3 files changed, 223 insertions, 71 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index 3162f507..08126bad 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -1,136 +1,279 @@
 <?php
 /**
 * Session management class
+ *
 * http://www.developpez.net/forums/d51943/php/langage/sessions/
 * http://sebsauvage.net/wiki/doku.php?id=php:session
 * http://sebsauvage.net/wiki/doku.php?id=php:shaarli
- *
+ * 
 * Features:
 * - Everything is stored on server-side (we do not trust client-side data,
 *   such as cookie expiration)
- * - IP addresses + user agent are checked on each access to prevent session
+ * - IP addresses are checked on each access to prevent session cookie hijacking
- *   cookie hijacking (such as Firesheep)
+ *   (such as Firesheep)
 * - Session expires on user inactivity (Session expiration date is
 *   automatically updated everytime the user accesses a page.)
 * - A unique secret key is generated on server-side for this session
- *   (and never sent over the wire) which can be used
+ *   (and never sent over the wire) which can be used to sign forms (HMAC)
- *   to sign forms (HMAC) (See $_SESSION['uid'] )
+ *   (See $_SESSION['uid'])
- * - Token management to prevent XSRF attacks.
+ * - Token management to prevent XSRF attacks
+ * - Brute force protection with ban management
 *
- * TODO:
+ * TODOs
- * - log login fail
+ * - Replace globals with variables in Session class
- * - prevent brute force (ban IP)
 *
- * HOWTOUSE:
+ * How to use:
- * - Just call Session::init(); to initialize session and
+ * - http://tontof.net/kriss/php5/session
- *   check if connected with Session::isLogged()
 */
 class Session
 {
+    // Personnalize PHP session name
+    public static $sessionName = '';
    // If the user does not access any page within this time,
-    // his/her session is considered expired (in seconds).
+    // his/her session is considered expired (3600 sec. = 1 hour)
-    public static $inactivity_timeout = 3600;
+    public static $inactivityTimeout = 3600;
-    private static $_instance;
+    // If you get disconnected often or if your IP address changes often.
+    // Let you disable session cookie hijacking protection
+    public static $disableSessionProtection = false;
+    // Ban IP after this many failures.
+    public static $banAfter = 4;
+    // Ban duration for IP address after login failures (in seconds).
+    // (1800 sec. = 30 minutes)
+    public static $banDuration = 1800;
+    // File storage for failures and bans. If empty, no ban management.
+    public static $banFile = '';
-    // constructor
+    /**
-    private function __construct()
+     * Initialize session
+     */
+    public static function init()
    {
+        // Force cookie path (but do not change lifetime)
+        $cookie = session_get_cookie_params();
+        // Default cookie expiration and path.
+        $cookiedir = '';
+        if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
+            $cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
+        }
+        $ssl = false;
+        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
+            $ssl = true;
+        }
+        session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
        // Use cookies to store session.
        ini_set('session.use_cookies', 1);
        // Force cookies for session  (phpsessionID forbidden in URL)
        ini_set('session.use_only_cookies', 1);
-        if (!session_id()){
+        if (!session_id()) {
            // Prevent php to use sessionID in URL if cookies are disabled.
            ini_set('session.use_trans_sid', false);
-            session_start('poche');
+            if (!empty(self::$sessionName)) {
+                session_name(self::$sessionName);
+            }
+            session_start();
        }
    }
-    // initialize session
+    /**
-    public static function init()
+     * Returns the IP address
+     * (Used to prevent session cookie hijacking.)
+     *
+     * @return string IP addresses
+     */
+    private static function _allIPs()
    {
-        if (!isset(self::$_instance)) {
+        $ip = $_SERVER["REMOTE_ADDR"];
-            self::$_instance = new Session();
+        $ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
-        }
+        $ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
-    }
-    // Returns the IP address, user agent and language of the client
+        return $ip;
-    // (Used to prevent session cookie hijacking.)
-    private static function _allInfos()
-    {
-        $infos = $_SERVER["REMOTE_ADDR"];
-        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-            $infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
-        }
-        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
-            $infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
-        }
-        $infos.='_'.$_SERVER['HTTP_USER_AGENT'];
-        $infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
-        return sha1($infos);
    }
-    // Check that user/password is correct and init some SESSION variables.
+    /**
-    public static function login($login,$password,$login_test,$password_test,
+     * Check that user/password is correct and then init some SESSION variables.
-                                 $pValues = array())
+     *
+     * @param string $login        Login reference
+     * @param string $password     Password reference
+     * @param string $loginTest    Login to compare with login reference
+     * @param string $passwordTest Password to compare with password reference
+     * @param array  $pValues      Array of variables to store in SESSION
+     *
+     * @return true|false          True if login and password are correct, false
+     *                             otherwise
+     */
+    public static function login (
+        $login,
+        $password,
+        $loginTest,
+        $passwordTest,
+        $pValues = array())
    {
-        foreach ($pValues as $key => $value) {
+        self::banInit();
-            $_SESSION[$key] = $value;
+        if (self::banCanLogin()) {
-        }
+            if ($login === $loginTest && $password === $passwordTest) {
-        if ($login==$login_test && $password==$password_test){
+                self::banLoginOk();
-            // generate unique random number to sign forms (HMAC)
+                // Generate unique random number to sign forms (HMAC)
-            $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());
+                $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
-            $_SESSION['info']=Session::_allInfos();
+                $_SESSION['ip'] = self::_allIPs();
-            $_SESSION['username']=$login;
+                $_SESSION['username'] = $login;
-            // Set session expiration.
+                // Set session expiration.
-            $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+                $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-            return true;
+                foreach ($pValues as $key => $value) {
+                    $_SESSION[$key] = $value;
+                }
+                return true;
+            }
+            self::banLoginFailed();
        }
        return false;
    }
-    // Force logout
+    /**
+     * Unset SESSION variable to force logout
+     */
    public static function logout()
    {
-        unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
+        unset($_SESSION['uid'], $_SESSION['ip'], $_SESSION['expires_on']);
    }
-    // Make sure user is logged in.
+    /**
+     * Make sure user is logged in.
+     *
+     * @return true|false True if user is logged in, false otherwise
+     */
    public static function isLogged()
    {
        if (!isset ($_SESSION['uid'])
-            || $_SESSION['info']!=Session::_allInfos()
+            || (self::$disableSessionProtection === false
-            || time()>=$_SESSION['expires_on']){
+                && $_SESSION['ip'] !== self::_allIPs())
-            Session::logout();
+            || time() >= $_SESSION['expires_on']) {
+            self::logout();
            return false;
        }
        // User accessed a page : Update his/her session expiration date.
-        $_SESSION['expires_on']=time()+Session::$inactivity_timeout;
+        $_SESSION['expires_on'] = time() + self::$inactivityTimeout;
+        if (!empty($_SESSION['longlastingsession'])) {
+                $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
+        }
        return true;
    }
-    // Returns a token.
+    /**
-    public static function getToken()
+     * Create a token, store it in SESSION and return it
+     *
+     * @param string $salt to prevent birthday attack
+     *
+     * @return string Token created
+     */
+    public static function getToken($salt = '')
    {
-        if (!isset($_SESSION['tokens'])){
+        if (!isset($_SESSION['tokens'])) {
            $_SESSION['tokens']=array();
        }
        // We generate a random string and store it on the server side.
-        $rnd = sha1(uniqid('',true).'_'.mt_rand());
+        $rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
        $_SESSION['tokens'][$rnd]=1;
        return $rnd;
    }
-    // Tells if a token is ok. Using this function will destroy the token.
+    /**
-    // return true if token is ok.
+     * Tells if a token is ok. Using this function will destroy the token.
+     *
+     * @param string $token Token to test
+     *
+     * @return true|false   True if token is correct, false otherwise
+     */
    public static function isToken($token)
    {
-        if (isset($_SESSION['tokens'][$token]))
+        if (isset($_SESSION['tokens'][$token])) {
-        {
            unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
            return true; // Token is ok.
        }
        return false; // Wrong token, or already used.
    }
-}
-\ No newline at end of file
+    /**
+     * Signal a failed login. Will ban the IP if too many failures:
+     */
+    public static function banLoginFailed()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            if (!isset($gb['FAILURES'][$ip])) {
+                $gb['FAILURES'][$ip] = 0;
+            }
+            $gb['FAILURES'][$ip]++;
+            if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
+                $gb['BANS'][$ip]= time() + self::$banDuration;
+            }
+            $GLOBALS['IPBANS'] = $gb;
+            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+        }
+    }
+    /**
+     * Signals a successful login. Resets failed login counter.
+     */
+    public static function banLoginOk()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
+            $GLOBALS['IPBANS'] = $gb;
+            file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+        }
+    }
+    /**
+     * Ban init
+     */
+    public static function banInit()
+    {
+        if (self::$banFile !== '') {
+            if (!is_file(self::$banFile)) {
+                file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
+            }
+            include self::$banFile;
+        }
+    }
+    /**
+     * Checks if the user CAN login. If 'true', the user can try to login.
+     *
+     * @return boolean true if user is banned, false otherwise
+     */
+    public static function banCanLogin()
+    {
+        if (self::$banFile !== '') {
+            $ip = $_SERVER["REMOTE_ADDR"];
+            $gb = $GLOBALS['IPBANS'];
+            if (isset($gb['BANS'][$ip])) {
+                // User is banned. Check if the ban has expired:
+                if ($gb['BANS'][$ip] <= time()) {
+                    // Ban expired, user can try to login again.
+                    unset($gb['FAILURES'][$ip]);
+                    unset($gb['BANS'][$ip]);
+                    file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
+                    return true; // Ban has expired, user can login.
+                }
+                return false; // User is banned.
+            }
+        }
+        return true; // User is not banned.
+    }
+}
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 9db4a034..2f0f7038 100644
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -93,6 +93,7 @@ class Poche
    private function init() 
    {
        Tools::initPhp();
+        Session::$sessionName = 'poche'; 
        Session::init();
        if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {
diff --git a/inc/poche/config.inc.php b/inc/poche/config.inc.php
index aaa26af8..9247c292 100755
--- a/inc/poche/config.inc.php
+++ b/inc/poche/config.inc.php
@@ -48,4 +48,12 @@ if (!ini_get('date.timezone') || !@date_default_timezone_set(ini_get('date.timez
    date_default_timezone_set('UTC');
 }
-$poche = new Poche();
-\ No newline at end of file
+$poche = new Poche();
+#XSRF protection with token
+if (!empty($_POST)) {
+    if (!Session::isToken($_POST['token'])) {
+        die(_('Wrong token'));
+    }
+    unset($_SESSION['tokens']);
+}
+\ No newline at end of file

diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php index 3162f507..08126bad 100644 --- a/inc/3rdparty/Session.class.php +++ b/inc/3rdparty/Session.class.php
@@ -1,136 +1,279 @@
1	<?php	1	<?php
2	/**	2	/**
3	* Session management class	3	* Session management class
		4	*
4	* http://www.developpez.net/forums/d51943/php/langage/sessions/	5	* http://www.developpez.net/forums/d51943/php/langage/sessions/
5	* http://sebsauvage.net/wiki/doku.php?id=php:session	6	* http://sebsauvage.net/wiki/doku.php?id=php:session
6	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli	7	* http://sebsauvage.net/wiki/doku.php?id=php:shaarli
7	*	8	*
8	* Features:	9	* Features:
9	* - Everything is stored on server-side (we do not trust client-side data,	10	* - Everything is stored on server-side (we do not trust client-side data,
10	* such as cookie expiration)	11	* such as cookie expiration)
11	* - IP addresses + user agent are checked on each access to prevent session	12	* - IP addresses are checked on each access to prevent session cookie hijacking
12	* cookie hijacking (such as Firesheep)	13	* (such as Firesheep)
13	* - Session expires on user inactivity (Session expiration date is	14	* - Session expires on user inactivity (Session expiration date is
14	* automatically updated everytime the user accesses a page.)	15	* automatically updated everytime the user accesses a page.)
15	* - A unique secret key is generated on server-side for this session	16	* - A unique secret key is generated on server-side for this session
16	* (and never sent over the wire) which can be used	17	* (and never sent over the wire) which can be used to sign forms (HMAC)
17	* to sign forms (HMAC) (See $_SESSION['uid'] )	18	* (See $_SESSION['uid'])
18	* - Token management to prevent XSRF attacks.	19	* - Token management to prevent XSRF attacks
		20	* - Brute force protection with ban management
19	*	21	*
20	* TODO:	22	* TODOs
21	* - log login fail	23	* - Replace globals with variables in Session class
22	* - prevent brute force (ban IP)
23	*	24	*
24	* HOWTOUSE:	25	* How to use:
25	* - Just call Session::init(); to initialize session and	26	* - http://tontof.net/kriss/php5/session
26	* check if connected with Session::isLogged()
27	*/	27	*/
28
29	class Session	28	class Session
30	{	29	{
		30	// Personnalize PHP session name
		31	public static $sessionName = '';
31	// If the user does not access any page within this time,	32	// If the user does not access any page within this time,
32	// his/her session is considered expired (in seconds).	33	// his/her session is considered expired (3600 sec. = 1 hour)
33	public static $inactivity_timeout = 3600;	34	public static $inactivityTimeout = 3600;
34	private static $_instance;	35	// If you get disconnected often or if your IP address changes often.
		36	// Let you disable session cookie hijacking protection
		37	public static $disableSessionProtection = false;
		38	// Ban IP after this many failures.
		39	public static $banAfter = 4;
		40	// Ban duration for IP address after login failures (in seconds).
		41	// (1800 sec. = 30 minutes)
		42	public static $banDuration = 1800;
		43	// File storage for failures and bans. If empty, no ban management.
		44	public static $banFile = '';
35		45
36	// constructor	46	/**
37	private function __construct()	47	* Initialize session
		48	*/
		49	public static function init()
38	{	50	{
		51	// Force cookie path (but do not change lifetime)
		52	$cookie = session_get_cookie_params();
		53	// Default cookie expiration and path.
		54	$cookiedir = '';
		55	if (dirname($_SERVER['SCRIPT_NAME'])!='/') {
		56	$cookiedir = dirname($_SERVER["SCRIPT_NAME"]).'/';
		57	}
		58	$ssl = false;
		59	if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
		60	$ssl = true;
		61	}
		62	session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
39	// Use cookies to store session.	63	// Use cookies to store session.
40	ini_set('session.use_cookies', 1);	64	ini_set('session.use_cookies', 1);
41	// Force cookies for session (phpsessionID forbidden in URL)	65	// Force cookies for session (phpsessionID forbidden in URL)
42	ini_set('session.use_only_cookies', 1);	66	ini_set('session.use_only_cookies', 1);
43	if (!session_id()){	67	if (!session_id()) {
44	// Prevent php to use sessionID in URL if cookies are disabled.	68	// Prevent php to use sessionID in URL if cookies are disabled.
45	ini_set('session.use_trans_sid', false);	69	ini_set('session.use_trans_sid', false);
46	session_start('poche');	70	if (!empty(self::$sessionName)) {
		71	session_name(self::$sessionName);
		72	}
		73	session_start();
47	}	74	}
48	}	75	}
49		76
50	// initialize session	77	/**
51	public static function init()	78	* Returns the IP address
		79	* (Used to prevent session cookie hijacking.)
		80	*
		81	* @return string IP addresses
		82	*/
		83	private static function _allIPs()
52	{	84	{
53	if (!isset(self::$_instance)) {	85	$ip = $_SERVER["REMOTE_ADDR"];
54	self::$_instance = new Session();	86	$ip.= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? '_'.$_SERVER['HTTP_X_FORWARDED_FOR'] : '';
55	}	87	$ip.= isset($_SERVER['HTTP_CLIENT_IP']) ? '_'.$_SERVER['HTTP_CLIENT_IP'] : '';
56	}
57		88
58	// Returns the IP address, user agent and language of the client	89	return $ip;
59	// (Used to prevent session cookie hijacking.)
60	private static function _allInfos()
61	{
62	$infos = $_SERVER["REMOTE_ADDR"];
63	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
64	$infos.=$_SERVER['HTTP_X_FORWARDED_FOR'];
65	}
66	if (isset($_SERVER['HTTP_CLIENT_IP'])) {
67	$infos.='_'.$_SERVER['HTTP_CLIENT_IP'];
68	}
69	$infos.='_'.$_SERVER['HTTP_USER_AGENT'];
70	$infos.='_'.$_SERVER['HTTP_ACCEPT_LANGUAGE'];
71	return sha1($infos);
72	}	90	}
73		91
74	// Check that user/password is correct and init some SESSION variables.	92	/**
75	public static function login($login,$password,$login_test,$password_test,	93	* Check that user/password is correct and then init some SESSION variables.
76	$pValues = array())	94	*
		95	* @param string $login Login reference
		96	* @param string $password Password reference
		97	* @param string $loginTest Login to compare with login reference
		98	* @param string $passwordTest Password to compare with password reference
		99	* @param array $pValues Array of variables to store in SESSION
		100	*
		101	* @return true\|false True if login and password are correct, false
		102	* otherwise
		103	*/
		104	public static function login (
		105	$login,
		106	$password,
		107	$loginTest,
		108	$passwordTest,
		109	$pValues = array())
77	{	110	{
78	foreach ($pValues as $key => $value) {	111	self::banInit();
79	$_SESSION[$key] = $value;	112	if (self::banCanLogin()) {
80	}	113	if ($login === $loginTest && $password === $passwordTest) {
81	if ($login==$login_test && $password==$password_test){	114	self::banLoginOk();
82	// generate unique random number to sign forms (HMAC)	115	// Generate unique random number to sign forms (HMAC)
83	$_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand());	116	$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
84	$_SESSION['info']=Session::_allInfos();	117	$_SESSION['ip'] = self::_allIPs();
85	$_SESSION['username']=$login;	118	$_SESSION['username'] = $login;
86	// Set session expiration.	119	// Set session expiration.
87	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;	120	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
88	return true;	121
		122	foreach ($pValues as $key => $value) {
		123	$_SESSION[$key] = $value;
		124	}
		125
		126	return true;
		127	}
		128	self::banLoginFailed();
89	}	129	}
		130
90	return false;	131	return false;
91	}	132	}
92		133
93	// Force logout	134	/**
		135	* Unset SESSION variable to force logout
		136	*/
94	public static function logout()	137	public static function logout()
95	{	138	{
96	unset($_SESSION['uid'],$_SESSION['info'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);	139	unset($_SESSION['uid'], $_SESSION['ip'], $_SESSION['expires_on']);
97	}	140	}
98		141
99	// Make sure user is logged in.	142	/**
		143	* Make sure user is logged in.
		144	*
		145	* @return true\|false True if user is logged in, false otherwise
		146	*/
100	public static function isLogged()	147	public static function isLogged()
101	{	148	{
102	if (!isset ($_SESSION['uid'])	149	if (!isset ($_SESSION['uid'])
103	\|\| $_SESSION['info']!=Session::_allInfos()	150	\|\| (self::$disableSessionProtection === false
104	\|\| time()>=$_SESSION['expires_on']){	151	&& $_SESSION['ip'] !== self::_allIPs())
105	Session::logout();	152	\|\| time() >= $_SESSION['expires_on']) {
		153	self::logout();
		154
106	return false;	155	return false;
107	}	156	}
108	// User accessed a page : Update his/her session expiration date.	157	// User accessed a page : Update his/her session expiration date.
109	$_SESSION['expires_on']=time()+Session::$inactivity_timeout;	158	$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
		159	if (!empty($_SESSION['longlastingsession'])) {
		160	$_SESSION['expires_on'] += $_SESSION['longlastingsession'];
		161	}
		162
110	return true;	163	return true;
111	}	164	}
112		165
113	// Returns a token.	166	/**
114	public static function getToken()	167	* Create a token, store it in SESSION and return it
		168	*
		169	* @param string $salt to prevent birthday attack
		170	*
		171	* @return string Token created
		172	*/
		173	public static function getToken($salt = '')
115	{	174	{
116	if (!isset($_SESSION['tokens'])){	175	if (!isset($_SESSION['tokens'])) {
117	$_SESSION['tokens']=array();	176	$_SESSION['tokens']=array();
118	}	177	}
119	// We generate a random string and store it on the server side.	178	// We generate a random string and store it on the server side.
120	$rnd = sha1(uniqid('',true).'_'.mt_rand());	179	$rnd = sha1(uniqid('', true).'_'.mt_rand().$salt);
121	$_SESSION['tokens'][$rnd]=1;	180	$_SESSION['tokens'][$rnd]=1;
		181
122	return $rnd;	182	return $rnd;
123	}	183	}
124		184
125	// Tells if a token is ok. Using this function will destroy the token.	185	/**
126	// return true if token is ok.	186	* Tells if a token is ok. Using this function will destroy the token.
		187	*
		188	* @param string $token Token to test
		189	*
		190	* @return true\|false True if token is correct, false otherwise
		191	*/
127	public static function isToken($token)	192	public static function isToken($token)
128	{	193	{
129	if (isset($_SESSION['tokens'][$token]))	194	if (isset($_SESSION['tokens'][$token])) {
130	{
131	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.	195	unset($_SESSION['tokens'][$token]); // Token is used: destroy it.
		196
132	return true; // Token is ok.	197	return true; // Token is ok.
133	}	198	}
		199
134	return false; // Wrong token, or already used.	200	return false; // Wrong token, or already used.
135	}	201	}
136	} \ No newline at end of file	202
		203	/**
		204	* Signal a failed login. Will ban the IP if too many failures:
		205	*/
		206	public static function banLoginFailed()
		207	{
		208	if (self::$banFile !== '') {
		209	$ip = $_SERVER["REMOTE_ADDR"];
		210	$gb = $GLOBALS['IPBANS'];
		211
		212	if (!isset($gb['FAILURES'][$ip])) {
		213	$gb['FAILURES'][$ip] = 0;
		214	}
		215	$gb['FAILURES'][$ip]++;
		216	if ($gb['FAILURES'][$ip] > (self::$banAfter - 1)) {
		217	$gb['BANS'][$ip]= time() + self::$banDuration;
		218	}
		219
		220	$GLOBALS['IPBANS'] = $gb;
		221	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		222	}
		223	}
		224
		225	/**
		226	* Signals a successful login. Resets failed login counter.
		227	*/
		228	public static function banLoginOk()
		229	{
		230	if (self::$banFile !== '') {
		231	$ip = $_SERVER["REMOTE_ADDR"];
		232	$gb = $GLOBALS['IPBANS'];
		233	unset($gb['FAILURES'][$ip]); unset($gb['BANS'][$ip]);
		234	$GLOBALS['IPBANS'] = $gb;
		235	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		236	}
		237	}
		238
		239	/**
		240	* Ban init
		241	*/
		242	public static function banInit()
		243	{
		244	if (self::$banFile !== '') {
		245	if (!is_file(self::$banFile)) {
		246	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(), 'BANS'=>array()), true).";\n?>");
		247	}
		248	include self::$banFile;
		249	}
		250	}
		251
		252	/**
		253	* Checks if the user CAN login. If 'true', the user can try to login.
		254	*
		255	* @return boolean true if user is banned, false otherwise
		256	*/
		257	public static function banCanLogin()
		258	{
		259	if (self::$banFile !== '') {
		260	$ip = $_SERVER["REMOTE_ADDR"];
		261	$gb = $GLOBALS['IPBANS'];
		262	if (isset($gb['BANS'][$ip])) {
		263	// User is banned. Check if the ban has expired:
		264	if ($gb['BANS'][$ip] <= time()) {
		265	// Ban expired, user can try to login again.
		266	unset($gb['FAILURES'][$ip]);
		267	unset($gb['BANS'][$ip]);
		268	file_put_contents(self::$banFile, "<?php\n\$GLOBALS['IPBANS']=".var_export($gb, true).";\n?>");
		269
		270	return true; // Ban has expired, user can login.
		271	}
		272
		273	return false; // User is banned.
		274	}
		275	}
		276
		277	return true; // User is not banned.
		278	}
		279	}


diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index 9db4a034..2f0f7038 100644 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php
@@ -93,6 +93,7 @@ class Poche
93	private function init()	93	private function init()
94	{	94	{
95	Tools::initPhp();	95	Tools::initPhp();
		96	Session::$sessionName = 'poche';
96	Session::init();	97	Session::init();
97		98
98	if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {	99	if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {


diff --git a/inc/poche/config.inc.php b/inc/poche/config.inc.php index aaa26af8..9247c292 100755 --- a/inc/poche/config.inc.php +++ b/inc/poche/config.inc.php
@@ -48,4 +48,12 @@ if (!ini_get('date.timezone') \|\| !@date_default_timezone_set(ini_get('date.timez
48	date_default_timezone_set('UTC');	48	date_default_timezone_set('UTC');
49	}	49	}
50		50
51	$poche = new Poche(); \ No newline at end of file	51	$poche = new Poche();
		52
		53	#XSRF protection with token
		54	if (!empty($_POST)) {
		55	if (!Session::isToken($_POST['token'])) {
		56	die(_('Wrong token'));
		57	}
		58	unset($_SESSION['tokens']);
		59	} \ No newline at end of file