/[dtapublic]/to_be_filed/webprojs/php_libraries/php_library/fboprime/sess.inc
ViewVC logotype

Contents of /to_be_filed/webprojs/php_libraries/php_library/fboprime/sess.inc

Parent Directory Parent Directory | Revision Log Revision Log


Revision 35 - (show annotations) (download)
Sat Oct 8 23:35:33 2016 UTC (7 years, 7 months ago) by dashley
File size: 44243 byte(s)
Initial commit.
1 <?php
2 //$Header: /hl/cvsroots/gpl01/gpl01/webprojs/fboprime/sw/phplib/sess.inc,v 1.25 2006/11/05 18:26:05 dashley Exp $
3 //--------------------------------------------------------------------------------------------------------------
4 //sess.inc--FboPrime Session and Authentication Management Functions and Constants
5 //Copyright (C) 2006 David T. Ashley
6 //
7 //This program is free software; you can redistribute it and/or
8 //modify it under the terms of the GNU General Public License
9 //as published by the Free Software Foundation; either version 2
10 //of the License, or (at your option) any later version.
11 //
12 //This program is distributed in the hope that it will be useful,
13 //but WITHOUT ANY WARRANTY; without even the implied warranty of
14 //MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 //GNU General Public License for more details.
16 //
17 //You should have received a copy of the GNU General Public License
18 //along with this program; if not, write to the Free Software
19 //Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 //********************************************************************************
21 //Implement session and authentication functions.
22 //--------------------------------------------------------------------------------------------------------------
23 require_once("global.inc");
24 require_once("log.inc");
25 require_once("passwd.inc");
26 require_once("perm.inc");
27 require_once("sguid.inc");
28 require_once("sid.inc");
29 require_once("strfunc.inc");
30 require_once("usrs.inc");
31 require_once("utime.inc");
32 //
33 //--------------------------------------------------------------------------------------------------------------
34 //Constants for database storage, software internals, function parameters, and function return values of
35 //this module.
36 //
37 //Session reap time, in seconds. This is how old an inactive session must be in order to reap it by
38 //nightly cron job.
39 //
40 define("SESS_REAP_INACTIVE_TIME", 172800 ); //48 hours, in seconds.
41 //
42 //
43 //Function return values.
44 define("SESS_RCODE_SUCCESS", 0 ); //Successful action.
45 define("SESS_RCODE_SUCCESS_TEMP_PASSWORD", 1 ); //Authentication action was successful, but
46 //authentication was performed based on the
47 //temporary password. The user should be
48 //prompted to change their password as soon as
49 //possible.
50 define("SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE", 2 ); //Intended action failed because the userid
51 //and password specified authenticated
52 //properly, but the underlying userid is either
53 //expired or inactive. The user should be
54 //granted no privileges and instructed to contact
55 //the FBO.
56 define("SESS_RCODE_FAIL_USERID_NOEXIST", 3 ); //Intended action failed because specified
57 //userid does not exist.
58 define("SESS_RCODE_FAIL_PASSWD", 4 ); //Intended action failed because the password
59 //supplied was incorrect.
60 //
61 //Session constants for the logical page currently being visited.
62 //
63 define("SESS_LPAGE_UNDEFINED", 0); //Not yet defined or invalid SQL query
64 //result.
65 define("SESS_LPAGE_SCHEDDAYVIEW", 1); //Day view scheduler.
66 define("SESS_LPAGE_SCHEDWEEKVIEW", 2); //Week view scheduler.
67 define("SESS_LPAGE_SCHEDMONTHVIEW", 3); //Month view scheduler.
68 define("SESS_LPAGE_LOGRESOURCESCHEDULER", 4); //Log file viewing.
69 define("SESS_LPAGE_DBSTATS", 5); //Database statistics.
70 define("SESS_LPAGE_RESOURCELIST", 6); //Resource list (or all resources).
71 define("SESS_LPAGE_RESOURCERENUMBER", 7); //Resource list.
72 define("SESS_LPAGE_RESOURCEVIEW", 8); //Resource view (of individual resource).
73 define("SESS_LPAGE_RESOURCEEDIT", 9); //Resource edit (of individual resource).
74 define("SESS_LPAGE_RESOURCEADD", 10); //Resource edit (of individual resource).
75 define("SESS_LPAGE_USERSACTIVELIST", 11); //Users list (active).
76 define("SESS_LPAGE_USERSINACTIVELIST", 12); //Users list (active).
77 define("SESS_LPAGE_USERSVIEW", 13); //User view.
78 define("SESS_LPAGE_USERSEDIT", 14); //User edit.
79 define("SESS_LPAGE_USERSADD", 15); //User add.
80 define("SESS_LPAGE_MYRESERVATIONSLIST", 16); //Self-reservations list.
81 //
82 //
83 //--------------------------------------------------------------------------------------------------------------
84 //Eats the session identifier cookie, if any exists on the browser side.
85 //
86 function SESS_eat_fbopsid_cookie()
87 {
88 setcookie("fbopsid", //Cookie name.
89 FALSE, //Value. FALSE means eat the cookie.
90 0, //Expire when browser closes. The PHP documentation
91 //suggests to set this to a time well before the current
92 //time, but I don't believe this is necessary to eat a cookie.
93 CONFIG_URL_FSPATH . "/", //Path within the domain.
94 CONFIG_URL_DOMAIN, //Domain.
95 0); //Don't require secure connection.
96 }
97 //
98 //--------------------------------------------------------------------------------------------------------------
99 //Issues the SID to the browser.
100 //
101 function SESS_issue_fbopsid_cookie($sid)
102 {
103 setcookie("fbopsid", //Cookie name.
104 $sid, //Value. FALSE means eat the cookie.
105 0, //Value. 0 (according to the manual) means to keep cookie
106 //until browser closed.
107 CONFIG_URL_FSPATH . "/", //Path within the domain.
108 CONFIG_URL_DOMAIN, //Domain.
109 0); //Don't require secure connection.
110 }
111 //
112 //--------------------------------------------------------------------------------------------------------------
113 //Inserts a new record into the SESS database, using the passed associative array to assign the fields.
114 //Each element of the associative array is indexed by a field name.
115 //
116 //The function returns the integer index of the record added.
117 //
118 //This operation cannot fail. The autoincrement index is the primary key, so no duplicates or other
119 //error conditions are meaningful.
120 //
121 function SESS_insert($arg)
122 {
123 global $GLOBAL_dbhandle;
124 global $GLOBAL_dblocked;
125
126 //Build the query string with each successive parameter.
127 //
128 //sguid
129 //-----
130 if (! isset($arg["sguid"]))
131 $pushval = "";
132 else
133 $pushval = $arg["sguid"];
134 $query_string = "INSERT INTO sess SET sguid=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"";
135 //
136 //ip
137 //------
138 if (! isset($arg["ip"]))
139 $pushval = "";
140 else
141 $pushval = $arg["ip"];
142 $query_string .= (", ip=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
143 //
144 //sid
145 //---
146 if (! isset($arg["sid"]))
147 $pushval = "";
148 else
149 $pushval = $arg["sid"];
150 $query_string .= (", sid=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
151 //
152 //revaltime
153 //---------
154 if (! isset($arg["revaltime"]))
155 $pushval = "";
156 else
157 $pushval = $arg["revaltime"];
158 $query_string .= (", revaltime=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
159 //
160 //lifetime
161 //--------
162 if (! isset($arg["lifetime"]))
163 $pushval = 0;
164 else
165 $pushval = $arg["lifetime"];
166 $query_string .= (", lifetime=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
167 //
168 //usrsidx
169 //-------
170 if (! isset($arg["usrsidx"]))
171 $pushval = 0;
172 else
173 $pushval = $arg["usrsidx"];
174 $query_string .= (", usrsidx=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
175 //
176 //menulvl
177 //-------
178 if (! isset($arg["menulvl"]))
179 $pushval = 0;
180 else
181 $pushval = $arg["menulvl"];
182 $query_string .= (", menulvl=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
183 //
184 //pagereloadtime
185 //--------------
186 if (! isset($arg["pagereloadtime"]))
187 $pushval = 0;
188 else
189 $pushval = $arg["pagereloadtime"];
190 $query_string .= (", pagereloadtime=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
191 //
192 //sddt
193 //----
194 if (! isset($arg["sddt"]))
195 $pushval = "";
196 else
197 $pushval = $arg["sddt"];
198 $query_string .= (", sddt=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
199 //
200 //sdtim
201 //-----
202 if (! isset($arg["sdtim"]))
203 $pushval = "";
204 else
205 $pushval = $arg["sdtim"];
206 $query_string .= (", sdtim=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
207 //
208 //logicalpage
209 //-----------
210 if (! isset($arg["logicalpage"]))
211 $pushval = 0;
212 else
213 $pushval = $arg["logicalpage"];
214 $query_string .= (", logicalpage=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
215 //
216 //curuser
217 //-------
218 if (! isset($arg["curuser"]))
219 $pushval = 0;
220 else
221 $pushval = $arg["curuser"];
222 $query_string .= (", curuser=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
223 //
224 //curresource
225 //-----------
226 if (! isset($arg["curresource"]))
227 $pushval = 0;
228 else
229 $pushval = $arg["curresource"];
230 $query_string .= (", curresource=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
231 //
232 //curreservation
233 //--------------
234 if (! isset($arg["curreservation"]))
235 $pushval = 0;
236 else
237 $pushval = $arg["curreservation"];
238 $query_string .= (", curreservation=\"" . mysql_real_escape_string ($pushval, $GLOBAL_dbhandle) . "\"");
239 //
240 //Execute the query to insert the record.
241 $result = mysql_query($query_string, $GLOBAL_dbhandle);
242 //
243 //If the insert failed, our caller gets FALSE.
244 if ($result == FALSE)
245 {
246 $rv = FALSE;
247 }
248 else
249 {
250 //The insert was successful. Figure out the index that was assigned.
251 $result = mysql_query("SELECT LAST_INSERT_ID()");
252
253 //If we have a failure, the caller gets FALSE, otherwise the caller gets the
254 //index.
255 if ($result === FALSE)
256 {
257 $rv = FALSE;
258 }
259 else
260 {
261 //Pick apart the result.
262 $row = mysql_fetch_array($result, MYSQL_NUM);
263
264 //Extract the integer.
265 $rv = $row[0];
266
267 //Free the result memory.
268 mysql_free_result($result);
269 }
270 }
271
272 //Return the result.
273 return($rv);
274 }
275 //
276 //--------------------------------------------------------------------------------------------------------------
277 //Retrieves a two dimensional associative array corresponding to the SESS record with
278 //the passed SID, or FALSE if the record does not exist.
279 //
280 function SESS_retrieve_by_sid($sid)
281 {
282 global $GLOBAL_dbhandle;
283
284 //Form the query string.
285 $query_string = "SELECT * FROM sess WHERE sid=\""
286 .
287 mysql_real_escape_string($sid, $GLOBAL_dbhandle)
288 .
289 "\"";
290
291 //Execute the query.
292 $result = mysql_query($query_string, $GLOBAL_dbhandle);
293
294 if ($result === FALSE)
295 {
296 //Unknown query failure. Return FALSE to the caller. No need to free,
297 //as this is not a result.
298 $rv = FALSE;
299 }
300 else
301 {
302 //Figure out how many rows in the result.
303 $nrows = mysql_num_rows($result);
304
305 if ($nrows == 0)
306 {
307 //No rows in the result. The query failed to give us a record, but still
308 //we need to free the result set.
309
310 //Free the result.
311 mysql_free_result($result);
312
313 //The caller gets FALSE. No record with that SID.
314 $rv = FALSE;
315 }
316 else
317 {
318 //We have at least one record. Assume just one, because the SID is supposed
319 //to be unique.
320 $rv = mysql_fetch_assoc($result); //Get the associative record.
321
322 //Free the result.
323 mysql_free_result($result);
324 }
325
326 //Return the value to the caller.
327 return($rv);
328 }
329 }
330 //
331 //--------------------------------------------------------------------------------------------------------------
332 //Deletes the server-side session information corresponding to the passed SID, if it exists in the
333 //SESS table. Returns TRUE if at least one record is deleted, or FALSE otherwise.
334 //
335 function SESS_delete_by_sid($sid)
336 {
337 global $GLOBAL_dbhandle;
338
339 //Form the query string.
340 $query_string = "DELETE FROM sess WHERE sid=\""
341 .
342 mysql_real_escape_string($sid, $GLOBAL_dbhandle)
343 .
344 "\"";
345
346 //Execute the query.
347 mysql_query($query_string, $GLOBAL_dbhandle);
348
349 //Figure out how many rows were affected.
350 $ar = mysql_affected_rows($GLOBAL_dbhandle);
351
352 //Return the right value to the caller.
353 if ($ar <= 0)
354 return(FALSE);
355 else
356 return(TRUE);
357 }
358 //
359 //--------------------------------------------------------------------------------------------------------------
360 //Description:
361 // Authenticates a supplied password against the non-temporary password hash stored with the supplied
362 // database record from the user information. There is also a possibility that the non-temporary
363 // hash field is the empty string, which means that no password will authenticate.
364 //
365 // Returns TRUE if the authentication was successful or FALSE otherwise.
366 //
367 function SESS_nontemppwauth($userinfo, $password)
368 {
369 if (PASSWD_pwd_hash_auth($userinfo["pwhash"], $password) == 1)
370 return(TRUE);
371 else
372 return(FALSE);
373 }
374 //
375 //--------------------------------------------------------------------------------------------------------------
376 //Description:
377 // Authenticates a supplied password against the temporary password hash stored with the supplied
378 // database record from the user information. In order to authenticate, the the temporary
379 // password also must not be expired.
380 //
381 // Returns TRUE if the authentication was successful or FALSE otherwise.
382 //
383 function SESS_temppwauth($userinfo, $password)
384 {
385 global $GLOBAL_utime_ut;
386
387 if (!strlen($userinfo["lostpwgentime"]) || !strlen($userinfo["lostpwhash"]))
388 {
389 return(FALSE);
390 }
391 else
392 {
393 if (
394 UTIME_time_diff_coarse_28($GLOBAL_utime_ut, $userinfo["lostpwgentime"])
395 > //Waiting time elapsed.
396 (CONFIG_LOGIN_REC_TEMP_PW_LIFETIME * 60) //*60 because constant in minutes.
397 )
398 {
399 return(FALSE); //Temporary password has expired, so can't authenticate.
400 }
401 else
402 {
403 if (PASSWD_pwd_hash_auth($userinfo["lostpwhash"], $password) == 1)
404 return(TRUE);
405 }
406 }
407
408 //If we're lost and get here, authentication failed.
409 return(FALSE);
410 }
411 //
412 //--------------------------------------------------------------------------------------------------------------
413 //Description:
414 // Opens a new session on the server based on the passed user information and returns the
415 // SID.
416 //
417 function SESS_open_new_uinfo($userinfo)
418 {
419 global $GLOBAL_client_ip;
420 global $GLOBAL_utime_ut;
421
422 //Populate the SGUID.
423 $sess["sguid"] = SGUID_sguid();
424
425 //Populate the IP address.
426 $sess["ip"] = $GLOBAL_client_ip;
427
428 //Populate the session identifier.
429 $sid = SID_sid();
430 $sess["sid"] = $sid;
431
432 //Populate the revalidation time.
433 $sess["revaltime"] = $GLOBAL_utime_ut;
434
435 //Populate the lifetime. The lifetime is either the value stored in the permission string (if it
436 //exists there), or else the default value.
437 $sess["lifetime"] = PERM_get_val_from_string($userinfo["perm"], "sesslifetimedefault");
438 if ($sess["lifetime"] === FALSE) //If that permission/attribute does not exist.
439 $sess["lifetime"] = CONFIG_SESS_LIFETIME_DEFAULT;
440
441 //Populate the index of the relevant user.
442 $sess["usrsidx"] = $userinfo["idx"];
443
444 //Insert the record into the database.
445 SESS_insert($sess);
446
447 //Return the session ID to the caller.
448 return($sid);
449 }
450 //
451 //--------------------------------------------------------------------------------------------------------------
452 //Description:
453 // Authenticates a supplied userid and password, and returns result information to the caller.
454 // If the userid/password authenticate, retract the old cookie, open a new session on the server side,
455 // and issue a new cookie.
456 //
457 // This function is called from the main scheduling page when a userid/password is entered.
458 //
459 // If the userid supplied corresponds to a non-existent account:
460 //
461 // a)Destroy any existing server-side session information based on the current SID cookie.
462 // b)Eat the current SID cookie, if any, on the client side.
463 // c)Set the $curuserinfo to FALSE.
464 // d)Set the $cursessioninfo to FALSE.
465 // e)Set the $rcode to SESS_RCODE_FAIL_USERID_NOEXIST.
466 //
467 // Else if the userid exists and the password authenticates:
468 //
469 // If the account is inactive or expired:
470 //
471 // a)Destroy any existing server-side session information based on the current SID
472 // cookie.
473 // b)Eat the current SID cookie, if any, on the client side.
474 // c)Set the $curuserinfo to FALSE.
475 // d)Set the $cursessioninfo to FALSE.
476 // e)Set the $rcode to SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE.
477 //
478 // Else if authentication was successful based on a temporary password:
479 //
480 // a)Destroy any existing server-side session information based on the current SID
481 // cookie.
482 // b)Open a new session on the server side.
483 // c)Issue a new SID cookie to the client.
484 // d)Set the $curuserinfo to the user specified.
485 // e)Set the $cursessioninfo to the newly-created session.
486 // f)Set the $rcode to SESS_RCODE_SUCCESS_TEMP_PASSWORD.
487 //
488 // Else if authentication was successful:
489 //
490 // a)Destroy any existing server-side session information based on the current SID
491 // cookie.
492 // b)Open a new session on the server side.
493 // c)Issue a new SID cookie to the client.
494 // d)Set the $curuserinfo to the user specified.
495 // e)Set the $cursessioninfo to the newly-created session.
496 // f)Set the $rcode to SESS_RCODE_SUCCESS.
497 //
498 // Else if the userid exists but the password does not authenticate:
499 //
500 // a)Destroy any existing server-side session information based on the current SID
501 // cookie.
502 // b)Eat the current SID cookie, if any, on the client side.
503 // c)Set the $curuserinfo to FALSE.
504 // d)Set the $cursessioninfo to FALSE.
505 // e)Set the $rcode to SESS_RCODE_FAIL_PASSWD.
506 //
507 //Return Value:
508 // $rcode : Set to a constant defined at the start of this file to indicate
509 // what occurred.
510 // $curuserinfo : Set to an associative array containing full user information
511 // about a user who logs in, or FALSE if no user has successfully
512 // authenticated.
513 // $cursessioninfo : An associative array containing the complete record for the now
514 // active session, or FALSE if no session is active.
515 //
516 function SESS_userid_pwd_authenticate_open_session($userid, $password, &$rcode, &$curuserinfo, &$cursessioninfo)
517 {
518 global $PAR_fbopsid;
519 global $GLOBAL_stime_string;
520 global $GLOBAL_client_ip;
521
522 //Condition the userid to exclude forbidden characters.
523 $userid = STRFUNC_force_into_subset($userid, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
524
525 //Convert the userid to all lower-case. This is the canonical form for userids.
526 $userid = StrToLower($userid);
527
528 //Remove all invalid characters from the password. However, don't convert it to lower-case. Passwords are
529 //case-sensitive.
530 $password = STRFUNC_force_into_subset($password, "-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
531
532 //Try to obtain the user information from the database corresponding to the userid.
533 $curuserinfo = USRS_retrieve_by_userid($userid);
534
535 //print_r($curuserinfo);
536 //return;
537
538 //If the userid does not exist, return the correct error code.
539 if ($curuserinfo === FALSE)
540 {
541 //Log the authentication failure.
542 LOG_log(LOG_ET_LOGIN_FAIL,
543 $GLOBAL_stime_string,
544 $GLOBAL_client_ip,
545 "",
546 ($PAR_fbopsid === FALSE) ? ("") : ($PAR_fbopsid),
547 $_SERVER["PHP_SELF"],
548 "",
549 __FILE__,
550 __LINE__,
551 "Password authentication failure, non-existent userid=\"" . $userid . "\".");
552
553 //Destroy any existing server-side session information based on the current SID cookie.
554 if ($PAR_fbopsid !== FALSE)
555 SESS_delete_by_sid($PAR_fbopsid);
556
557 //Eat the client-side cookie.
558 SESS_eat_fbopsid_cookie();
559
560 //Set the $curuserinfo to FALSE.
561 $curuserinfo = FALSE;
562
563 //Set the $cursessioninfo to FALSE.
564 $cursessioninfo = FALSE;
565
566 //Set the $rcode to SESS_RCODE_FAIL_USERID_NOEXIST.
567 $rcode = SESS_RCODE_FAIL_USERID_NOEXIST;
568
569 return;
570 }
571
572 //If the userid exists but is not active, refuse the authentication.
573 if ($curuserinfo["status"] != USRS_STATUS_ACTIVE)
574 {
575 //Log the authentication failure.
576 LOG_log(LOG_ET_LOGIN_FAIL,
577 $GLOBAL_stime_string,
578 $GLOBAL_client_ip,
579 "",
580 ($PAR_fbopsid === FALSE) ? ("") : ($PAR_fbopsid),
581 $_SERVER["PHP_SELF"],
582 "",
583 __FILE__,
584 __LINE__,
585 "Password authentication failure, expired or inactive userid=\"" . $userid . "\".");
586
587 //Destroy any existing server-side session information based on the current SID cookie.
588 if ($PAR_fbopsid !== FALSE)
589 SESS_delete_by_sid($PAR_fbopsid);
590
591 //Eat the client-side cookie.
592 SESS_eat_fbopsid_cookie();
593
594 //Set the $curuserinfo to FALSE.
595 $curuserinfo = FALSE;
596
597 //Set the $cursessioninfo to FALSE.
598 $cursessioninfo = FALSE;
599
600 //Set the $rcode to SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE.
601 $rcode = SESS_RCODE_FAIL_USERID_EXPIRED_INACTIVE;
602
603 return;
604 }
605
606 //The user exists and the user's status is active. Figure out if the password is consistent
607 //with the stored non-temporary password.
608 //
609 if (SESS_nontemppwauth($curuserinfo, $password))
610 {
611 //The password supplied matches the non-temporary password hash in the database.
612 //
613 //Open a new session on the server side.
614 $sid = SESS_open_new_uinfo($curuserinfo);
615 //
616 //Log the authentication success.
617 LOG_log(LOG_ET_LOGIN_OK,
618 $GLOBAL_stime_string,
619 $GLOBAL_client_ip,
620 $userid,
621 $sid,
622 $_SERVER["PHP_SELF"],
623 "",
624 __FILE__,
625 __LINE__,
626 "Password authentication.");
627 //
628 //Issue the new cookie to the browser. It isn't necessary to replace any existing old,
629 //as this one will just replace it.
630 SESS_issue_fbopsid_cookie($sid);
631 //
632 //The current user information has already been obtained. Pull the
633 //session information.
634 $cursessioninfo = SESS_retrieve_by_sid($sid);
635 //
636 //Set the return code.
637 $rcode = SESS_RCODE_SUCCESS;
638 //
639 return;
640 }
641
642
643 //The user exists and the user's status is active. Figure out if the password is consistent
644 //with the stored temporary password.
645 //
646 if (SESS_temppwauth($curuserinfo, $password))
647 {
648 //The password supplied matches the temporary password hash in the database.
649 //
650 //Open a new session on the server side.
651 $sid = SESS_open_new_uinfo($curuserinfo);
652 //
653 //Log the authentication success.
654 LOG_log(LOG_ET_LOGIN_OK,
655 $GLOBAL_stime_string,
656 $GLOBAL_client_ip,
657 $userid,
658 $sid,
659 $_SERVER["PHP_SELF"],
660 "",
661 __FILE__,
662 __LINE__,
663 "Temporary password authentication.");
664 //
665 //Issue the new cookie to the browser. It isn't necessary to replace any existing old,
666 //as this one will just replace it.
667 SESS_issue_fbopsid_cookie($sid);
668 //
669 //The current user information has already been obtained. Pull the
670 //session information.
671 $cursessioninfo = SESS_retrieve_by_sid($sid);
672 //
673 //Set the return code.
674 $rcode = SESS_RCODE_SUCCESS_TEMP_PASSWORD;
675 //
676 return;
677 }
678
679 //If we're here, the userid was OK, but the password was wrong.
680 //Log the authentication failure.
681 LOG_log(LOG_ET_LOGIN_FAIL,
682 $GLOBAL_stime_string,
683 $GLOBAL_client_ip,
684 $userid,
685 ($PAR_fbopsid === FALSE) ? ("") : ($PAR_fbopsid),
686 $_SERVER["PHP_SELF"],
687 "",
688 __FILE__,
689 __LINE__,
690 "Password authentication failure, bad password.");
691
692 //Destroy any existing server-side session information based on the current SID cookie.
693 if ($PAR_fbopsid !== FALSE)
694 SESS_delete_by_sid($PAR_fbopsid);
695
696 //Eat the client-side cookie.
697 SESS_eat_fbopsid_cookie();
698
699 //Set the $curuserinfo to FALSE.
700 $curuserinfo = FALSE;
701
702 //Set the $cursessioninfo to FALSE.
703 $cursessioninfo = FALSE;
704
705 //Set the $rcode to indicate simple password failure.
706 $rcode = SESS_RCODE_FAIL_PASSWD;
707 }
708 //
709 //--------------------------------------------------------------------------------------------------------------
710 //Logs out the user implied by the current SID cookie. The specific actions are:
711 // a)Destroy any existing server-side session information.
712 // b)Eat the client side SID cookie.
713 //
714 //Return Values:
715 // $curuserinfo : By the definition of this what this function does, FALSE.
716 // $cursessioninfo : By the definition of this what this function does, FALSE.
717 //
718 function SESS_logout(&$curuserinfo, &$cursessioninfo)
719 {
720 global $PAR_fbopsid;
721 global $GLOBAL_stime_string;
722 global $GLOBAL_client_ip;
723
724 //Save the $sid cookie, so we can log it.
725 $log_sid = $PAR_fbopsid;
726
727 //Look up the session table entry.
728 $cursessioninfo = SESS_retrieve_by_sid($log_sid);
729
730 //Look up the user information based on the index stored with
731 //the session.
732 if ($cursessioninfo !== FALSE)
733 {
734 $curuserinfo = USRS_retrieve_by_idx($cursessioninfo["usrsidx"]);
735 }
736 else
737 {
738 $curuserinfo = FALSE;
739 }
740
741 //Swallow any session cookie.
742 SESS_eat_fbopsid_cookie();
743
744 //Destroy the server-side session state, if any.
745 if ($PAR_fbopsid !== FALSE)
746 SESS_delete_by_sid($PAR_fbopsid);
747
748 //Log the voluntary logout.
749 LOG_log(LOG_ET_LOGOUT_VOL,
750 $GLOBAL_stime_string,
751 $GLOBAL_client_ip,
752 ($curuserinfo !== FALSE) ? ($curuserinfo["userid"]) : (""),
753 ($log_sid === FALSE) ? ("") : ($log_sid),
754 $_SERVER["PHP_SELF"],
755 "",
756 __FILE__,
757 __LINE__,
758 "Logout.");
759
760
761 //Return values are, by definition, FALSE.
762 $curuserinfo = FALSE;
763 $cursessioninfo = FALSE;
764 }
765 //
766 //--------------------------------------------------------------------------------------------------------------
767 //Revalidates the session using the current SID cookie. The specific actions are:
768 //
769 // If the SID does not exist on the server side:
770 // a)Eat the current client SID cookie.
771 // Else if the session has expired due to inactivity:
772 // a)Destroy the server-side session state.
773 // b)Eat the client-side SID cookie.
774 // Else [if the session is still active]:
775 // Obtain the user information.
776 // If the user does not exist or is inactive:
777 // a)Destroy the server-side session state.
778 // b)Eat the client-side SID cookie.
779 // Else
780 // If the privilege escalation period has expired
781 // Lower the privelege escalation level.
782 // Update the revalidation time.
783 //
784 //Return Values:
785 // $curuserinfo : An associative array containing the complete record for the currently
786 // authenticated user, or FALSE if no user is authenticated.
787 // $cursessioninfo : An associative array containing the complete record for the currently
788 // active session, or FALSE if no session is active.
789 //
790 function SESS_revalidate(&$curuserinfo, &$cursessioninfo)
791 {
792 global $GLOBAL_dbhandle;
793 global $GLOBAL_dblocked;
794 global $PAR_fbopsid;
795 global $GLOBAL_stime_string;
796 global $GLOBAL_client_ip;
797 global $GLOBAL_utime_ut;
798
799 $cursessioninfo = FALSE;
800 $curuserinfo = FALSE;
801
802 //If the SID isn't defined, no user and no session.
803 if ($PAR_fbopsid === FALSE)
804 {
805 $curuserinfo = FALSE;
806 $cursessioninfo = FALSE;
807 return;
808 }
809
810 //Try to look up the session in the database. If it does not exist
811 //in the database, this is a bit suspicious but not impossible. The database
812 //could have been reaped while somebody left their browser open for a long time.
813 //If this is the case, no session and no user.
814 //
815 $cursessioninfo = SESS_retrieve_by_sid($PAR_fbopsid);
816 //
817 if ($cursessioninfo === FALSE)
818 {
819 //It is suspicious. Log it.
820 LOG_log(LOG_ET_SEC_SID_FORGED,
821 $GLOBAL_stime_string,
822 $GLOBAL_client_ip,
823 "",
824 $PAR_fbopsid,
825 $_SERVER["PHP_SELF"],
826 "",
827 __FILE__,
828 __LINE__,
829 "SID cookie value does not exist in server database, and was possibly forged.");
830
831 //Return value is no session and no user.
832 $curuserinfo = FALSE;
833 $cursessioninfo = FALSE;
834 return;
835 }
836
837 //Session exists. Try to look up the user identified in the session. If the user does not
838 //exist, this is also suspicious. The only scenario under which this might happen is if a
839 //user is expired or deleted during a session.
840 //
841 $curuserinfo = USRS_retrieve_by_idx($cursessioninfo["usrsidx"]);
842 //
843 if ($curuserinfo === FALSE)
844 {
845 //It is suspicious. Log it.
846 LOG_log(LOG_ET_SEC_SID_FORGED,
847 $GLOBAL_stime_string,
848 $GLOBAL_client_ip,
849 "",
850 $PAR_fbopsid,
851 $_SERVER["PHP_SELF"],
852 "",
853 __FILE__,
854 __LINE__,
855 "User index pointed to by SID record does not exist (idx=" . (string)$cursessioninfo["usrsidx"] . ").");
856
857 //Return value is no session and no user.
858 $curuserinfo = FALSE;
859 $cursessioninfo = FALSE;
860 return;
861 }
862
863 //If the user pointed to by the session isn't active, this probably means that
864 //the user was expired or had the status changed manually during a session.
865 //Destroy the server-side and client side session state, log it, and indicate
866 //to the caller no user and no session.
867 //If the userid exists but is not active, refuse the authentication.
868 if ($curuserinfo["status"] != USRS_STATUS_ACTIVE)
869 {
870 //It is suspicious. Log it.
871 LOG_log(LOG_ET_SEC_SID_FORGED,
872 $GLOBAL_stime_string,
873 $GLOBAL_client_ip,
874 "",
875 $PAR_fbopsid,
876 $_SERVER["PHP_SELF"],
877 "",
878 __FILE__,
879 __LINE__,
880 "User pointed to by SID record has inactive status (idx=" . (string)$cursessioninfo["usrsidx"] . ").");
881
882 //Destroy any existing server-side session information based on the current SID cookie.
883 if ($PAR_fbopsid !== FALSE)
884 SESS_delete_by_sid($PAR_fbopsid);
885
886 //Eat the client-side cookie.
887 SESS_eat_fbopsid_cookie();
888
889 //Return value is no session and no user.
890 $curuserinfo = FALSE;
891 $cursessioninfo = FALSE;
892 return;
893 }
894
895 //If the session has expired due to time, then log it and force the user out.
896 //
897 if (UTIME_time_diff_coarse_28($GLOBAL_utime_ut, $cursessioninfo["revaltime"]) > (int)$cursessioninfo["lifetime"])
898 {
899 //Log it.
900 LOG_log(LOG_ET_LOGOUT_TIME,
901 $GLOBAL_stime_string,
902 $GLOBAL_client_ip,
903 $curuserinfo["userid"],
904 $PAR_fbopsid,
905 $_SERVER["PHP_SELF"],
906 "",
907 __FILE__,
908 __LINE__,
909 "Session expired due to inactive time.");
910
911 //Destroy any existing server-side session information based on the current SID cookie.
912 if ($PAR_fbopsid !== FALSE)
913 SESS_delete_by_sid($PAR_fbopsid);
914
915 //Eat the client-side cookie.
916 SESS_eat_fbopsid_cookie();
917
918 //Return value is no session and no user.
919 $curuserinfo = FALSE;
920 $cursessioninfo = FALSE;
921 return;
922 }
923
924 //If the connecting IP of the session has changed, this is bad news and probably some type of
925 //security issue.
926 //
927 if ($cursessioninfo["ip"] != $GLOBAL_client_ip)
928 {
929 //Log it.
930 LOG_log(LOG_ET_SEC_LOGOUT_IP,
931 $GLOBAL_stime_string,
932 $GLOBAL_client_ip,
933 $curuserinfo["userid"],
934 $PAR_fbopsid,
935 $_SERVER["PHP_SELF"],
936 "",
937 __FILE__,
938 __LINE__,
939 "Stored session IP:" . $cursessioninfo["ip"] . " Current connection IP:" . $GLOBAL_client_ip . ".");
940
941 //Destroy any existing server-side session information based on the current SID cookie.
942 if ($PAR_fbopsid !== FALSE)
943 SESS_delete_by_sid($PAR_fbopsid);
944
945 //Eat the client-side cookie.
946 SESS_eat_fbopsid_cookie();
947
948 //Return value is no session and no user.
949 $curuserinfo = FALSE;
950 $cursessioninfo = FALSE;
951 return;
952 }
953
954 //All the error conditions have been ruled out. Give the session a newer timestamp, log it, and return the
955 //correct user and session information.
956 mysql_query("UPDATE sess SET revaltime=\""
957 . mysql_real_escape_string($GLOBAL_utime_ut, $GLOBAL_dbhandle)
958 . "\" WHERE sid=\""
959 . mysql_real_escape_string($PAR_fbopsid, $GLOBAL_dbhandle)
960 . "\"",
961 $GLOBAL_dbhandle);
962 //
963 LOG_log(LOG_ET_REVAL_OK,
964 $GLOBAL_stime_string,
965 $GLOBAL_client_ip,
966 $curuserinfo["userid"],
967 $PAR_fbopsid,
968 $_SERVER["PHP_SELF"],
969 "",
970 __FILE__,
971 __LINE__,
972 "Session revalidation.");
973
974 //The $curuserinfo and $cursessioninfo values are OK for return.
975 }
976 //
977 //--------------------------------------------------------------------------------------------------------------
978 //Decrements the current menu level, stores it in the correct session record of the database,
979 //and returns the new level, clipped to [0, 2].
980 //
981 //No mutual exclusion should be necessary, as a session is tied to one terminal IP--unless a user
982 //has multiple browsers open and is doing something unusual, there should be nothing noticeable.
983 //Even then it is iffy and there will be no ill effects.
984 //
985 function SESS_menulevel_decrement($sid_in, $menulevel_current)
986 {
987 global $GLOBAL_dbhandle;
988
989 //Adjust the menulevel to be one smaller.
990 if ($menulevel_current == 2)
991 $menulevel_new = 1;
992 else if ($menulevel_current == 1)
993 $menulevel_new = 0;
994 else
995 $menulevel_new = 0;
996
997 //Form a query to reflect assigning the new menu level to the session ID
998 //record.
999 $query_string = "UPDATE sess SET menulvl=\"" . (string)$menulevel_new . "\" WHERE sid=\"" . $sid_in . "\"";
1000
1001 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1002 mysql_query($query_string, $GLOBAL_dbhandle);
1003
1004 //Return the new value.
1005 return($menulevel_new);
1006 }
1007 //
1008 //--------------------------------------------------------------------------------------------------------------
1009 //Increments the current menu level, stores it in the correct session record of the database,
1010 //and returns the new level, clipped to [0, 2].
1011 //
1012 //No mutual exclusion should be necessary, as a session is tied to one terminal IP--unless a user
1013 //has multiple browsers open and is doing something unusual, there should be nothing noticeable.
1014 //Even then it is iffy and there will be no ill effects.
1015 //
1016 function SESS_menulevel_increment($sid_in, $menulevel_current)
1017 {
1018 global $GLOBAL_dbhandle;
1019
1020 //Adjust the menulevel to be one larger.
1021 if ($menulevel_current == 0)
1022 $menulevel_new = 1;
1023 else if ($menulevel_current == 1)
1024 $menulevel_new = 2;
1025 else
1026 $menulevel_new = 2;
1027
1028 //Form a query to reflect assigning the new menu level to the session ID
1029 //record.
1030 $query_string = "UPDATE sess SET menulvl=\"" . (string)$menulevel_new . "\" WHERE sid=\"" . $sid_in . "\"";
1031
1032 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1033 mysql_query($query_string, $GLOBAL_dbhandle);
1034
1035 //Return the new value.
1036 return($menulevel_new);
1037 }
1038 //
1039 //--------------------------------------------------------------------------------------------------------------
1040 //Updates the SDDT and SDTIM associated with the session, session identifier passed.
1041 //
1042 //To update only SDDT or SDTIM, set the other parameter FALSE.
1043 //
1044 //If both parameters are FALSE, nothing will be updated.
1045 //
1046 function SESS_update_sddt_sdtim($sid_in, $sddt_in, $sdtim_in)
1047 {
1048 global $GLOBAL_dbhandle;
1049
1050 //echo "<pre>\n";
1051 //print_r($sid_in);
1052 //print_r($sddt_in);
1053 //print_r($sdtim_in);
1054 //echo "</pre>\n";
1055
1056 if (($sddt_in !== FALSE) && ($sdtim_in !== FALSE))
1057 {
1058 //Both parameters are specified, the most common case.
1059 $query_string = "UPDATE sess SET sddt=\""
1060 .
1061 mysql_real_escape_string ((string)$sddt_in, $GLOBAL_dbhandle)
1062 .
1063 "\", sdtim=\""
1064 .
1065 mysql_real_escape_string ((string)$sdtim_in, $GLOBAL_dbhandle)
1066 .
1067 "\" WHERE sid=\""
1068 .
1069 $sid_in
1070 .
1071 "\"";
1072
1073 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1074 mysql_query($query_string, $GLOBAL_dbhandle);
1075 }
1076 else if (($sddt_in === FALSE) && ($sdtim_in !== FALSE))
1077 {
1078 //Only time is specified.
1079 $query_string = "UPDATE sess SET sdtim=\""
1080 .
1081 mysql_real_escape_string ((string)$sdtim_in, $GLOBAL_dbhandle)
1082 .
1083 "\" WHERE sid=\""
1084 .
1085 $sid_in
1086 .
1087 "\"";
1088
1089 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1090 mysql_query($query_string, $GLOBAL_dbhandle);
1091 }
1092 else if (($sddt_in !== FALSE) && ($sdtim_in === FALSE))
1093 {
1094 //Only date is specified.
1095 $query_string = "UPDATE sess SET sddt=\""
1096 .
1097 mysql_real_escape_string ((string)$sddt_in, $GLOBAL_dbhandle)
1098 .
1099 "\" WHERE sid=\""
1100 .
1101 $sid_in
1102 .
1103 "\"";
1104
1105 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1106 mysql_query($query_string, $GLOBAL_dbhandle);
1107 }
1108 else
1109 {
1110 //Do nothing. Neither parameter is specified.
1111 }
1112 }
1113 //
1114 //--------------------------------------------------------------------------------------------------------------
1115 //Updates the logicalpage associated with a session.
1116 //
1117 function SESS_logicalpage_set($sid_in, $logicalpage_in)
1118 {
1119 global $GLOBAL_dbhandle;
1120
1121 $query_string = "UPDATE sess SET logicalpage=\""
1122 .
1123 mysql_real_escape_string ((string)$logicalpage_in, $GLOBAL_dbhandle)
1124 .
1125 "\" WHERE sid=\""
1126 .
1127 $sid_in
1128 .
1129 "\"";
1130
1131 //Run the query. We don't much care whether it fails or succeeds (nothing to be done, anyway).
1132 mysql_query($query_string, $GLOBAL_dbhandle);
1133 }
1134 //
1135 //--------------------------------------------------------------------------------------------------------------
1136 //Gets the logicalpage integer associated with a session. Returns SESS_LPAGE_UNDEFINED if can't figure
1137 //out what that is.
1138 //
1139 function SESS_logicalpage_get($sid_in)
1140 {
1141 global $GLOBAL_dbhandle;
1142
1143 //Form the query string.
1144 $query_string = "SELECT logicalpage FROM sess WHERE sid=\""
1145 .
1146 mysql_real_escape_string($sid_in, $GLOBAL_dbhandle)
1147 .
1148 "\"";
1149
1150 //Execute the query.
1151 $result = mysql_query($query_string, $GLOBAL_dbhandle);
1152
1153 if ($result === FALSE)
1154 {
1155 //Unknown query failure. Return a result code to the caller indicating
1156 //don't know.
1157 return(SESS_LPAGE_UNDEFINED);
1158 }
1159 else
1160 {
1161 //Get the integer result.
1162 $row = mysql_fetch_array($result, MYSQL_NUM);
1163
1164 $rv = $row[0];
1165
1166 //Free the result.
1167 mysql_free_result($result);
1168
1169 //Return the appropriate.
1170 if($rv > 0)
1171 return($rv);
1172 else
1173 return(SESS_LPAGE_UNDEFINED);
1174 }
1175 }
1176 //
1177 //--------------------------------------------------------------------------------------------------------------
1178 //End of $RCSfile: sess.inc,v $.
1179 //--------------------------------------------------------------------------------------------------------------
1180 ?>

dashley@gmail.com
ViewVC Help
Powered by ViewVC 1.1.25