source: branches/2.0/header.session.inc.php @ 2850

Revision 2850, 2.5 KB checked in by niltonneto, 14 years ago (diff)

Ticket #1041 - Corrigido problema na validação da sessão por IP.

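<?php
	/*
	 * Session bootstrap and validation, run as a flat include.
	 *
	 * Steps performed below:
	 *   1. Adopt the session id sent in the 'sessionid' cookie and start the session.
	 *   2. On the first request of a PHP session (no 'connection_db_info' cached yet),
	 *      read the row for this session from phpgw_access_log and cache
	 *      sessionid . ip . browser as $_SESSION['connection_db_info']['user_auth'].
	 *   3. Rebuild the same fingerprint from the current request and compare.
	 *   4. On mismatch (or when no phpgw session id is present) drop the cookie and
	 *      either load logout.php or answer "nosession" to ExpressoAjax requests.
	 *
	 * NOTE(review): the fingerprint accepts the client-supplied X-Forwarded-For
	 * header as an address. Unless a trusted reverse proxy overwrites that header,
	 * any client can choose its value, so the IP part of the check is only as
	 * strong as the proxy configuration. Confirm the deployment strips or
	 * overwrites X-Forwarded-For at the edge.
	 */

	// Characters PHP's own session ids are made of. Anything else (arrays,
	// quotes, path characters, over-long values) is never handed to session_id()
	// or placed inside an SQL string.
	$session_id_pattern = '/\A[A-Za-z0-9,-]{1,128}\z/';
	// Characters a comma-separated list of IPv4/IPv6 addresses can contain.
	$ip_list_pattern = '/\A[0-9A-Fa-f:., ]{1,255}\z/';

	if ( isset( $_COOKIE[ 'sessionid' ] )
		&& is_string( $_COOKIE[ 'sessionid' ] )
		&& preg_match( $session_id_pattern, $_COOKIE[ 'sessionid' ] ) )
	{
		session_id( $_COOKIE[ 'sessionid' ] );
	}

	session_start( );

	// isset() guards below avoid undefined-index notices on a fresh session.
	$sess = isset( $_SESSION[ 'phpgw_session' ] ) ? $_SESSION[ 'phpgw_session' ] : null;
	$sess_session_id = isset( $sess['session_id'] ) ? $sess['session_id'] : '';
	$invalidSession = false;
	$user_agent = array();

	// SCRIPT_URL is not present in every server setup; treat a missing value as
	// "not an ExpressoAjax controller request".
	$is_controller_request = isset( $_SERVER['SCRIPT_URL'] )
		&& strpos( $_SERVER['SCRIPT_URL'], "/controller.php" ) !== false;

	if (isset($GLOBALS['phpgw']) && !isset($_SESSION['connection_db_info'])){
		$db_sessionid = ( isset( $GLOBALS['sessionid'] ) && is_string( $GLOBALS['sessionid'] ) ) ? $GLOBALS['sessionid'] : '';

		// The queries below are built by string interpolation, so they run only
		// when every interpolated value has passed its allow-list. A session id
		// that fails the check is handled like "no matching row".
		if ( preg_match( $session_id_pattern, $db_sessionid ) ) {
			if ( !empty( $GLOBALS['phpgw_info']['server']['use_https'] )
				&& $GLOBALS['phpgw_info']['server']['use_https'] == 1 )
			{
				$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
				if ( preg_match( $ip_list_pattern, $remote_addr ) ) {
					// X-Forwarded-For is request data: it is prepended only when it
					// looks like an address list; otherwise the connection address
					// alone is stored, which the first candidate below still matches.
					$new_ip = $remote_addr;
					if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] )
						&& preg_match( $ip_list_pattern, $_SERVER['HTTP_X_FORWARDED_FOR'] ) )
					{
						$new_ip = $_SERVER['HTTP_X_FORWARDED_FOR'] . "," . $remote_addr;
					}
					$GLOBALS['phpgw']->db->query("UPDATE phpgw_access_log SET ip='$new_ip' WHERE account_id <> 0 and lo = 0 and sessionid='$db_sessionid'",__LINE__,__FILE__);
				}
			}
			$GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='$db_sessionid' limit 1",__LINE__,__FILE__);
			$GLOBALS['phpgw']->db->next_record();
			if($GLOBALS['phpgw']->db->row( ))
				$_SESSION['connection_db_info']['user_auth'] = implode("",$GLOBALS['phpgw']->db->row( ));
		}
	}

	// Cached fingerprint (sessionid . ip . browser), or '' when none was stored.
	$pconnection_id = isset( $_SESSION['connection_db_info']['user_auth'] )
		? (string) $_SESSION['connection_db_info']['user_auth']
		: '';

	if($pconnection_id){
		// Guilty until one of the candidate fingerprints matches.
		$invalidSession = true;
		$http_user_agent = isset( $_SERVER[ 'HTTP_USER_AGENT' ] ) ? (string) substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199) : '';
		$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
		$user_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? array($remote_addr, $_SERVER['HTTP_X_FORWARDED_FOR']) : array($remote_addr);

		// Candidate 1: connection address only.
		$user_agent[] = $sess_session_id.$user_ip[0].$http_user_agent;
		if(count($user_ip) == 2) {
			// Candidate 2: forwarded address only.
			$user_agent[] = $sess_session_id.$user_ip[1].$http_user_agent;
			// Candidate 3: "forwarded,connection", the format written by the UPDATE above.
			$user_agent[] = $sess_session_id.implode(",",array_reverse($user_ip)).$http_user_agent;
		}

		// Strict comparison: the loose default of array_search() treats
		// numeric-looking strings such as "1e3" and "1000" as equal.
		if(in_array($pconnection_id, $user_agent, true)) {
			$invalidSession = false;
		}
	}

	if (empty($_SESSION['phpgw_session']['session_id']) || $invalidSession)
	{
		if($pconnection_id && !$is_controller_request) {
			// User-Agent and X-Forwarded-For are request data; control characters
			// are replaced so a request cannot forge extra log lines.
			// NOTE(review): both fields start with the session id; confirm the
			// error log is not readable by anyone who should not see it.
			$log_expected = preg_replace( '/[\x00-\x1F\x7F]/', ' ', $pconnection_id );
			$log_received = preg_replace( '/[\x00-\x1F\x7F]/', ' ', implode("",$user_agent) );
			error_log( '[ INVALID SESSION ] >>>>' .$log_expected.'<<<< - >>>>' . $log_received, 0 );
			require_once dirname( __FILE__ ) . '/logout.php';
		}

		setcookie(session_name(),"",0); // Removing session cookie.
		// NOTE(review): unset() drops the variable in this request only. On the
		// controller.php path logout.php is not loaded, so the stored session
		// data is presumably left in place -- confirm whether it should be destroyed.
		unset($_SESSION);               // Removing session values.
		// From ExpressoAjax response "nosession"
		if($is_controller_request){
			echo serialize(array("nosession" => true));
			exit;
		}
	}
	else{
		// From ExpressoAjax update session_dla (datetime last access).
		if($is_controller_request)
			$_SESSION['phpgw_session']['session_dla'] = time();
	}
?>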