2012-06-04 16:58:40 +02:00
|
|
|
<?php
|
|
|
|
|
/*
|
|
|
|
|
FusionPBX
|
|
|
|
|
Version: MPL 1.1
|
|
|
|
|
|
|
|
|
|
The contents of this file are subject to the Mozilla Public License Version
|
|
|
|
|
1.1 (the "License"); you may not use this file except in compliance with
|
|
|
|
|
the License. You may obtain a copy of the License at
|
|
|
|
|
http://www.mozilla.org/MPL/
|
|
|
|
|
|
|
|
|
|
Software distributed under the License is distributed on an "AS IS" basis,
|
|
|
|
|
WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
|
|
|
for the specific language governing rights and limitations under the
|
|
|
|
|
License.
|
|
|
|
|
|
|
|
|
|
The Original Code is FusionPBX
|
|
|
|
|
|
|
|
|
|
The Initial Developer of the Original Code is
|
|
|
|
|
Mark J Crane <markjcrane@fusionpbx.com>
|
2025-02-06 02:09:08 +01:00
|
|
|
Portions created by the Initial Developer are Copyright (C) 2008-2025
|
2012-06-04 16:58:40 +02:00
|
|
|
the Initial Developer. All Rights Reserved.
|
|
|
|
|
|
|
|
|
|
Contributor(s):
|
|
|
|
|
Mark J Crane <markjcrane@fusionpbx.com>
|
|
|
|
|
*/
|
2020-07-28 23:47:36 +02:00
|
|
|
|
2023-06-15 19:28:23 +02:00
|
|
|
//includes files
|
|
|
|
|
require_once __DIR__ . "/require.php";
|
2013-09-01 08:40:28 +02:00
|
|
|
|
2017-06-10 06:13:51 +02:00
|
|
|
//add multi-lingual support
|
|
|
|
|
$language = new text;
|
2017-06-10 17:22:24 +02:00
|
|
|
$text = $language->get(null, 'resources');
|
2017-06-10 06:13:51 +02:00
|
|
|
|
|
|
|
|
//for compatibility require this library if less than version 5.5
|
2013-09-01 08:40:28 +02:00
|
|
|
if (version_compare(phpversion(), '5.5', '<')) {
|
|
|
|
|
require_once "resources/functions/password.php";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//start the session
|
2024-01-22 22:20:28 +01:00
|
|
|
if (function_exists('session_start')) {
|
2023-09-11 09:45:19 +02:00
|
|
|
if (!isset($_SESSION)) {
|
|
|
|
|
session_start();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//regenerate sessions to avoid session id attacks such as session fixation
|
2024-09-03 06:48:02 +02:00
|
|
|
if (isset($_SESSION['authorized']) && $_SESSION['authorized']) {
|
2024-09-04 20:37:06 +02:00
|
|
|
//set the last activity time
|
2023-09-11 09:45:19 +02:00
|
|
|
$_SESSION['session']['last_activity'] = time();
|
2024-09-04 20:37:06 +02:00
|
|
|
|
|
|
|
|
//if session created is not set then set the time
|
2023-09-11 09:45:19 +02:00
|
|
|
if (!isset($_SESSION['session']['created'])) {
|
|
|
|
|
$_SESSION['session']['created'] = time();
|
2024-09-04 20:37:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//check the elapsed time if exceeds limit then rotate the session
|
|
|
|
|
if (time() - $_SESSION['session']['created'] > 900) {
|
2024-09-03 06:48:02 +02:00
|
|
|
|
|
|
|
|
//build the user log array
|
2024-09-04 20:37:06 +02:00
|
|
|
$log_array['domain_uuid'] = $_SESSION['user']['domain_uuid'];
|
|
|
|
|
$log_array['domain_name'] = $_SESSION['user']['domain_name'];
|
|
|
|
|
$log_array['username'] = $_SESSION['user']['username'];
|
|
|
|
|
$log_array['user_uuid'] = $_SESSION['user']['user_uuid'];
|
2024-09-03 06:48:02 +02:00
|
|
|
$log_array['authorized'] = true;
|
|
|
|
|
|
2024-09-04 20:37:06 +02:00
|
|
|
//session started more than 15 minutes
|
|
|
|
|
session_regenerate_id(true);
|
|
|
|
|
|
|
|
|
|
// update creation time
|
|
|
|
|
$_SESSION['session']['created'] = time();
|
|
|
|
|
|
2024-09-03 06:48:02 +02:00
|
|
|
//add the result to the user logs
|
|
|
|
|
user_logs::add($log_array);
|
2023-09-11 09:45:19 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//set the domains session
|
|
|
|
|
if (!isset($_SESSION['domains'])) {
|
|
|
|
|
$domain = new domains();
|
|
|
|
|
$domain->session();
|
|
|
|
|
$domain->set();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//set the domain_uuid variable from the session
|
|
|
|
|
if (!empty($_SESSION["domain_uuid"])) {
|
|
|
|
|
$domain_uuid = $_SESSION["domain_uuid"];
|
|
|
|
|
}
|
2012-06-04 16:58:40 +02:00
|
|
|
|
2016-12-12 07:37:59 +01:00
|
|
|
//define variables
|
|
|
|
|
if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }
|
|
|
|
|
|
2024-01-22 22:20:28 +01:00
|
|
|
//if session authorized is not set then set the default value to false
|
|
|
|
|
if (!isset($_SESSION['authorized'])) {
|
|
|
|
|
$_SESSION['authorized'] = false;
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-24 07:11:28 +01:00
|
|
|
//session validate: use HTTP_USER_AGENT as a default value
|
|
|
|
|
if (!isset($conf['session.validate'])) {
|
|
|
|
|
$conf['session.validate'][] = 'HTTP_USER_AGENT';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//session validate: prepare the server array
|
|
|
|
|
foreach($conf['session.validate'] as $name) {
|
|
|
|
|
$server_array[$name] = $_SERVER[$name];
|
|
|
|
|
}
|
2024-02-21 23:04:09 +01:00
|
|
|
unset($name);
|
2024-01-24 07:11:28 +01:00
|
|
|
|
|
|
|
|
//session validate: check to see if the session is valid
|
|
|
|
|
if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
|
2024-01-22 22:20:28 +01:00
|
|
|
session_destroy();
|
2024-01-23 07:45:00 +01:00
|
|
|
header("Location: ".PROJECT_PATH."/logout.php");
|
2024-01-22 22:20:28 +01:00
|
|
|
}
|
|
|
|
|
|
2023-04-16 09:10:39 +02:00
|
|
|
//if the session is not authorized then verify the identity
|
2024-01-22 22:20:28 +01:00
|
|
|
if (!$_SESSION['authorized']) {
|
2015-03-17 15:44:09 +01:00
|
|
|
|
2012-06-04 16:58:40 +02:00
|
|
|
//clear the menu
|
2018-06-06 07:36:24 +02:00
|
|
|
unset($_SESSION["menu"]);
|
2012-06-04 16:58:40 +02:00
|
|
|
|
|
|
|
|
//clear the template only if the template has not been assigned by the superadmin
|
2023-05-05 18:46:37 +02:00
|
|
|
if (empty($_SESSION['domain']['template']['name'])) {
|
2012-06-04 16:58:40 +02:00
|
|
|
$_SESSION["template_content"] = '';
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-11 07:13:08 +02:00
|
|
|
//validate the username and password
|
|
|
|
|
$auth = new authentication;
|
|
|
|
|
$result = $auth->validate();
|
2021-04-01 04:54:23 +02:00
|
|
|
|
2023-04-16 09:10:39 +02:00
|
|
|
//if not authorized
|
2023-06-27 04:31:25 +02:00
|
|
|
if (empty($_SESSION['authorized']) || !$_SESSION['authorized']) {
|
2023-04-16 09:10:39 +02:00
|
|
|
//log the failed auth attempt to the system to the syslog server
|
2025-02-06 02:09:08 +01:00
|
|
|
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
|
|
|
|
|
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
|
|
|
|
|
closelog();
|
2018-06-06 07:36:24 +02:00
|
|
|
|
2012-06-04 16:58:40 +02:00
|
|
|
//redirect the user to the login page
|
2025-02-06 02:09:08 +01:00
|
|
|
$target_path = !empty($_REQUEST["path"]) ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
|
|
|
|
|
message::add($text['message-authentication_failed'], 'negative');
|
|
|
|
|
header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path));
|
|
|
|
|
exit;
|
2012-06-04 16:58:40 +02:00
|
|
|
}
|
|
|
|
|
|
2021-08-01 06:55:48 +02:00
|
|
|
//if logged in, redirect to login destination
|
2021-08-05 06:38:48 +02:00
|
|
|
if (!isset($_REQUEST["key"])) {
|
2025-02-06 02:09:08 +01:00
|
|
|
|
|
|
|
|
//create database object
|
|
|
|
|
$database = database::new();
|
|
|
|
|
|
|
|
|
|
//connect to the settings object
|
|
|
|
|
$settings = new settings(['database' => $database, 'domain_uuid' => $domain_uuid, 'user_uuid' => $user_uuid]);
|
|
|
|
|
|
|
|
|
|
//redirect the user
|
2022-03-11 04:10:16 +01:00
|
|
|
if (isset($_SESSION['redirect_path'])) {
|
|
|
|
|
$redirect_path = $_SESSION['redirect_path'];
|
|
|
|
|
unset($_SESSION['redirect_path']);
|
2025-02-06 02:09:08 +01:00
|
|
|
|
2022-03-11 04:10:16 +01:00
|
|
|
// prevent open redirect attacks. redirect url shouldn't contain a hostname
|
|
|
|
|
$parsed_url = parse_url($redirect_path);
|
|
|
|
|
if ($parsed_url['host']) {
|
|
|
|
|
die("Was someone trying to hack you?");
|
|
|
|
|
}
|
|
|
|
|
header("Location: ".$redirect_path);
|
2025-02-06 02:09:08 +01:00
|
|
|
exit;
|
2022-03-11 04:10:16 +01:00
|
|
|
}
|
2025-02-06 02:09:08 +01:00
|
|
|
elseif (!empty($settings->get('login', 'destination', ''))) {
|
|
|
|
|
header("Location: ".$settings->get('login', 'destination', ''));
|
|
|
|
|
exit;
|
2023-04-16 09:10:39 +02:00
|
|
|
}
|
|
|
|
|
elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {
|
2021-11-10 16:27:53 +01:00
|
|
|
header("Location: ".PROJECT_PATH."/core/dashboard/");
|
2025-02-06 02:09:08 +01:00
|
|
|
exit;
|
2021-08-05 06:38:48 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
require_once "resources/header.php";
|
|
|
|
|
require_once "resources/footer.php";
|
|
|
|
|
}
|
2021-08-01 06:55:48 +02:00
|
|
|
}
|
2021-08-05 06:38:48 +02:00
|
|
|
|
2012-06-04 16:58:40 +02:00
|
|
|
}
|
|
|
|
|
|
2019-09-24 21:51:38 +02:00
|
|
|
?>
|
