398edbcaf6b21089cca3dcc252..3d73b54f658cbf3398b4e203c228b4bcf7a98832 100644
--- a/include/php_setup.inc
+++ b/include/php_setup.inc
@@ -262,7 +262,7 @@ function gosaRaiseError ($errno, $errstr, $errfile, $errline) /* Flush in case of fatal errors */ if (preg_match('/^fatal/i', $errstr) || (PHP_ERROR_FATAL == 'TRUE')) { - session::destroy(); + session::destroy('Fatal error'); if (PHP_ERROR_FATAL == 'TRUE') { $error_collector = str_replace('display: none;', '', $error_collector); }
diff --git a/setup/class_setup.inc b/setup/class_setup.inc
index a65d218320cea1ae1c2177ff6c286f33282e4f6b..818afce9ff628d7fd8ba310c5bba41cb3c4f71c1 100644
--- a/setup/class_setup.inc
+++ b/setup/class_setup.inc
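Review bot: `redirect()` dereferences `$ui->dn` on the global without checking it is set; the earlier hunk in this file reads `$ui` too, so the login flow presumably populates it, but nothing in `redirect()` itself guarantees that, and on PHP 8 a missing `$ui` produces a warning plus a `null` object field in the audit entry rather than a visible failure. Either pass `$ui->dn ?? ''` as the third argument or state the precondition in the method's docblock, e.g. `Requires the global $ui to be populated by the authentication step`. Note also that this success message embeds `REMOTE_ADDR` while the failed-login entry in the same file dropped it in favour of the logging class's fallback; treating both the same way (both in the message, or neither) would keep the audit trail consistent.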
@@ -51,9 +51,9 @@ class setup $this->i_steps = count($this->o_steps); /* Ensure that setup is not reachable if fusiondirectory.conf exist (CONFIG_FILE) */ - if (file_exists(CONFIG_DIR."/".CONFIG_FILE)) { - session::destroy(); - header("Location: index.php"); + if (file_exists(CONFIG_DIR.'/'.CONFIG_FILE)) { + session::destroy('Invalid setup.php call'); + header('Location: index.php'); exit(); } }