9 | daniel-mar | 1 | <?php |
2 | |||
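if (!defined('WBLEGAL')) die('Kann nicht ohne Personal WebBase ausgeführt werden.');

/*
 * Session bootstrap for Personal WebBase.
 *
 * Configures the PHP session extension (cookie-only session IDs, no URL
 * rewriting, secure cookie when $force_ssl is set), discards any session
 * that may already be active, and makes sure the `<prefix>sessions` table
 * used by the sessao_* save handler below exists and is keyed by SessionID.
 *
 * Globals read:    $force_ssl, $m2, $mysql_zugangsdaten['praefix']
 * Globals written: $ib_session_name
 */

/* if (!@is_writable('includes/session/'))
{
    die($header.'<h1>Fehler</h1>Das Verzeichnis includes/session/ muss schreibbar sein (CHMOD 777)!'.$footer);
} */

//@ini_set('session.auto_start', 0);
@ini_set('session.cache_expire', 180);
// Session IDs travel in cookies only: no URL rewriting, no ID from the query string.
@ini_set('session.use_trans_sid', 0);
@ini_set('session.use_cookies', 1);
@ini_set('session.use_only_cookies', 1);
if ($force_ssl) @ini_set('session.cookie_secure', 1);
// Keep the session cookie out of reach of client-side script; the application
// only needs the browser to send it back.
@ini_set('session.cookie_httponly', 1);
@ini_set('session.cookie_lifetime', 0);
@ini_set('session.gc_maxlifetime', 1440);
// These two options only exist on old PHP releases (removed in later
// versions); ini_set() on an unknown option simply returns false.
@ini_set('session.bug_compat_42', 0);
@ini_set('session.bug_compat_warn', 1);
if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN')
{
    // Stronger session-ID generation on PHP 5.x (SHA-1, 6 bits per character).
    // Later PHP versions no longer know these options and ignore the call.
    @ini_set('session.hash_function', 1);
    @ini_set('session.hash_bits_per_character', 6);
}
//@ini_set('session.save_handler', 'user'); // Commented out. Does not work with current PHP versions any more, because session_set_save_handler() has to be called instead (see https://bugs.php.net/bug.php?id=77384 )
// @ini_set('session.save_path', 'includes/session/');
//@ini_set('arg_separator.output', '&');
//@ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset=');

$ib_session_name = 'ironbase';

// Drop whatever session might be active before the custom handler is installed.
@session_unset();
@session_destroy();

// Storage for the save handler: one row per session ID, payload in DataValue.
ib_newdatabasetable('sessions', $m2, 'SessionID', "varchar(255) NOT NULL",
                                     'LastUpdated', "datetime NOT NULL",
                                     'DataValue', "text");

if (function_exists('set_searchable')) set_searchable($m2, 'sessions', 0);

my_add_key($mysql_zugangsdaten['praefix'].'sessions', 'SessionID', false, 'SessionID');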
if (!function_exists('sessao_open'))
{
    /**
     * Session save handler "open" callback.
     *
     * Nothing has to be opened for the database-backed store; the callback is
     * only used to purge expired sessions before the current one is read.
     *
     * @param string $aSavaPath    save path handed over by PHP (unused)
     * @param string $aSessionName session name handed over by PHP (unused)
     * @return bool always true
     */
    function sessao_open($aSavaPath, $aSessionName)
    {
        $lifetime = ini_get('session.gc_maxlifetime');
        sessao_gc($lifetime);
        return true;
    }
}
if (!function_exists('sessao_close'))
{
    /**
     * Session save handler "close" callback.
     *
     * There is no per-session resource to release, so this always succeeds.
     *
     * @return bool always true
     */
    function sessao_close()
    {
        return true;
    }
}
if (!function_exists('sessao_read'))
{
    /**
     * Session save handler "read" callback.
     *
     * Looks up $aKey in the `<prefix>sessions` table. An unknown ID gets an
     * empty row inserted (so that sessao_write() can later UPDATE it) and ''
     * is returned; a known ID returns its DataValue decrypted with
     * md5_decrypt(), keyed by the database credentials.
     *
     * @param string $aKey session ID
     * @return string serialized session data, '' for a new session
     */
    function sessao_read( $aKey )
    {
        global $mysql_zugangsdaten;

        $table = '`'.$mysql_zugangsdaten['praefix'].'sessions`';

        $result = db_query('SELECT `DataValue` FROM '.$table." WHERE `SessionID` = '".db_simple_escape($aKey)."'");
        if (db_num($result) != 0)
        {
            $row = db_fetch($result);
            $cryptoKey = $mysql_zugangsdaten['username'].':'.$mysql_zugangsdaten['passwort'];
            return md5_decrypt($row['DataValue'], $cryptoKey);
        }

        // First request with this ID: create the row now, the write callback only updates.
        db_query('INSERT INTO '.$table." (`SessionID`, `LastUpdated`, `DataValue`) VALUES ('".db_simple_escape($aKey)."', NOW(), '')");
        return '';
    }
}
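if (!function_exists('sessao_write'))
{
    /**
     * Session save handler "write" callback.
     *
     * Encrypts the serialized session data with md5_encrypt() (keyed by the
     * database credentials) and stores it in the row that sessao_read()
     * created for $aKey, refreshing LastUpdated.
     *
     * @param string $aKey session ID
     * @param string $aVal serialized session data
     * @return bool always true
     */
    function sessao_write( $aKey, $aVal )
    {
        global $mysql_zugangsdaten;

        $cryptoKey = $mysql_zugangsdaten['username'].':'.$mysql_zugangsdaten['passwort'];
        // Escape the ciphertext like the ID: nothing here guarantees that
        // md5_encrypt()'s output is free of quote characters.
        $data = db_simple_escape(md5_encrypt($aVal, $cryptoKey));

        db_query("UPDATE `".$mysql_zugangsdaten['praefix']."sessions` SET `DataValue` = '".$data."', `LastUpdated` = NOW() WHERE `SessionID` = '".db_simple_escape($aKey)."'");
        return true;
    }
}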
if (!function_exists('sessao_destroy'))
{
    /**
     * Session save handler "destroy" callback.
     *
     * Deletes the row for $aKey from `<prefix>sessions`; when a row was
     * actually removed the table is OPTIMIZEd afterwards.
     *
     * @param string $aKey session ID
     * @return bool always true
     */
    function sessao_destroy( $aKey )
    {
        global $mysql_zugangsdaten;

        $table = '`'.$mysql_zugangsdaten['praefix'].'sessions`';

        db_query('DELETE FROM '.$table." WHERE `SessionID` = '".db_simple_escape($aKey)."'");
        $removed = db_affected_rows() > 0;
        if ($removed)
        {
            db_query('OPTIMIZE TABLE '.$table);
        }
        return true;
    }
}
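if (!function_exists('sessao_gc'))
{
    /**
     * Session save handler "gc" callback.
     *
     * Deletes every `<prefix>sessions` row whose LastUpdated lies more than
     * $aMaxLifeTime seconds in the past (measured on the database clock) and
     * OPTIMIZEs the table if anything was removed.
     *
     * @param int|string $aMaxLifeTime lifetime in seconds (sessao_open() passes the ini_get() string)
     * @return bool always true
     */
    function sessao_gc( $aMaxLifeTime )
    {
        global $mysql_zugangsdaten;

        // The value is spliced into the SQL unquoted, so quote-escaping alone does
        // not constrain it; cast to int so only a number can reach the query.
        $maxLifeTime = (int)$aMaxLifeTime;

        db_query("DELETE FROM `".$mysql_zugangsdaten['praefix']."sessions` WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`LastUpdated`) > ".$maxLifeTime);
        if (db_affected_rows() > 0)
        {
            db_query("OPTIMIZE TABLE `".$mysql_zugangsdaten['praefix']."sessions`");
        }
        return true;
    }
}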
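// Install the database-backed handler; this has to precede session_start().
@session_set_save_handler("sessao_open", "sessao_close", "sessao_read", "sessao_write", "sessao_destroy", "sessao_gc");

@session_name($ib_session_name);
@session_start();

// Guard for PHP < 5.1.2 only: refuse a session cookie carrying CR/LF. The
// eregi() call is never reached on newer PHP, where the function no longer exists.
if (version_compare(PHP_VERSION, '5.1.2', 'lt') && isset($_COOKIE[$ib_session_name]) && eregi("\r|\n", $_COOKIE[$ib_session_name]))
{
    die('Angriff');
}

/* if (!preg_match("/^[0-9a-z]*$/i", session_id()))
{
    die($header.'Fehler! Die Session-ID ist ungültig.'.$footer);
} */

/*

I give up! I have spent 5 days non-stop trying to get
session_regenerate_id working on all 4 test systems, but the
session information keeps getting lost!
I think the solution below is sufficient.

$ary = explode('/', $_SERVER['PHP_SELF']);
if ($ary[count($ary)-1] == 'modulseite.php')
{
    // @session_regenerate_id(true);

    @session_start();
    $old_sessid = @session_id();
    @session_regenerate_id();
    $new_sessid = @session_id();
    @session_id($old_sessid);
    @session_destroy();

    $old_session = $_SESSION;
    @session_id($new_sessid);
    @session_start();
    $_SESSION = $old_session;
}

*/

/*
 * Session fingerprinting: the client's address (or its reverse-DNS name when
 * $usedns is set) and User-Agent are stored on first sight and compared on
 * every later request. A mismatch throws the session contents away.
 *
 * Globals written: $usedns, $useragent, $host, $dns, $_SESSION[host|dns|useragent|session_secured]
 */
$usedns = TRUE;

$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$host = fetchip();

if ($usedns) // <- was $global['dns'] in the original... what is that supposed to be?!
    $dns = @gethostbyaddr($host); // reverse lookup on every request; falls back to the address on failure
else
    $dns = $host;

if ((isset($_SESSION['session_secured'])) && ($_SESSION['session_secured']))
{
    if (
        (($_SESSION['host'] != $host) && !$usedns)
        || ($_SESSION['dns'] != $dns)
        || ($_SESSION['useragent'] != $useragent)
    ) {
        // Fingerprint changed: switch to a fresh ID and delete the old session row
        // (the `true` argument) so the previous ID cannot be presented again,
        // then drop the data. The fingerprint is re-recorded on the next request.
        session_regenerate_id(true);
        session_unset();
    }
} else {
    $_SESSION['host'] = $host;
    $_SESSION['dns'] = $dns;
    $_SESSION['useragent'] = $useragent;
    $_SESSION['session_secured'] = 1;
}

// -----------------------------------------------------------------------------------------------------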
// Page shown (via die()) when a locked account attempts to log in; wrapped in the global header/footer.
$gesperrt = sprintf(
    '%s<h1>Fehler</h1>Sie wurden als Benutzer von Personal WebBase gesperrt. Bitte wenden Sie sich an den Serveradministrator.<br><br><a href="index.php">Zurück zum Webinterface</a>%s',
    $header,
    $footer
);

// -1 means "not logged in"; the login block below compares against 0, 1 and 2.
if (!isset($wb_user_type))
{
    $wb_user_type = -1;
}
/*
 * Login handling and per-request session validation.
 *
 * Branch 1 (form post with login_process=1): the submitted credentials are
 * checked according to $wb_user_type — 2 = administrator (against the
 * configured admin_pwd), 1 = registered user (against the `<prefix>users`
 * table), 0 = guest (the configured guest account, looked up in the same
 * table). On success the user type and credentials are copied into $_SESSION
 * and last_login/last_login_ip are updated; on failure the session is
 * destroyed and a redirect header is queued.
 * Branch 2 (no form post): $wb_user_type and $ib_user_* are restored from
 * $_SESSION and re-validated against the database / configuration.
 *
 * Globals read:    $wb_user_type, $ib_user_username, $ib_user_passwort,
 *                  $konfiguration, $mysql_zugangsdaten, $m2, $gesperrt
 * Globals written: $wb_user_type, $ib_user_username, $ib_user_passwort,
 *                  $benutzer, $_SESSION
 *
 * NOTE(review): each failure path queues `header('location: ...')` but does
 * not exit, so execution continues through the remaining checks in this block
 * and into the including script. Example: a guest login while enable_gast is
 * off destroys the session and queues a redirect, yet the users-table lookup
 * right after it still runs with the same credentials and, if a row matches,
 * fills $_SESSION again. An exit after each redirect would close that.
 * NOTE(review): passwords are compared as unsalted md5 with != (see the
 * author's TODOs); hash_equals() on the hash strings would at least make the
 * comparison constant-time. The plaintext password is kept in $_SESSION.
 * NOTE(review): $rw[0] and $_SERVER['REMOTE_ADDR'] are spliced into the
 * UPDATE statements without db_escape(), unlike the username next to them.
 */
if (isset($_POST['login_process']) && ($_POST['login_process'] == '1'))
{
    // --- Administrator login: single configured password hash.
    if ($wb_user_type == 2)
    {
        if (md5($ib_user_passwort) != $konfiguration['main_administration']['admin_pwd']) // TODO: use sha3 hash, salted and peppered
        {
            // Wrong password: redirect to the admin module (session is left as is, no exit).
            if (!headers_sent()) header('location: index.php?prv_modul=main_administration');
        }
        else
        {
            // Remember the previous login for display, then record this one in the configuration.
            $_SESSION['last_login'] = $konfiguration['main_administration']['last_login'];
            $_SESSION['last_login_ip'] = $konfiguration['main_administration']['last_login_ip'];

            $res = db_query("SELECT NOW()");
            $row = db_fetch($res);

            ib_change_config('last_login', $row[0], 'main_administration');
            ib_change_config('last_login_ip', $_SERVER['REMOTE_ADDR'], 'main_administration');

            $_SESSION['wb_user_type'] = $wb_user_type;
            $_SESSION['ib_user_passwort'] = $ib_user_passwort;
        }
    }

    // --- Registered-user login (also where the guest account is detected).
    if ($wb_user_type == '1')
    {
        if (($ib_user_username == $konfiguration['main_gastzugang']['gast_username']) && ($ib_user_passwort == $konfiguration['main_gastzugang']['gast_passwort']))
        {
            if ($konfiguration['main_gastzugang']['enable_gast'])
            {
                // Guest credentials submitted through the user form: demote to guest.
                $wb_user_type = '0';
            }
            else
            {
                @session_unset();
                @session_destroy();

                // No exit here: the users-table lookup below still runs (see NOTE(review) above).
                if (!headers_sent()) header('location: index.php?prv_modul='.urlencode($m2));
            }
        }

        $res = db_query("SELECT * FROM `".$mysql_zugangsdaten['praefix']."users` WHERE `username` = '".db_escape($ib_user_username)."' AND `passwort` = '".md5($ib_user_passwort)."'"); // TODO: use sha3 hash, salted and peppered
        if (db_num($res) > 0)
        {
            // Copy the whole user row into the global $benutzer array.
            $row = db_fetch($res);
            foreach ($row as $key => $value)
                $benutzer[$key] = $value;

            if ($benutzer['gesperrt'] == '1')
            {
                // Account is locked: drop the session and stop with the lock-out page.
                @session_unset();
                @session_destroy();

                die($gesperrt);
            }
            else
            {
                $rs = db_query("SELECT NOW()");
                $rw = db_fetch($rs);

                $_SESSION['last_login'] = $benutzer['last_login'];
                $_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
                db_query("UPDATE `".$mysql_zugangsdaten['praefix']."users` SET `last_login` = '".$rw[0]."', `last_login_ip` = '".$_SERVER['REMOTE_ADDR']."' WHERE `username` = '".db_escape($ib_user_username)."'");
                $benutzer['last_login'] = $rw[0];
                $benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];

                $_SESSION['wb_user_type'] = $wb_user_type;
                $_SESSION['ib_user_username'] = $ib_user_username;
                $_SESSION['ib_user_passwort'] = $ib_user_passwort;
            }
        }
        else
        {
            // No matching user: discard the session and redirect back to the login module.
            @session_unset();
            @session_destroy();

            if (!headers_sent()) header('location: index.php?prv_modul='.urlencode($m2));
        }
    }

    // --- Guest login: the configured guest account must also exist in the users table.
    if ($wb_user_type == '0')
    {
        if ($konfiguration['main_gastzugang']['enable_gast'])
        {
            $res = db_query("SELECT * FROM `".$mysql_zugangsdaten['praefix']."users` WHERE `username` = '".db_escape($konfiguration['main_gastzugang']['gast_username'])."' AND `passwort` = '".md5($konfiguration['main_gastzugang']['gast_passwort'])."'"); // TODO: use sha3 hash, salted and peppered
            if (db_num($res) > 0)
            {
                $row = db_fetch($res);
                foreach ($row as $key => $value)
                    $benutzer[$key] = $value;

                if ($benutzer['gesperrt'] == '1')
                {
                    @session_unset();
                    @session_destroy();

                    die($gesperrt);
                }
                else
                {
                    $rs = db_query("SELECT NOW()");
                    $rw = db_fetch($rs);

                    $_SESSION['last_login'] = $benutzer['last_login'];
                    $_SESSION['last_login_ip'] = $benutzer['last_login_ip'];
                    db_query("UPDATE `".$mysql_zugangsdaten['praefix']."users` SET `last_login` = '".$rw[0]."', `last_login_ip` = '".$_SERVER['REMOTE_ADDR']."' WHERE `username` = '".db_escape($konfiguration['main_gastzugang']['gast_username'])."'");
                    $benutzer['last_login'] = $rw[0];
                    $benutzer['last_login_ip'] = $_SERVER['REMOTE_ADDR'];

                    // Only the type is stored for guests; credentials are re-read from the configuration.
                    $_SESSION['wb_user_type'] = $wb_user_type;
                }
            }
            else
            {
                @session_unset();
                @session_destroy();

                if (!headers_sent()) header('location: index.php?prv_modul=main_gastzugang');
            }
        }
        else
        {
            // Guest access disabled in the configuration.
            @session_unset();
            @session_destroy();

            if (!headers_sent()) header('location: index.php?prv_modul=main_gastzugang');
        }
    }
}
else
{
    // --- No login form: restore and re-check the user recorded in the session.
    if ((!isset($_SESSION['wb_user_type'])) || (($_SESSION['wb_user_type'] != '0') && ($_SESSION['wb_user_type'] != '1') && ($_SESSION['wb_user_type'] != '2')))
    {
        // Nothing (valid) in the session: treat as not logged in.
        $wb_user_type = -1;
    }
    else
    {
        if ($_SESSION['wb_user_type'] == '0')
        {
            // Guest session: guest access must still be enabled and the account still present.
            if ($konfiguration['main_gastzugang']['enable_gast'])
            {
                $res = db_query("SELECT * FROM `".$mysql_zugangsdaten['praefix']."users` WHERE `username` = '".db_escape($konfiguration['main_gastzugang']['gast_username'])."' AND `passwort` = '".md5($konfiguration['main_gastzugang']['gast_passwort'])."'"); // TODO: use sha3 hash, salted and peppered
                if (db_num($res) > 0)
                {
                    $row = db_fetch($res);
                    foreach ($row as $key => $value)
                        $benutzer[$key] = $value;

                    if ($benutzer['gesperrt'] == '1')
                    {
                        @session_unset();
                        @session_destroy();

                        die($gesperrt);
                    }
                    else
                    {
                        $wb_user_type = $_SESSION['wb_user_type'];
                        $ib_user_username = $konfiguration['main_gastzugang']['gast_username'];
                        $ib_user_passwort = $konfiguration['main_gastzugang']['gast_passwort'];
                    }
                }
                else
                {
                    @session_unset();
                    @session_destroy();

                    if (!headers_sent()) header('location: index.php?prv_modul=main_gastzugang');
                }
            }
            else
            {
                @session_unset();
                @session_destroy();

                if (!headers_sent()) header('location: index.php?prv_modul='.urlencode($m2));
            }
        }
        else if ($_SESSION['wb_user_type'] == '1')
        {
            // User session: the stored username/password pair is re-verified against the table on every request.
            $res = db_query("SELECT * FROM `".$mysql_zugangsdaten['praefix']."users` WHERE `username` = '".db_escape($_SESSION['ib_user_username'])."' AND `passwort` = '".md5($_SESSION['ib_user_passwort'])."'"); // TODO: use sha3 hash, salted and peppered
            if (db_num($res) > 0)
            {
                $row = db_fetch($res);
                foreach ($row as $key => $value)
                    $benutzer[$key] = $value;

                if ($benutzer['gesperrt'] == '1')
                {
                    @session_unset();
                    @session_destroy();

                    die($gesperrt);
                }
                else
                {
                    $wb_user_type = $_SESSION['wb_user_type'];
                    $ib_user_username = $_SESSION['ib_user_username'];
                    $ib_user_passwort = $_SESSION['ib_user_passwort'];
                }
            }
            else
            {
                @session_unset();
                @session_destroy();

                if (!headers_sent()) header('location: index.php?prv_modul='.urlencode($m2));
            }
        }
        else if ($_SESSION['wb_user_type'] == '2')
        {
            // Admin session: the stored password is re-checked against the configured hash.
            if (md5($_SESSION['ib_user_passwort']) != $konfiguration['main_administration']['admin_pwd']) // TODO: use sha3 hash, salted and peppered
            {
                // Hash no longer matches (e.g. password changed): redirect, but the session is not destroyed and $wb_user_type keeps its prior value.
                if (!headers_sent()) header('location: index.php?prv_modul=main_administration');
            }
            else
            {
                $wb_user_type = $_SESSION['wb_user_type'];
                $ib_user_passwort = $_SESSION['ib_user_passwort'];
            }
        }
    }
}
416 | ?> |