From 69e267fc8081a8d3f24eb52dc5c10cb5fbf638d8 Mon Sep 17 00:00:00 2001
From: Michael Elkin
Date: Fri, 27 May 2011 10:23:29 -0700
Subject: [PATCH] Adding default configuration variables Updated session_api for supporting autologout on session invalidation Updated session_api for supporting header client-address override
---
 config_defaults_inc.php | 25 +++++++++++++++++++++++++
 core/session_api.php | 35 ++++++++++++++++++++++++++++++-----
 2 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index fcab4c8..e67a22b 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -216,6 +216,31 @@
 $g_session_validation = ON;
 
 /**
+ * Session Validation Header
+ * Use this header instead of the client source address.
+ * Useful if this is deployed behind a proxy.
+ * This will be the "HTTP_*" parameter, eg: g_session_validation = 'X_FORWARDED_FOR'
+ * @global string $g_session_validation_header
+ */
+ $g_session_validation_header = '';
+
+ /**
+ * Session Validation Header Requirement
+ * Enables or disables the requirement as to whether the header
+ * must exist in client requests.
+ * If the system is accessed ONLY via proxy, then this should be enabled.
+ * @global bool $g_session_validation_header_required
+ */
+ $g_session_validation_header_required = OFF;
+
+ /**
+ * Session Validation Logout Option
+ * Alters default behavior to automatically log user out if session is invalidated.
+ * @global bool $g_session_autologout
+ */
+ $g_session_autologout = OFF;
+
+ /**
 * Form security validation.
 * This protects against Cross-Site Request Forgery, but some proxy servers may
 * not correctly work with this option enabled because they cache pages incorrectly.
diff --git a/core/session_api.php b/core/session_api.php
index c3c8ec8..1db720f 100644
--- a/core/session_api.php
+++ b/core/session_api.php
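Review bot: The example in the `$g_session_validation_header` docblock names the wrong variable — `eg: g_session_validation = 'X_FORWARDED_FOR'` should read `eg: g_session_validation_header = 'X_FORWARDED_FOR'`, since `$g_session_validation` is the unrelated ON/OFF switch two lines above. The docblock should also state that the header value comes from the client request and is only meaningful when a proxy in front of the application overwrites it on every request; where the application can be reached directly, the address check in session_validate is weakened rather than strengthened by trusting it. Suggest adding the line `* Only enable this if a trusted proxy sets or overwrites the header on every request; otherwise the value is client-controlled.` to that docblock.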
@@ -36,6 +36,13 @@
 require_once( 'gpc_api.php' );
 
 /**
+ * requires user_api
+ * requires authentication_api
+ */
+require_once( 'user_api.php' );
+require_once( 'authentication_api.php' );
+
+/**
 *
 * @global MantisPHPSession $g_session
 */
@@ -210,7 +217,19 @@ function session_init( $p_session_id=null ) {
 */
 function session_validate( $p_session ) {
 $t_user_ip = '';
- if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
+ # If a header is specified validate that:
+ # * If it is required, that it exists
+ # * That if it not required and present, that it is set
+ if ( config_get_global('session_validation_header') != '' ) {
+ $t_client_hdr = $_SERVER[ "HTTP_" . config_get_global('session_validation_header') ];
+ if ( config_get_global('session_validation_header_required') == ON && $t_client_hdr == '' ) {
+ $t_user_ip = 'ERROR';
+ }
+ else if ( $t_client_hdr != '' ) {
+ $t_user_ip = $t_client_hdr;
+ }
+ }
+ if ( $t_user-ip != '' && isset( $_SERVER['REMOTE_ADDR'] ) ) {
 $t_user_ip = trim( $_SERVER['REMOTE_ADDR'] );
 }
 
@@ -220,12 +239,18 @@ function session_validate( $p_session ) {
 }
 else {
 # Check a continued session request
- if ( $t_user_ip != $t_last_ip ) {
+ if ( $t_user_ip != $t_last_ip || $t_user_ip == 'ERROR' ) {
 session_clean();
-
+ $t_url = '';
+
+ if ( config_get_global( 'session_autologout') == ON ) {
+ $t_url = config_get_global( 'path' ) . 'logout_page.php';
+ auth_logout();
+ }
+ else {
+ $t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
+ }
 trigger_error( ERROR_SESSION_NOT_VALID, WARNING );
-
- $t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
 echo "\t\n";
 die();
--
1.7.4
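Review bot: The fallback condition in the new `if ( $t_user-ip != '' && isset( $_SERVER['REMOTE_ADDR'] ) )` is broken twice: `$t_user-ip` parses as `$t_user - ip` (an undefined variable minus an undefined constant), and even with the name corrected the test is inverted, so REMOTE_ADDR would be consulted only when a header value was already found and never in the default case where `session_validation_header` is empty — as written, `$t_user_ip` appears to stay empty for every request in that configuration. It should read `if ( $t_user_ip == '' && isset( $_SERVER['REMOTE_ADDR'] ) ) {`, which also keeps the `'ERROR'` sentinel from being overwritten by the client address. The lookup `$t_client_hdr = $_SERVER[ "HTTP_" . config_get_global('session_validation_header') ];` indexes `$_SERVER` without an `isset()` guard, so a request that lacks the header raises a notice before the required/optional logic runs; with `$t_key = 'HTTP_' . config_get_global( 'session_validation_header' );` the line can become `$t_client_hdr = isset( $_SERVER[ $t_key ] ) ? trim( $_SERVER[ $t_key ] ) : '';`, handling the missing header and trimming the value the same way the REMOTE_ADDR branch does. The body of session_validate continues outside this hunk.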
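Review bot: The `|| $t_user_ip == 'ERROR'` test is only evaluated on the continued-session path inside `else {`; the first-use branch above this hunk (not shown) presumably stores `$t_user_ip` as `last_ip` as-is, so a first request that lacks a required header would not be rejected here and the sentinel string would be persisted as the session's address. Checking for `'ERROR'` before the `$t_last_ip` branch — or rejecting at the point where the sentinel is assigned — would apply the header requirement to every request rather than only to the second and later ones. Separately, `config_get_global( 'session_autologout')` drops the space before `)` that the neighbouring `config_get_global( 'path' )` calls use. The closing braces of session_validate fall outside the hunk.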