cacert-webdb/includes/loggedin.php

<? /*
    LibreSSL - CAcert web application
    Copyright (C) 2004-2008  CAcert Inc.

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; version 2 of the License.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
*/

	include_once("../includes/lib/general.php");
	require_once("../includes/lib/l10n.php");
	include_once("../includes/mysql.php");
	require_once('../includes/notary.inc.php');

	if(!isset($_SESSION['profile']) || !is_array($_SESSION['profile'])) {
		$_SESSION['profile'] = array( 'id' => 0, 'loggedin' => 0 );
	}
	if(!isset($_SESSION['profile']['id']) || !isset($_SESSION['profile']['loggedin'])) {
		$_SESSION['profile']['id'] = 0;
		$_SESSION['profile']['loggedin'] = 0;
	}

	if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] != 0)
	{
		$uid = $_SESSION['profile']['id'];
		$_SESSION['profile']['loggedin'] = 0;
		$_SESSION['profile'] = "";
		foreach($_SESSION as $key => $value)
		{
			if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
				continue;
			if(is_int($key) || is_string($key))
				unset($_SESSION[$key]);
			unset($$key);
			//session_unregister($key);
		}

		$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($uid)."'"));
		if($_SESSION['profile']['locked'] == 0)
			$_SESSION['profile']['loggedin'] = 1;
		else
			unset($_SESSION['profile']);
	}

	if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 || $_SESSION['profile']['loggedin'] == 0))
	{
		$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],
				$_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());

		if($user_id >= 0)
		{
			$_SESSION['profile']['loggedin'] = 0;
			$_SESSION['profile'] = "";
			foreach($_SESSION as $key => $value)
			{
				if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
					continue;
				if(is_int($key) || is_string($key))
					unset($_SESSION[$key]);
				unset($$key);
				//session_unregister($key);
			}

			$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
					"select * from `users` where `id`='".intval($user_id)."'"));
			if($_SESSION['profile']['locked'] == 0)
				$_SESSION['profile']['loggedin'] = 1;
			else
				unset($_SESSION['profile']);
		} else {
			$_SESSION['profile']['loggedin'] = 0;
			$_SESSION['profile'] = "";
			foreach($_SESSION as $key => $value)
			{
				if($key == '_config' || $key == 'mconn' || 'csrf_' == substr($key, 0, 5))
					continue;
				unset($_SESSION[$key]);
				unset($$key);
				//session_unregister($key);
			}

			$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];
			header("Location: https://{$_SESSION['_config']['securehostname']}/index.php?id=4");
			exit;
		}
	}

	if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] <= 0 || $_SESSION['profile']['loggedin'] == 0))
	{
		header("Location: https://{$_SESSION['_config']['normalhostname']}");
		exit;
	}

	if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] > 0)
	{
		$query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
		$res = mysql_query($query);
		$row = mysql_fetch_assoc($res);
		$_SESSION['profile']['points'] = $row['total'];

		if($_SESSION['profile']['language'] == "")
		{
			$query = "update `users` set `language`='".L10n::get_translation()."'
							where `id`='".intval($_SESSION['profile']['id'])."'";
			mysql_query($query);
		} else {
			L10n::set_translation($_SESSION['profile']['language']);
			L10n::init_gettext();
		}
	}

	if(array_key_exists("id",$_REQUEST) && $_REQUEST['id'] == "logout")
	{
		$normalhost=$_SESSION['_config']['normalhostname'];
		$_SESSION['profile']['loggedin'] = 0;
		$_SESSION['profile'] = "";
		foreach($_SESSION as $key => $value)
		{
			unset($_SESSION[$key]);
			unset($$key);
			//session_unregister($key);
		}

		header("Location: https://{$normalhost}/index.php");
		exit;
	}

	if($_SESSION['profile']['loggedin'] < 1)
	{
		$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];
		header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=4");
		exit;
	}

	if (!isset($_SESSION['profile']['ccaagreement']) || !$_SESSION['profile']['ccaagreement']) {
		$_SESSION['profile']['ccaagreement']=get_user_agreement_status($_SESSION['profile']['id'],'CCA');
		if (!$_SESSION['profile']['ccaagreement']) {
			$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];
			header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=52");
			exit;
		}
	}
?>
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`<? /*`
Changed license to GPLv2 2008-04-06 19:45:09 +00:00			`LibreSSL - CAcert web application`
			`Copyright (C) 2004-2008 CAcert Inc.`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00
Changed license to GPLv2 2008-04-06 19:45:09 +00:00			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation; version 2 of the License.`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00
Changed license to GPLv2 2008-04-06 19:45:09 +00:00			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00
Changed license to GPLv2 2008-04-06 19:45:09 +00:00			`You should have received a copy of the GNU General Public License`
			`along with this program; if not, write to the Free Software`
			`Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`*/`

Fix for https://bugs.cacert.org/view.php?id=841 (Problems on cert login with "duplicate" serial numbers) 2011-09-07 10:30:32 +00:00			`include_once("../includes/lib/general.php");`
Fix for https://bugs.cacert.org/view.php?id=985 "Move from translingo to pootle" 2012-01-24 14:26:05 +00:00			`require_once("../includes/lib/l10n.php");`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`include_once("../includes/mysql.php");`
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`require_once('../includes/notary.inc.php');`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00
			`if(!isset($_SESSION['profile']) \|\| !is_array($_SESSION['profile'])) {`
			`$_SESSION['profile'] = array( 'id' => 0, 'loggedin' => 0 );`
			`}`
			`if(!isset($_SESSION['profile']['id']) \|\| !isset($_SESSION['profile']['loggedin'])) {`
			`$_SESSION['profile']['id'] = 0;`
			`$_SESSION['profile']['loggedin'] = 0;`
			`}`
Added the feature to disable certificate-login for certain client certificates 2008-02-19 23:09:11 +00:00
updates 2005-07-14 19:56:28 +00:00			`if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] != 0)`
added sql schema + bug fixes 2004-12-06 14:02:02 +00:00			`{`
bug fixes 2006-08-03 13:20:55 +00:00			`$uid = $_SESSION['profile']['id'];`
			`$_SESSION['profile']['loggedin'] = 0;`
			`$_SESSION['profile'] = "";`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`foreach($_SESSION as $key => $value)`
bug fixes 2006-08-03 13:20:55 +00:00			`{`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`if($key == '_config' \|\| $key == 'mconn' \|\| 'csrf_' == substr($key, 0, 5))`
bug fixes 2006-08-04 22:05:11 +00:00			`continue;`
			`if(is_int($key) \|\| is_string($key))`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			`unset($_SESSION[$key]);`
			`unset($$key);`
			`//session_unregister($key);`
bug fixes 2006-08-03 13:20:55 +00:00			`}`

Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($uid)."'"));
bug #80 2006-08-16 05:56:39 +00:00			`if($_SESSION['profile']['locked'] == 0)`
			`$_SESSION['profile']['loggedin'] = 1;`
			`else`
			`unset($_SESSION['profile']);`
added sql schema + bug fixes 2004-12-06 14:02:02 +00:00			`}`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00
updates 2005-07-14 19:56:28 +00:00			`if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] == 0 \|\| $_SESSION['profile']['loggedin'] == 0))`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`{`
Fix for https://bugs.cacert.org/view.php?id=841 (Problems on cert login with "duplicate" serial numbers) 2011-09-07 10:30:32 +00:00			`$user_id = get_user_id_from_cert($_SERVER['SSL_CLIENT_M_SERIAL'],`
Fix client certificate login This change fixes the client certificate login for cases where duplicate serial numbers have been issued and recorded in the emailcerts table. Email addresses from the client certificate are used as an additional matching parameter. - includes/lib/general.php got a new function get_email_addresses_from_client_cert to create an array of email addresses from the environment variables set by Apache httpd - includes/loggedin.php and www/index.php use the new function to pass email addresses to the get_user_id_from_cert function - get_user_id_from_cert in includes/lib/general.php has been enhanced to use a JOIN over the emailcerts, root_certs and email tables. All parameters are escaped via mysql_real_escape_string - SQL errors in get_user_id_from_cert are now handled - a match from get_user_id_from_cert is only returned when there is exactly one row in the result set The code and the used query have been tested with Apache 2.4.10 and PHP 5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a container based test setup to match the current production setup as close as possible. 2024-05-05 17:59:53 +00:00			`$_SERVER['SSL_CLIENT_I_DN_CN'], get_email_addresses_from_client_cert());`
Added the feature to disable certificate-login for certain client certificates 2008-02-19 23:09:11 +00:00
Fix for https://bugs.cacert.org/view.php?id=841 (Problems on cert login with "duplicate" serial numbers) 2011-09-07 10:30:32 +00:00			`if($user_id >= 0)`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`{`
bug fixes 2006-08-03 13:20:55 +00:00			`$_SESSION['profile']['loggedin'] = 0;`
			`$_SESSION['profile'] = "";`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`foreach($_SESSION as $key => $value)`
bug fixes 2006-08-03 13:20:55 +00:00			`{`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`if($key == '_config' \|\| $key == 'mconn' \|\| 'csrf_' == substr($key, 0, 5))`
bug fixes 2006-08-04 22:05:11 +00:00			`continue;`
			`if(is_int($key) \|\| is_string($key))`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			`unset($_SESSION[$key]);`
			`unset($$key);`
			`//session_unregister($key);`
bug fixes 2006-08-03 13:20:55 +00:00			`}`

Fix for https://bugs.cacert.org/view.php?id=841 (Problems on cert login with "duplicate" serial numbers) 2011-09-07 10:30:32 +00:00			`$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			"select * from `users` where `id`='".intval($user_id)."'"));
bug #80 2006-08-16 05:56:39 +00:00			`if($_SESSION['profile']['locked'] == 0)`
			`$_SESSION['profile']['loggedin'] = 1;`
			`else`
			`unset($_SESSION['profile']);`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`} else {`
			`$_SESSION['profile']['loggedin'] = 0;`
bug fixes 2006-08-03 13:20:55 +00:00			`$_SESSION['profile'] = "";`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`foreach($_SESSION as $key => $value)`
bug fixes 2006-08-03 13:20:55 +00:00			`{`
Fix for http://bugs.cacert.org/view.php?id=1176 fix deprecation messages due to PHP update. 2013-07-15 08:32:06 +00:00			`if($key == '_config' \|\| $key == 'mconn' \|\| 'csrf_' == substr($key, 0, 5))`
bug fixes 2006-08-04 22:05:11 +00:00			`continue;`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			`unset($_SESSION[$key]);`
			`unset($$key);`
			`//session_unregister($key);`
bug fixes 2006-08-03 13:20:55 +00:00			`}`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];`
			`header("Location: https://{$_SESSION['_config']['securehostname']}/index.php?id=4");`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`exit;`
			`}`
			`}`

removed hard path configs 2004-12-06 21:53:35 +00:00			`if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && ($_SESSION['profile']['id'] <= 0 \|\| $_SESSION['profile']['loggedin'] == 0))`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`{`
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`header("Location: https://{$_SESSION['_config']['normalhostname']}");`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`exit;`
			`}`

updates 2005-07-14 19:56:28 +00:00			`if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] && $_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] > 0)`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`{`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			$query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted` = 0 group by `to`";
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`$res = mysql_query($query);`
			`$row = mysql_fetch_assoc($res);`
			`$_SESSION['profile']['points'] = $row['total'];`

			`if($_SESSION['profile']['language'] == "")`
			`{`
Fix for https://bugs.cacert.org/view.php?id=985 "Move from translingo to pootle" 2012-01-24 14:26:05 +00:00			$query = "update `users` set `language`='".L10n::get_translation()."'
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			where `id`='".intval($_SESSION['profile']['id'])."'";
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`mysql_query($query);`
			`} else {`
Fix for https://bugs.cacert.org/view.php?id=985 "Move from translingo to pootle" 2012-01-24 14:26:05 +00:00			`L10n::set_translation($_SESSION['profile']['language']);`
			`L10n::init_gettext();`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`}`
			`}`

Improved register_globals handling 2008-08-17 23:25:30 +00:00			`if(array_key_exists("id",$_REQUEST) && $_REQUEST['id'] == "logout")`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`{`
Redirected logout to www.cacert.org 2008-06-09 09:48:51 +00:00			`$normalhost=$_SESSION['_config']['normalhostname'];`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`$_SESSION['profile']['loggedin'] = 0;`
update 2006-02-03 18:45:23 +00:00			`$_SESSION['profile'] = "";`
Fix for https://bugs.cacert.org/view.php?id=963 (Logout Session not completely reset) 2011-08-03 10:11:39 +00:00			`foreach($_SESSION as $key => $value)`
update 2006-02-03 18:45:23 +00:00			`{`
Combined fixes for - https://bugs.cacert.org/view.php?id=413 "Add a web page indicating the certificate request is still pending" - https://bugs.cacert.org/view.php?id=1138 "Implement to log the SE activity" - https://bugs.cacert.org/view.php?id=1221 "Inconsistency in Assurance Management" 2014-06-07 09:16:26 +00:00			`unset($_SESSION[$key]);`
			`unset($$key);`
			`//session_unregister($key);`
update 2006-02-03 18:45:23 +00:00			`}`
new code + updates and bug fixes 2005-03-12 19:40:24 +00:00
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`header("Location: https://{$normalhost}/index.php");`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`exit;`
			`}`

			`if($_SESSION['profile']['loggedin'] < 1)`
			`{`
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];`
			`header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=4");`
			`exit;`
			`}`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00
Fix for https://bugs.cacert.org/view.php?id=1192 "Check on log into the account if user aggreed to CCA, if not prompt him an acception form" 2014-11-24 09:54:09 +00:00			`if (!isset($_SESSION['profile']['ccaagreement']) \|\| !$_SESSION['profile']['ccaagreement']) {`
			`$_SESSION['profile']['ccaagreement']=get_user_agreement_status($_SESSION['profile']['id'],'CCA');`
			`if (!$_SESSION['profile']['ccaagreement']) {`
			`$_SESSION['_config']['oldlocation'] = $_SERVER['REQUEST_URI'];`
			`header("Location: https://{$_SERVER['HTTP_HOST']}/index.php?id=52");`
			`exit;`
some gpg code added + bug fixes etc 2004-11-10 06:12:43 +00:00			`}`
			`}`
			`?>`