<?php

// This file only works when included by Personal WebBase, which defines
// WBLEGAL; refuse to run standalone (the message is user-facing, hence German).
if (!defined('WBLEGAL'))
{
	die('Kann nicht ohne Personal WebBase ausgeführt werden.');
}

// TODO: move out as a crossover for fastlogin
// TODO: make available for PMA/net2ftp as well
/**
 * Restores a login from the "wb_fastlogin_key" cookie, if one is present.
 *
 * The cookie is handed to wb_decode_fast_login_key(), which reports success as
 * its return value and (presumably by reference — the two locals are passed in
 * empty and used afterwards) fills in a username and password. On success the
 * pair goes to login_as_user(). A cookie that no longer decodes is removed both
 * from the browser and from $_COOKIE so later code in this request ignores it.
 *
 * @return void
 */
function load_fastlogin_cookie() {
	if (!isset($_COOKIE['wb_fastlogin_key'])) {
		return;
	}

	$user = '';
	$pwd  = '';
	$decoded = wb_decode_fast_login_key($_COOKIE['wb_fastlogin_key'], $user, $pwd);

	if (!$decoded) {
		// The cookie has become invalid; drop it.
		wbUnsetCookie('wb_fastlogin_key');
		unset($_COOKIE['wb_fastlogin_key']);
		return;
	}

	login_as_user($user, $pwd);
}
23 | |||
24 | // ------------------------------------------------------- |
||
25 | |||
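// --- Session configuration ---------------------------------------------------
// Failures of ini_set()/session_*() are deliberately silenced with "@": several
// of these options only exist on some of the PHP versions this file supports.
@session_cache_limiter('private');
@ini_set('session.cookie_path', RELATIVE_DIR);
//@ini_set('session.cookie_domain', $_SERVER['HTTP_HOST']);
//@session_set_cookie_params(0, RELATIVE_DIR, $_SERVER['HTTP_HOST'], $WBConfig->getForceSSLFlag());

// @ini_set('session.auto_start', 0);
@ini_set('session.cache_expire', 180);
@ini_set('session.use_trans_sid', 0);
@ini_set('session.use_cookies', 1);
@ini_set('session.use_only_cookies', 1);   // never take the session id from the URL
@ini_set('session.cookie_secure', $WBConfig->getForceSSLFlag());
// The session cookie is only ever needed by the server, so keep it out of reach
// of client-side script. PHP versions without this option ignore the call.
@ini_set('session.cookie_httponly', 1);
@ini_set('session.cookie_lifetime', 0);
@ini_set('session.gc_maxlifetime', 1440);
@ini_set('session.bug_compat_42', 0);
@ini_set('session.bug_compat_warn', 1);
// Longer, SHA-1 based session ids where the PHP build supports them.
if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN')
{
	@ini_set('session.hash_function', 1);
	@ini_set('session.hash_bits_per_character', 6);
}
// Storage is delegated to the sessao_* callbacks registered further down.
@ini_set('session.save_handler', 'user');
// @ini_set('session.save_path', 'includes/session/');
// @ini_set('arg_separator.output', '&');
// @ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset=');

$wb_session_name = 'webbase';

// TODO: What was I thinking here? Possibly as compatibility with the 3P generics
@session_unset();
@session_destroy();

// Table backing the custom save handler (one row per session id).
wb_newdatabasetable('sessions', $m2, 'session_id', "varchar(255) NOT NULL",
                                     'last_updated', "datetime NOT NULL",
                                     'data_value', "text");

if (function_exists('set_searchable')) set_searchable($m2, 'sessions', 0);

my_add_key($WBConfig->getMySQLPrefix().'sessions', 'session_id', false, 'session_id');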
||
64 | |||
if (!function_exists('sessao_open'))
{
	/**
	 * Session save handler: "open" callback.
	 *
	 * Nothing is opened here (storage is the MySQL "sessions" table); the hook
	 * is used to expire stale rows via sessao_gc() before the session is read.
	 *
	 * @param string $aSavaPath    save path handed over by PHP (unused)
	 * @param string $aSessionName session name handed over by PHP (unused)
	 * @return bool always true
	 */
	function sessao_open($aSavaPath, $aSessionName)
	{
		$maxLifeTime = ini_get('session.gc_maxlifetime');
		sessao_gc($maxLifeTime);

		return true;
	}
}
||
73 | |||
if (!function_exists('sessao_close'))
{
	/**
	 * Session save handler: "close" callback. There is no connection or file
	 * to release, so this only reports success.
	 *
	 * @return bool always true
	 */
	function sessao_close()
	{
		return true;
	}
}
||
81 | |||
if (!function_exists('sessao_read'))
{
	/**
	 * Session save handler: "read" callback.
	 *
	 * Looks up the row for $aKey in the "sessions" table. An unknown id gets an
	 * empty row inserted (so that a later write finds a row to update) and
	 * yields ''. Otherwise the stored value is decrypted with md5_decrypt(),
	 * keyed on the MySQL credentials.
	 *
	 * Note that any client presenting an unknown cookie causes a row to be
	 * created; garbage collection (sessao_gc) is what bounds the table.
	 *
	 * @param string $aKey session id (client-supplied; escaped before use in SQL)
	 * @return string serialized session data, '' for a new session
	 */
	function sessao_read( $aKey )
	{
		global $WBConfig;

		$table  = '`'.$WBConfig->getMySQLPrefix().'sessions`';
		$id     = db_simple_escape($aKey);
		$secret = $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword();

		$found = db_query("SELECT `data_value` FROM ".$table." WHERE `session_id` = '".$id."'");
		if (db_num($found) != 0)
		{
			$row = db_fetch($found);
			return md5_decrypt($row['data_value'], $secret);
		}

		db_query("INSERT INTO ".$table." (`session_id`, `last_updated`, `data_value`) VALUES ('".$id."', NOW(), '')");
		return '';
	}
}
||
101 | |||
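if (!function_exists('sessao_write'))
{
	/**
	 * Session save handler: "write" callback.
	 *
	 * Stores $aVal (encrypted with md5_encrypt(), keyed on the MySQL credentials)
	 * for session id $aKey. Normally the row already exists because sessao_read()
	 * inserts one for unknown ids; when it does not (the id was changed by
	 * session_regenerate_id() after the read, or garbage collection removed the
	 * row meanwhile) a plain UPDATE affects no rows and the session data would be
	 * lost silently, so the row is inserted in that case.
	 *
	 * The ciphertext is passed through db_simple_escape() like every other value
	 * this file interpolates into SQL; md5_encrypt()'s output format is not
	 * visible here, so it is not assumed to be SQL-safe.
	 *
	 * @param string $aKey session id
	 * @param string $aVal serialized session data
	 * @return bool always true (PHP treats a non-true return as a failed write)
	 */
	function sessao_write( $aKey, $aVal )
	{
		global $WBConfig;

		$table  = '`'.$WBConfig->getMySQLPrefix().'sessions`';
		$id     = db_simple_escape($aKey);
		$secret = $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword();
		$data   = db_simple_escape(md5_encrypt($aVal, $secret));

		db_query("UPDATE ".$table." SET `data_value` = '".$data."', `last_updated` = NOW() WHERE `session_id` = '".$id."'");

		// MySQL reports 0 affected rows both for "no such row" and for "row
		// unchanged", so only when the UPDATE touched nothing is existence checked.
		if (db_affected_rows() == 0)
		{
			$found = db_query("SELECT `session_id` FROM ".$table." WHERE `session_id` = '".$id."'");
			if (db_num($found) == 0)
			{
				db_query("INSERT INTO ".$table." (`session_id`, `last_updated`, `data_value`) VALUES ('".$id."', NOW(), '".$data."')");
			}
		}

		return true;
	}
}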
||
112 | |||
if (!function_exists('sessao_destroy'))
{
	/**
	 * Session save handler: "destroy" callback.
	 *
	 * Removes the row for $aKey; when something was actually deleted the table
	 * is optimised right away (the original author's choice — note that this
	 * runs on every successful destroy).
	 *
	 * @param string $aKey session id (escaped before use in SQL)
	 * @return bool always true
	 */
	function sessao_destroy( $aKey )
	{
		global $WBConfig;

		$table = '`'.$WBConfig->getMySQLPrefix().'sessions`';

		db_query("DELETE FROM ".$table." WHERE `session_id` = '".db_simple_escape($aKey)."'");
		if (db_affected_rows() > 0)
		{
			db_query("OPTIMIZE TABLE ".$table);
		}

		return true;
	}
}
||
125 | |||
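if (!function_exists('sessao_gc'))
{
	/**
	 * Session save handler: "gc" callback.
	 *
	 * Deletes every session row whose last_updated is older than $aMaxLifeTime
	 * seconds and optimises the table when rows were removed.
	 *
	 * @param int|string $aMaxLifeTime lifetime in seconds; PHP (and sessao_open)
	 *                                  hand this over as the raw ini string
	 * @return bool always true
	 */
	function sessao_gc( $aMaxLifeTime )
	{
		global $WBConfig;

		// The value is interpolated into an unquoted numeric position, so force
		// it to an integer rather than relying on string escaping alone.
		$maxAge = (int)$aMaxLifeTime;
		$table  = '`'.$WBConfig->getMySQLPrefix().'sessions`';

		db_query("DELETE FROM ".$table." WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`last_updated`) > ".$maxAge);
		if (db_affected_rows() > 0)
		{
			db_query("OPTIMIZE TABLE ".$table);
		}

		return true;
	}
}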
||
138 | |||
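// Register the MySQL-backed handler, then start the session under its own name.
@session_set_save_handler("sessao_open", "sessao_close", "sessao_read", "sessao_write", "sessao_destroy", "sessao_gc");

@session_name($wb_session_name);
@session_start();

// TODO EXPERIMENTAL
// http://support.microsoft.com/default.aspx?scid=kb;EN-US;323752
// http://www.hypotext.de/Tipps+und+Tricks/Sessions+beim+Einbinden+externer+Inhalte+in+einen+Frameset_45.htxt
// header('p3p: CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"');
// header('P3P: CP="CAO PSA OUR"');

// IE caches the index frameset page...
// http://www.webmaster-eye.de/PHP-Dateien-nicht-cachen.254.artikel.html
// The document's "expiry" is set to 10 Jan 1970, i.e. long expired ;)
header("Expires: Mon, 10 Jan 1970 01:01:01 GMT");
// 'Last-Modified' is set to the current date.
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// Cache-Control, the header proxies care about.
header("Cache-Control: no-store, no-cache, must-revalidate");
// See the comment above ...
header("Pragma: no-cache");
// The page content follows ...

// On PHP versions before 5.1.2 a session cookie containing CR/LF is rejected
// here (the version guard suggests newer PHP validates the id itself). The
// check uses preg_match() because eregi() no longer exists since PHP 7; the
// guard still short-circuits it on newer PHP, but the file should not refer to
// a removed function.
if (version_compare(PHP_VERSION, '5.1.2', 'lt') && isset($_COOKIE[$wb_session_name]) && preg_match("/[\r\n]/", $_COOKIE[$wb_session_name]))
{
	die('Angriff');
}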
||
166 | |||
167 | /* if (!preg_match("/^[0-9a-z]*$/i", session_id())) |
||
168 | { |
||
169 | die($header.'Fehler! Die Session-ID ist ungültig.'.$footer); |
||
170 | } */ |
||
171 | |||
172 | /* |
||
173 | |||
174 | Ich gebe es auf! Ich sitze seit 5 Tagen ununterbrochen daran, |
||
175 | session_regenerate_id auf allen 4 Testsystemen zum Laufen zu |
||
176 | bekommen, doch andauernd gehen die Session-Informationen verloren! |
||
177 | Ich denke, dass die untenstehende Lösung genug ausreicht. |
||
178 | |||
179 | $ary = explode('/', $_SERVER['PHP_SELF']); |
||
180 | if ($ary[count($ary)-1] == 'page.php') |
||
181 | { |
||
182 | // @session_regenerate_id(true); |
||
183 | |||
184 | @session_start(); |
||
185 | $old_sessid = @session_id(); |
||
186 | @session_regenerate_id(); |
||
187 | $new_sessid = @session_id(); |
||
188 | @session_id($old_sessid); |
||
189 | @session_destroy(); |
||
190 | |||
191 | $old_session = $_SESSION; |
||
192 | @session_id($new_sessid); |
||
193 | @session_start(); |
||
194 | $_SESSION = $old_session; |
||
195 | } |
||
196 | |||
197 | */ |
||
198 | |||
// --- Bind the session to the requesting client --------------------------------
$usedns = TRUE; // was $global['dns'] in the original code... unclear what that was meant to be

$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$host      = fetchip();
// With $usedns the reverse-DNS name is recorded instead of the bare address;
// "@" hides lookup failures (gethostbyaddr() then returns the address itself).
$dns       = $usedns ? @gethostbyaddr($host) : $host;

if (isset($_SESSION['session_secured']) && $_SESSION['session_secured'])
{
	// Existing session: throw it away when the client no longer matches what
	// was recorded when it was created. The raw address only counts while DNS
	// lookups are disabled; otherwise the DNS name and user agent decide.
	if ((($_SESSION['host'] != $host) && !$usedns)
	    || ($_SESSION['dns'] != $dns)
	    || ($_SESSION['useragent'] != $useragent))
	{
		session_regenerate_id();
		session_unset();
		session_destroy();
	}
}
else
{
	// First request of this session: remember the client fingerprint.
	$_SESSION['host']            = $host;
	$_SESSION['dns']             = $dns;
	$_SESSION['useragent']       = $useragent;
	$_SESSION['session_secured'] = 1;
}
||
225 | |||
226 | // ----------------------------------------------------------------------------------------------------- |
||
227 | |||
// Full page (wrapped in the including script's $header/$footer) shown via die()
// when a banned account tries to log in.
define('SPERRMELDUNG',
	$header
	. '<h1>Fehler</h1>Ihr Benutzerkonto wurde auf diesem Personal WebBase-Server gesperrt. Bitte wenden Sie sich an den Serveradministrator.<br><br><a href="index.php">Zurück zum Webinterface</a>'
	. $footer
);
||
229 | |||
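/**
 * Authenticates $username/$password against the "users" table and, on success,
 * turns the current session into a user session.
 *
 * On success the user's row is copied into the global $benutzer, the previous
 * login time/address are preserved in $_SESSION (last_login, last_login_ip)
 * and refreshed in the table, and wb_user_type/username/password are stored in
 * the session. A banned account ends the request with SPERRMELDUNG; an unknown
 * account or wrong password clears the session and redirects to the module
 * named by the global $m2.
 *
 * Security notes, left as-is because changing them needs a schema or
 * session-format change elsewhere: passwords are matched as plain unsalted
 * md5(); the clear-text password is kept in $_SESSION because the per-request
 * check further down in this file re-validates it against the table; and the
 * session id is not regenerated on login (see the comment block earlier in
 * this file about session_regenerate_id()).
 *
 * @param string $username
 * @param string $password clear-text password
 * @return void
 */
function login_as_user($username, $password) {
	global $WBConfig, $benutzer, $m2; // TODO: better pass $m2 as a parameter so the function can be used by guest as well

	$users = '`'.$WBConfig->getMySQLPrefix().'users`';
	$name  = db_escape($username);

	$res = db_query("SELECT * FROM ".$users." WHERE `username` = '".$name."' AND `password` = '".md5($password)."'");
	if (db_num($res) > 0)
	{
		$row = db_fetch($res);
		foreach ($row as $key => $value)
			$benutzer[$key] = $value;

		if ($benutzer['banned'] == '1')
		{
			@session_unset();
			@session_destroy();

			die(SPERRMELDUNG);
		}
		else
		{
			$_SESSION['last_login']    = $benutzer['last_login'];
			$_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
			// REMOTE_ADDR is server-provided, but it is escaped like every other
			// value this file interpolates into SQL.
			db_query("UPDATE ".$users." SET `last_login` = NOW(), `last_login_ip` = '".db_escape($_SERVER['REMOTE_ADDR'])."' WHERE `username` = '".$name."'");
			$benutzer['last_login']    = db_time();
			$benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];

			$_SESSION['wb_user_type']     = '1';
			$_SESSION['wb_user_username'] = $username;
			$_SESSION['wb_user_password'] = $password;
		}
	}
	else
	{
		@session_unset();
		@session_destroy();

		wb_redirect_now('index.php?prv_modul='.$m2);
	}
}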
||
268 | |||
269 | // ----------------------------------------------------------------------------------------------------- |
||
270 | |||
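// --- Per-request login processing -----------------------------------------------
// $wb_user_type / $wb_user_username / $wb_user_password are expected to have been
// set by the including script from the login form. Values of wb_user_type as
// used below: '0' guest, '1' regular user, '2' administrator, -1 nobody logged
// in. The guest-account lookup appears three times in this block (and mirrors
// login_as_user()); it stays inline because each copy writes different
// file-scope variables.
if (!isset($wb_user_type)) $wb_user_type = -1;

if (isset($_POST['login_process']) && ($_POST['login_process'] == '1'))
{
	// ---- A login form was submitted ----

	if ($wb_user_type == 2)
	{
		// Administrator: md5 of the submitted password against the configured
		// hash. Compared strictly — with "!=" two hashes that both look like
		// "0e<digits>" would be treated as equal numbers.
		if (md5($wb_user_password) !== (string)$configuration['main_administration']['admin_pwd'])
		{
			wb_redirect_now('index.php?prv_modul=main_administration');
		}
		else
		{
			$_SESSION['last_login']    = $configuration['main_administration']['last_login'];
			$_SESSION['last_login_ip'] = $configuration['main_administration']['last_login_ip'];

			wb_change_config('last_login', db_time(), 'main_administration');
			wb_change_config('last_login_ip', $_SERVER['REMOTE_ADDR'], 'main_administration');

			$_SESSION['wb_user_type']     = $wb_user_type;
			$_SESSION['wb_user_password'] = $wb_user_password;
		}
	}

	if ($wb_user_type == '1')
	{
		// A user login with the guest credentials becomes a guest login (handled
		// by the next block) when guest access is enabled, and is rejected
		// otherwise. The string casts make the comparison exact instead of
		// PHP's numeric-string comparison.
		if (((string)$wb_user_username === (string)$configuration['main_guest_login']['gast_username']) && ((string)$wb_user_password === (string)$configuration['main_guest_login']['gast_password']))
		{
			if ($configuration['main_guest_login']['enable_gast'])
			{
				$wb_user_type = '0';
			}
			else
			{
				@session_unset();
				@session_destroy();

				wb_redirect_now('index.php?prv_modul='.$m2);
			}
		} else {
			login_as_user($wb_user_username, $wb_user_password);
		}
	}

	if ($wb_user_type == '0')
	{
		// Guest login (direct, or converted from a user login above).
		if ($configuration['main_guest_login']['enable_gast'])
		{
			$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."' AND `password` = '".md5($configuration['main_guest_login']['gast_password'])."'");
			if (db_num($res) > 0)
			{
				$row = db_fetch($res);
				foreach ($row as $key => $value)
					$benutzer[$key] = $value;

				if ($benutzer['banned'] == '1')
				{
					@session_unset();
					@session_destroy();

					die(SPERRMELDUNG);
				}
				else
				{
					$_SESSION['last_login']    = $benutzer['last_login'];
					$_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
					// REMOTE_ADDR is escaped like every other value interpolated into SQL.
					db_query("UPDATE `".$WBConfig->getMySQLPrefix()."users` SET `last_login` = NOW(), `last_login_ip` = '".db_escape($_SERVER['REMOTE_ADDR'])."' WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."'");
					$benutzer['last_login']    = db_time();
					$benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];

					$_SESSION['wb_user_type'] = $wb_user_type;
				}
			}
			else
			{
				// The configured guest account is not in the users table.
				@session_unset();
				@session_destroy();

				wb_redirect_now('index.php?prv_modul=main_guest_login');
			}
		}
		else
		{
			@session_unset();
			@session_destroy();

			wb_redirect_now('index.php?prv_modul=main_guest_login');
		}
	}
}
else
{
	// ---- No form submitted: re-validate what the session claims ----
	if ((!isset($_SESSION['wb_user_type'])) || (($_SESSION['wb_user_type'] != '0') && ($_SESSION['wb_user_type'] != '1') && ($_SESSION['wb_user_type'] != '2')))
	{
		// Nobody is logged in; a fastlogin cookie may still establish a login.
		$wb_user_type = -1;

		load_fastlogin_cookie();
	}
	else
	{
		if ($_SESSION['wb_user_type'] == '0')
		{
			// Guest session: the guest account is looked up again on every
			// request so a disabled or banned guest account ends the session.
			if ($configuration['main_guest_login']['enable_gast'])
			{
				$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."' AND `password` = '".md5($configuration['main_guest_login']['gast_password'])."'");
				if (db_num($res) > 0)
				{
					$row = db_fetch($res);
					foreach ($row as $key => $value)
						$benutzer[$key] = $value;

					if ($benutzer['banned'] == '1')
					{
						@session_unset();
						@session_destroy();

						die(SPERRMELDUNG);
					}
					else
					{
						$wb_user_type     = $_SESSION['wb_user_type'];
						$wb_user_username = $configuration['main_guest_login']['gast_username'];
						$wb_user_password = $configuration['main_guest_login']['gast_password'];
					}
				}
				else
				{
					@session_unset();
					@session_destroy();

					wb_redirect_now('index.php?prv_modul=main_guest_login');
				}
			}
			else
			{
				@session_unset();
				@session_destroy();

				wb_redirect_now('index.php?prv_modul='.$m2);
			}
		}
		else if ($_SESSION['wb_user_type'] == '1')
		{
			// Regular user: the password kept in the session is checked against
			// the table on every request, so a changed or removed account logs out.
			$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($_SESSION['wb_user_username'])."' AND `password` = '".md5($_SESSION['wb_user_password'])."'");
			if (db_num($res) > 0)
			{
				$row = db_fetch($res);
				foreach ($row as $key => $value)
					$benutzer[$key] = $value;

				if ($benutzer['banned'] == '1')
				{
					@session_unset();
					@session_destroy();

					die(SPERRMELDUNG);
				}
				else
				{
					$wb_user_type     = $_SESSION['wb_user_type'];
					$wb_user_username = $_SESSION['wb_user_username'];
					$wb_user_password = $_SESSION['wb_user_password'];
				}
			}
			else
			{
				@session_unset();
				@session_destroy();

				wb_redirect_now('index.php?prv_modul='.$m2);
			}
		}
		else if ($_SESSION['wb_user_type'] == '2')
		{
			// Administrator: same strict hash comparison as for the form login.
			if (md5($_SESSION['wb_user_password']) !== (string)$configuration['main_administration']['admin_pwd'])
			{
				wb_redirect_now('index.php?prv_modul=main_administration');
			}
			else
			{
				$wb_user_type     = $_SESSION['wb_user_type'];
				$wb_user_password = $_SESSION['wb_user_password'];
			}
		}
	}
}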
||
456 | |||
457 | ?> |