Commit 172aeaed authored by Kasper Skårhøj's avatar Kasper Skårhøj

* Added to user authentication that the HTTP_USER_AGENT is hashed and a part of the session lookup (in other words, if the HTTP_USER_AGENT stays constant the session stays as well). Also added the possibility of configuring whether the IP address used to lock down sessions uses only part 1, 2, 3 or 4 (all). Mainly this is easily configurable for frontend users (which has had the "security level" set to "2" now instead of disabled totally!). For backend users I didn't make configuration options in TYPO3_CONF_VARS - just wanted to know if people needed it there first (not to bloat options....)


git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@218 709f56b5-9817-0410-a4d7-c38de5d9e867
parent f9244a87
2004-04-23 Kasper Skårhøj,,, <kasper@typo3.com>
* Added to user authentication that the HTTP_USER_AGENT is hashed and a part of the session lookup (in other words, if the HTTP_USER_AGENT stays constant the session stays as well). Also added possibility of configuring that the IP adresse used to lock down sessions is only part 1,2,3 or 4 (all) used. Mainly this is easily configurable for frontend users (which has had the "security level" set to "2" now instead of disabled totally!). For backend users I didn't make configuration options in TYPO3_CONF_VARS - just wanted to know if people needed it there first (not to bloat options....)
2004-04-23 Kasper Skårhøj,,, <kasper@typo3.com>
* Added possibility of jumping directly to editing a page in the backend. You specify "alt_main.php?edit=[page id]" and you will be brought directly to the page edit module.
......
......@@ -132,7 +132,7 @@ class t3lib_DB {
// Debug:
var $debugOutput = FALSE; // Set "TRUE" if you want database errors outputted.
var $debugOutput = TRUE; // Set "TRUE" if you want database errors outputted.
var $debug_lastBuiltQuery = ''; // Internally: Set to last built query (not necessarily executed...)
// Default link identifier:
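Review bot: `var $debugOutput = TRUE;` flips the t3lib_DB default so that database errors are printed into the response, which exposes query text and table names to any visitor of a production site and is not mentioned in the commit message, so it reads as a leftover debugging switch. Keep the shipped default at `var $debugOutput = FALSE;` and let an installation enable it locally when needed. The t3lib_DB class continues outside the hunk.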
......
......@@ -1216,11 +1216,11 @@ class t3lib_sqlengine {
$result['TABLE'] = $this->nextPart($parseString, '^([[:alnum:]_]+)[[:space:]]+');
if ($result['TABLE']) {
if ($result['action'] = $this->nextPart($parseString, '^(CHANGE|DROP[[:space:]]+KEY|ADD[[:space:]]+KEY|ADD[[:space:]]+PRIMARY[[:space:]]+KEY|DROP|ADD|RENAME)([[:space:]]+|\()')) {
if ($result['action'] = $this->nextPart($parseString, '^(CHANGE|DROP[[:space:]]+KEY|DROP[[:space:]]+PRIMARY[[:space:]]+KEY|ADD[[:space:]]+KEY|ADD[[:space:]]+PRIMARY[[:space:]]+KEY|DROP|ADD|RENAME)([[:space:]]+|\()')) {
$actionKey = strtoupper(ereg_replace('[[:space:]]','',$result['action']));
// Getting field:
if ($actionKey=='ADDPRIMARYKEY' || $fieldKey = $this->nextPart($parseString, '^([[:alnum:]_]+)[[:space:]]+')) {
if (t3lib_div::inList('ADDPRIMARYKEY,DROPPRIMARYKEY',$actionKey) || $fieldKey = $this->nextPart($parseString, '^([[:alnum:]_]+)[[:space:]]+')) {
switch($actionKey) {
case 'ADD':
......@@ -1249,6 +1249,9 @@ class t3lib_sqlengine {
case 'DROPKEY':
$result['KEY'] = $fieldKey;
break;
case 'DROPPRIMARYKEY':
// ??? todo!
break;
}
} else return $this->parseError('No field name found',$parseString);
} else return $this->parseError('No action CHANGE, DROP or ADD found!',$parseString);
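Review bot: The new `case 'DROPPRIMARYKEY':` branch carries only `// ??? todo!`, so a `DROP PRIMARY KEY` statement is now accepted by the widened action regex in the first hunk but parsed into a result with no key information, and the caller cannot tell that it was ignored. Until it is implemented, an explicit error keeps the gap visible: `case 'DROPPRIMARYKEY': return $this->parseError('DROP PRIMARY KEY is not supported yet',$parseString);`. The message on the last line, `'No action CHANGE, DROP or ADD found!'`, also no longer lists the actions the regex accepts. The enclosing parse function starts and ends outside these hunks.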
......
......@@ -37,26 +37,29 @@
*
*
*
* 86: class t3lib_userAuth
* 155: function start()
* 256: function check_authentication()
* 407: function redirect()
* 420: function logoff()
* 435: function gc()
* 449: function user_where_clause()
* 463: function ipLockClause()
* 481: function writeUC($variable='')
* 504: function writelog($type,$action,$error,$details_nr,$details,$data,$tablename,$recuid,$recpid)
* 513: function checkLogFailures()
* 522: function unpack_uc($theUC='')
* 538: function pushModuleData($module,$data,$noSave=0)
* 551: function getModuleData($module,$type='')
* 564: function getSessionData($key)
* 577: function setAndSaveSessionData($key,$data)
* 596: function setBeUserByUid($uid)
* 609: function setBeUserByName($name)
* 89: class t3lib_userAuth
* 158: function start()
* 260: function check_authentication()
* 412: function redirect()
* 425: function logoff()
* 440: function gc()
* 454: function user_where_clause()
* 468: function ipLockClause()
* 484: function ipLockClause_remoteIPNumber($parts)
* 505: function hashLockClause()
* 515: function hashLockClause_getHashInt()
* 527: function writeUC($variable='')
* 550: function writelog($type,$action,$error,$details_nr,$details,$data,$tablename,$recuid,$recpid)
* 559: function checkLogFailures()
* 568: function unpack_uc($theUC='')
* 584: function pushModuleData($module,$data,$noSave=0)
* 597: function getModuleData($module,$type='')
* 610: function getSessionData($key)
* 623: function setAndSaveSessionData($key,$data)
* 642: function setBeUserByUid($uid)
* 655: function setBeUserByName($name)
*
* TOTAL FUNCTIONS: 17
* TOTAL FUNCTIONS: 20
* (This index is automatically created/updated by the extension "extdeveval")
*
*/
......@@ -121,7 +124,8 @@ class t3lib_userAuth {
var $getFallBack = 0; // If this is set, authentication is also accepted by the HTTP_GET_VARS. Notice that the identification is NOT 128bit MD5 hash but reduced. This is done in order to minimize the size for mobile-devices, such as WAP-phones
var $hash_length = 32; // The ident-hash is normally 32 characters and should be! But if you are making sites for WAP-devices og other lowbandwidth stuff, you may shorten the length. Never let this value drop below 6. A length of 6 would give you more than 16 mio possibilities.
var $getMethodEnabled = 0; // Setting this flag true lets user-authetication happen from GET_VARS if POST_VARS are not set. Thus you may supply username/password from the URL.
var $lockIP = 1; // If set, will lock the session to the users IP address.
var $lockIP = 4; // If set, will lock the session to the users IP address (all four numbers. Reducing to 1-3 means that only first, second or third part of the IP address is used).
var $lockHashKeyWords = 'useragent'; // Keyword list (commalist with no spaces!): "useragent". Each keyword indicates some information that can be included in a integer hash made to lock down usersessions.
var $warningEmail = ''; // warning -emailaddress:
var $warningPeriod = 3600; // Period back in time (in seconds) in which number of failed logins are collected
......@@ -203,8 +207,10 @@ class t3lib_userAuth {
AND '.$this->session_table.'.ses_name = "'.$GLOBALS['TYPO3_DB']->quoteStr($this->name, $this->session_table).'"
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
'.$this->hashLockClause().'
'.$this->user_where_clause()
);
if ($this->user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
// A user was found
if (is_string($this->auth_timeout_field)) {
......@@ -336,7 +342,8 @@ class t3lib_userAuth {
$insertFields = array(
'ses_id' => $this->id,
'ses_name' => $this->name,
'ses_iplock' => $this->user['disableIPlock'] ? '[DISABLED]' : t3lib_div::getIndpEnv('REMOTE_ADDR'),
'ses_iplock' => $this->user['disableIPlock'] ? '[DISABLED]' : $this->ipLockClause_remoteIPNumber($this->lockIP),
'ses_hashlock' => $this->hashLockClause_getHashInt(),
'ses_userid' => $tempuser[$this->userid_column],
'ses_tstamp' => $GLOBALS['EXEC_TIME']
);
......@@ -463,13 +470,61 @@ class t3lib_userAuth {
function ipLockClause() {
if ($this->lockIP) {
$wherePart = 'AND (
'.$this->session_table.'.ses_iplock="'.$GLOBALS['TYPO3_DB']->quoteStr(t3lib_div::getIndpEnv('REMOTE_ADDR'),$this->session_table).'"
'.$this->session_table.'.ses_iplock="'.$GLOBALS['TYPO3_DB']->quoteStr($this->ipLockClause_remoteIPNumber($this->lockIP),$this->session_table).'"
OR '.$this->session_table.'.ses_iplock="[DISABLED]"
)';
return $wherePart;
}
}
/**
* Returns the IP address to lock to.
* The IP address may be partial based on $parts.
*
* @param integer 1-4: Indicates how many parts of the IP address to return. 4 means all, 1 means only first number.
* @return string (Partial) IP address for REMOTE_ADDR
* @access private
*/
function ipLockClause_remoteIPNumber($parts) {
$IP = t3lib_div::getIndpEnv('REMOTE_ADDR');
if ($parts>=4) {
return $IP;
} else {
$parts = t3lib_div::intInRange($parts,1,3);
$IPparts = explode('.',$IP);
for($a=4;$a>$parts;$a--) {
unset($IPparts[$a-1]);
}
return implode('.',$IPparts);
}
}
/**
* This returns the where-clause needed to lock a user to a hash integer
*
* @return string
* @access private
*/
function hashLockClause() {
$wherePart = 'AND '.$this->session_table.'.ses_hashlock='.intval($this->hashLockClause_getHashInt());
return $wherePart;
}
/**
* Creates hash integer to lock user to. Depends on configured keywords
*
* @return integer Hash integer
* @access private
*/
function hashLockClause_getHashInt() {
$hashStr = '';
if (t3lib_div::inList($this->lockHashKeyWords,'useragent')) $hashStr.=':'.t3lib_div::getIndpEnv('HTTP_USER_AGENT');
return t3lib_div::md5int($hashStr);
}
/**
* This writes $variable to the user-record. This is a way of providing session-data.
* You can fetch the data again through $this->uc in this class!
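Review bot: `hashLockClause_getHashInt()` builds the lock from `HTTP_USER_AGENT`, a header the client chooses, so the new `ses_hashlock` check only stops reuse of a session id from a client that sends a different User-Agent; the docblock above it should state this, e.g. `* Note: the keyworded values are client-supplied request headers, so this hash limits but does not prevent session reuse; it complements the IP lock.` In the `$insertFields` hunk `ipLockClause_remoteIPNumber($this->lockIP)` is called without the `if ($this->lockIP)` guard that `ipLockClause()` has, so with lockIP=0 `intInRange` clamps the value to 1 and a single-octet address is still stored in ses_iplock; `$this->lockIP ? $this->ipLockClause_remoteIPNumber($this->lockIP) : ''` would keep the stored value consistent with the clause. `ipLockClause_remoteIPNumber()` also assumes a dotted `REMOTE_ADDR` with four parts (the `unset` loop silently does nothing for shorter values), which deserves a comment on the `explode` line. The function-index hunks at the top of the section need no review.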
......
......@@ -104,9 +104,10 @@ $TYPO3_CONF_VARS = Array(
'warning_email_addr' => '', // Email-address that will receive a warning if there has been failed logins 4 times within an hour (all users).
'warning_mode' => '', // Bit 1: If set, warning_email_addr gets a mail everytime a user logs in. Bit 2: If set, a mail is sent if an ADMIN user logs in! Other bits reserved for future options.
'IPmaskList' => '', // String. Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function t3lib_div::cmpIP())
'adminOnly' => 0, // Boolean. If set (>=1), the only "admin" users can log in to the backend. If "<=-1" then the backend is totally shut down! For maintenance purposes.
'lockBeUserToDBmounts' => 1, // Boolean. If set, the backend user is allowed to work only within his page-mount. It's advisable to leave this on because it makes security easy to manage.
'lockSSL' => 0, // Int. 0,1,2: If set (1+2), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead.
'enabledBeUserIPLock' => 1, // Boolean. If set, the User/Group TSconfig option 'option.lockToIP' is enabled.
'adminOnly' => 0, // Boolean. If set (>=1), the only "admin" users can log in to the backend. If "<=-1" then the backend is totally shut down! For maintenance purposes.
'disable_exec_function' => 0, // Boolean. Don't use exec() function (except for ImageMagick which is disabled by [GFX][im]=0). If set, all fileoperations are done by the default PHP-functions. This is nescessary under windows! On UNIX the system commands by exec() can be used, unless this is disabled.
'usePHPFileFunctions' => 1, // Boolean. If set, all fileoperations are done by the default PHP-functions. Default on UNIX is using the system commands by exec(). You need to set this flag under safe_mode.
'compressionLevel' => 0, // Determines output compression. Requires zlib in your php4 install. Range 1-9, where 1 is least compression (approx. 50%) and 9 is greatest compression (approx 33%). 'true' as value will set the compression based on system load (works with Linux, freebsd). Good default value is 3. For more info, see class in t3lib/class.gzip_encode.php written by Sandy McArthur, Jr. <Leknor@Leknor.com>
......@@ -116,7 +117,6 @@ $TYPO3_CONF_VARS = Array(
'trackBeUser' => 0, // Boolean. If set, every invokation of a backend script is logged in sys_trackbeuser. This is used to get a view of the backend users behaviour. Mostly for debugging, support and user interaction analysis. Requires 'beuser_tracking' extension.
'defaultUserTSconfig' => '', // Enter lines of default backend user/group TSconfig.
'defaultPageTSconfig' => '', // Enter lines of default Page TSconfig.
'enabledBeUserIPLock' => 1, // Boolean. If set, the User/Group TSconfig option 'option.lockToIP' is enabled.
'defaultPermissions' => array ( // Default permissions set for new pages in t3lib/tce_main.php. Keys are 'show,edit,delete,new,editcontent'. Enter as comma-list
// 'user' => '', // default in tce_main is 'show,edit,delete,new,editcontent'. If this is set (uncomment), this value is used instead.
// 'group' => '', // default in tce_main is 'show,edit,new,editcontent'. If this is set (uncomment), this value is used instead.
......@@ -162,7 +162,7 @@ $TYPO3_CONF_VARS = Array(
'userFuncClassPrefix' => 'user_', // This prefix must be the first part of any function or class name called from TypoScript, for instance in the stdWrap function.
'addRootLineFields' => '', // Comma-list of fields from the 'pages'-table. These fields are added to the select query for fields in the rootline.
'checkFeUserPid' => 1, // Boolean. If set, the pid of fe_user logins must be sent in the form as the field 'pid' and then the user must be located in the pid. Default is 1 from Typo32+. If you unset this, you should change the fe_users.username eval-flag 'uniqueInPid' to 'unique' in $TCA. This will do: $TCA['fe_users']['columns']['username']['config']['eval']= 'nospace,lower,required,unique';
'lockIP' => 0, // Boolean. If set, fe_users are locked to their REMOTE_ADDR IP for their session. Enhances security but may throw off users that may change IP during their session.
'lockIP' => 2, // Integer (0-4). If >0, fe_users are locked to (a part of) their REMOTE_ADDR IP for their session. Enhances security but may throw off users that may change IP during their session (in which case you can lower it to 2 or 3). The integer indicates how many parts of the IP address to include in the check. Reducing to 1-3 means that only first, second or third part of the IP address is used. 4 is the FULL IP address and recommended. 0 (zero) disables checking of course.
'defaultUserTSconfig' => '', // Enter lines of default frontend user/group TSconfig.
'defaultTypoScript_constants' => '', // Enter lines of default TypoScript, constants-field.
'defaultTypoScript_constants.' => Array(), // Lines of TS to include after a static template with the uid = the index in the array (Constants)
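Review bot: The new comment on `'lockIP' => 2` says `4 is the FULL IP address and recommended` while the shipped default is 2, which compares only the first two octets, so any client in the same /16 as the session owner passes the check. Either ship `'lockIP' => 4,` as the comment recommends, or say in the comment why the default is weaker, e.g. `Default is 2 so users behind changing proxy addresses are not logged out; raise to 4 where clients have stable addresses.` The moved `'enabledBeUserIPLock'` line in the other two hunks of this file is a reorder only.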
......
......@@ -42,6 +42,7 @@ CREATE TABLE be_sessions (
ses_id varchar(32) DEFAULT '' NOT NULL,
ses_name varchar(32) DEFAULT '' NOT NULL,
ses_iplock varchar(15) DEFAULT '' NOT NULL,
ses_hashlock int(11) DEFAULT '0' NOT NULL,
ses_userid int(11) unsigned DEFAULT '0' NOT NULL,
ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
ses_data blob NOT NULL,
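Review bot: Adding `ses_hashlock` to be_sessions (and to fe_sessions in the next section) changes a column that the new session lookup now queries unconditionally, so an installation that updates the PHP files before the tables will get an SQL error on the unknown column and nobody can log in; the commit message should state that the database must be updated first. Once it is, every existing session is logged out, because its stored value is the default 0 and no longer matches the computed hash. A comment on the column naming what it stores (an integer hash of the configured client request headers the session is bound to) would help later readers of the schema.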
......
......@@ -109,6 +109,7 @@ CREATE TABLE fe_sessions (
ses_id varchar(32) DEFAULT '' NOT NULL,
ses_name varchar(32) DEFAULT '' NOT NULL,
ses_iplock varchar(15) DEFAULT '' NOT NULL,
ses_hashlock int(11) DEFAULT '0' NOT NULL,
ses_userid int(11) unsigned DEFAULT '0' NOT NULL,
ses_tstamp int(11) unsigned DEFAULT '0' NOT NULL,
ses_data blob NOT NULL,
......