authorBill Marquette <billm@pfsense.org>2008-04-07 01:21:33 +0000
committerBill Marquette <billm@pfsense.org>2008-04-07 01:21:33 +0000
commit5a6df9fae0575f1fed3628a21adea8e7717c5951 (patch)
treebc25e437daad268907a4eb74aa982270dc006841 /etc/inc/auth.inc
parent43e7c36ca7e730d87d4c5be3e09b5c15f416b346 (diff)
Remove debug messages that gave away info on why the login failed
add failed and successful login messages to syslog
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r--etc/inc/auth.inc29
1 files changed, 19 insertions, 10 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 3d0491d..42d3025 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -433,19 +433,22 @@ function session_auth($backing) {
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_POST['usernamefld'];
$_SESSION['last_access'] = time();
+ log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
} else {
/* give the user a more detailed error message */
if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Wrong password";
- if(isAjax()) {
- echo "showajaxmessage('Wrong password');";
- return;
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
}
} else {
- $_SESSION['Login_Error'] = "User does not exist";
- if(isAjax()) {
- echo "showajaxmessage('User does not exist');";
- return;
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
}
}
}
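Review bot: The three new log_error() calls in this hunk write `$_POST['usernamefld']` to syslog exactly as submitted, so unless log_error() filters it (not visible here) a username containing CR/LF or other control characters can split a line or forge extra entries in the audit trail this commit adds. Neutralise the value once before logging, e.g. `$loguser = preg_replace('/[\x00-\x1f\x7f]/', '?', $_POST['usernamefld']);`, and interpolate `$loguser` in all three messages. The "invalid user" message also records whatever was typed into the username field, which is sometimes a password entered in the wrong box, so it is worth deciding who may read that log or whether to truncate the value. The comment `/* give the user a more detailed error message */` is now stale, since both branches set the same text. session_auth() starts and ends outside this hunk.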
@@ -467,15 +470,21 @@ function session_auth($backing) {
$_SESSION['last_access'] = time();
else
/* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60)))
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
$_GET['logout'] = true;
- else
+ $_SESSION['Logout'] = true;
+ } else
/* only update if it wasn't ajax */
if (!isAjax())
$_SESSION['last_access'] = time();
/* user hit the logout button */
if (isset($_GET['logout'])) {
+ if ($_SESSION['Logout'])
+ log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+ else
+ log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+
if (hasLockAbility($_SESSION['Username'])) {
unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
}
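Review bot: `$_SESSION['Logout']` is only assigned on the stale-session path, so the new `if ($_SESSION['Logout'])` reads an undefined index on every ordinary click on logout; `if (!empty($_SESSION['Logout']))` gives the same result without the notice. If a request with no authenticated session can reach the `isset($_GET['logout'])` block (the surrounding code is outside the hunk), the entry would be logged with an empty username, so a guard on `isset($_SESSION['Username'])` may be warranted. The manual-logout text would read more clearly as `"User '{$_SESSION['Username']}' logged out from: {$_SERVER['REMOTE_ADDR']}"`. session_auth() continues past the end of this hunk.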