1<?php
2
3//print_r($_SERVER);
4
5/**
6 * Observium
7 *
8 *   This file is part of Observium.
9 *
10 * @package    observium
11 * @subpackage authentication
12 * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
13 *
14 */
15
16// All simple, OBS_API set to TRUE only in API index.php
17if (!defined('OBS_API'))
18{
19  define('OBS_API', FALSE);
20}
21
22$debug_auth = FALSE; // Do not use this debug unless you Observium Developer ;)
23
24if (version_compare(PHP_VERSION, '7.1.0', '<'))
25{
26  // Use sha1 to generate the session ID (option removed in php 7.1)
27  // session.sid_length (Number of session ID characters - 22 to 256.
28  // session.sid_bits_per_character (Bits used per character - 4 to 6.
29  @ini_set('session.hash_function', '1');
30}
31@ini_set('session.referer_check', '');     // This config was causing so much trouble with Chrome
32@ini_set('session.name', 'OBSID');         // Session name
33@ini_set('session.use_cookies', '1');      // Use cookies to store the session id on the client side
34@ini_set('session.use_only_cookies', '1'); // This prevents attacks involved passing session ids in URLs
35@ini_set('session.use_trans_sid', '0');    // Disable SID (no session id in url)
36
37$currenttime     = time();
38$lifetime        = 60*60*24;                   // Session lifetime (default one day)
39$cookie_expire   = $currenttime + 60*60*24*14; // Cookies expire time (14 days)
40$cookie_path     = '/';                        // Cookie path
41$cookie_domain   = '';                         // RFC 6265, to have a "host-only" cookie is to NOT set the domain attribute.
42/// FIXME. Some old browsers not supports secure/httponly cookies params.
43$cookie_https    = is_ssl();
44$cookie_httponly = TRUE;
45
46// Use custom session lifetime
47if (is_numeric($GLOBALS['config']['web_session_lifetime']) && $GLOBALS['config']['web_session_lifetime'] >= 0)
48{
49  $lifetime = intval($GLOBALS['config']['web_session_lifetime']);
50}
51
52@ini_set('session.gc_maxlifetime',  $lifetime); // Session lifetime (for non "remember me" sessions)
53session_set_cookie_params($lifetime, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly);
54//session_cache_limiter('private');
55
56//register_shutdown_function('session_commit'); // This already done at end of script run
57if (!session_is_active())
58{
59  //logfile('debug_auth.log', 'session_start() called at '.$currenttime);
60  session_commit(); // Write and close current session
61
62  //session_start(); // session starts in session_regenerate too!
63  session_regenerate(); // Note, use this function after session_start() and before next session_commit()!
64  /*
65  if (isset($_SESSION['starttime']))
66  {
67    if ($currenttime - $_SESSION['starttime'] >= $lifetime_id && !is_graph())
68    {
69      logfile('debug_auth.log', 'session_regenerate_id() called at '.$currenttime);
70      // ID Lifetime expired, regenerate
71      session_regenerate_id(TRUE);
72      // Clean cache from _SESSION first, this cache used in ajax calls
73      if (isset($_SESSION['cache'])) { unset($_SESSION['cache']); }
74      $_SESSION['starttime'] = $currenttime;
75    }
76  } else {
77    $_SESSION['starttime']   = $currenttime;
78  }
79  */
80
81  //if (!is_graph())
82  //{
83  //  print_vars($vars); print_vars($_SESSION); print_vars($_COOKIE);
84  //}
85}
86
87// Fallback to MySQL auth as default - FIXME do this in sqlconfig file?
88if (!isset($config['auth_mechanism']))
89{
90  $config['auth_mechanism'] = "mysql";
91}
92
93// Trust Apache authenticated user, if configured to do so and username is available
94if ($config['auth']['remote_user'] && $_SERVER['REMOTE_USER'] != '')
95{
96  session_set_var('username', $_SERVER['REMOTE_USER']);
97}
98
99$auth_file = $config['html_dir'].'/includes/authentication/' . $config['auth_mechanism'] . '.inc.php';
100if (is_file($auth_file))
101{
102  if (isset($_SESSION['auth_mechanism']) && $_SESSION['auth_mechanism'] != $config['auth_mechanism'])
103  {
104    // Logout if AUTH mechanism changed
105    session_logout();
106    reauth_with_message('Authentication mechanism changed, please log in again!');
107  } else {
108    session_set_var('auth_mechanism', $config['auth_mechanism']);
109  }
110
111  // Always load mysql as backup
112  include($config['html_dir'].'/includes/authentication/mysql.inc.php');
113
114  // Load primary module if not mysql
115  if ($config['auth_mechanism'] != 'mysql') { include($auth_file); }
116
117  // Include base auth functions calls
118  include($config['html_dir'].'/includes/authenticate-functions.inc.php');
119} else {
120  session_logout();
121  reauth_with_message('Invalid auth_mechanism defined, please correct your configuration!');
122}
123
124// Check logout
125if ($_SESSION['authenticated'] && str_starts(ltrim($_SERVER['REQUEST_URI'], '/'), 'logout'))
126{
127  // Do not use $vars and get_vars here!
128  //print_vars($_SERVER['REQUEST_URI']);
129  if (auth_can_logout())
130  {
131    // No need for a feedback message if user requested a logout
132    session_logout(function_exists('auth_require_login'));
133
134    $redirect = auth_logout_url();
135    if ($redirect)
136    {
137      redirect_to_url($redirect);
138      exit();
139    }
140  }
141  redirect_to_url($config['base_url']);
142  exit();
143}
144
145$user_unique_id = session_unique_id(); // Get unique user id and check if IP changed (if required by config)
146
147// Store logged remote IP with real proxied IP (if configured and avialable)
148$remote_addr = get_remote_addr();
149$remote_addr_header = get_remote_addr(TRUE); // Remote addr by http header
150if ($remote_addr_header && $remote_addr != $remote_addr_header)
151{
152  $remote_addr = $remote_addr_header . ' (' . $remote_addr . ')';
153}
154
155// Check if allowed auth by CIDR
156$auth_allow_cidr = TRUE;
157if (isset($config['web_session_cidr']) && count($config['web_session_cidr']))
158{
159  $auth_allow_cidr = match_network(get_remote_addr($config['web_session_ip_by_header']), $config['web_session_cidr']);
160}
161
162if (!$_SESSION['authenticated'] && isset($_GET['username']) && isset($_GET['password']))
163{
164  session_set_var('username', $_GET['username']);
165  $auth_password        = $_GET['password'];
166}
167else if (!$_SESSION['authenticated'] && isset($_POST['username']) && isset($_POST['password']))
168{
169  session_set_var('username', $_POST['username']);
170  $auth_password        = $_POST['password'];
171}
172else if (!$_SESSION['authenticated'] && isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
173{
174  session_set_var('username', $_SERVER['PHP_AUTH_USER']);
175  $auth_password        = $_SERVER['PHP_AUTH_PW'];
176}
177else if (OBS_ENCRYPT && !$_SESSION['authenticated'] && isset($_COOKIE['ckey']))
178{
179    ///DEBUG
180    if ($debug_auth)
181    {
182      $debug_log = $GLOBALS['config']['log_dir'].'/debug_cookie_'.date("Y-m-d_H:i:s").'.log';
183      file_put_contents($debug_log, var_export($_SERVER,  TRUE), FILE_APPEND);
184      file_put_contents($debug_log, var_export($_SESSION, TRUE), FILE_APPEND);
185      file_put_contents($debug_log, var_export($_COOKIE,  TRUE), FILE_APPEND);
186    }
187
188  $ckey = dbFetchRow("SELECT * FROM `users_ckeys` WHERE `user_uniq` = ? AND `user_ckey` = ? LIMIT 1",
189                          array($user_unique_id, $_COOKIE['ckey']));
190  if (is_array($ckey))
191  {
192    if ($ckey['expire'] > $currenttime && $auth_allow_cidr)
193    {
194      session_set_var('username', $ckey['username']);
195      $auth_password            = decrypt($ckey['user_encpass'], $_COOKIE['dkey']);
196
197      // Store encrypted password
198      session_encrypt_password($auth_password, $user_unique_id);
199
200      // If userlevel == 0 - user disabled an can not be logon
201      if (auth_user_level($ckey['username']) < 1)
202      {
203        session_logout(FALSE, 'User disabled');
204	reauth_with_message('User login disabled');
205      }
206
207      session_set_var('user_ckey_id', $ckey['user_ckey_id']);
208      session_set_var('cookie_auth', TRUE);
209      dbInsert(array('user'       => $_SESSION['username'],
210                     'address'    => $remote_addr,
211                     'user_agent' => $_SERVER['HTTP_USER_AGENT'],
212                     'result'     => 'Logged In (cookie)'), 'authlog');
213
214    }
215  }
216}
217
218if ($_COOKIE['password']) { setcookie("password", NULL); }
219if ($_COOKIE['username']) { setcookie("username", NULL); }
220if ($_COOKIE['user_id'] ) { setcookie("user_id",  NULL); }
221
222$auth_success = FALSE; // Variable for check if just logged
223
224if (isset($_SESSION['username']))
225{
226  // Check for allowed by CIDR range
227  if (!$auth_allow_cidr)
228  {
229    session_logout(FALSE, 'Remote IP not allowed in CIDR ranges');
230    reauth_with_message('Remote IP not allowed in CIDR ranges');
231  }
232
233  // Auth from COOKIEs
234  if ($_SESSION['cookie_auth'])
235  {
236    @session_start();
237    $_SESSION['authenticated'] = TRUE;
238    $auth_success              = TRUE;
239    dbUpdate(array('expire' => $cookie_expire), 'users_ckeys', '`user_ckey_id` = ?', array($_SESSION['user_ckey_id']));
240    unset($_SESSION['user_ckey_id'], $_SESSION['cookie_auth']);
241    session_commit();
242  }
243
244  // Auth from ...
245  if (!$_SESSION['authenticated'] && (authenticate($_SESSION['username'], $auth_password) ||                       // login/password
246                                     (auth_usermanagement() && auth_user_level($_SESSION['origusername']) >= 10))) // FIXME?
247  {
248    // If we get here, it means the password for the user was correct (authenticate() called)
249    // Store encrypted password
250    session_encrypt_password($auth_password, $user_unique_id);
251
252
253    // If userlevel == 0 - user disabled and can not log in
254    if (auth_user_level($_SESSION['username']) < 1)
255    {
256      session_logout(FALSE, 'User disabled');
257      reauth_with_message('User login disabled');
258      exit();
259    }
260
261    session_set_var('authenticated', TRUE);
262    $auth_success              = TRUE;
263    dbInsert(array('user'       => $_SESSION['username'],
264                   'address'    => $remote_addr,
265                   'user_agent' => $_SERVER['HTTP_USER_AGENT'],
266                   'result'     => 'Logged In'), 'authlog');
267    // Generate keys for cookie auth
268    if (isset($_POST['remember']) && OBS_ENCRYPT)
269    {
270      $ckey = md5(strgen());
271      $dkey = md5(strgen());
272      $encpass = encrypt($auth_password, $dkey);
273      dbDelete('users_ckeys', "`username` = ? AND `expire` < ?", array($_SESSION['username'], $currenttime - 3600)); // Remove old ckeys from DB
274      dbInsert(array('user_encpass' => $encpass,
275                     'expire'       => $cookie_expire,
276                     'username'     => $_SESSION['username'],
277                     'user_uniq'    => $user_unique_id,
278                     'user_ckey'    => $ckey), 'users_ckeys');
279      setcookie("ckey", $ckey, $cookie_expire, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly);
280      setcookie("dkey", $dkey, $cookie_expire, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly);
281      session_unset_var('user_ckey_id');
282    }
283  }
284  else if (!$_SESSION['authenticated'])
285  {
286    // Not authenticated
287    session_set_var('auth_message', 'Authentication Failed');
288    session_logout(function_exists('auth_require_login'));
289  }
290
291  // Retrieve user ID and permissions
292  if ($_SESSION['authenticated'])
293  {
294    @session_start();
295    if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id']))
296    {
297      $_SESSION['userlevel'] = auth_user_level($_SESSION['username']);
298      $_SESSION['user_id']   = auth_user_id($_SESSION['username']);
299    }
300
301    $level_permissions = auth_user_level_permissions($_SESSION['userlevel']);
302    // If userlevel == 0 - user disabled an can not be logon
303    if (!$level_permissions['permission_access'])
304    {
305      session_logout(FALSE, 'User disabled');
306      reauth_with_message('User login disabled');
307      exit();
308    }
309    else if (!isset($_SESSION['user_limited']) || $_SESSION['user_limited'] != $level_permissions['limited'])
310    {
311      // Store user limited flag, required for quick permissions list generate
312      $_SESSION['user_limited'] = $level_permissions['limited'];
313    }
314    session_commit();
315
316    // Generate a CSRF Token
317    // https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php
318    // For validate use: request_token_valid($vars['requesttoken'])
319    if (empty($_SESSION['requesttoken']))
320    {
321      session_set_var('requesttoken', bin2hex(random_bytes(32)));
322    }
323
324    // Now we can enable debug if user is privileged (Global Secure Read and greater)
325    if (!defined('OBS_DEBUG')) // OBS_DEBUG not defined by default for unprivileged users in definitions
326    {
327      if ($_SESSION['userlevel'] < 7 || !$debug_web_requested) // && !$config['permit_user_debug']) // Note, use $config['web_debug_unprivileged'] = TRUE;
328      {
329        // DO NOT ALLOW show debug output for users with privilege level less than "Global Secure Read"
330        define('OBS_DEBUG', 0);
331        ini_set('display_errors', 0);
332        ini_set('display_startup_errors', 0);
333        //ini_set('error_reporting', 0); // Use default php config
334      } else {
335        define('OBS_DEBUG', 1);
336
337        ini_set('display_errors', 1);
338        ini_set('display_startup_errors', 1);
339        //ini_set('error_reporting', E_ALL ^ E_NOTICE);
340        ini_set('error_reporting', E_ALL ^ E_NOTICE ^ E_WARNING);
341      }
342    }
343
344    //$a = utime();
345    $permissions = permissions_cache($_SESSION['user_id']);
346    //echo utime() - $a . 's for permissions cache';
347
348
349    // Add feeds & api keys after first auth
350    if (OBS_ENCRYPT && !get_user_pref($_SESSION['user_id'], 'atom_key'))
351    {
352      // Generate unique token
353      do
354      {
355        $atom_key = md5(strgen());
356      }
357      //while (dbFetchCell("SELECT COUNT(*) FROM `users_prefs` WHERE `pref` = ? AND `value` = ?;", array('atom_key', $atom_key)) > 0);
358      while (dbExist('users_prefs', '`pref` = ? AND `value` = ?', array('atom_key', $atom_key)));
359      set_user_pref($_SESSION['user_id'], 'atom_key', $atom_key);
360    }
361  }
362
363  if ($auth_success && !OBS_API)
364  {
365    // If just logged in go to request uri, unless we're debugging or in API,
366    // in which case we want to see authentication module output first.
367    if (!OBS_DEBUG)
368    {
369      redirect_to_url($_SERVER['REQUEST_URI']);
370    } else {
371      print_message("Debugging mode has disabled redirect to front page; please click <a href=\"" . $_SERVER['REQUEST_URI'] . "\">here</a> to continue.");
372    }
373    exit();
374  }
375}
376
377///r($_SESSION);
378///r($_COOKIE);
379///r($permissions);
380
381//logfile('debug_auth.log', 'auth session_commit() called at '.time());
382//session_commit(); // Write and unblock current session (use session_set_var() and session_unset_var() for write to session variables!)
383
384/* Session manager specific functions */
385
386// DOCME needs phpdoc block
387function session_is_active()
388{
389  if (!is_cli())
390  {
391    if (version_compare(PHP_VERSION, '5.4.0', '>='))
392    {
393      return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
394    } else {
395      return session_id() === '' ? FALSE : TRUE;
396    }
397  }
398  return FALSE;
399}
400
401/**
402 * Generate unique id for current user/browser, based on some unique params
403 *
404 * @return string
405 */
406function session_unique_id()
407{
408  global $debug_auth;
409
410  $id  = $_SERVER['HTTP_USER_AGENT']; // User agent
411  //$id .= $_SERVER['HTTP_ACCEPT'];     // Browser accept headers // WTF, this header different for main and js/ajax queries
412  // Less entropy than HTTP_ACCEPT, but stable!
413  $id .= $_SERVER['HTTP_ACCEPT_ENCODING'];
414  $id .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
415
416  if ($GLOBALS['config']['web_session_ip'])
417  {
418    $remote_addr = get_remote_addr($config['web_session_ip_by_header']); // Remote address by header if configured
419    $id .= $remote_addr;   // User IP address
420
421    // Force reauth if remote IP changed
422    if ($_SESSION['authenticated'])
423    {
424      if (isset($_SESSION['PREV_REMOTE_ADDR']) && $remote_addr != $_SESSION['PREV_REMOTE_ADDR'])
425      {
426        unset($_SESSION['authenticated'],
427              $_SESSION['user_id'],
428              $_SESSION['username'],
429              $_SESSION['user_encpass'], $_SESSION['password'],
430              $_SESSION['userlevel']);
431      }
432      session_set_var('PREV_REMOTE_ADDR', $remote_addr); // Store current remote IP
433    }
434  }
435
436  // Next required JS cals:
437  // resolution = screen.width+"x"+screen.height+"x"+screen.colorDepth;
438  // timezone   = new Date().getTimezoneOffset();
439  if ($debug_auth)
440  {
441    $debug_log_array = array(md5($id), $remote_addr, $_SERVER['HTTP_USER_AGENT'],
442                             $_SERVER['HTTP_ACCEPT_ENCODING'], $_SERVER['HTTP_ACCEPT_LANGUAGE'],
443                             $_COOKIE['OBSID']);
444    logfile('debug_auth.log', json_encode($debug_log_array));
445  }
446
447  return md5($id);
448}
449
450/**
451 * Store encrypted password in $_SESSION['user_encpass'], required for some auth mechanism, ie ldap
452 *
453 * @param  string $auth_password Plain password
454 * @param  string $key           Key for password encrypt
455 * @return string                Encrypted password
456 */
457function session_encrypt_password($auth_password, $key)
458{
459  // Store encrypted password
460  if ($GLOBALS['config']['auth_mechanism'] == 'ldap' &&
461      !($GLOBALS['config']['auth_ldap_bindanonymous'] || strlen($GLOBALS['config']['auth_ldap_binddn'].$GLOBALS['config']['auth_ldap_bindpw'])))
462  {
463    if (OBS_ENCRYPT)
464    {
465      if (OBS_ENCRYPT_MODULE == 'mcrypt')
466      {
467        $key .= get_unique_id();
468      }
469      // For some admin LDAP functions required store encrypted password in session (userslist)
470      session_set_var('user_encpass', encrypt($auth_password, $key));
471    } else {
472      //session_set_var('user_encpass', base64_encode($auth_password));
473      session_set_var('encrypt_required', 1);
474    }
475  }
476
477  return $_SESSION['user_encpass'];
478}
479
480// DOCME needs phpdoc block
481function session_logout($relogin = FALSE, $message = NULL)
482{
483  global $debug_auth;
484
485  // Save auth failure message for later re-use
486  $auth_message = $_SESSION['auth_message'];
487
488  if ($_SESSION['authenticated'])
489  {
490    $auth_log = 'Logged Out';
491  } else {
492    $auth_log = 'Authentication Failure';
493  }
494  if ($message)
495  {
496    $auth_log .= ' (' . $message . ')';
497  }
498  if ($debug_auth)
499  {
500    $debug_log = $GLOBALS['config']['log_dir'].'/'.date("Y-m-d_H:i:s").'.log';
501    file_put_contents($debug_log, var_export($_SERVER,  TRUE), FILE_APPEND);
502    file_put_contents($debug_log, var_export($_SESSION, TRUE), FILE_APPEND);
503    file_put_contents($debug_log, var_export($_COOKIE,  TRUE), FILE_APPEND);
504  }
505
506  // Store logged remote IP with real proxied IP (if configured and avialable)
507  $remote_addr = get_remote_addr();
508  $remote_addr_header = get_remote_addr(TRUE); // Remote addr by http header
509  if ($remote_addr_header && $remote_addr != $remote_addr_header)
510  {
511    $remote_addr = $remote_addr_header . ' (' . $remote_addr . ')';
512  }
513  dbInsert(array('user'       => $_SESSION['username'],
514                 'address'    => $remote_addr,
515                 'user_agent' => $_SERVER['HTTP_USER_AGENT'],
516                 'result'     => $auth_log), 'authlog');
517  if (isset($_COOKIE['ckey'])) dbDelete('users_ckeys', "`username` = ? AND `user_ckey` = ?", array($_SESSION['username'], $_COOKIE['ckey'])); // Remove old ckeys from DB
518  // Unset cookies
519  $cookie_params = session_get_cookie_params();
520  $past = time() - 3600;
521  foreach ($_COOKIE as $cookie => $value)
522  {
523    if (empty($cookie_params['domain']))
524    {
525      setcookie($cookie, '', $past, $cookie_params['path']);
526    } else {
527      setcookie($cookie, '', $past, $cookie_params['path'], $cookie_params['domain']);
528    }
529  }
530  unset($_COOKIE);
531
532  // Clean cache if possible
533  $cache_tags = array('__anonymous');
534  if ($_SESSION['authenticated'])
535  {
536    $cache_tags = array('__username='.$_SESSION['username']);
537  }
538  del_cache_items($cache_tags);
539
540  // Unset session
541  @session_start();
542  if ($relogin)
543  {
544    // Reset session and relogin (for example: HTTP auth)
545    $_SESSION['relogin'] = TRUE;
546    unset($_SESSION['authenticated'],
547          $_SESSION['user_id'],
548          $_SESSION['username'],
549          $_SESSION['user_encpass'], $_SESSION['password'],
550          $_SESSION['userlevel']);
551    session_commit();
552    session_regenerate_id(TRUE);
553  } else {
554    // Kill current session, as authentication failed
555    unset($_SESSION);
556    session_unset();
557    session_destroy();
558    session_commit();
559    //setcookie(session_name(),'',0,'/');
560    session_regenerate_id(TRUE);
561    // Re-set auth failure message for use on login page
562    //session_start();
563    $_SESSION['auth_message'] = $message;
564  }
565}
566
567/**
568 * Regenerate session ID for prevent attacks session hijacking and session fixation.
569 * Note, use this function after session_start() and before next session_commit()!
570 *
571 * @param int $lifetime_id Time in seconds for next regenerate session ID (default 30 min)
572 */
573function session_regenerate($lifetime_id = 1800)
574{
575  session_start();
576
577  $currenttime   = time();
578  if ($lifetime_id != 1800 && is_numeric($lifetime_id) && $lifetime_id >= 300)
579  {
580    $lifetime_id = intval($lifetime_id);
581  } else {
582    $lifetime_id = 1800;
583  }
584
585  if (isset($_SESSION['starttime']))
586  {
587    if ($currenttime - $_SESSION['starttime'] >= $lifetime_id && !is_graph())
588    {
589      //logfile('debug_auth.log', 'session_regenerate_id() called at '.$currenttime);
590      // ID Lifetime expired, regenerate
591      session_regenerate_id(TRUE);
592      // Clean cache from _SESSION first, this cache used in ajax calls
593      if (isset($_SESSION['cache'])) { unset($_SESSION['cache']); }
594      $_SESSION['starttime'] = $currenttime;
595    }
596  } else {
597    $_SESSION['starttime']   = $currenttime;
598  }
599
600  session_commit();
601}
602
603/**
604 * Use this function for write to $_SESSION global var.
605 * And prevent session blocking.
606 * If value is NULL, this session variable will unset
607 *
608 * @param string $var
609 * @param mixed $value
610 */
611function session_set_var($var, $value)
612{
613  //logfile('debug_auth.log', 'session_set_var() called at '.time());
614  if (isset($_SESSION[$var]) && $_SESSION[$var] === $value) { return; } // Just return if session var unchanged
615
616  @session_start(); // Unblock session again
617
618  if (is_null($value))
619  {
620    unset($_SESSION[$var]);
621  } else {
622    $_SESSION[$var] = $value;
623  }
624
625  session_commit(); // Write and block session
626}
627
628function session_unset_var($var)
629{
630  session_set_var($var, NULL);
631}
632
633/**
634 * Redirects to the front page with the specified authentication failure message.
635 * In the case of 'remote', no redirect is performed (as this would create an infinite loop,
636 * as there is no way to logout), so the message is simply printed.
637 *
638 * @param string $message Message to display to the user
639 */
640
641function reauth_with_message($message)
642{
643  global $config;
644
645  if ($config['auth_mechanism'] == 'remote')
646  {
647    print('<h1>' . $message . '</h1>');
648  } else {
649    session_set_var('auth_message', $message);
650    redirect_to_url($config['base_url']);
651  }
652  exit();
653}
654
655// EOF
656