1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
<?php
// $Header: /cvsroot/phpldapadmin/phpldapadmin/lib/session_functions.php,v 1.18.2.4 2008/01/13 06:35:51 wurley Exp $
/**
* A collection of functions to handle sessions throughout phpLDAPadmin.
* @author The phpLDAPadmin development team
* @package phpLDAPadmin
*/
/** The session ID that phpLDAPadmin will use for all sessions */
define('PLA_SESSION_ID','PLASESSID');
/** Enables session paranoia, which causes SIDs to change each page load (EXPERIMENTAL!) */
define('pla_session_id_paranoid', false);
/** Flag to indicate whether the session has already been initialized (this constant gets stored in $_SESSION) */
define('pla_session_id_init', 'pla_initialized');
/** The minimum first char value IP in hex for IP hashing. */
define('pla_session_id_ip_min', 8);
/** The maximum first char value of the IP in hex for IP hashing. */
define('pla_session_id_ses_max', 36);
/**
* Creates a new session id, which includes an IP hash.
*
* @return string the new session ID string
*/
function pla_session_get_id() {
if (DEBUG_ENABLED)
debug_log('Entered with ()',1,__FILE__,__LINE__,__METHOD__);
$id_md5 = md5(rand(1,1000000));
$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
$id_hex = hexdec($id_md5[0]) + 1;
$ip_hex = hexdec($ip_md5[0]);
if ($ip_hex <= pla_session_id_ip_min)
$ip_len = pla_session_id_ip_min;
else
$ip_len = $ip_hex - 1;
$new_id = substr($id_md5, 0, $id_hex) .
substr($ip_md5, $ip_hex, $ip_len) .
substr($id_md5, $id_hex, pla_session_id_ses_max - ($id_hex + $ip_len));
return $new_id;
}
/**
* Checks if the session belongs to an IP
*
* @return bool True, if the session is valid
*/
function pla_session_verify_id() {
if (DEBUG_ENABLED)
debug_log('Entered with ()',1,__FILE__,__LINE__,__METHOD__);
$check_id = session_id();
$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
$id_hex = hexdec($check_id[0]) + 1;
$ip_hex = hexdec($ip_md5[0]);
if ($ip_hex <= pla_session_id_ip_min)
$ip_len = pla_session_id_ip_min;
else
$ip_len = $ip_hex - 1;
$ip_ses = substr($check_id, $id_hex, $ip_len);
$ip_ver = substr($ip_md5, $ip_hex, $ip_len);
return ($ip_ses == $ip_ver);
}
function pla_session_param() {
/* If cookies were disabled, build the url parameter for the session id.
* It will be append to the url to be redirect */
return (SID != '') ? sprintf('&%s=%s',session_name(),session_id()) : '';
}
/**
* The only function which should be called by a user
*
* @see common.php
* @see PLA_SESSION_ID
* @return bool Returns true if the session was started the first time
*/
function pla_session_start() {
global $config;
/* If session.auto_start is on in the server's PHP configuration (php.ini), then
* we will have problems loading our schema cache since the session will have started
* prior to loading the SchemaItem (and descedants) class. Destroy the auto-started
* session to prevent this problem.
*/
if (ini_get('session.auto_start'))
@session_destroy();
# Do we already have a session?
if (@session_id())
die;
@session_name(PLA_SESSION_ID);
@session_start();
# Do we have a valid session?
$is_initialized = is_array($_SESSION) && array_key_exists(pla_session_id_init,$_SESSION);
if (! $is_initialized) {
if (pla_session_id_paranoid) {
ini_set('session.use_trans_sid',0);
@session_destroy();
@session_id(pla_session_get_id());
@session_start();
ini_set('session.use_trans_sid',1);
}
$_SESSION[pla_session_id_init]['version'] = pla_version();
$_SESSION[pla_session_id_init]['config'] = filemtime(CONFDIR.'config.php');
}
@header('Cache-control: private'); // IE 6 Fix
if (pla_session_id_paranoid && ! pla_session_verify_id())
pla_error('Session inconsistent or session timeout');
# Check we have the correct version of the SESSION cache
if (isset($_SESSION['cache']) || isset($_SESSION[pla_session_id_init])) {
if (! is_array($_SESSION[pla_session_id_init])) $_SESSION[pla_session_id_init] = array();
if (! isset($_SESSION[pla_session_id_init]['version']) || ! isset($_SESSION[pla_session_id_init]['config'])
|| $_SESSION[pla_session_id_init]['version'] !== pla_version()
|| $_SESSION[pla_session_id_init]['config'] != filemtime(CONFDIR.'config.php')) {
$_SESSION[pla_session_id_init]['version'] = pla_version();
$_SESSION[pla_session_id_init]['config'] = filemtime(CONFDIR.'config.php');
unset($_SESSION['cache']);
unset($_SESSION[APPCONFIG]);
# Our configuration information has changed, so we'll redirect to index.php to get it reloaded again.
system_message(array(
'title'=>_('Configuration cache stale.'),
'body'=>_('Your configuration has been automatically refreshed.'),
'type'=>'info'));
$config_file = CONFDIR.'config.php';
check_config($config_file);
} else {
# Sanity check, specially when upgrading from a previous release.
if (isset($_SESSION['cache']))
foreach (array_keys($_SESSION['cache']) as $id)
if (isset($_SESSION['cache'][$id]['tree']['null']) && ! is_object($_SESSION['cache'][$id]['tree']['null']))
unset($_SESSION['cache'][$id]);
}
}
# If we came via index.php, then set our $config.
if (! isset($_SESSION[APPCONFIG]) && isset($config))
$_SESSION[APPCONFIG] = $config;
}
/**
* Stops the current session.
*/
function pla_session_close() {
@session_write_close();
}
?>
|
