From: skodak Date: Fri, 2 Jan 2009 23:49:29 +0000 (+0000) Subject: MDL-16613 refactore session IP tracking; MDL-14213 improved message when IP changes... X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=9bda43e6be95a5e7db9358da308a765b16b59b06;p=moodle.git MDL-16613 refactore session IP tracking; MDL-14213 improved message when IP changes; MDL-17754 SID is regenerated when terminating session and old session is deleted
---
diff --git a/lang/en_utf8/error.php b/lang/en_utf8/error.php
index 6da0e37a3c..198784ba03 100644
--- a/lang/en_utf8/error.php
+++ b/lang/en_utf8/error.php
@@ -400,6 +400,7 @@ $string['sessioncookiesdisable'] = 'Incorrect use of require_key_login() - sessi
 $string['sessionerroruser'] = 'Your session has timed out. Please login again.';
 $string['sessionerroruser2'] = 'A server error that affects your login session was detected. Please login again or restart your browser.';
 $string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
+$string['sessionipnomatch2'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. You may see this error if you use wireless networks or if you are roaming between different networks. Please ask the site administrator for more help.

If you want to continue please press F5 key to refresh this page.';
 $string['socksnotsupported'] = 'SOCKS5 proxy is not supported in PHP4';
 $string['spellcheckernotconf'] = 'Spellchecker not configured';
 $string['statscatchupmode'] = 'Statistics is currently in catchup mode. So far $a->daysdone day(s) have been processed and $a->dayspending are pending. Check back soon!';
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index c63a6bcd6e..bc8740afc6 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -268,6 +268,10 @@ define ('DEBUG_ALL', 6143);
 /** DEBUG_ALL with extra Moodle debug messages - (DEBUG_ALL | 32768) */
 define ('DEBUG_DEVELOPER', 38911);
+/** Get remote addr constant */
+define('GETREMOTEADDR_SKIP_HTTP_CLIENT_IP', '1');
+/** Get remote addr constant */
+define('GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR', '2');
 /// Blog access level constant declaration ///
 define ('BLOG_USER_LEVEL', 1);
@@ -3364,10 +3368,6 @@ function get_complete_user_data($field, $value, $mnethostid=null) {
 $user->lastname = ' ';
 }
- if (isset($_SERVER['REMOTE_ADDR'])) {
- $user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
- }
-
 return $user;
 }
@@ -7395,8 +7395,6 @@ function remoteip_in_list($list){
 *
 * @return string The remote IP address
 */
-define('GETREMOTEADDR_SKIP_HTTP_CLIENT_IP', '1');
-define('GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR', '2');
 function getremoteaddr() {
 global $CFG;
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index 470e7701be..7b8f87ff90 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -45,6 +45,8 @@ class moodle_session {
 }
 $this->check_user_initialised();
+
+ $this->check_security();
 }
 /**
@@ -95,11 +97,15 @@ class moodle_session {
 session_set_user($user);
 }
+ /**
+ * Does various session security checks
+ * @global void
+ */
 protected function check_security() {
 global $CFG;
- if (!empty($_SESSION['USER']->id)) {
- /// Make sure current IP matches the one for this session (if required)
+ if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) {
+ /// Make sure current IP matches the one for this session
 $remoteaddr = getremoteaddr();
 if (empty($_SESSION['USER']->sessionip)) {
@@ -107,15 +113,14 @@ class moodle_session {
 }
 if ($_SESSION['USER']->sessionip != $remoteaddr) {
- if (!is_guestuser($_SESSION['USER'])) {
- $link = '';
- } else {
-
- }
- print_error('sessionipnomatch', 'error');
+ // this is a security feature - terminate the session in case of any doubt
+ $this->terminate();
+ print_error('sessionipnomatch2', 'error');
 }
 }
+ // TODO: add wwwroot check here
+
 }
 /**
@@ -138,11 +143,12 @@ class moodle_session {
 $line = null;
 if (headers_sent($file, $line)) {
 error_log('Can not terminate session properly - headers were already sent in file: '.$file.' on line '.$line);
- } else {
- // TODO: regenerate session ID here
- }
+ // now let's try to get a new session id and destroy the old one
+ @session_regenerate_id(true);
+
+ // close the session
 @session_write_close();
 }
diff --git a/lib/setup.php b/lib/setup.php
index bf9e4ff335..3b17dace89 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -386,11 +386,7 @@ global $HTTPSPAGEREQUIRED;
 }
 }
-/// start session and prepare global $SESSION, $USER
- session_get_instance();
- $SESSION = &$_SESSION['SESSION'];
- $USER = &$_SESSION['USER'];
-
+/// initialise ME's
 if (defined('FULLME')) { // Usually in command-line scripts like admin/cron.php
 $FULLME = FULLME;
 $ME = FULLME;
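Review bot: The docblock added above check_security() carries `@global void`, which is not a valid use of the tag — the very next statement is `global $CFG`, so it should read `@global object $CFG`, and the docblock should state the new precondition the `if` introduces, e.g. `* Only active when $CFG->tracksessionip is set; otherwise the IP binding is skipped entirely.` The value compared against the stored address comes from getremoteaddr(), and judging by the GETREMOTEADDR_SKIP_HTTP_CLIENT_IP / GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR constants this patch moves in moodlelib.php, that function appears to consult client-supplied proxy headers unless configured to skip them, so the binding is only as strong as that source; a comment on the `$remoteaddr = getremoteaddr();` line, `// NOTE: only as trustworthy as getremoteaddr()'s source (proxy headers may be client-controlled)`, would keep that visible to maintainers. check_security() continues past the end of this hunk.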
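Review bot: `@session_regenerate_id(true)` in the terminate() hunk suppresses the warning PHP raises when the id cannot be regenerated — including the headers-already-sent case the preceding branch has just logged — so a failed regeneration leaves no trace while the comment above it promises a new id. Check the return value and log it in the same style as the existing error_log call: `if (!@session_regenerate_id(true)) { error_log('Can not regenerate session id'); }`. It is also worth a one-line comment that the `true` argument deletes the old session data even when the new cookie never reaches the browser, which is the fail-closed outcome MDL-17754 asks for: `// old session data is removed even if the new id can not be sent to the client`. terminate() starts before this hunk.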
@@ -399,6 +395,11 @@ global $HTTPSPAGEREQUIRED;
 $ME = strip_querystring($FULLME);
 }
+/// start session and prepare global $SESSION, $USER
+ session_get_instance();
+ $SESSION = &$_SESSION['SESSION'];
+ $USER = &$_SESSION['USER'];
+
 /// Load up theme variables (colours etc)
 if (!isset($CFG->themedir)) {
diff --git a/lib/weblib.php b/lib/weblib.php
index 464e6c8afb..12b970a482 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -5925,7 +5925,7 @@ function _print_early_error($errorcode, $module, $a, $backtrace=null, $debuginfo
 if (debugging('', DEBUG_DEVELOPER)) {
 if ($debuginfo) {
 debugging($debuginfo, DEBUG_DEVELOPER, $backtrace);
- } else {
+ } else if ($backtrace) {
 notify('Stack trace:'.print_backtrace($backtrace, true), 'notifytiny');
 }
 }