yetangitu/ampache
1
0
Fork 0
mirror of https://github.com/Yetangitu/ampache synced 2025-10-03 17:59:21 +02:00
Code Issues Releases Wiki Activity

Move sessiony things from vauth into Session

Browse source
This commit is contained in:
Paul Arthur 2013-01-28 16:57:34 -05:00
parent c570bb7794
commit 58a3ab692e
7 changed files with 461 additions and 419 deletions
Download patch file Download diff file Expand all files Collapse all files

6
image.php
View file

@ -33,8 +33,8 @@ define('NO_SESSION','1');
require_once 'lib/init.php'; require_once 'lib/init.php';
// Check to see if they've got an interface session or a valid API session, if not GTFO // Check to see if they've got an interface session or a valid API session, if not GTFO
if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')]) AND !vauth::session_exists('api',$_REQUEST['auth']) AND !vauth::session_exists('xml-rpc',$_REQUEST['auth'])) { if (!Session::exists('interface', $_COOKIE[Config::get('session_name')]) AND !Session::exists('api', $_REQUEST['auth']) AND !Session::exists('xml-rpc', $_REQUEST['auth'])) {
debug_event('DENIED','Image Access, Checked Cookie Session:' . $_COOKIE[Config::get('session_name')] . ' and Auth:' . $_REQUEST['auth'],'1'); debug_event('image','Access denied, checked cookie session:' . $_COOKIE[Config::get('session_name')] . ' and auth:' . $_REQUEST['auth'], 1);
exit; exit;
} }
@ -77,7 +77,7 @@ switch ($_GET['type']) {
break; break;
// If we need to pull the data out of the session // If we need to pull the data out of the session
case 'session': case 'session':
vauth::check_session(); Session::check();
$filename = scrub_in($_REQUEST['image_index']); $filename = scrub_in($_REQUEST['image_index']);
$image = Art::get_from_source($_SESSION['form']['images'][$filename], 'album'); $image = Art::get_from_source($_SESSION['form']['images'][$filename], 'album');
$mime = $_SESSION['form']['images'][$filename]['mime']; $mime = $_SESSION['form']['images'][$filename]['mime'];

6
lib/class/api.class.php
View file

@ -171,7 +171,7 @@ class Api {
$data['username'] = $client->username; $data['username'] = $client->username;
$data['type'] = 'api'; $data['type'] = 'api';
$data['value'] = $timestamp; $data['value'] = $timestamp;
$token = vauth::session_create($data); $token = Session::create($data);
// Insert the token into the streamer // Insert the token into the streamer
Stream::insert_session($token,$client->id); Stream::insert_session($token,$client->id);
@ -236,8 +236,8 @@ class Api {
$xmldata = array('server'=>Config::get('version'),'version'=>Api::$version,'compatible'=>'350001'); $xmldata = array('server'=>Config::get('version'),'version'=>Api::$version,'compatible'=>'350001');
// Check and see if we should extend the api sessions (done if valid sess is passed) // Check and see if we should extend the api sessions (done if valid sess is passed)
if (vauth::session_exists('api', $input['auth'])) { if (Session::exists('api', $input['auth'])) {
vauth::session_extend($input['auth']); Session::extend($input['auth']);
$xmldata = array_merge(array('session_expire'=>date("c",time()+Config::get('session_length')-60)),$xmldata); $xmldata = array_merge(array('session_expire'=>date("c",time()+Config::get('session_length')-60)),$xmldata);
} }

423
lib/class/session.class.php Normal file
View file

@ -0,0 +1,423 @@
<?php
/* vim:set softtabstop=4 shiftwidth=4 expandtab: */
/**
*
* LICENSE: GNU General Public License, version 2 (GPLv2)
* Copyright 2001 - 2013 Ampache.org
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License v2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
/**
*
* This class handles all of the session related stuff in Ampache
*
*/
class Session {
/**
* Constructor
* This should never be called
*/
private function __construct() {
// Rien a faire
} // __construct
/**
* open
*
* This function is for opening a new session so we just verify that we
* have a database connection, nothing more is needed.
*/
public static function open($save_path, $session_name) {
if (!is_resource(Dba::dbh())) {
debug_event('session', 'Error: no database connection session failed', 1);
return false;
}
return true;
}
/**
* close
*
* This is run on the end of a session, nothing to do here for now.
*/
public static function close() {
return true;
}
/**
* write
*
* This saves the session information into the database.
*/
public static function write($key, $value) {
if (defined('NO_SESSION_UPDATE')) { return true; }
$length = Config::get('session_length');
$value = Dba::escape($value);
$key = Dba::escape($key);
// Check to see if remember me cookie is set, if so use remember
// length, otherwise use the session length
$expire = isset($_COOKIE[Config::get('session_name') . '_remember'])
? time() + Config::get('remember_length')
: time() + Config::get('session_length');
$sql = "UPDATE `session` SET `value`='$value', " .
"`expire`='$expire' WHERE `id`='$key'";
$db_results = Dba::read($sql);
debug_event('session', 'Writing to ' . $key . ' with expire ' . $expire . ' ' . Dba::error(), 6);
return $db_results;
}
/**
* destroy
*
* This removes the specified session from the database.
*/
public static function destroy($key) {
$key = Dba::escape($key);
if (!strlen($key)) { return false; }
// Remove anything and EVERYTHING
$sql = "DELETE FROM `session` WHERE `id`='$key'";
$db_results = Dba::write($sql);
debug_event('SESSION', 'Deleting Session with key:' . $key, '6');
// Destroy our cookie!
setcookie(Config::get('session_name'), '', time() - 86400);
return true;
}
/**
* gc
*
* This function is randomly called and it cleans up the spoo
*/
public static function gc($maxlifetime) {
$sql = "DELETE FROM `session` WHERE `expire` < '" . time() . "'";
$db_results = Dba::write($sql);
// Also clean up things that use sessions as keys
Query::gc();
Tmp_Playlist::gc();
return true;
}
/**
* read
*
* This takes a key and returns the data from the database.
*/
public static function read($key) {
return self::_read($key, 'value');
}
/**
* _read
*
* This returns the specified column from the session row.
*/
private static function _read($key, $column) {
$key = Dba::escape($key);
$sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '" . time() . "'";
$db_results = Dba::read($sql);
if ($results = Dba::fetch_assoc($db_results)) {
return $results[$column];
}
debug_event('session', 'Unable to read session from key ' . $key . ' no data found', 5);
return '';
}
/**
* username
*
* This returns the username associated with a session ID, if any
*/
public static function username($key) {
return self::_read($key, 'user');
}
/**
* create
* This is called when you want to create a new session
* it takes care of setting the initial cookie, and inserting the first
* chunk of data, nifty ain't it!
*/
public static function create($data) {
// Regenerate the session ID to prevent fixation
switch ($data['type']) {
case 'xml-rpc':
case 'api':
$key = md5(uniqid(rand(), true));
break;
case 'mysql':
default:
session_regenerate_id();
// Before refresh we don't have the cookie so we
// have to use session ID
$key = session_id();
break;
} // end switch on data type
$username = Dba::escape($data['username']);
$ip = $_SERVER['REMOTE_ADDR']
? Dba::escape(inet_pton($_SERVER['REMOTE_ADDR']))
: '0';
$type = Dba::escape($data['type']);
$value = Dba::escape($data['value']);
$agent = Dba::escape(substr($_SERVER['HTTP_USER_AGENT'], 0, 254));
$expire = Dba::escape(time() + Config::get('session_length'));
if (!strlen($value)) { $value = ' '; }
/* Insert the row */
$sql = "INSERT INTO `session` (`id`,`username`,`ip`,`type`,`agent`,`value`,`expire`) " .
" VALUES ('$key','$username','$ip','$type','$agent','$value','$expire')";
$db_results = Dba::write($sql);
if (!$db_results) {
debug_event('session', 'Session creation failed', 1);
return false;
}
debug_event('session', 'Session created:' . $key, 5);
return $key;
}
/**
* check
*
* This checks for an existing session. If it's still valid we go ahead
* and start it and return true.
*/
public static function check() {
$session_name = Config::get('session_name');
// No cookie no go!
if (!isset($_COOKIE[$session_name])) { return false; }
// Check for a remember me
if (isset($_COOKIE[$session_name . '_remember'])) {
self::create_remember_cookie();
}
// Set up the cookie params before we start the session.
// This is vital
session_set_cookie_params(
Config::get('cookie_life'),
Config::get('cookie_path'),
Config::get('cookie_domain'),
Config::get('cookie_secure'));
// Set name
session_name($session_name);
// Ungimp IE and go
self::ungimp_ie();
session_start();
return true;
}
/**
* exists
*
* This checks to see if the specified session of the specified type
* exists, it also provides an array of keyed data that may be required
* based on the type.
*/
public static function exists($type, $key, $data=array()) {
// Switch on the type they pass
switch ($type) {
case 'xml-rpc':
case 'api':
$key = Dba::escape($key);
$time = time();
$sql = "SELECT * FROM `session` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `type`='$type'";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
case 'interface':
$key = Dba::escape($key);
$time = time();
// Build a list of enabled authentication types
$types = Config::get('auth_methods');
if (!Config::get('use_auth')) {
$types[] = '';
}
$enabled_types = implode("','", $types);
$sql = "SELECT * FROM `session` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `type` IN('$enabled_types')";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
case 'stream':
$key = Dba::escape($key);
$ip = Dba::escape(inet_pton($data['ip']));
$agent = Dba::escape($data['agent']);
$sql = "SELECT * FROM `session_stream` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `ip`='$ip' AND `agent`='$agent'";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
default:
return false;
break;
} // type
// Default to false
return false;
}
/**
* extend
*
* This takes a SID and extends its expiration.
*/
public static function extend($sid) {
$time = time();
$sid = Dba::escape($sid);
$expire = isset($_COOKIE[Config::get('session_name') . '_remember'])
? $time + Config::get('remember_length')
: $time + Config::get('session_length');
$sql = "UPDATE `session` SET `expire`='$expire' WHERE `id`='$sid'";
if ($db_results = Dba::write($sql)) {
debug_event('session', $sid . ' has been extended to ' . date('r', $expire) . ' extension length ' . ($expire - $time), 5);
}
return $db_results;
}
/**
* _auto_init
* This function is called when the object is included, this sets up the
* session_save_handler
*/
public static function _auto_init() {
if (!function_exists('session_start')) {
header("Location:" . Config::get('web_path') . "/test.php");
exit;
}
session_set_save_handler(
array('Session', 'open'),
array('Session', 'close'),
array('Session', 'read'),
array('Session', 'write'),
array('Session', 'destroy'),
array('Session', 'gc'));
}
/**
* create_cookie
*
* This is separated into its own function because of some flaws in
* specific webservers *cough* IIS *cough* which prevent us from setting
* a cookie at the same time as a header redirect. As such on view of a
* login a cookie is set with the proper name
*/
public static function create_cookie() {
// Set up the cookie prefs before we throw down, this is very important
$cookie_life = Config::get('cookie_life');
$cookie_path = Config::get('cookie_path');
$cookie_domain = false;
$cookie_secure = Config::get('cookie_secure');
session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure);
session_name(Config::get('session_name'));
/* Start the session */
self::ungimp_ie();
session_start();
}
/**
* create_remember_cookie
*
* This function just creates the remember me cookie, nothing special
*/
public static function create_remember_cookie() {
$remember_length = Config::get('remember_length');
$session_name = Config::get('session_name');
Config::set('cookie_life', $remember_length, true);
setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars", time() + $remember_length, '/');
}
/**
* ungimp_ie
* This function sets the cache limiting to public if you are running
* some flavor of IE. The detection used here is very conservative so
* feel free to fix it. This only has to be done if we're rolling HTTPS.
*/
public static function ungimp_ie() {
// If no https, no ungimpage required
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'on') {
return true;
}
// Try to detect IE
$agent = trim($_SERVER['HTTP_USER_AGENT']);
if ((strpos($agent, 'MSIE') !== false) ||
(strpos($agent,'Internet Explorer/') !== false)) {
session_cache_limiter('public');
}
return true;
} // ungimp_ie
}
?>

393
lib/class/vauth.class.php
View file

@ -38,117 +38,6 @@ class vauth {
// Rien a faire // Rien a faire
} // __construct } // __construct
/**
* open
* This function is for opening a new session so we just verify that we
* have a database connection, nothing more is needed
*/
public static function open($save_path, $session_name) {
if (!is_resource(Dba::dbh())) {
debug_event('SESSION', 'Error: no database connection session failed', '1');
return false;
}
return true;
} // open
/**
* close
* This is run on the end of a session, nothing to do here for now
*/
public static function close() {
return true;
} // close
/**
* read
* This takes a key and then looks in the database and returns the value
*/
public static function read($key) {
$results = self::get_session_data($key);
if (!is_array($results)) {
debug_event('SESSION', 'Unable to read session from key ' . $key . ' no data found', 5);
return '';
}
return $results['value'];
} // read
/**
* write
* This saves the session information into the database
*/
public static function write($key, $value) {
if (defined('NO_SESSION_UPDATE')) { return true; }
$length = Config::get('session_length');
$value = Dba::escape($value);
$key = Dba::escape($key);
// Check to see if remember me cookie is set, if so use remember
// length, otherwise use the session length
$expire
= isset($_COOKIE[Config::get('session_name') . '_remember'])
? time() + Config::get('remember_length')
: time() + Config::get('session_length');
$sql = "UPDATE `session` SET `value`='$value', " .
"`expire`='$expire' WHERE `id`='$key'";
$db_results = Dba::read($sql);
debug_event('SESSION', 'Writing to ' . $key . ' with expire ' . $expire . ' ' . Dba::error(), '6');
return $db_results;
} // write
/**
* destroy
* This removes the specified session from the database
*/
public static function destroy($key) {
$key = Dba::escape($key);
if (!strlen($key)) { return false; }
// Remove anything and EVERYTHING
$sql = "DELETE FROM `session` WHERE `id`='$key'";
$db_results = Dba::write($sql);
debug_event('SESSION', 'Deleting Session with key:' . $key, '6');
// Destroy our cookie!
setcookie(Config::get('session_name'), '', time() - 86400);
return true;
} // destroy
/**
* gc
* This function is randomly called and it cleans up the spoo
*/
public static function gc($maxlifetime) {
$sql = "DELETE FROM `session` WHERE `expire` < '" . time() . "'";
$db_results = Dba::write($sql);
// Also clean up things that use sessions as keys
Query::gc();
Tmp_Playlist::gc();
return true;
} // gc
/** /**
* logout * logout
* This is called when you want to log out and nuke your session * This is called when you want to log out and nuke your session
@ -161,7 +50,7 @@ class vauth {
$key = $key ? $key : session_id(); $key = $key ? $key : session_id();
// Nuke the cookie before all else // Nuke the cookie before all else
self::destroy($key); Session::destroy($key);
if ((! $relogin) && Config::get('logout_redirect')) { if ((! $relogin) && Config::get('logout_redirect')) {
$target = Config::get('logout_redirect'); $target = Config::get('logout_redirect');
} }
@ -195,286 +84,6 @@ class vauth {
} // logout } // logout
/**
* get_session_data
* This takes a key and returns the raw data from the database, nothing
* to see here move along people
*/
public static function get_session_data($key) {
$key = Dba::escape($key);
$sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '" . time() . "'";
$db_results = Dba::read($sql);
if ($results = Dba::fetch_assoc($db_results)) {
return $results;
}
return false;
} // get_session_data
/**
* create_cookie
* This is separated into its own function because of some flaws in
* specific webservers *cough* IIS *cough* which prevent us from setting
* a cookie at the same time as a header redirect. As such on view of a
* login a cookie is set with the proper name
*/
public static function create_cookie() {
/* Setup the cookie prefs before we throw down, this is very important */
$cookie_life = Config::get('cookie_life');
$cookie_path = Config::get('cookie_path');
$cookie_domain = false;
$cookie_secure = Config::get('cookie_secure');
session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure);
session_name(Config::get('session_name'));
/* Start the session */
self::ungimp_ie();
session_start();
} // create_cookie, just watch out for the cookie monster
/**
* create_remember_cookie
* This function just creates the remember me cookie, nothing special
*/
public static function create_remember_cookie() {
$remember_length = Config::get('remember_length');
$session_name = Config::get('session_name');
Config::set('cookie_life', $remember_length, true);
setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars", time() + $remember_length, '/');
} // create_remember_cookie
/**
* session_create
* This is called when you want to create a new session
* it takes care of setting the initial cookie, and inserting the first
* chunk of data, nifty ain't it!
*/
public static function session_create($data) {
// Regenerate the session ID to prevent fixation
switch ($data['type']) {
case 'xml-rpc':
case 'api':
$key = md5(uniqid(rand(), true));
break;
case 'mysql':
default:
session_regenerate_id();
// Before refresh we don't have the cookie so we
// have to use session ID
$key = session_id();
break;
} // end switch on data type
$username = Dba::escape($data['username']);
$ip = $_SERVER['REMOTE_ADDR']
? Dba::escape(inet_pton($_SERVER['REMOTE_ADDR']))
: '0';
$type = Dba::escape($data['type']);
$value = Dba::escape($data['value']);
$agent = Dba::escape(substr($_SERVER['HTTP_USER_AGENT'], 0, 254));
$expire = Dba::escape(time() + Config::get('session_length'));
/* We can't have null things here people */
if (!strlen($value)) { $value = ' '; }
/* Insert the row */
$sql = "INSERT INTO `session` (`id`,`username`,`ip`,`type`,`agent`,`value`,`expire`) " .
" VALUES ('$key','$username','$ip','$type','$agent','$value','$expire')";
$db_results = Dba::write($sql);
if (!$db_results) {
debug_event('SESSION', "Session Creation Failed with Query: $sql and " . Dba::error(), '1');
return false;
}
debug_event('SESSION', 'Session Created:' . $key, '6');
return $key;
} // session_create
/**
* check_session
* This checks for an existing session. If it's still valid we go ahead
* and start it and return true.
*/
public static function check_session() {
$session_name = Config::get('session_name');
// No cookie no go!
if (!isset($_COOKIE[$session_name])) { return false; }
// Check for a remember me
if (isset($_COOKIE[$session_name . '_remember'])) {
self::create_remember_cookie();
}
// Set up the cookie params before we start the session.
// This is vital
session_set_cookie_params(
Config::get('cookie_life'),
Config::get('cookie_path'),
Config::get('cookie_domain'),
Config::get('cookie_secure'));
// Set name
session_name($session_name);
// Ungimp IE and go
self::ungimp_ie();
session_start();
return true;
} // check_session
/**
* session_exists
* This checks to see if the specified session of the specified type
* exists, it also provides an array of key'd data that may be required
* based on the type
*/
public static function session_exists($type, $key, $data=array()) {
// Switch on the type they pass
switch ($type) {
case 'xml-rpc':
case 'api':
$key = Dba::escape($key);
$time = time();
$sql = "SELECT * FROM `session` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `type`='$type'";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
case 'interface':
$key = Dba::escape($key);
$time = time();
// Build a list of enabled authentication types
$types = Config::get('auth_methods');
if (!Config::get('use_auth')) {
$types[] = '';
}
$enabled_types = implode("','", $types);
$sql = "SELECT * FROM `session` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `type` IN('$enabled_types')";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
case 'stream':
$key = Dba::escape($key);
$ip = Dba::escape(inet_pton($data['ip']));
$agent = Dba::escape($data['agent']);
$sql = "SELECT * FROM `session_stream` WHERE " .
"`id`='$key' AND `expire` > '$time' " .
"AND `ip`='$ip' AND `agent`='$agent'";
$db_results = Dba::read($sql);
if (Dba::num_rows($db_results)) {
return true;
}
break;
default:
return false;
break;
} // type
// Default to false
return false;
} // session_exists
/**
* session_extend
* This should really be extend_session but hey you gotta go with the
* flow.
* This takes a SID and extends its expiration.
*/
public static function session_extend($sid) {
$time = time();
$sid = Dba::escape($sid);
$expire = isset($_COOKIE[Config::get('session_name') . '_remember'])
? $time + Config::get('remember_length')
: $time + Config::get('session_length');
$sql = "UPDATE `session` SET `expire`='$expire' WHERE `id`='$sid'";
$db_results = Dba::write($sql);
debug_event('SESSION', $sid . ' has been extended to ' . date('r', $expire) . ' extension length ' . ($expire - $time), 5);
return $db_results;
} // session_extend
/**
* _auto_init
* This function is called when the object is included, this sets up the
* session_save_handler
*/
public static function _auto_init() {
if (!function_exists('session_start')) {
header("Location:" . Config::get('web_path') . "/test.php");
exit;
}
session_set_save_handler(
array('vauth', 'open'),
array('vauth', 'close'),
array('vauth', 'read'),
array('vauth', 'write'),
array('vauth', 'destroy'),
array('vauth', 'gc'));
} // auto init
/**
* ungimp_ie
* This function sets the cache limiting to public if you are running
* some flavor of IE. The detection used here is very conservative so
* feel free to fix it. This only has to be done if we're rolling HTTPS.
*/
public static function ungimp_ie() {
// If no https, no ungimpage required
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'on') {
return true;
}
// Try to detect IE
$agent = trim($_SERVER['HTTP_USER_AGENT']);
if ((strpos($agent, 'MSIE') !== false) ||
(strpos($agent,'Internet Explorer/') !== false)) {
session_cache_limiter('public');
}
return true;
} // ungimp_ie
/** /**
* authenticate * authenticate
* This takes a username and password and then returns the results * This takes a username and password and then returns the results

34
lib/init.php
View file

@ -28,10 +28,10 @@ $ampache_path = dirname(__FILE__);
$prefix = realpath($ampache_path . "/../"); $prefix = realpath($ampache_path . "/../");
require_once $prefix . '/lib/init-tiny.php'; require_once $prefix . '/lib/init-tiny.php';
// Explicitly load vauth and enable the custom session handler. // Explicitly load and enable the custom session handler.
// Relying on autoload may not always load it before sessiony things are done. // Relying on autoload may not always load it before sessiony things are done.
require_once $prefix . '/lib/class/vauth.class.php'; require_once $prefix . '/lib/class/session.class.php';
vauth::_auto_init(); Session::_auto_init();
// Set up for redirection on important error cases // Set up for redirection on important error cases
$path = preg_replace('#(.*)/(\w+\.php)$#', '$1', $_SERVER['PHP_SELF']); $path = preg_replace('#(.*)/(\w+\.php)$#', '$1', $_SERVER['PHP_SELF']);
@ -132,16 +132,22 @@ set_memory_limit($results['memory_limit']);
// If we want a session // If we want a session
if (!defined('NO_SESSION') && Config::get('use_auth')) { if (!defined('NO_SESSION') && Config::get('use_auth')) {
/* Verify their session */ /* Verify their session */
if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')])) { vauth::logout($_COOKIE[Config::get('session_name')]); exit; } if (!Session::exists('interface', $_COOKIE[Config::get('session_name')])) {
vauth::logout($_COOKIE[Config::get('session_name')]);
exit;
}
// This actually is starting the session // This actually is starting the session
vauth::check_session(); Session::check();
/* Create the new user */ /* Create the new user */
$GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']); $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']);
/* If the user ID doesn't exist deny them */ /* If the user ID doesn't exist deny them */
if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; } if (!$GLOBALS['user']->id && !Config::get('demo_mode')) {
vauth::logout(session_id());
exit;
}
/* Load preferences and theme */ /* Load preferences and theme */
$GLOBALS['user']->update_last_seen(); $GLOBALS['user']->update_last_seen();
@ -153,17 +159,17 @@ elseif (!Config::get('use_auth')) {
$auth['id'] = -1; $auth['id'] = -1;
$auth['offset_limit'] = 50; $auth['offset_limit'] = 50;
$auth['access'] = Config::get('default_auth_level') ? User::access_name_to_level(Config::get('default_auth_level')) : '100'; $auth['access'] = Config::get('default_auth_level') ? User::access_name_to_level(Config::get('default_auth_level')) : '100';
if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')])) { if (!Session::exists('interface', $_COOKIE[Config::get('session_name')])) {
vauth::create_cookie(); Session::create_cookie();
vauth::session_create($auth); Session::create($auth);
vauth::check_session(); Session::check();
$GLOBALS['user'] = new User($auth['username']); $GLOBALS['user'] = new User($auth['username']);
$GLOBALS['user']->username = $auth['username']; $GLOBALS['user']->username = $auth['username'];
$GLOBALS['user']->fullname = $auth['fullname']; $GLOBALS['user']->fullname = $auth['fullname'];
$GLOBALS['user']->access = $auth['access']; $GLOBALS['user']->access = $auth['access'];
} }
else { else {
vauth::check_session(); Session::check();
if ($_SESSION['userdata']['username']) { if ($_SESSION['userdata']['username']) {
$GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']); $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']);
} }
@ -174,7 +180,9 @@ elseif (!Config::get('use_auth')) {
$GLOBALS['user']->fullname = $auth['fullname']; $GLOBALS['user']->fullname = $auth['fullname'];
$GLOBALS['user']->access = $auth['access']; $GLOBALS['user']->access = $auth['access'];
} }
if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; } if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) {
vauth::logout(session_id()); exit;
}
$GLOBALS['user']->update_last_seen(); $GLOBALS['user']->update_last_seen();
} }
} }
@ -196,7 +204,7 @@ else {
Preference::init(); Preference::init();
if (session_id()) { if (session_id()) {
vauth::session_extend(session_id()); Session::extend(session_id());
// We only need to create the tmp playlist if we have a session // We only need to create the tmp playlist if we have a session
$GLOBALS['user']->load_playlist(); $GLOBALS['user']->load_playlist();
} }

6
login.php
View file

@ -26,7 +26,7 @@ require_once 'lib/init.php';
/* We have to create a cookie here because IIS /* We have to create a cookie here because IIS
* can't handle Cookie + Redirect * can't handle Cookie + Redirect
*/ */
vauth::create_cookie(); Session::create_cookie();
Preference::init(); Preference::init();
/** /**
@ -52,7 +52,7 @@ if (($_POST['username'] && $_POST['password']) ||
($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) { ($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) {
if ($_POST['rememberme']) { if ($_POST['rememberme']) {
vauth::create_remember_cookie(); Session::create_remember_cookie();
} }
/* If we are in demo mode let's force auth success */ /* If we are in demo mode let's force auth success */
@ -137,7 +137,7 @@ if (($_POST['username'] && $_POST['password']) ||
if ($auth['success']) { if ($auth['success']) {
// $auth->info are the fields specified in the config file // $auth->info are the fields specified in the config file
// to retrieve for each user // to retrieve for each user
vauth::session_create($auth); Session::create($auth);
// Not sure if it was me or php tripping out, // Not sure if it was me or php tripping out,
// but naming this 'user' didn't work at all // but naming this 'user' didn't work at all

12
server/xml.server.php
View file

@ -48,7 +48,7 @@ if (!Config::get('access_control')) {
* Verify the existance of the Session they passed in we do allow them to * Verify the existance of the Session they passed in we do allow them to
* login via this interface so we do have an exception for action=login * login via this interface so we do have an exception for action=login
*/ */
if (!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') { if (!Session::exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') {
debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3'); debug_event('Access Denied','Invalid Session attempt to API [' . $_REQUEST['action'] . ']','3');
ob_end_clean(); ob_end_clean();
echo XML_Data::error('401', T_('Session Expired')); echo XML_Data::error('401', T_('Session Expired'));
@ -56,10 +56,12 @@ if (!vauth::session_exists('api', $_REQUEST['auth']) AND $_REQUEST['action'] !=
} }
// If the session exists then let's try to pull some data from it to see if we're still allowed to do this // If the session exists then let's try to pull some data from it to see if we're still allowed to do this
$session = vauth::get_session_data($_REQUEST['auth']); $username =
$username = ($_REQUEST['action'] == 'handshake' || $_REQUEST['action'] == 'ping') ? $_REQUEST['user'] : $session['username']; ($_REQUEST['action'] == 'handshake' || $_REQUEST['action'] == 'ping')
? $_REQUEST['user']
: Session::user($_REQUEST['auth']);
if (!Access::check_network('init-api',$username,'5')) { if (!Access::check_network('init-api', $username, 5)) {
debug_event('Access Denied','Unauthorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3'); debug_event('Access Denied','Unauthorized access attempt to API [' . $_SERVER['REMOTE_ADDR'] . ']', '3');
ob_end_clean(); ob_end_clean();
echo XML_Data::error('403', T_('Unauthorized access attempt to API - ACL Error')); echo XML_Data::error('403', T_('Unauthorized access attempt to API - ACL Error'));
@ -67,7 +69,7 @@ if (!Access::check_network('init-api',$username,'5')) {
} }
if ($_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') { if ($_REQUEST['action'] != 'handshake' AND $_REQUEST['action'] != 'ping') {
vauth::session_extend($_REQUEST['auth']); Session::extend($_REQUEST['auth']);
$GLOBALS['user'] = User::get_from_username($session['username']); $GLOBALS['user'] = User::get_from_username($session['username']);
} }