Changeset 2855

Timestamp:

05/25/10 17:00:15 (14 years ago)

Author:

niltonneto

Message:

Ticket #1041 - Corrigido problema na validação da sessão por IP.

Location:

trunk

Files:

• doc-expressolivre/debian/arqs-conf/header.inc.php (modified) (2 diffs)
• header.inc.php.template (modified) (2 diffs)
• header.session.inc.php (modified) (1 diff)
• logout.php (modified) (1 diff)
• phpgwapi/inc/class.sessions.inc.php (modified) (1 diff)

trunk/doc-expressolivre/debian/arqs-conf/header.inc.php

@@ -123 +123 @@
         $GLOBALS['phpgw_info']['server']['versions']['current_header'] = $setup_info['phpgwapi']['versions']['current_header'];
         unset($setup_info);
-        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.0';
+        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.2';
         /* This is a fix for NT */
         if(!isset($GLOBALS['phpgw_info']['flags']['noapi']) || !$GLOBALS['phpgw_info']['flags']['noapi'] == True)
@@ -131 +131 @@
         $connection_id = $GLOBALS['phpgw']->session->sessionid;
         if (!strlen($connection_id) != 32){
-                if (!isset($_SESSION['connection_db_info']))
-                {
-                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['phpgw']->session->sessionid}' limit 1",__LINE__,__FILE__);
-                $GLOBALS['phpgw']->db->next_record( );
-                $_SESSION['connection_db_info']['user_auth'] = $GLOBALS['phpgw']->db->row( );
-                }
                 include("header.session.inc.php");
         }

trunk/header.inc.php.template

@@ -118 +118 @@
         $GLOBALS['phpgw_info']['server']['versions']['current_header'] = $setup_info['phpgwapi']['versions']['current_header'];
         unset($setup_info);
-        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.0';
+        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.2';
         /* This is a fix for NT */
         if(!isset($GLOBALS['phpgw_info']['flags']['noapi']) || !$GLOBALS['phpgw_info']['flags']['noapi'] == True)
@@ -126 +126 @@
         $connection_id = $GLOBALS['phpgw']->session->sessionid;
         if (!strlen($connection_id) != 32){
-                if (!isset($_SESSION['connection_db_info']))
-                {
-                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['phpgw']->session->sessionid}' limit 1",__LINE__,__FILE__);
-                $GLOBALS['phpgw']->db->next_record( );
-                $_SESSION['connection_db_info']['user_auth'] = $GLOBALS['phpgw']->db->row( );
-                }
                 include("header.session.inc.php");
         }

trunk/header.session.inc.php

@@ -10 +10 @@
         *  option) any later version.                                              *
         \**************************************************************************/
-        if ( isset( $_COOKIE[ 'sessionid' ] ) )
+    if ( isset( $_COOKIE[ 'sessionid' ] ) )
                 session_id( $_COOKIE[ 'sessionid' ] );
 
         session_start( );
+
         $sess = $_SESSION[ 'phpgw_session' ];
-        $user_ip =  (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
-        $connection_id = "{$sess['session_id']}{$user_ip}".substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199);
- 
-        if ( empty($_SESSION['phpgw_session']['session_id']) ||
-                ($_SESSION['connection_db_info']['user_auth'] && implode('',$_SESSION['connection_db_info']['user_auth']) !== $connection_id)
-        )
+        $invalidSession = false;
+        $user_agent = array();
+        if (isset($GLOBALS['phpgw']) && !isset($_SESSION['connection_db_info'])){
+                if($GLOBALS['phpgw_info']['server']['use_https'] == 1) {
+                $new_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']."," : ""). $_SERVER['REMOTE_ADDR'];
+                $GLOBALS['phpgw']->db->query("UPDATE phpgw_access_log SET ip='$new_ip' WHERE account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}'",__LINE__,__FILE__);
+                }
+                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}' limit 1",__LINE__,__FILE__);
+                $GLOBALS['phpgw']->db->next_record();
+                if($GLOBALS['phpgw']->db->row( ))
+                        $_SESSION['connection_db_info']['user_auth'] = implode("",$GLOBALS['phpgw']->db->row( ));
+        }
+        if($_SESSION['connection_db_info']['user_auth']){
+                $invalidSession = true;
+                $http_user_agent = substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199);
+                $user_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR']) : array($_SERVER['REMOTE_ADDR']);
+                $user_agent[] = "{$sess['session_id']}{$user_ip[0]}".$http_user_agent;
+                if(count($user_ip) == 2) {
+                        $user_agent[] = "{$sess['session_id']}{$user_ip[1]}".$http_user_agent;
+                        $user_agent[] = $sess['session_id'].implode(",",array_reverse($user_ip)).$http_user_agent;
+                }
+                $pconnection_id = $_SESSION['connection_db_info']['user_auth'];
+                if(array_search($pconnection_id, $user_agent)  !== FALSE) {
+                        $invalidSession = false;
+                }
+        }
+        if (empty($_SESSION['phpgw_session']['session_id']) || $invalidSession)
         {
                 if($_SESSION['connection_db_info']['user_auth'] && !strstr($_SERVER['SCRIPT_URL'],"/controller.php")) {
-                        error_log( '[ INVALID SESSION ] >>>>' . implode('',$_SESSION['connection_db_info']['user_auth']) . '<<<< - >>>>' . $connection_id . '<<<<', 0 );
-                        @require_once dirname( __FILE__ ) . '/logout.php';
+                        error_log( '[ INVALID SESSION ] >>>>' .$_SESSION['connection_db_info']['user_auth'].'<<<< - >>>>' . implode("",$user_agent), 0 );
+                        require_once dirname( __FILE__ ) . '/logout.php';
                 }
 

trunk/logout.php

@@ -20 +20 @@
                 'nonavbar'               => True
         );
-        include('./header.inc.php');
+        include(dirname( __FILE__ ).'/header.inc.php');
 
         $GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));

trunk/phpgwapi/inc/class.sessions.inc.php

@@ -404 +404 @@
                 * Get the ip address of current users
                 *
-                * @return string ip address
+                * @return string HTTP_X_FORWARDED_FOR (if exists) and REMOTE_ADDR ip addresses.
                 */
                 function getuser_ip()
                 {
-                /*
-                        if (getenv(HTTP_X_FORWARDED_FOR))
-                        {
-                                if (getenv(HTTP_CLIENT_IP))
-                                {
-                                        $ip=getenv(HTTP_CLIENT_IP);
-                                }
-                                else
-                                {
-                                        $ip=getenv(HTTP_X_FORWARDED_FOR);
-                                }
-                                $ip_proxy=getenv(REMOTE_ADDR);
-                        }
-                        else
-                        {
-                                $ip=getenv(REMOTE_ADDR);
-                        }
-                        return $ip;
-                */
-                        return (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
+                        return (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']."," : "").$_SERVER['REMOTE_ADDR'];
                 }