steffen: server/kolab-webadmin/kolab-webadmin/php/admin/include auth.class.php, 1.1, 1.2

cvs at intevation.de cvs at intevation.de
Mon May 24 13:53:39 CEST 2004


Author: steffen

Update of /kolabrepository/server/kolab-webadmin/kolab-webadmin/php/admin/include
In directory doto:/tmp/cvs-serv26090/kolab-webadmin/php/admin/include

Modified Files:
	auth.class.php 
Log Message:
Reasonable default for homeServer. Check the IP address when authenticating to make it more difficult to hijack a session.

Index: auth.class.php
===================================================================
RCS file: /kolabrepository/server/kolab-webadmin/kolab-webadmin/php/admin/include/auth.class.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- auth.class.php	17 May 2004 15:24:26 -0000	1.1
+++ auth.class.php	24 May 2004 11:53:37 -0000	1.2
@@ -1,6 +1,6 @@
 <?php
 /*
- *  Copyright (c) 2004 Klarälvdalens Datakonsult AB
+ *  Copyright (c) 2004 Klarälvdalens Datakonsult AB
  *
  *    Written by Steffen Hansen <steffen at klaralvdalens-datakonsult.se>
  *
@@ -52,33 +52,34 @@
     if( !$bind_result ) {
       // Anon. bind first
       if( !$ldap->bind() ) {
-	$this->error_string = "Could not bind to LDAP server";
-	$this->gotoLoginPage(); 
+		$this->error_string = "Could not bind to LDAP server";
+		$this->gotoLoginPage(); 
       }
       // User not logged in, check login/password
       if( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
-	$dn = $ldap->dnForUid( $_POST['username'] );
-	if( $dn ) {
-	  $bind_result = $ldap->bind( $dn, $_POST['password'] );
-	  if( $bind_result ) {
-	    // All OK!
-	    $_SESSION['auth_dn'] = $dn;
-	    $_SESSION['auth_user'] = $_POST['username'];
-	    $_SESSION['auth_pw'] = $_POST['password'];
-	    $_SESSION['auth_group'] = $ldap->groupForUid($_POST['username']);
-	    return true;
-	  } else {
-	    $this->error_string = "Wrong username or password";
-	    $this->gotoLoginPage(); 
-	  }
-	} else {
-	    $this->error_string = "Wrong username or password";
-	    //$this->error_string = "Dn not found";
-	    $this->gotoLoginPage(); 
-	}
+		$dn = $ldap->dnForUid( $_POST['username'] );
+		if( $dn ) {
+		  $bind_result = $ldap->bind( $dn, $_POST['password'] );
+		  if( $bind_result ) {
+			// All OK!
+			$_SESSION['auth_dn'] = $dn;
+			$_SESSION['auth_user'] = $_POST['username'];
+			$_SESSION['auth_pw'] = $_POST['password'];
+			$_SESSION['auth_group'] = $ldap->groupForUid($_POST['username']);
+			$_SESSION['remote_ip'] = $_SERVER['REMOTE_ADDR'];
+			return true;
+		  } else {
+			$this->error_string = "Wrong username or password";
+			$this->gotoLoginPage(); 
+		  }
+		} else {
+		  $this->error_string = "Wrong username or password";
+		  //$this->error_string = "Dn not found";
+		  $this->gotoLoginPage(); 
+		}
       } else {
-	$this->error_string = 'Please log in as a valid user';
-	$this->gotoLoginPage();
+		$this->error_string = 'Please log in as a valid user';
+		$this->gotoLoginPage();
       }
     } else {
       // All OK, user already logged in
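Review bot: The successful-login branch (the block that sets `$_SESSION['auth_dn']` through the new `$_SESSION['remote_ip']`) never regenerates the session id, so a session id planted in the victim's browser before login stays valid once the credentials are accepted; the IP binding added here only narrows that to an attacker who shares the victim's address (shared NAT, or a reverse proxy in front of the server). Calling `session_regenerate_id();` immediately before `$_SESSION['auth_dn'] = $dn;` closes that gap. The plaintext password is also still kept in `$_SESSION['auth_pw']`; the commit does not change that line, but anything with access to the session store can read it back. The enclosing method starts before this hunk.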
@@ -125,7 +126,7 @@
   }
 
   function isAuthenticated() {
-    return isset( $_SESSION['auth_dn'] );
+    return isset( $_SESSION['auth_dn'] ) && $_SESSION['remote_ip'] == $_SERVER['REMOTE_ADDR'];
   }
 
   function dn() {
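Review bot: `$_SESSION['remote_ip'] == $_SERVER['REMOTE_ADDR']` reads `remote_ip` without checking it exists, so a session that has `auth_dn` but predates this change raises an undefined-index notice and compares `null` against the address with a loose `==`; `return isset( $_SESSION['auth_dn'], $_SESSION['remote_ip'] ) && $_SESSION['remote_ip'] === $_SERVER['REMOTE_ADDR'];` makes the check explicit and strict. When the comparison fails the authenticated session data is left in place rather than destroyed, so the mismatch is re-evaluated on every request but never cleared. If the application is deployed behind a reverse proxy, REMOTE_ADDR is the proxy's address for every client and the binding becomes a no-op; that deployment detail is not visible here. `dn()` begins on the last line of the hunk and continues outside it.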




