Commit Graph

42 Commits

Author SHA1 Message Date
Ralf Becker
8df8817318 only try sending cookies, if headers are not send, otherwise it gives just a warning 2010-11-26 20:09:50 +00:00
Ralf Becker
73beff54fe an other fix for NTLM and SiteMgr 2010-09-25 08:19:22 +00:00
Ralf Becker
1caead5ea9 "make sure to not double encode &" 2010-05-09 13:58:57 +00:00
Ralf Becker
930f1052d5 supporting digest auth (see RFC 2617), which is more secure then basic auth on http (no cleartext password), it currently requires cleartext passwords in the database, to calculate the A1 hash! 2010-05-05 09:19:37 +00:00
Klaus Leithoff
f69c071685 fix for: calling setup, sets some config values to default, all the time 2010-04-06 15:30:36 +00:00
Ralf Becker
07d7b66735 some fixes for session of basic auth clients as sogo connector:
- added user IP to hash used as session id (so changed IP, different devices force a different session)
- returning false in verify, if domain is changed
- fixed "Wrong IP" message
2010-01-12 03:55:42 +00:00
Ralf Becker
c743665438 "switching logging off again" 2009-12-03 07:56:34 +00:00
Ralf Becker
4e2a8131c3 "partly reverting r28676, as array2string and function_backtrace is not yet loaded" 2009-12-03 07:44:10 +00:00
Klaus Leithoff
493789cec5 extend some debug infos in egw_sessions; add a 4th param to replaceTagsCompletley in translation class; prepare some more htmlpurifier stuff in order to use it for the activation of links; wrap the creation of the htmlpurifier default config in a function, to be used as config object for changes when about to be used with html::purify 2009-12-02 14:56:41 +00:00
Ralf Becker
6ecac6f650 "removed unnecessary check for NOT allowed apps of anon user from session::verify, as there's an other one in egw::verify_session throwing an exception, which can be used to handle the situation better" 2009-10-25 17:28:30 +00:00
Christian Binder
08efec194f fixed not found user sessions while working with notifications and assured that all_no_sort param gets handed over to handler class 2009-10-23 13:07:11 +00:00
Ralf Becker
cdd5103888 fixing a few more PHP5.3 problems, caused by PHP5.3 behavior to NOT
register cookies in $_REQUEST any more by default (there's now a php.ini
variable 'request_order' to controll that, but we want to work with a
default configuraltion):
- session restore was not working, as only $_REQUEST[sessionid] was checked
- multi domain installs not working, as domain cookie was not checked
- encrypted session were not working, because kp3 cookie was not checked
--> there's now a static method egw_session::get_request($name), which
checks $_REQUEST[$name], $_COOKIE[$name] and for that Safari bug also
$_COOKIE[ucfirst($name)]
2009-08-22 19:32:28 +00:00
Ralf Becker
d679a00d1d "fix for bug #2112: fix maybe wrong case in username on login
makes problems eg. in filemanager (name of homedir)"
2009-07-18 13:14:13 +00:00
Ralf Becker
232252475f patch fixing many depricated functions (eg. posix regular expressions) and features, which fill up the error_log under php5.3 (and will no longer be available under php6).
Patch is mostly created by script in egroupware/doc/fix_depricated.php in separate commit.
I do NOT advice to apply this patch to a production system (it's commited to trunk!), as the automatic modified regular expressions have a good change to break something ...
2009-06-08 16:21:14 +00:00
Ralf Becker
f601537b95 fix for php5.3, which by default seems NOT include content of $_COOKIE in
$_REQUEST (request_order php.ini variable)
2009-06-07 15:49:12 +00:00
Ralf Becker
1597cdc533 "adding path (EGW_SERVER_ROOT) to hash for basic auth pseudo sesion id
(otherwise different installs in different pathes using identical credentials would share the session, which is no good idea)"
2009-04-30 07:36:07 +00:00
Ralf Becker
96f5529abf "log failed login because of hook 'session_creation' with account_id, to not block the account in that case" 2009-04-28 10:39:57 +00:00
Ralf Becker
aca05a32e3 using new check_load_extension function 2009-04-20 12:43:44 +00:00
Ralf Becker
1c11bfcf55 using a session for basic auth (not session aware) clients for WebDAV
and GroupDAV. The "sessionid" get's constructed from the basic auth
credentials and is not random (as the clients dont store them).
--> speeds up the use of *DAV
--> stops *DAV handlers to created numerious sessions
2009-04-04 08:38:56 +00:00
Ralf Becker
b976659346 "removed unnecessary ambersand in url creation, if no extravars" 2009-03-30 08:17:28 +00:00
Klaus Leithoff
0ec64072a2 enabling more info FOR THE ERROR_LOG 2008-12-09 14:02:22 +00:00
Ralf Becker
0123dc5d89 "dont log failed login attempts for the anon user, as it is a simple dos to sitemgr" 2008-11-22 08:14:59 +00:00
Ralf Becker
505fe07669 "function to analyse memory usage in the session" 2008-11-13 16:57:16 +00:00
Ralf Becker
a658d7c8ed Store config_user&_passwd of domain as hash, to be able to use them
inside eGW (without having them in cleartext available)
2008-11-09 16:15:42 +00:00
Ralf Becker
814eb013f1 Allow HTTP basic auth user to contain a domain to switch instances, as
it's done in the webgui login (for WebDAV or GroupDAV)
2008-10-26 12:18:57 +00:00
Ralf Becker
5322acf455 "fixed type causing sitemgr reloads to fail: PHP Fatal error: The script tried to execute a method or access a property of an incomplete object." 2008-10-10 13:11:37 +00:00
Ralf Becker
71063707a4 "found and fixed the real cause, appsession got called after session was commited (and therefore encrypted), these calles get now silently ignored" 2008-10-09 12:24:41 +00:00
Ralf Becker
8edc407e4d "quitent error_log from commit_session" 2008-10-09 12:12:48 +00:00
Ralf Becker
d9c93f845d "hopefully last fix for session encryption:
- flag in session if it is encrypted to prevent calling the encryption more then once, which stalls the session-content
- egw_session::session_comit() method calls now encrypt() too, as it closes the session, before the destructor is called
- hack to fix PHP Fatal error: Cannot use string offset as an array, which happens sometime in felamimail under php5.2
- some more docu"
2008-10-09 11:55:09 +00:00
Ralf Becker
d7f5835422 "fixed problem with lost password in session, when using session encryption" 2008-10-09 09:54:24 +00:00
Ralf Becker
94da0682cd re-added session encryption:
- it now also encrypts the egw object and egw_info array, stored in the session
- it no longer encrypts every egw_session::appsession() call, but the
  whole array at once when the egw_session object gets destroyed
- mcrypt algo and mode are currently hardcoded to tripledes and ecb, as
  we dont have the database connection, when they are needed. You can
  add it as egw_info[server][mcrypt_{algo|mode}] in the header.inc.php
- fixed a bug, which let the session grow around 400k(!) each request
- if mcrypt or the selected algo/mode is not availible the session
  encryption is switched off automatic, but an error is logged
2008-10-08 18:38:30 +00:00
Klaus Leithoff
5db4d77067 use the static function randomstring instead of the egw->common object (which may not be instanciated at the time) 2008-08-29 13:34:41 +00:00
Klaus Leithoff
755ba2245c after session_destroy, we need to (re-)load the eGW session-handler, as session_destroy unloads custom session-handlers 2008-08-29 13:00:18 +00:00
Ralf Becker
c475f86147 - get session list for session.save_handler='files' working again
- sessions are sorted by default with session_dla DESC (newest updated
  sessions first)
2008-08-19 11:54:35 +00:00
Ralf Becker
93e98f3e1a "egw_session::create(): generate new session-id, if not running SyncML (were is already happend in the Horde code)" 2008-08-16 06:00:34 +00:00
Ralf Becker
61df6f2a15 fixed bug reported by Martin Kramer on the German list 2008-08-15 14:37:34 +00:00
Ralf Becker
04ddf51d90 "fixed typo causing session list to contain all sessions" 2008-08-14 12:29:39 +00:00
Ralf Becker
8860cf8ea7 "list_sessions --> session_list" 2008-08-09 06:26:32 +00:00
Ralf Becker
666e6793a7 "added empty method delete_cache, as it get's called in some places - thought it does nothing" 2008-08-09 04:24:54 +00:00
Ralf Becker
1dcce48a46 "fixed typo causing posted froms to fail" 2008-08-08 06:32:16 +00:00
Ralf Becker
e50bd2e966 "re-added copyright and author of the old phpgwapi/inc/class.sessions(_php4).inc.php, I missed last night" 2008-08-08 06:02:45 +00:00
Ralf Becker
907e24d227 Refractured session handling in eGW:
- DONT UPDATE ON A PROCUDTION SYSTEM (for the next few days)!
- eGW support from now on only php session handling
- custom session handlers (like the memcache one) can now be
  implemented as classes and dont need to change any other code
- the class get's autoloaded and the name need to be configured 
  eg. in the header.inc.php as $egw_info[server][session_handler]
- session restore is now enabled by default (it's way faster and
  works well with php5.1+)
- a db-bases session handler follows soon
2008-08-07 21:12:44 +00:00