2011-03-16 18:28:52 +00:00
|
|
|
<?php
|
2007-04-03 14:10:23 +00:00
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
require_once 'includes/authentication_functions.inc.php';
|
|
|
|
|
|
2014-02-03 22:32:45 +00:00
|
|
|
@ini_set('session.use_only_cookies', 1);
|
|
|
|
|
@ini_set('session.cookie_httponly', 1);
|
2016-12-26 16:11:00 -07:00
|
|
|
@ini_set('session.use_strict_mode', 1); // php >= 5.5.2
|
|
|
|
|
@ini_set('session.use_trans_sid', 0); // insecure feature, be sure it is disabled
|
|
|
|
|
|
|
|
|
|
/* make sure our PHP sessions can survive for the desired amount of time */
|
|
|
|
|
@ini_set('session.gc_maxlifetime', $config['auth_remember'] * 60 * 60 * 24);
|
|
|
|
|
|
2009-05-11 14:59:40 +00:00
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
auth_check_session();
|
2010-07-05 19:19:19 +00:00
|
|
|
|
|
|
|
|
// Preflight checks
|
2015-07-13 20:10:26 +02:00
|
|
|
if (!is_dir($config['rrd_dir'])) {
|
|
|
|
|
echo "<div class='errorbox'>RRD Log Directory is missing ({$config['rrd_dir']}). Graphing may fail.</div>";
|
2011-03-26 19:28:39 +00:00
|
|
|
}
|
2010-07-05 19:19:19 +00:00
|
|
|
|
2015-07-13 20:10:26 +02:00
|
|
|
if (!is_dir($config['temp_dir'])) {
|
|
|
|
|
echo "<div class='errorbox'>Temp Directory is missing ({$config['temp_dir']}). Graphing may fail.</div>";
|
2011-03-26 19:28:39 +00:00
|
|
|
}
|
2010-07-05 19:19:19 +00:00
|
|
|
|
2015-07-13 20:10:26 +02:00
|
|
|
if (!is_writable($config['temp_dir'])) {
|
|
|
|
|
echo "<div class='errorbox'>Temp Directory is not writable ({$config['tmp_dir']}). Graphing may fail.</div>";
|
2011-03-26 19:28:39 +00:00
|
|
|
}
|
2010-07-05 19:19:19 +00:00
|
|
|
|
2014-02-03 22:32:45 +00:00
|
|
|
// Clear up any old sessions
|
2015-07-13 20:10:26 +02:00
|
|
|
dbDelete('session', '`session_expiry` < ?', array(time()));
|
|
|
|
|
|
2016-09-13 15:10:42 +01:00
|
|
|
if ($vars['page'] == 'logout' && $_SESSION['authenticated']) {
|
2015-07-13 20:10:26 +02:00
|
|
|
dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Logged Out'), 'authlog');
|
2016-12-26 16:11:00 -07:00
|
|
|
auth_end_session();
|
2015-07-13 20:10:26 +02:00
|
|
|
$auth_message = 'Logged Out';
|
2015-08-11 14:54:05 -07:00
|
|
|
header('Location: ' . $config['base_url']);
|
2015-07-13 20:10:26 +02:00
|
|
|
exit;
|
2007-04-03 14:10:23 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
unset($form_password);
|
|
|
|
|
unset($form_username);
|
|
|
|
|
|
2014-02-03 22:32:45 +00:00
|
|
|
// We are only interested in login details passed via POST.
|
|
|
|
|
if (isset($_POST['username']) && isset($_POST['password'])) {
|
2016-12-26 16:11:00 -07:00
|
|
|
$form_username = clean($_POST['username']);
|
|
|
|
|
$form_password = $_POST['password'];
|
2016-08-18 20:28:22 -05:00
|
|
|
} elseif (isset($_GET['username']) && isset($_GET['password'])) {
|
2016-12-26 16:11:00 -07:00
|
|
|
/* FIXME: allowing GET for authentication reduces security */
|
|
|
|
|
$form_username = clean($_GET['username']);
|
|
|
|
|
$form_password = $_GET['password'];
|
2016-12-12 14:25:30 +00:00
|
|
|
} elseif (isset($_SERVER['REMOTE_USER'])) {
|
2016-12-26 16:11:00 -07:00
|
|
|
$form_username = clean($_SERVER['REMOTE_USER']);
|
2009-06-19 10:43:02 +00:00
|
|
|
}
|
|
|
|
|
|
2015-07-13 20:10:26 +02:00
|
|
|
if (!isset($config['auth_mechanism'])) {
|
|
|
|
|
$config['auth_mechanism'] = 'mysql';
|
2010-02-28 13:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
if (!$_SESSION['authenticated']) {
|
|
|
|
|
$auth_mechanism_successful = false;
|
2009-06-19 10:43:02 +00:00
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
if (isset($form_username)) {
|
|
|
|
|
/* try password auth */
|
|
|
|
|
$_SESSION['username'] = $form_username;
|
|
|
|
|
$auth_mechanism_successful = authenticate($form_username, $form_password);
|
|
|
|
|
if ($auth_mechanism_successful !== 1) {
|
|
|
|
|
$auth_mechanism_successful = false;
|
|
|
|
|
}
|
|
|
|
|
if (isset($_SESSION['username']) && $_SESSION['username'] !== $form_username) {
|
|
|
|
|
/* Must be using one of the auth methods that trusts $_SERVER['REMOTE_USER'] */
|
|
|
|
|
$form_username = $_SESSION['username'];
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-07-13 20:10:26 +02:00
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
if ($auth_mechanism_successful === 1) {
|
|
|
|
|
if ($config['twofactor'] === true && !isset($_SESSION['twofactor'])) {
|
|
|
|
|
include_once $config['install_dir'].'/html/includes/authentication/twofactor.lib.php';
|
|
|
|
|
twofactor_auth();
|
2015-07-13 20:10:26 +02:00
|
|
|
}
|
|
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
if (!$config['twofactor'] || $_SESSION['twofactor']) {
|
|
|
|
|
/* Congratulations, you are authenticated! */
|
|
|
|
|
|
|
|
|
|
/* do this before changing the session_id so the session cookie has
|
|
|
|
|
* the right lifetime; a long expiration time on an unauthenticated
|
|
|
|
|
* session should not be dangerous */
|
|
|
|
|
if (isset($_POST['remember'])) {
|
|
|
|
|
// keep session cookie for auth_remember days
|
|
|
|
|
session_set_cookie_params($config['auth_remember'] * 60 * 60 * 24);
|
|
|
|
|
$_SESSION['expires'] = time() + $config['auth_remember'] * 60 * 60 * 24;
|
|
|
|
|
} else {
|
|
|
|
|
// keep session cookie for the duration of the browser session
|
|
|
|
|
session_set_cookie_params(0);
|
|
|
|
|
|
|
|
|
|
// valid for auth_no_remember minutes, regardless of activity
|
|
|
|
|
$_SESSION['expires'] = time() + $config['auth_no_remember'] * 60;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* prevent session fixation vulnerabilities */
|
|
|
|
|
auth_update_session_id();
|
|
|
|
|
|
|
|
|
|
$_SESSION['authenticated'] = true;
|
|
|
|
|
dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Logged In'), 'authlog');
|
2015-07-13 20:10:26 +02:00
|
|
|
}
|
2016-12-26 16:11:00 -07:00
|
|
|
}
|
2015-07-13 20:10:26 +02:00
|
|
|
|
2016-12-26 16:11:00 -07:00
|
|
|
if ($_SESSION['authenticated']) {
|
|
|
|
|
if (!$_SESSION['username']) {
|
|
|
|
|
unset($_SESSION['authenticated']);
|
|
|
|
|
print_error("ERROR: auth_mechanism did not set session username");
|
|
|
|
|
exit();
|
2015-07-13 20:10:26 +02:00
|
|
|
}
|
2016-12-26 16:11:00 -07:00
|
|
|
$_SESSION['userlevel'] = get_userlevel($_SESSION['username']);
|
|
|
|
|
$_SESSION['user_id'] = get_userid($_SESSION['username']);
|
2015-07-13 20:10:26 +02:00
|
|
|
|
|
|
|
|
$permissions = permissions_cache($_SESSION['user_id']);
|
2016-12-26 16:11:00 -07:00
|
|
|
if ($auth_mechanism_successful === 1) {
|
2015-07-13 20:10:26 +02:00
|
|
|
header('Location: '.$_SERVER['REQUEST_URI'], true, 303);
|
|
|
|
|
exit;
|
|
|
|
|
}
|
2016-12-26 16:11:00 -07:00
|
|
|
} elseif (isset($form_username) || isset($_SESSION['username'])) {
|
2016-09-09 08:04:03 -05:00
|
|
|
global $auth_error;
|
|
|
|
|
if (isset($auth_error)) {
|
|
|
|
|
$auth_message = $auth_error;
|
|
|
|
|
} else {
|
|
|
|
|
$auth_message = 'Authentication Failed';
|
|
|
|
|
}
|
2016-12-26 16:11:00 -07:00
|
|
|
auth_end_session();
|
2015-07-13 20:10:26 +02:00
|
|
|
dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Authentication Failure'), 'authlog');
|
2015-04-11 21:01:33 +01:00
|
|
|
}
|
2016-12-26 16:11:00 -07:00
|
|
|
} else {
|
|
|
|
|
/* we have a valid, previously-authenticated session */
|
2011-03-16 18:28:52 +00:00
|
|
|
}
|
