source: trunk/header.session.inc.php @ 2910

Revision 2910, 3.7 KB checked in by niltonneto, 14 years ago (diff)

Ticket #1041 - Reativada configuração "Verificar endereço IP de todas sessões".

Line 
1<?php
2
3        /***************************************************************************
4        * Expresso Livre                                                           *
5        * http://www.expressolivre.org                                             *
6        * --------------------------------------------                             *
7        *  This program is free software; you can redistribute it and/or modify it *
8        *  under the terms of the GNU General Public License as published by the   *
9        *  Free Software Foundation; either version 2 of the License, or (at your  *
10        *  option) any later version.                                              *
11        \**************************************************************************/
12    if ( isset( $_COOKIE[ 'sessionid' ] ) )
13                session_id( $_COOKIE[ 'sessionid' ] );
14
15        session_start( );
16
17        $sess = $_SESSION[ 'phpgw_session' ];
18        $invalidSession = false;
19        $user_agent = array();
20        if (isset($GLOBALS['phpgw']) && !isset($_SESSION['connection_db_info'])){
21                $_SESSION['phpgw_info']['admin']['server']['sessions_checkip'] = $GLOBALS['phpgw_info']['server']['sessions_checkip'];
22                if($GLOBALS['phpgw_info']['server']['use_https'] == 1) {
23                $new_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']."," : ""). $_SERVER['REMOTE_ADDR'];
24                $GLOBALS['phpgw']->db->query("UPDATE phpgw_access_log SET ip='$new_ip' WHERE account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}'",__LINE__,__FILE__);
25                }
26                $GLOBALS['phpgw']->db->query("select trim(sessionid),".($_SESSION['phpgw_info']['admin']['server']['sessions_checkip'] ? "ip," : "")."browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}' limit 1",__LINE__,__FILE__);
27                $GLOBALS['phpgw']->db->next_record();
28                if($GLOBALS['phpgw']->db->row( ))
29                        $_SESSION['connection_db_info']['user_auth'] = implode("",$GLOBALS['phpgw']->db->row( ));
30        }
31        if($_SESSION['connection_db_info']['user_auth']){
32                $invalidSession = true;
33                $http_user_agent = substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199);
34                $user_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR']) : array($_SERVER['REMOTE_ADDR']);
35                $user_agent[] = ($_SESSION['phpgw_info']['admin']['server']['sessions_checkip'] ? "{$sess['session_id']}{$user_ip[0]}" : "{$sess['session_id']}").$http_user_agent;
36                if(count($user_ip) == 2) {
37                        $user_agent[] = "{$sess['session_id']}{$user_ip[1]}".$http_user_agent;
38                        $user_agent[] = $sess['session_id'].implode(",",array_reverse($user_ip)).$http_user_agent;
39                }
40                $pconnection_id = $_SESSION['connection_db_info']['user_auth'];
41                if(array_search($pconnection_id, $user_agent)  !== FALSE) {
42                        $invalidSession = false;
43                }
44        }
45        if (empty($_SESSION['phpgw_session']['session_id']) || $invalidSession)
46        {
47                if($_SESSION['connection_db_info']['user_auth'] && !strstr($_SERVER['SCRIPT_URL'],"/controller.php")) {
48                        error_log( '[ INVALID SESSION ] >>>>' .$_SESSION['connection_db_info']['user_auth'].'<<<< - >>>>' . implode("",$user_agent), 0 );
49                        $GLOBALS['phpgw']->session->phpgw_setcookie('sessionid');
50                        $GLOBALS['phpgw']->redirect($GLOBALS['phpgw_info']['server']['webserver_url'].'/login.php?cd=10');
51                }
52
53                setcookie(session_name(),"",0); // Removing session cookie.
54                unset($_SESSION);                               // Removing session values.
55                // From ExpressoAjax response "nosession"
56                if(strstr($_SERVER['SCRIPT_URL'],"/controller.php")){
57                        echo serialize(array("nosession" => true));
58                        exit;
59                }
60        }
61        else{
62                // From ExpressoAjax update session_dla (datetime last access).
63                if(strstr($_SERVER['SCRIPT_URL'],"/controller.php"))
64                        $_SESSION['phpgw_session']['session_dla'] = time();
65        }
66?>
Note: See TracBrowser for help on using the repository browser.