Changeset 2855


Timestamp:
05/25/10 17:00:15 (12 years ago)
Author:
niltonneto
Message:

Ticket #1041 - Corrigido problema na validação da sessão por IP.

Location:
trunk
Files:
5 edited

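--- a/trunk/doc-expressolivre/debian/arqs-conf/header.inc.php
+++ b/trunk/doc-expressolivre/debian/arqs-conf/header.inc.php
@@ -123,5 +123,5 @@
         $GLOBALS['phpgw_info']['server']['versions']['current_header'] = $setup_info['phpgwapi']['versions']['current_header'];
         unset($setup_info);
-        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.0';
+        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.2';
         /* This is a fix for NT */
         if(!isset($GLOBALS['phpgw_info']['flags']['noapi']) || !$GLOBALS['phpgw_info']['flags']['noapi'] == True)
@@ -131,10 +131,4 @@
         $connection_id = $GLOBALS['phpgw']->session->sessionid;
         if (!strlen($connection_id) != 32){
-                if (!isset($_SESSION['connection_db_info']))
-                {
-                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['phpgw']->session->sessionid}' limit 1",__LINE__,__FILE__);
-                $GLOBALS['phpgw']->db->next_record( );
-                $_SESSION['connection_db_info']['user_auth'] = $GLOBALS['phpgw']->db->row( );
-                }
                 include("header.session.inc.php");
         }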
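--- a/trunk/header.inc.php.template
+++ b/trunk/header.inc.php.template
@@ -118,5 +118,5 @@
         $GLOBALS['phpgw_info']['server']['versions']['current_header'] = $setup_info['phpgwapi']['versions']['current_header'];
         unset($setup_info);
-        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.0';
+        $GLOBALS['phpgw_info']['server']['versions']['header'] = '2.2';
         /* This is a fix for NT */
         if(!isset($GLOBALS['phpgw_info']['flags']['noapi']) || !$GLOBALS['phpgw_info']['flags']['noapi'] == True)
@@ -126,10 +126,4 @@
         $connection_id = $GLOBALS['phpgw']->session->sessionid;
         if (!strlen($connection_id) != 32){
-                if (!isset($_SESSION['connection_db_info']))
-                {
-                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['phpgw']->session->sessionid}' limit 1",__LINE__,__FILE__);
-                $GLOBALS['phpgw']->db->next_record( );
-                $_SESSION['connection_db_info']['user_auth'] = $GLOBALS['phpgw']->db->row( );
-                }
                 include("header.session.inc.php");
         }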
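--- a/trunk/header.session.inc.php
+++ b/trunk/header.session.inc.php
@@ -10,19 +10,41 @@
         *  option) any later version.                                              *
         \**************************************************************************/
-        if ( isset( $_COOKIE[ 'sessionid' ] ) )
+    if ( isset( $_COOKIE[ 'sessionid' ] ) )
                 session_id( $_COOKIE[ 'sessionid' ] );
 
         session_start( );
+
         $sess = $_SESSION[ 'phpgw_session' ];
-        $user_ip =  (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
-        $connection_id = "{$sess['session_id']}{$user_ip}".substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199);
-  
-        if ( empty($_SESSION['phpgw_session']['session_id']) ||
-                ($_SESSION['connection_db_info']['user_auth'] && implode('',$_SESSION['connection_db_info']['user_auth']) !== $connection_id)
-        )
+        $invalidSession = false;
+        $user_agent = array();
+        if (isset($GLOBALS['phpgw']) && !isset($_SESSION['connection_db_info'])){
+                if($GLOBALS['phpgw_info']['server']['use_https'] == 1) {
+                $new_ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']."," : ""). $_SERVER['REMOTE_ADDR'];
+                $GLOBALS['phpgw']->db->query("UPDATE phpgw_access_log SET ip='$new_ip' WHERE account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}'",__LINE__,__FILE__);
+                }
+                $GLOBALS['phpgw']->db->query("select trim(sessionid), ip, browser from phpgw_access_log where account_id <> 0 and lo = 0 and sessionid='{$GLOBALS['sessionid']}' limit 1",__LINE__,__FILE__);
+                $GLOBALS['phpgw']->db->next_record();
+                if($GLOBALS['phpgw']->db->row( ))
+                        $_SESSION['connection_db_info']['user_auth'] = implode("",$GLOBALS['phpgw']->db->row( ));
+        }
+        if($_SESSION['connection_db_info']['user_auth']){
+                $invalidSession = true;
+                $http_user_agent = substr($_SERVER[ 'HTTP_USER_AGENT' ],0,199);
+                $user_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? array($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR']) : array($_SERVER['REMOTE_ADDR']);
+                $user_agent[] = "{$sess['session_id']}{$user_ip[0]}".$http_user_agent;
+                if(count($user_ip) == 2) {
+                        $user_agent[] = "{$sess['session_id']}{$user_ip[1]}".$http_user_agent;
+                        $user_agent[] = $sess['session_id'].implode(",",array_reverse($user_ip)).$http_user_agent;
+                }
+                $pconnection_id = $_SESSION['connection_db_info']['user_auth'];
+                if(array_search($pconnection_id, $user_agent)  !== FALSE) {
+                        $invalidSession = false;
+                }
+        }
+        if (empty($_SESSION['phpgw_session']['session_id']) || $invalidSession)
         {
                 if($_SESSION['connection_db_info']['user_auth'] && !strstr($_SERVER['SCRIPT_URL'],"/controller.php")) {
-                        error_log( '[ INVALID SESSION ] >>>>' . implode('',$_SESSION['connection_db_info']['user_auth']) . '<<<< - >>>>' . $connection_id . '<<<<', 0 );
-                        @require_once dirname( __FILE__ ) . '/logout.php';
+                        error_log( '[ INVALID SESSION ] >>>>' .$_SESSION['connection_db_info']['user_auth'].'<<<< - >>>>' . implode("",$user_agent), 0 );
+                        require_once dirname( __FILE__ ) . '/logout.php';
                 }
 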
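Review bot: The values interpolated into the UPDATE and SELECT strings on new lines 22–25 are request-controlled: `$new_ip` is built from the `HTTP_X_FORWARDED_FOR` header and `$GLOBALS['sessionid']` comes from GET/COOKIE (logout.php line 24 in this changeset), so both queries are SQL-injectable; pass both through the db layer's quoting (e.g. `db_addslashes()`, if the db class provides it) or a parameterised query, and reject `$new_ip` unless every component passes `filter_var($part, FILTER_VALIDATE_IP)`. The IP binding is also only as strong as the header the client sends: under `use_https` the UPDATE overwrites the recorded ip with the client-supplied forwarded address, and the candidate list on lines 33–40 accepts that address as a match, so the check no longer pins the session to the real source address; honour X-Forwarded-For only when `REMOTE_ADDR` is a configured trusted proxy. Line 30 reads `$_SESSION['connection_db_info']['user_auth']` without `isset()`, which raises a notice whenever the lookup above found no row, so guard it with `if (!empty($_SESSION['connection_db_info']['user_auth'])) {`. The file continues outside the hunk.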
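--- a/trunk/logout.php
+++ b/trunk/logout.php
@@ -20,5 +20,5 @@
                 'nonavbar'               => True
         );
-        include('./header.inc.php');
+        include(dirname( __FILE__ ).'/header.inc.php');
 
         $GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));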
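--- a/trunk/phpgwapi/inc/class.sessions.inc.php
+++ b/trunk/phpgwapi/inc/class.sessions.inc.php
@@ -404,28 +404,9 @@
                 * Get the ip address of current users
                 *
-                * @return string ip address
+                * @return string HTTP_X_FORWARDED_FOR (if exists) and REMOTE_ADDR ip addresses.
                 */
                 function getuser_ip()
                 {
-                /*
-                        if (getenv(HTTP_X_FORWARDED_FOR))
-                        {
-                                if (getenv(HTTP_CLIENT_IP))
-                                {
-                                        $ip=getenv(HTTP_CLIENT_IP);
-                                }
-                                else
-                                {
-                                        $ip=getenv(HTTP_X_FORWARDED_FOR);
-                                }
-                                $ip_proxy=getenv(REMOTE_ADDR);
-                        }
-                        else
-                        {
-                                $ip=getenv(REMOTE_ADDR);
-                        }
-                        return $ip;
-                */
-                        return (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']);
+                        return (isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']."," : "").$_SERVER['REMOTE_ADDR'];
                 }
 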
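Review bot: The new return on line 410 concatenates the raw `HTTP_X_FORWARDED_FOR` header with `REMOTE_ADDR` without validating it, yet the header is set by the client or any intermediate proxy, so every caller that stores or compares the result treats an untrusted string as the peer address. Validate each component with `filter_var($ip, FILTER_VALIDATE_IP)` and include the forwarded address only when `REMOTE_ADDR` is a known proxy, returning `REMOTE_ADDR` alone otherwise. The docblock should state the new shape explicitly, e.g. `@return string REMOTE_ADDR, prefixed with 'HTTP_X_FORWARDED_FOR,' when that header is present`, since callers that previously received a single address now get a comma-separated pair. The enclosing class continues outside the hunk.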