Changeset 6661f09a2e6f822ef068c383527094aec7b7b5e4

Timestamp:
09/08/11 10:05:26 (8 months ago)
Author:
Neutron Soutmun <neo.neutron@…>
Children:
5d2b232350232d3c7e8e8fd416c2d84bf9df27e6
Parents:
34a6ec5005b242b699dcd00b4ac1dae47ae806cf
git-author:
Neutron Soutmun <neo.neutron@…> (09/07/11 18:23:16)
git-committer:
Neutron Soutmun <neo.neutron@…> (09/08/11 10:05:26)
Message:

Prevent double login, invalid logout/update info

  • weblogin/rahu_radius.class.php (gen_session_id):
    • Keep the generated session_id in the session variable so that a repeated login cannot end up with a different session_id by mistake.
  • weblogin/rahu_radius.class.php (rahu_radius_acct):
    • Do not permit the requests that have no session_id.
Files:
1 modified

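--- a/weblogin/rahu_radius.class.php
+++ b/weblogin/rahu_radius.class.php
@@ -187,4 +187,9 @@
 
   function gen_session_id() {
+    if (!empty($_SESSION["login_session_id"]) &&
+          $this->username == $_SESSION["login_username"]) {
+      return $_SESSION["login_session_id"];
+    }
+
     $randno1 = rand(0,65535);
     $randno2 = rand(0,65535);
@@ -197,4 +202,6 @@
                 str_pad(dechex($randno4), 4, "0", STR_PAD_LEFT));
     $this->session_id = $randno;
+    $_SESSION["login_session_id"] = $randno;
+    $_SESSION["login_username"] = $this->username;
 
     return $this->session_id;
@@ -206,4 +213,10 @@
 
   function acct($accttype, $param=NULL) {
+    if ($this->username == $_SESSION["login_username"] &&
+          $accttype == "Start" && $_SESSION["login_lastacct"] == "Start" &&
+          (time() - $_SESSION["login_lasttime"]) < 10) {
+      return -1;
+    }
+
     $classname = "Auth_RADIUS_Acct_" .$accttype;
     $racct = new $classname;
@@ -211,6 +224,23 @@
     $racct->username = $this->username;
     $racct->authentic = RADIUS_AUTH_LOCAL;
-    $racct->session_id = empty($this->session_id) ? $this->gen_session_id() :
-                                                    $this->session_id;
+
+    if (empty($this->session_id)) {
+      switch($accttype) {
+        case "Start":
+          $this->session_id = $this->gen_session_id();
+          break;
+        case "Stop":
+          /* Fall-through */
+        case "Update":
+          /* Do not permit the requests that have no session ID */
+          return -1;
+          break;
+      }
+    }
+
+    $_SESSION["login_lastacct"] = $accttype;
+    $_SESSION["login_lasttime"] = time();
+
+    $racct->session_id = $this->session_id;
     $racct->session_time = $this->get_session_time();
     $racct->useStandardAttributes = 0;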
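Review bot: The new guard at the top of acct() reads `$_SESSION["login_username"]`, `$_SESSION["login_lastacct"]` and `$_SESSION["login_lasttime"]` without checking that they are set, so the first accounting call of a fresh session raises undefined-index notices, and the loose `==` on the username (also used in the new gen_session_id() check) leaves the match to PHP's type juggling. Guard the condition with `isset($_SESSION["login_username"], $_SESSION["login_lastacct"], $_SESSION["login_lasttime"]) &&` and compare the username with `===`. The switch that rejects Stop and Update without a session id has no `default:`, so a `$accttype` outside the three named cases would continue with an empty `session_id`; adding `default: return -1;` makes the rejection exhaustive. Since the generated id is now stored in the session and reused on later requests, the `rand(0,65535)` generation in the unchanged lines above it is the weaker link — it predates this commit, but `openssl_random_pseudo_bytes()` would be the usual source. Both gen_session_id() and acct() continue past the end of the section.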