1<?php 2 3//print_r($_SERVER); 4 5/** 6 * Observium 7 * 8 * This file is part of Observium. 9 * 10 * @package observium 11 * @subpackage authentication 12 * @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited 13 * 14 */ 15 16// All simple, OBS_API set to TRUE only in API index.php 17if (!defined('OBS_API')) 18{ 19 define('OBS_API', FALSE); 20} 21 22$debug_auth = FALSE; // Do not use this debug unless you Observium Developer ;) 23 24if (version_compare(PHP_VERSION, '7.1.0', '<')) 25{ 26 // Use sha1 to generate the session ID (option removed in php 7.1) 27 // session.sid_length (Number of session ID characters - 22 to 256. 28 // session.sid_bits_per_character (Bits used per character - 4 to 6. 29 @ini_set('session.hash_function', '1'); 30} 31@ini_set('session.referer_check', ''); // This config was causing so much trouble with Chrome 32@ini_set('session.name', 'OBSID'); // Session name 33@ini_set('session.use_cookies', '1'); // Use cookies to store the session id on the client side 34@ini_set('session.use_only_cookies', '1'); // This prevents attacks involved passing session ids in URLs 35@ini_set('session.use_trans_sid', '0'); // Disable SID (no session id in url) 36 37$currenttime = time(); 38$lifetime = 60*60*24; // Session lifetime (default one day) 39$cookie_expire = $currenttime + 60*60*24*14; // Cookies expire time (14 days) 40$cookie_path = '/'; // Cookie path 41$cookie_domain = ''; // RFC 6265, to have a "host-only" cookie is to NOT set the domain attribute. 42/// FIXME. Some old browsers not supports secure/httponly cookies params. 43$cookie_https = is_ssl(); 44$cookie_httponly = TRUE; 45 46// Use custom session lifetime 47if (is_numeric($GLOBALS['config']['web_session_lifetime']) && $GLOBALS['config']['web_session_lifetime'] >= 0) 48{ 49 $lifetime = intval($GLOBALS['config']['web_session_lifetime']); 50} 51 52@ini_set('session.gc_maxlifetime', $lifetime); // Session lifetime (for non "remember me" sessions) 53session_set_cookie_params($lifetime, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly); 54//session_cache_limiter('private'); 55 56//register_shutdown_function('session_commit'); // This already done at end of script run 57if (!session_is_active()) 58{ 59 //logfile('debug_auth.log', 'session_start() called at '.$currenttime); 60 session_commit(); // Write and close current session 61 62 //session_start(); // session starts in session_regenerate too! 63 session_regenerate(); // Note, use this function after session_start() and before next session_commit()! 64 /* 65 if (isset($_SESSION['starttime'])) 66 { 67 if ($currenttime - $_SESSION['starttime'] >= $lifetime_id && !is_graph()) 68 { 69 logfile('debug_auth.log', 'session_regenerate_id() called at '.$currenttime); 70 // ID Lifetime expired, regenerate 71 session_regenerate_id(TRUE); 72 // Clean cache from _SESSION first, this cache used in ajax calls 73 if (isset($_SESSION['cache'])) { unset($_SESSION['cache']); } 74 $_SESSION['starttime'] = $currenttime; 75 } 76 } else { 77 $_SESSION['starttime'] = $currenttime; 78 } 79 */ 80 81 //if (!is_graph()) 82 //{ 83 // print_vars($vars); print_vars($_SESSION); print_vars($_COOKIE); 84 //} 85} 86 87// Fallback to MySQL auth as default - FIXME do this in sqlconfig file? 88if (!isset($config['auth_mechanism'])) 89{ 90 $config['auth_mechanism'] = "mysql"; 91} 92 93// Trust Apache authenticated user, if configured to do so and username is available 94if ($config['auth']['remote_user'] && $_SERVER['REMOTE_USER'] != '') 95{ 96 session_set_var('username', $_SERVER['REMOTE_USER']); 97} 98 99$auth_file = $config['html_dir'].'/includes/authentication/' . $config['auth_mechanism'] . '.inc.php'; 100if (is_file($auth_file)) 101{ 102 if (isset($_SESSION['auth_mechanism']) && $_SESSION['auth_mechanism'] != $config['auth_mechanism']) 103 { 104 // Logout if AUTH mechanism changed 105 session_logout(); 106 reauth_with_message('Authentication mechanism changed, please log in again!'); 107 } else { 108 session_set_var('auth_mechanism', $config['auth_mechanism']); 109 } 110 111 // Always load mysql as backup 112 include($config['html_dir'].'/includes/authentication/mysql.inc.php'); 113 114 // Load primary module if not mysql 115 if ($config['auth_mechanism'] != 'mysql') { include($auth_file); } 116 117 // Include base auth functions calls 118 include($config['html_dir'].'/includes/authenticate-functions.inc.php'); 119} else { 120 session_logout(); 121 reauth_with_message('Invalid auth_mechanism defined, please correct your configuration!'); 122} 123 124// Check logout 125if ($_SESSION['authenticated'] && str_starts(ltrim($_SERVER['REQUEST_URI'], '/'), 'logout')) 126{ 127 // Do not use $vars and get_vars here! 128 //print_vars($_SERVER['REQUEST_URI']); 129 if (auth_can_logout()) 130 { 131 // No need for a feedback message if user requested a logout 132 session_logout(function_exists('auth_require_login')); 133 134 $redirect = auth_logout_url(); 135 if ($redirect) 136 { 137 redirect_to_url($redirect); 138 exit(); 139 } 140 } 141 redirect_to_url($config['base_url']); 142 exit(); 143} 144 145$user_unique_id = session_unique_id(); // Get unique user id and check if IP changed (if required by config) 146 147// Store logged remote IP with real proxied IP (if configured and avialable) 148$remote_addr = get_remote_addr(); 149$remote_addr_header = get_remote_addr(TRUE); // Remote addr by http header 150if ($remote_addr_header && $remote_addr != $remote_addr_header) 151{ 152 $remote_addr = $remote_addr_header . ' (' . $remote_addr . ')'; 153} 154 155// Check if allowed auth by CIDR 156$auth_allow_cidr = TRUE; 157if (isset($config['web_session_cidr']) && count($config['web_session_cidr'])) 158{ 159 $auth_allow_cidr = match_network(get_remote_addr($config['web_session_ip_by_header']), $config['web_session_cidr']); 160} 161 162if (!$_SESSION['authenticated'] && isset($_GET['username']) && isset($_GET['password'])) 163{ 164 session_set_var('username', $_GET['username']); 165 $auth_password = $_GET['password']; 166} 167else if (!$_SESSION['authenticated'] && isset($_POST['username']) && isset($_POST['password'])) 168{ 169 session_set_var('username', $_POST['username']); 170 $auth_password = $_POST['password']; 171} 172else if (!$_SESSION['authenticated'] && isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) 173{ 174 session_set_var('username', $_SERVER['PHP_AUTH_USER']); 175 $auth_password = $_SERVER['PHP_AUTH_PW']; 176} 177else if (OBS_ENCRYPT && !$_SESSION['authenticated'] && isset($_COOKIE['ckey'])) 178{ 179 ///DEBUG 180 if ($debug_auth) 181 { 182 $debug_log = $GLOBALS['config']['log_dir'].'/debug_cookie_'.date("Y-m-d_H:i:s").'.log'; 183 file_put_contents($debug_log, var_export($_SERVER, TRUE), FILE_APPEND); 184 file_put_contents($debug_log, var_export($_SESSION, TRUE), FILE_APPEND); 185 file_put_contents($debug_log, var_export($_COOKIE, TRUE), FILE_APPEND); 186 } 187 188 $ckey = dbFetchRow("SELECT * FROM `users_ckeys` WHERE `user_uniq` = ? AND `user_ckey` = ? LIMIT 1", 189 array($user_unique_id, $_COOKIE['ckey'])); 190 if (is_array($ckey)) 191 { 192 if ($ckey['expire'] > $currenttime && $auth_allow_cidr) 193 { 194 session_set_var('username', $ckey['username']); 195 $auth_password = decrypt($ckey['user_encpass'], $_COOKIE['dkey']); 196 197 // Store encrypted password 198 session_encrypt_password($auth_password, $user_unique_id); 199 200 // If userlevel == 0 - user disabled an can not be logon 201 if (auth_user_level($ckey['username']) < 1) 202 { 203 session_logout(FALSE, 'User disabled'); 204 reauth_with_message('User login disabled'); 205 } 206 207 session_set_var('user_ckey_id', $ckey['user_ckey_id']); 208 session_set_var('cookie_auth', TRUE); 209 dbInsert(array('user' => $_SESSION['username'], 210 'address' => $remote_addr, 211 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 212 'result' => 'Logged In (cookie)'), 'authlog'); 213 214 } 215 } 216} 217 218if ($_COOKIE['password']) { setcookie("password", NULL); } 219if ($_COOKIE['username']) { setcookie("username", NULL); } 220if ($_COOKIE['user_id'] ) { setcookie("user_id", NULL); } 221 222$auth_success = FALSE; // Variable for check if just logged 223 224if (isset($_SESSION['username'])) 225{ 226 // Check for allowed by CIDR range 227 if (!$auth_allow_cidr) 228 { 229 session_logout(FALSE, 'Remote IP not allowed in CIDR ranges'); 230 reauth_with_message('Remote IP not allowed in CIDR ranges'); 231 } 232 233 // Auth from COOKIEs 234 if ($_SESSION['cookie_auth']) 235 { 236 @session_start(); 237 $_SESSION['authenticated'] = TRUE; 238 $auth_success = TRUE; 239 dbUpdate(array('expire' => $cookie_expire), 'users_ckeys', '`user_ckey_id` = ?', array($_SESSION['user_ckey_id'])); 240 unset($_SESSION['user_ckey_id'], $_SESSION['cookie_auth']); 241 session_commit(); 242 } 243 244 // Auth from ... 245 if (!$_SESSION['authenticated'] && (authenticate($_SESSION['username'], $auth_password) || // login/password 246 (auth_usermanagement() && auth_user_level($_SESSION['origusername']) >= 10))) // FIXME? 247 { 248 // If we get here, it means the password for the user was correct (authenticate() called) 249 // Store encrypted password 250 session_encrypt_password($auth_password, $user_unique_id); 251 252 253 // If userlevel == 0 - user disabled and can not log in 254 if (auth_user_level($_SESSION['username']) < 1) 255 { 256 session_logout(FALSE, 'User disabled'); 257 reauth_with_message('User login disabled'); 258 exit(); 259 } 260 261 session_set_var('authenticated', TRUE); 262 $auth_success = TRUE; 263 dbInsert(array('user' => $_SESSION['username'], 264 'address' => $remote_addr, 265 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 266 'result' => 'Logged In'), 'authlog'); 267 // Generate keys for cookie auth 268 if (isset($_POST['remember']) && OBS_ENCRYPT) 269 { 270 $ckey = md5(strgen()); 271 $dkey = md5(strgen()); 272 $encpass = encrypt($auth_password, $dkey); 273 dbDelete('users_ckeys', "`username` = ? AND `expire` < ?", array($_SESSION['username'], $currenttime - 3600)); // Remove old ckeys from DB 274 dbInsert(array('user_encpass' => $encpass, 275 'expire' => $cookie_expire, 276 'username' => $_SESSION['username'], 277 'user_uniq' => $user_unique_id, 278 'user_ckey' => $ckey), 'users_ckeys'); 279 setcookie("ckey", $ckey, $cookie_expire, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly); 280 setcookie("dkey", $dkey, $cookie_expire, $cookie_path, $cookie_domain, $cookie_https, $cookie_httponly); 281 session_unset_var('user_ckey_id'); 282 } 283 } 284 else if (!$_SESSION['authenticated']) 285 { 286 // Not authenticated 287 session_set_var('auth_message', 'Authentication Failed'); 288 session_logout(function_exists('auth_require_login')); 289 } 290 291 // Retrieve user ID and permissions 292 if ($_SESSION['authenticated']) 293 { 294 @session_start(); 295 if (!is_numeric($_SESSION['userlevel']) || !is_numeric($_SESSION['user_id'])) 296 { 297 $_SESSION['userlevel'] = auth_user_level($_SESSION['username']); 298 $_SESSION['user_id'] = auth_user_id($_SESSION['username']); 299 } 300 301 $level_permissions = auth_user_level_permissions($_SESSION['userlevel']); 302 // If userlevel == 0 - user disabled an can not be logon 303 if (!$level_permissions['permission_access']) 304 { 305 session_logout(FALSE, 'User disabled'); 306 reauth_with_message('User login disabled'); 307 exit(); 308 } 309 else if (!isset($_SESSION['user_limited']) || $_SESSION['user_limited'] != $level_permissions['limited']) 310 { 311 // Store user limited flag, required for quick permissions list generate 312 $_SESSION['user_limited'] = $level_permissions['limited']; 313 } 314 session_commit(); 315 316 // Generate a CSRF Token 317 // https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php 318 // For validate use: request_token_valid($vars['requesttoken']) 319 if (empty($_SESSION['requesttoken'])) 320 { 321 session_set_var('requesttoken', bin2hex(random_bytes(32))); 322 } 323 324 // Now we can enable debug if user is privileged (Global Secure Read and greater) 325 if (!defined('OBS_DEBUG')) // OBS_DEBUG not defined by default for unprivileged users in definitions 326 { 327 if ($_SESSION['userlevel'] < 7 || !$debug_web_requested) // && !$config['permit_user_debug']) // Note, use $config['web_debug_unprivileged'] = TRUE; 328 { 329 // DO NOT ALLOW show debug output for users with privilege level less than "Global Secure Read" 330 define('OBS_DEBUG', 0); 331 ini_set('display_errors', 0); 332 ini_set('display_startup_errors', 0); 333 //ini_set('error_reporting', 0); // Use default php config 334 } else { 335 define('OBS_DEBUG', 1); 336 337 ini_set('display_errors', 1); 338 ini_set('display_startup_errors', 1); 339 //ini_set('error_reporting', E_ALL ^ E_NOTICE); 340 ini_set('error_reporting', E_ALL ^ E_NOTICE ^ E_WARNING); 341 } 342 } 343 344 //$a = utime(); 345 $permissions = permissions_cache($_SESSION['user_id']); 346 //echo utime() - $a . 's for permissions cache'; 347 348 349 // Add feeds & api keys after first auth 350 if (OBS_ENCRYPT && !get_user_pref($_SESSION['user_id'], 'atom_key')) 351 { 352 // Generate unique token 353 do 354 { 355 $atom_key = md5(strgen()); 356 } 357 //while (dbFetchCell("SELECT COUNT(*) FROM `users_prefs` WHERE `pref` = ? AND `value` = ?;", array('atom_key', $atom_key)) > 0); 358 while (dbExist('users_prefs', '`pref` = ? AND `value` = ?', array('atom_key', $atom_key))); 359 set_user_pref($_SESSION['user_id'], 'atom_key', $atom_key); 360 } 361 } 362 363 if ($auth_success && !OBS_API) 364 { 365 // If just logged in go to request uri, unless we're debugging or in API, 366 // in which case we want to see authentication module output first. 367 if (!OBS_DEBUG) 368 { 369 redirect_to_url($_SERVER['REQUEST_URI']); 370 } else { 371 print_message("Debugging mode has disabled redirect to front page; please click <a href=\"" . $_SERVER['REQUEST_URI'] . "\">here</a> to continue."); 372 } 373 exit(); 374 } 375} 376 377///r($_SESSION); 378///r($_COOKIE); 379///r($permissions); 380 381//logfile('debug_auth.log', 'auth session_commit() called at '.time()); 382//session_commit(); // Write and unblock current session (use session_set_var() and session_unset_var() for write to session variables!) 383 384/* Session manager specific functions */ 385 386// DOCME needs phpdoc block 387function session_is_active() 388{ 389 if (!is_cli()) 390 { 391 if (version_compare(PHP_VERSION, '5.4.0', '>=')) 392 { 393 return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE; 394 } else { 395 return session_id() === '' ? FALSE : TRUE; 396 } 397 } 398 return FALSE; 399} 400 401/** 402 * Generate unique id for current user/browser, based on some unique params 403 * 404 * @return string 405 */ 406function session_unique_id() 407{ 408 global $debug_auth; 409 410 $id = $_SERVER['HTTP_USER_AGENT']; // User agent 411 //$id .= $_SERVER['HTTP_ACCEPT']; // Browser accept headers // WTF, this header different for main and js/ajax queries 412 // Less entropy than HTTP_ACCEPT, but stable! 413 $id .= $_SERVER['HTTP_ACCEPT_ENCODING']; 414 $id .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; 415 416 if ($GLOBALS['config']['web_session_ip']) 417 { 418 $remote_addr = get_remote_addr($config['web_session_ip_by_header']); // Remote address by header if configured 419 $id .= $remote_addr; // User IP address 420 421 // Force reauth if remote IP changed 422 if ($_SESSION['authenticated']) 423 { 424 if (isset($_SESSION['PREV_REMOTE_ADDR']) && $remote_addr != $_SESSION['PREV_REMOTE_ADDR']) 425 { 426 unset($_SESSION['authenticated'], 427 $_SESSION['user_id'], 428 $_SESSION['username'], 429 $_SESSION['user_encpass'], $_SESSION['password'], 430 $_SESSION['userlevel']); 431 } 432 session_set_var('PREV_REMOTE_ADDR', $remote_addr); // Store current remote IP 433 } 434 } 435 436 // Next required JS cals: 437 // resolution = screen.width+"x"+screen.height+"x"+screen.colorDepth; 438 // timezone = new Date().getTimezoneOffset(); 439 if ($debug_auth) 440 { 441 $debug_log_array = array(md5($id), $remote_addr, $_SERVER['HTTP_USER_AGENT'], 442 $_SERVER['HTTP_ACCEPT_ENCODING'], $_SERVER['HTTP_ACCEPT_LANGUAGE'], 443 $_COOKIE['OBSID']); 444 logfile('debug_auth.log', json_encode($debug_log_array)); 445 } 446 447 return md5($id); 448} 449 450/** 451 * Store encrypted password in $_SESSION['user_encpass'], required for some auth mechanism, ie ldap 452 * 453 * @param string $auth_password Plain password 454 * @param string $key Key for password encrypt 455 * @return string Encrypted password 456 */ 457function session_encrypt_password($auth_password, $key) 458{ 459 // Store encrypted password 460 if ($GLOBALS['config']['auth_mechanism'] == 'ldap' && 461 !($GLOBALS['config']['auth_ldap_bindanonymous'] || strlen($GLOBALS['config']['auth_ldap_binddn'].$GLOBALS['config']['auth_ldap_bindpw']))) 462 { 463 if (OBS_ENCRYPT) 464 { 465 if (OBS_ENCRYPT_MODULE == 'mcrypt') 466 { 467 $key .= get_unique_id(); 468 } 469 // For some admin LDAP functions required store encrypted password in session (userslist) 470 session_set_var('user_encpass', encrypt($auth_password, $key)); 471 } else { 472 //session_set_var('user_encpass', base64_encode($auth_password)); 473 session_set_var('encrypt_required', 1); 474 } 475 } 476 477 return $_SESSION['user_encpass']; 478} 479 480// DOCME needs phpdoc block 481function session_logout($relogin = FALSE, $message = NULL) 482{ 483 global $debug_auth; 484 485 // Save auth failure message for later re-use 486 $auth_message = $_SESSION['auth_message']; 487 488 if ($_SESSION['authenticated']) 489 { 490 $auth_log = 'Logged Out'; 491 } else { 492 $auth_log = 'Authentication Failure'; 493 } 494 if ($message) 495 { 496 $auth_log .= ' (' . $message . ')'; 497 } 498 if ($debug_auth) 499 { 500 $debug_log = $GLOBALS['config']['log_dir'].'/'.date("Y-m-d_H:i:s").'.log'; 501 file_put_contents($debug_log, var_export($_SERVER, TRUE), FILE_APPEND); 502 file_put_contents($debug_log, var_export($_SESSION, TRUE), FILE_APPEND); 503 file_put_contents($debug_log, var_export($_COOKIE, TRUE), FILE_APPEND); 504 } 505 506 // Store logged remote IP with real proxied IP (if configured and avialable) 507 $remote_addr = get_remote_addr(); 508 $remote_addr_header = get_remote_addr(TRUE); // Remote addr by http header 509 if ($remote_addr_header && $remote_addr != $remote_addr_header) 510 { 511 $remote_addr = $remote_addr_header . ' (' . $remote_addr . ')'; 512 } 513 dbInsert(array('user' => $_SESSION['username'], 514 'address' => $remote_addr, 515 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 516 'result' => $auth_log), 'authlog'); 517 if (isset($_COOKIE['ckey'])) dbDelete('users_ckeys', "`username` = ? AND `user_ckey` = ?", array($_SESSION['username'], $_COOKIE['ckey'])); // Remove old ckeys from DB 518 // Unset cookies 519 $cookie_params = session_get_cookie_params(); 520 $past = time() - 3600; 521 foreach ($_COOKIE as $cookie => $value) 522 { 523 if (empty($cookie_params['domain'])) 524 { 525 setcookie($cookie, '', $past, $cookie_params['path']); 526 } else { 527 setcookie($cookie, '', $past, $cookie_params['path'], $cookie_params['domain']); 528 } 529 } 530 unset($_COOKIE); 531 532 // Clean cache if possible 533 $cache_tags = array('__anonymous'); 534 if ($_SESSION['authenticated']) 535 { 536 $cache_tags = array('__username='.$_SESSION['username']); 537 } 538 del_cache_items($cache_tags); 539 540 // Unset session 541 @session_start(); 542 if ($relogin) 543 { 544 // Reset session and relogin (for example: HTTP auth) 545 $_SESSION['relogin'] = TRUE; 546 unset($_SESSION['authenticated'], 547 $_SESSION['user_id'], 548 $_SESSION['username'], 549 $_SESSION['user_encpass'], $_SESSION['password'], 550 $_SESSION['userlevel']); 551 session_commit(); 552 session_regenerate_id(TRUE); 553 } else { 554 // Kill current session, as authentication failed 555 unset($_SESSION); 556 session_unset(); 557 session_destroy(); 558 session_commit(); 559 //setcookie(session_name(),'',0,'/'); 560 session_regenerate_id(TRUE); 561 // Re-set auth failure message for use on login page 562 //session_start(); 563 $_SESSION['auth_message'] = $message; 564 } 565} 566 567/** 568 * Regenerate session ID for prevent attacks session hijacking and session fixation. 569 * Note, use this function after session_start() and before next session_commit()! 570 * 571 * @param int $lifetime_id Time in seconds for next regenerate session ID (default 30 min) 572 */ 573function session_regenerate($lifetime_id = 1800) 574{ 575 session_start(); 576 577 $currenttime = time(); 578 if ($lifetime_id != 1800 && is_numeric($lifetime_id) && $lifetime_id >= 300) 579 { 580 $lifetime_id = intval($lifetime_id); 581 } else { 582 $lifetime_id = 1800; 583 } 584 585 if (isset($_SESSION['starttime'])) 586 { 587 if ($currenttime - $_SESSION['starttime'] >= $lifetime_id && !is_graph()) 588 { 589 //logfile('debug_auth.log', 'session_regenerate_id() called at '.$currenttime); 590 // ID Lifetime expired, regenerate 591 session_regenerate_id(TRUE); 592 // Clean cache from _SESSION first, this cache used in ajax calls 593 if (isset($_SESSION['cache'])) { unset($_SESSION['cache']); } 594 $_SESSION['starttime'] = $currenttime; 595 } 596 } else { 597 $_SESSION['starttime'] = $currenttime; 598 } 599 600 session_commit(); 601} 602 603/** 604 * Use this function for write to $_SESSION global var. 605 * And prevent session blocking. 606 * If value is NULL, this session variable will unset 607 * 608 * @param string $var 609 * @param mixed $value 610 */ 611function session_set_var($var, $value) 612{ 613 //logfile('debug_auth.log', 'session_set_var() called at '.time()); 614 if (isset($_SESSION[$var]) && $_SESSION[$var] === $value) { return; } // Just return if session var unchanged 615 616 @session_start(); // Unblock session again 617 618 if (is_null($value)) 619 { 620 unset($_SESSION[$var]); 621 } else { 622 $_SESSION[$var] = $value; 623 } 624 625 session_commit(); // Write and block session 626} 627 628function session_unset_var($var) 629{ 630 session_set_var($var, NULL); 631} 632 633/** 634 * Redirects to the front page with the specified authentication failure message. 635 * In the case of 'remote', no redirect is performed (as this would create an infinite loop, 636 * as there is no way to logout), so the message is simply printed. 637 * 638 * @param string $message Message to display to the user 639 */ 640 641function reauth_with_message($message) 642{ 643 global $config; 644 645 if ($config['auth_mechanism'] == 'remote') 646 { 647 print('<h1>' . $message . '</h1>'); 648 } else { 649 session_set_var('auth_message', $message); 650 redirect_to_url($config['base_url']); 651 } 652 exit(); 653} 654 655// EOF 656