WebSVN – personal-webbase – Blame – /trunk/modules/login/autostart/2.inc.php

Rev	Author	Line No.	Line
1	daniel-mar	1	<?php
		2
		3	if (!defined('WBLEGAL')) die('Kann nicht ohne Personal WebBase ausgeführt werden.');
		4
		5	// TODO: Als crossover f�r fastlogin auslagern
		6	// TODO: Auch f�r PMA/net2ftp zug�nglich machen
		7
		8	function load_fastlogin_cookie() {
		9	if (isset($_COOKIE['wb_fastlogin_key'])) {
		10	$r_user = '';
		11	$r_pwd = '';
		12	$r_succ = wb_decode_fast_login_key($_COOKIE['wb_fastlogin_key'], $r_user, $r_pwd);
		13
		14	if ($r_succ) {
		15	login_as_user($r_user, $r_pwd);
		16	} else {
		17	// Das Cookie ist ung�ltig geworden. Wir l�schen es.
		18	wbUnsetCookie('wb_fastlogin_key');
		19	unset($_COOKIE['wb_fastlogin_key']);
		20	}
		21	}
		22	}
		23
		24	// -------------------------------------------------------
		25
		26	@session_cache_limiter('private');
		27	@ini_set('session.cookie_path', RELATIVE_DIR);
		28	//@ini_set('session.cookie_domain', $_SERVER['HTTP_HOST']);
		29	//@session_set_cookie_params(0, RELATIVE_DIR, $_SERVER['HTTP_HOST'], $WBConfig->getForceSSLFlag());
		30
		31	// @ini_set('session.auto_start', 0);
		32	@ini_set('session.cache_expire', 180);
		33	@ini_set('session.use_trans_sid', 0);
		34	@ini_set('session.use_cookies', 1);
		35	@ini_set('session.use_only_cookies', 1);
		36	@ini_set('session.cookie_secure', $WBConfig->getForceSSLFlag());
		37	@ini_set('session.cookie_lifetime', 0);
		38	@ini_set('session.gc_maxlifetime', 1440);
		39	@ini_set('session.bug_compat_42', 0);
		40	@ini_set('session.bug_compat_warn', 1);
		41	if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN')
		42	{
		43	@ini_set('session.hash_function', 1);
		44	@ini_set('session.hash_bits_per_character', 6);
		45	}
		46	@ini_set('session.save_handler', 'user');
		47	// @ini_set('session.save_path', 'includes/session/');
		48	// @ini_set('arg_separator.output', '&');
		49	// @ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset=');
		50
		51	$wb_session_name = 'webbase';
		52
		53	// TODO: Was hab ich mir dabei gedacht? M�glicherweise als Kompat zu den 3P-Generics
		54	@session_unset();
		55	@session_destroy();
		56
		57	wb_newdatabasetable('sessions', $m2, 'session_id', "varchar(255) NOT NULL",
		58	'last_updated', "datetime NOT NULL",
		59	'data_value', "text");
		60
		61	if (function_exists('set_searchable')) set_searchable($m2, 'sessions', 0);
		62
		63	my_add_key($WBConfig->getMySQLPrefix().'sessions', 'session_id', false, 'session_id');
		64
		65	if (!function_exists('sessao_open'))
		66	{
		67	function sessao_open($aSavaPath, $aSessionName)
		68	{
		69	sessao_gc( ini_get('session.gc_maxlifetime') );
		70	return True;
		71	}
		72	}
		73
		74	if (!function_exists('sessao_close'))
		75	{
		76	function sessao_close()
		77	{
		78	return True;
		79	}
		80	}
		81
		82	if (!function_exists('sessao_read'))
		83	{
		84	function sessao_read( $aKey )
		85	{
		86	global $WBConfig;
		87
		88	$busca = db_query("SELECT `data_value` FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE `session_id` = '".db_simple_escape($aKey)."'");
		89	if (db_num($busca) == 0)
		90	{
		91	db_query("INSERT INTO `".$WBConfig->getMySQLPrefix()."sessions` (`session_id`, `last_updated`, `data_value`) VALUES ('".db_simple_escape($aKey)."', NOW(), '')");
		92	return '';
		93	}
		94	else
		95	{
		96	$r = db_fetch($busca);
		97	return md5_decrypt($r['data_value'], $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword());
		98	}
		99	}
		100	}
		101
		102	if (!function_exists('sessao_write'))
		103	{
		104	function sessao_write( $aKey, $aVal )
		105	{
		106	global $WBConfig;
		107
		108	db_query("UPDATE `".$WBConfig->getMySQLPrefix()."sessions` SET `data_value` = '".md5_encrypt($aVal, $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword())."', `last_updated` = NOW() WHERE `session_id` = '".db_simple_escape($aKey)."'");
		109	return True;
		110	}
		111	}
		112
		113	if (!function_exists('sessao_destroy'))
		114	{
		115	function sessao_destroy( $aKey )
		116	{
		117	global $WBConfig;
		118
		119	db_query("DELETE FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE `session_id` = '".db_simple_escape($aKey)."'");
		120	if (db_affected_rows() > 0)
		121	db_query("OPTIMIZE TABLE `".$WBConfig->getMySQLPrefix()."sessions`");
		122	return True;
		123	}
		124	}
		125
		126	if (!function_exists('sessao_gc'))
		127	{
		128	function sessao_gc( $aMaxLifeTime )
		129	{
		130	global $WBConfig;
		131
		132	db_query("DELETE FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`last_updated`) > ".db_simple_escape($aMaxLifeTime));
		133	if (db_affected_rows() > 0)
		134	db_query("OPTIMIZE TABLE `".$WBConfig->getMySQLPrefix()."sessions`");
		135	return True;
		136	}
		137	}
		138
		139	@session_set_save_handler("sessao_open", "sessao_close", "sessao_read", "sessao_write", "sessao_destroy", "sessao_gc");
		140
		141	@session_name($wb_session_name);
		142	@session_start();
		143
		144	// TODO EXPERIMENTAL
		145	// http://support.microsoft.com/default.aspx?scid=kb;EN-US;323752
		146	// http://www.hypotext.de/Tipps+und+Tricks/Sessions+beim+Einbinden+externer+Inhalte+in+einen+Frameset_45.htxt
		147	// header('p3p: CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"');
		148	// header('P3P: CP="CAO PSA OUR"');
		149
		150	// Micro$hit IE cached die Index-Frameset-Seite...
		151	// http://www.webmaster-eye.de/PHP-Dateien-nicht-cachen.254.artikel.html
		152	// Die 'Laufzeit' der Datei wird auf den 10.1.1970 gesetzt, also schon lange abgelaufen ;)
		153	header("Expires: Mon, 10 Jan 1970 01:01:01 GMT");
		154	// Der 'Last-Modified' Parameter wird auf das aktuelle Datum gesetzt.
		155	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
		156	// Die f�r die Proxys interessante Cache-Control wird eingestellt.
		157	header("Cache-Control: no-store, no-cache, must-revalidate");
		158	// Siehe einen Kommentar weiter oben ...
		159	header("Pragma: no-cache");
		160	// Jetzt folgt der Inhalt der Seite ...
		161
		162	if (version_compare(PHP_VERSION, '5.1.2', 'lt') && isset($_COOKIE[$wb_session_name]) && eregi("\r\|\n", $_COOKIE[$wb_session_name]))
		163	{
		164	die('Angriff');
		165	}
		166
		167	/* if (!preg_match("/^[0-9a-z]*$/i", session_id()))
		168	{
		169	die($header.'Fehler! Die Session-ID ist ungültig.'.$footer);
		170	} */
		171
		172	/*
		173
		174	Ich gebe es auf! Ich sitze seit 5 Tagen ununterbrochen daran,
		175	session_regenerate_id auf allen 4 Testsystemen zum Laufen zu
		176	bekommen, doch andauernd gehen die Session-Informationen verloren!
		177	Ich denke, dass die untenstehende L�sung genug ausreicht.
		178
		179	$ary = explode('/', $_SERVER['PHP_SELF']);
		180	if ($ary[count($ary)-1] == 'page.php')
		181	{
		182	// @session_regenerate_id(true);
		183
		184	@session_start();
		185	$old_sessid = @session_id();
		186	@session_regenerate_id();
		187	$new_sessid = @session_id();
		188	@session_id($old_sessid);
		189	@session_destroy();
		190
		191	$old_session = $_SESSION;
		192	@session_id($new_sessid);
		193	@session_start();
		194	$_SESSION = $old_session;
		195	}
		196
		197	*/
		198
		199	$usedns = TRUE;
		200
		201	$useragent = (isset($_SERVER['HTTP_USER_AGENT'])) ? $_SERVER['HTTP_USER_AGENT'] : '';
		202	$host = fetchip();
		203
		204	if ($usedns) // <- war im Originalen $global['dns']... was soll das sein?!
		205	$dns = @gethostbyaddr($host);
		206	else
		207	$dns = $host;
		208
		209	if ((isset($_SESSION['session_secured'])) && ($_SESSION['session_secured']))
		210	{
		211	if ((($_SESSION['host'] != $host) && !$usedns)
		212	\|\| ($_SESSION['dns'] != $dns)
		213	\|\| ($_SESSION['useragent'] != $useragent)
		214	) {
		215	session_regenerate_id();
		216	session_unset();
		217	session_destroy();
		218	}
		219	} else {
		220	$_SESSION['host'] = $host;
		221	$_SESSION['dns'] = $dns;
		222	$_SESSION['useragent'] = $useragent;
		223	$_SESSION['session_secured'] = 1;
		224	}
		225
		226	// -----------------------------------------------------------------------------------------------------
		227
		228	define('SPERRMELDUNG', $header.'<h1>Fehler</h1>Ihr Benutzerkonto wurde auf diesem Personal WebBase-Server gesperrt. Bitte wenden Sie sich an den Serveradministrator.<br><br><a href="index.php">Zurück zum Webinterface</a>'.$footer);
		229
		230	function login_as_user($username, $password) {
		231	global $WBConfig, $benutzer, $m2; // TODO: $m2 besser als parameter, damit funktion auch von guest verwendet werden kann
		232
		233	$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($username)."' AND `password` = '".md5($password)."'");
		234	if (db_num($res) > 0)
		235	{
		236	$row = db_fetch($res);
		237	foreach ($row as $key => $value)
		238	$benutzer[$key] = $value;
		239
		240	if ($benutzer['banned'] == '1')
		241	{
		242	@session_unset();
		243	@session_destroy();
		244
		245	die(SPERRMELDUNG);
		246	}
		247	else
		248	{
		249	$_SESSION['last_login'] = $benutzer['last_login'];
		250	$_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
		251	db_query("UPDATE `".$WBConfig->getMySQLPrefix()."users` SET `last_login` = NOW(), `last_login_ip` = '".$_SERVER['REMOTE_ADDR']."' WHERE `username` = '".db_escape($username)."'");
		252	$benutzer['last_login'] = db_time();
		253	$benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];
		254
		255	$_SESSION['wb_user_type'] = '1';
		256	$_SESSION['wb_user_username'] = $username;
		257	$_SESSION['wb_user_password'] = $password;
		258	}
		259	}
		260	else
		261	{
		262	@session_unset();
		263	@session_destroy();
		264
		265	wb_redirect_now('index.php?prv_modul='.$m2);
		266	}
		267	}
		268
		269	// -----------------------------------------------------------------------------------------------------
		270
		271	if (!isset($wb_user_type)) $wb_user_type = -1;
		272
		273	if (isset($_POST['login_process']) && ($_POST['login_process'] == '1'))
		274	{
		275	if ($wb_user_type == 2)
		276	{
		277	if (md5($wb_user_password) != $configuration['main_administration']['admin_pwd'])
		278	{
		279	wb_redirect_now('index.php?prv_modul=main_administration');
		280	}
		281	else
		282	{
		283	$_SESSION['last_login'] = $configuration['main_administration']['last_login'];
		284	$_SESSION['last_login_ip'] = $configuration['main_administration']['last_login_ip'];
		285
		286	wb_change_config('last_login', db_time(), 'main_administration');
		287	wb_change_config('last_login_ip', $_SERVER['REMOTE_ADDR'], 'main_administration');
		288
		289	$_SESSION['wb_user_type'] = $wb_user_type;
		290	$_SESSION['wb_user_password'] = $wb_user_password;
		291	}
		292	}
		293
		294	if ($wb_user_type == '1')
		295	{
		296	if (($wb_user_username == $configuration['main_guest_login']['gast_username']) && ($wb_user_password == $configuration['main_guest_login']['gast_password']))
		297	{
		298	if ($configuration['main_guest_login']['enable_gast'])
		299	{
		300	$wb_user_type = '0';
		301	}
		302	else
		303	{
		304	@session_unset();
		305	@session_destroy();
		306
		307	wb_redirect_now('index.php?prv_modul='.$m2);
		308	}
		309	} else {
		310	login_as_user($wb_user_username, $wb_user_password);
		311	}
		312	}
		313
		314	if ($wb_user_type == '0')
		315	{
		316	if ($configuration['main_guest_login']['enable_gast'])
		317	{
		318	$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."' AND `password` = '".md5($configuration['main_guest_login']['gast_password'])."'");
		319	if (db_num($res) > 0)
		320	{
		321	$row = db_fetch($res);
		322	foreach ($row as $key => $value)
		323	$benutzer[$key] = $value;
		324
		325	if ($benutzer['banned'] == '1')
		326	{
		327	@session_unset();
		328	@session_destroy();
		329
		330	die(SPERRMELDUNG);
		331	}
		332	else
		333	{
		334	$_SESSION['last_login'] = $benutzer['last_login'];
		335	$_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
		336	db_query("UPDATE `".$WBConfig->getMySQLPrefix()."users` SET `last_login` = NOW(), `last_login_ip` = '".$_SERVER['REMOTE_ADDR']."' WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."'");
		337	$benutzer['last_login'] = db_time();
		338	$benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];
		339
		340	$_SESSION['wb_user_type'] = $wb_user_type;
		341	}
		342	}
		343	else
		344	{
		345	@session_unset();
		346	@session_destroy();
		347
		348	wb_redirect_now('index.php?prv_modul=main_guest_login');
		349	}
		350	}
		351	else
		352	{
		353	@session_unset();
		354	@session_destroy();
		355
		356	wb_redirect_now('index.php?prv_modul=main_guest_login');
		357	}
		358	}
		359	}
		360	else
		361	{
		362	if ((!isset($_SESSION['wb_user_type'])) \|\| (($_SESSION['wb_user_type'] != '0') && ($_SESSION['wb_user_type'] != '1') && ($_SESSION['wb_user_type'] != '2')))
		363	{
		364	$wb_user_type = -1;
		365
		366	load_fastlogin_cookie();
		367	}
		368	else
		369	{
		370	if ($_SESSION['wb_user_type'] == '0')
		371	{
		372	if ($configuration['main_guest_login']['enable_gast'])
		373	{
		374	$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($configuration['main_guest_login']['gast_username'])."' AND `password` = '".md5($configuration['main_guest_login']['gast_password'])."'");
		375	if (db_num($res) > 0)
		376	{
		377	$row = db_fetch($res);
		378	foreach ($row as $key => $value)
		379	$benutzer[$key] = $value;
		380
		381	if ($benutzer['banned'] == '1')
		382	{
		383	@session_unset();
		384	@session_destroy();
		385
		386	die(SPERRMELDUNG);
		387	}
		388	else
		389	{
		390	$wb_user_type = $_SESSION['wb_user_type'];
		391	$wb_user_username = $configuration['main_guest_login']['gast_username'];
		392	$wb_user_password = $configuration['main_guest_login']['gast_password'];
		393	}
		394	}
		395	else
		396	{
		397	@session_unset();
		398	@session_destroy();
		399
		400	wb_redirect_now('index.php?prv_modul=main_guest_login');
		401	}
		402	}
		403	else
		404	{
		405	@session_unset();
		406	@session_destroy();
		407
		408	wb_redirect_now('index.php?prv_modul='.$m2);
		409	}
		410	}
		411	else if ($_SESSION['wb_user_type'] == '1')
		412	{
		413	$res = db_query("SELECT * FROM `".$WBConfig->getMySQLPrefix()."users` WHERE `username` = '".db_escape($_SESSION['wb_user_username'])."' AND `password` = '".md5($_SESSION['wb_user_password'])."'");
		414	if (db_num($res) > 0)
		415	{
		416	$row = db_fetch($res);
		417	foreach ($row as $key => $value)
		418	$benutzer[$key] = $value;
		419
		420	if ($benutzer['banned'] == '1')
		421	{
		422	@session_unset();
		423	@session_destroy();
		424
		425	die(SPERRMELDUNG);
		426	}
		427	else
		428	{
		429	$wb_user_type = $_SESSION['wb_user_type'];
		430	$wb_user_username = $_SESSION['wb_user_username'];
		431	$wb_user_password = $_SESSION['wb_user_password'];
		432	}
		433	}
		434	else
		435	{
		436	@session_unset();
		437	@session_destroy();
		438
		439	wb_redirect_now('index.php?prv_modul='.$m2);
		440	}
		441	}
		442	else if ($_SESSION['wb_user_type'] == '2')
		443	{
		444	if (md5($_SESSION['wb_user_password']) != $configuration['main_administration']['admin_pwd'])
		445	{
		446	wb_redirect_now('index.php?prv_modul=main_administration');
		447	}
		448	else
		449	{
		450	$wb_user_type = $_SESSION['wb_user_type'];
		451	$wb_user_password = $_SESSION['wb_user_password'];
		452	}
		453	}
		454	}
		455	}
		456
		457	?>

Subversion Repositories personal-webbase

personal-webbase/trunk/modules/login/autostart/2.inc.php – Rev 1