
Enhancement : new configuration option (secure_connection_required) to force the use of HTTPS to connect to iTop. The redirection http -> https is still buggy but the usage of https is enforced anyway.

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@324 a333f486-631f-4898-b8df-5754b55c2be0
dflaven 15 năm trước cách đây
mục cha
commit
071750dee7
3 tập tin đã thay đổi với 72 bổ sung16 xóa
  1. 36 7
      application/loginwebpage.class.inc.php
  2. 17 9
      application/utils.inc.php
  3. 19 0
      core/config.class.inc.php

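--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -75,21 +75,50 @@ h1 {
 		}		
 		// Finally, destroy the session.
 		session_destroy();
+	}
+
+	static function SecureConnectionRequired()
+	{
+		$oConfig = new Config(ITOP_CONFIG_FILE);
+		return $oConfig->GetSecureConnectionRequired();
+	}
+
+	static function IsConnectionSecure()
+	{
+		$bSecured = false;
+
+		if ( !empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS']!= 'off') )
+		{
+			$bSecured = true;
+		}
+		return $bSecured;
 	}
 	
 	static function DoLogin()
 	{
-		$operation = utils::ReadParam('loginop', '');
+		if (self::SecureConnectionRequired() && !self::IsConnectionSecure())
+		{
+			// Non secured URL... redirect to a secured one
+			$sUrl = Utils::GetAbsoluteUrl(true /* query string */, true /* force HTTPS */);
+			header("Location: $sUrl");			
+			exit;
+		}
+		$operation = utils::ReadParam('loginop', '');
 		session_start();
 
 		if ($operation == 'logoff')
 		{
 			self::ResetSession();
 		}
-		
+	
 		if (!isset($_SESSION['auth_user']) || !isset($_SESSION['auth_pwd']))
 		{
-			if ($operation == 'login')
+			if ($operation == 'loginurl')
+			{
+				$sAuthUser = utils::ReadParam('auth_user', '', 'get');
+				$sAuthPwd = utils::ReadParam('auth_pwd', '', 'get');
+			}
+			else if ($operation == 'login')
 			{
 				$sAuthUser = utils::ReadParam('auth_user', '', 'post');
 				$sAuthPwd = utils::ReadParam('auth_pwd', '', 'post');
@@ -106,9 +135,9 @@ h1 {
 		{
 			$sAuthUser = $_SESSION['auth_user'];
 			$sAuthPwd = $_SESSION['auth_pwd'];
-		}
+		}
 		if (!UserRights::Login($sAuthUser, $sAuthPwd))
-		{
+		{
 			self::ResetSession();
 			$oPage = new LoginWebPage();
 			$oPage->DisplayLoginForm( true /* failed attempt */);
@@ -119,8 +148,8 @@ h1 {
 		{
 			$_SESSION['auth_user'] = $sAuthUser ;
 			$_SESSION['auth_pwd'] = $sAuthPwd;
-			
-		}
+		
+		}
 	}
 } // End of class
 ?>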
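Review bot: The new `loginurl` branch in DoLogin reads `auth_user` and `auth_pwd` from the GET query string, so the password ends up in web-server access logs, browser history and any Referer header sent from the landing page; and because the HTTPS redirect added at the top of DoLogin rebuilds the URL with `GetAbsoluteUrl(true /* query string */, true /* force HTTPS */)`, a `loginurl` request that arrived over plain HTTP has already exposed the password before the enforcement takes effect. Consider honouring `loginurl` only when `self::IsConnectionSecure()` is already true, or at least marking the branch: `// 'loginurl' takes credentials from the query string: they are recorded in access logs, browser history and Referer headers`. IsConnectionSecure() relies solely on `$_SERVER['HTTPS']`; behind a TLS-terminating reverse proxy that variable is typically not set, which would presumably send the forced-https request straight back into the same redirect — likely the loop the commit message mentions, so the check may need a deployment-specific hook. The body of DoLogin continues past the end of the hunk.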

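--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -153,18 +153,26 @@ class utils
      * @param $bQueryString bool True to also get the query string, false otherwise
      * @return string The absolute URL to the current page
      */                   
-	static public function GetAbsoluteUrl($bQueryString = true)
+	static public function GetAbsoluteUrl($bQueryString = true, $bForceHTTPS = false)
 	{
 		// Build an absolute URL to this page on this server/port
-		$sServerName = $_SERVER['SERVER_NAME'];
-		$sProtocol = isset($_SERVER['HTTPS']) ? 'https' : 'http';
-		if ($sProtocol == 'http')
-		{
-			$sPort = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT'];
+		$sServerName = $_SERVER['SERVER_NAME'];
+		if ($bForceHTTPS)
+		{
+			$sProtocol = 'https';
+			$sPort = '';
 		}
-		else
-		{
-			$sPort = ($_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT'];
+		else
+		{
+			$sProtocol = isset($_SERVER['HTTPS']) ? 'https' : 'http';
+			if ($sProtocol == 'http')
+			{
+				$sPort = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT'];
+			}
+			else
+			{
+				$sPort = ($_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT'];
+			}
 		}
 		// $_SERVER['REQUEST_URI'] is empty when running on IIS
 		// Let's use Ivan Tcholakov's fix (found on www.dokeos.com)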
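Review bot: The docblock above GetAbsoluteUrl still documents only `$bQueryString`, so the new `$bForceHTTPS` parameter and its side effect — the forced branch sets `$sPort = ''`, silently assuming HTTPS is served on 443 even when the site listens on another port — go undocumented; add `@param $bForceHTTPS bool True to build an https:// URL regardless of the current scheme (port is omitted, i.e. 443 is assumed)`. The scheme detection kept in the else branch, `isset($_SERVER['HTTPS']) ? 'https' : 'http'`, treats `HTTPS=off` as secure, whereas LoginWebPage::IsConnectionSecure added in the same commit explicitly excludes `'off'`; routing both through one helper would stop the two checks from disagreeing. The redirect target is built from `$_SERVER['SERVER_NAME']`, which on some server configurations mirrors the client-supplied Host header, and since that value now feeds a `Location:` header it is worth confirming the web server is configured with a canonical server name. GetAbsoluteUrl continues past the end of the hunk.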

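--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -20,6 +20,7 @@ define ('DEFAULT_MIN_DISPLAY_LIMIT', 10);
 define ('DEFAULT_MAX_DISPLAY_LIMIT', 15);
 define ('DEFAULT_STANDARD_RELOAD_INTERVAL', 5*60);
 define ('DEFAULT_FAST_RELOAD_INTERVAL', 1*60);
+define ('DEFAULT_SECURE_CONNECTION_REQUIRED', false);
 
 class Config
 {
@@ -54,6 +55,11 @@ class Config
 	 */	 	
 	protected $m_iFastReloadInterval;
 	
+	/**
+	 * @var boolean Whether or not a secure connection is required for using the application
+	 */	 	
+	protected $m_bSecureConnectionRequired;
+
 	public function __construct($sConfigFile, $bLoadConfig = true)
 	{
 		$this->m_sFile = $sConfigFile;
@@ -70,6 +76,7 @@ class Config
 		$this->m_iMaxDisplayLimit = DEFAULT_MAX_DISPLAY_LIMIT;
 		$this->m_iStandardReloadInterval = DEFAULT_STANDARD_RELOAD_INTERVAL;
 		$this->m_iFastReloadInterval = DEFAULT_FAST_RELOAD_INTERVAL;
+		$this->m_bSecureConnectionRequired = DEFAULT_SECURE_CONNECTION_REQUIRED;
 		if ($bLoadConfig)
 		{
 			$this->Load($sConfigFile);
@@ -151,6 +158,7 @@ class Config
 		$this->m_iMaxDisplayLimit = isset($MySettings['max_display_limit']) ? trim($MySettings['max_display_limit']) : DEFAULT_MAX_DISPLAY_LIMIT;
 		$this->m_iStandardReloadInterval = isset($MySettings['standard_reload_interval']) ? trim($MySettings['standard_reload_interval']) : DEFAULT_STANDARD_RELOAD_INTERVAL;
 		$this->m_iFastReloadInterval = isset($MySettings['fast_reload_interval']) ? trim($MySettings['fast_reload_interval']) : DEFAULT_FAST_RELOAD_INTERVAL;
+		$this->m_bSecureConnectionRequired = isset($MySettings['secure_connection_required']) ? trim($MySettings['secure_connection_required']) : DEFAULT_SECURE_CONNECTION_REQUIRED;
 	}
 
 	protected function Verify()
@@ -229,6 +237,11 @@ class Config
 		return $this->m_iFastReloadInterval;
 	}
 
+	public function GetSecureConnectionRequired()
+	{
+		return $this->m_bSecureConnectionRequired;
+	}
+
 	public function SetDBHost($sDBHost)
 	{
 		$this->m_sDBHost = $sDBHost;
@@ -274,6 +287,11 @@ class Config
 		$this->m_iFastReloadInterval = $iFastReloadInterval;
 	}
 
+	public function SetSecureConnectionRequired($bSecureConnectionRequired)
+	{
+		$this->m_bSecureConnectionRequired = $bSecureConnectionRequired;
+	}
+
 	public function FileIsWritable()
 	{
 		return is_writable($this->m_sFile);
@@ -315,6 +333,7 @@ class Config
 			fwrite($hFile, "\t'max_display_limit' => {$this->m_iMaxDisplayLimit},\n");
 			fwrite($hFile, "\t'standard_reload_interval' => {$this->m_iStandardReloadInterval},\n");
 			fwrite($hFile, "\t'fast_reload_interval' => {$this->m_iFastReloadInterval},\n");
+			fwrite($hFile, "\t'secure_connection_required' => ".($this->m_bSecureConnectionRequired ? 'true' : 'false').",\n");
 			fwrite($hFile, ");\n");
 			
 			fwrite($hFile, "\n/**\n");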
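Review bot: In the Load hunk (`@@ -151,6 +158,7 @@`) the new setting is stored as `trim($MySettings['secure_connection_required'])`, which converts a boolean `true` to the string `'1'` and `false` to `''`, and turns a hand-edited `'false'`, `'no'` or `'off'` into a non-empty, truthy string — so the getter consulted by LoginWebPage::DoLogin can report HTTPS as required when the administrator meant the opposite (or vice versa). Since the writer hunk at the end emits a literal `true`/`false`, parse the value as a boolean instead of trimming it, e.g. `$this->m_bSecureConnectionRequired = isset($MySettings['secure_connection_required']) ? filter_var($MySettings['secure_connection_required'], FILTER_VALIDATE_BOOLEAN) : DEFAULT_SECURE_CONNECTION_REQUIRED;`, which accepts both the boolean and the common string spellings. The `@var boolean` docblock on the new property would also usefully state that the default is `DEFAULT_SECURE_CONNECTION_REQUIRED` (false), so readers know the enforcement is opt-in. The Load and Write bodies both extend beyond their hunks.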