author | PiBa-NL <pba_2k3@yahoo.com> | 2017-02-27 22:33:25 +0100 |
committer | PiBa-NL <pba_2k3@yahoo.com> | 2017-02-27 22:51:31 +0100 |
commit | 82cd6022de7483d9e05b8a8f02100e5adb4e9f6e (patch) | |
tree | 3e9fde7eda898aa73f385c6cec0a84b834b3c88e /src | |
parent | 69860ee4f5ff9f1e5b87bc6fdcb6dfea66062726 (diff) | |
download | pfsense-82cd6022de7483d9e05b8a8f02100e5adb4e9f6e.zip pfsense-82cd6022de7483d9e05b8a8f02100e5adb4e9f6e.tar.gz |
phpsessionmanager: this helps start and commit the PHP session, preventing other requests from being blocked longer than required.
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/auth.inc | 12 | ||||
-rw-r--r-- | src/etc/inc/authgui.inc | 6 | ||||
-rw-r--r-- | src/etc/inc/config.lib.inc | 12 | ||||
-rw-r--r-- | src/etc/inc/phpsessionmanager.inc | 80 | ||||
-rw-r--r-- | src/etc/inc/priv.inc | 3 | ||||
-rw-r--r-- | src/usr/local/www/csrf/csrf-magic.php | 4 | ||||
-rw-r--r-- | src/usr/local/www/firewall_virtual_ip.php | 7 | ||||
-rw-r--r-- | src/usr/local/www/guiconfig.inc | 10 | ||||
-rw-r--r-- | src/usr/local/www/system_usermanager_passwordmg.php | 12 |
9 files changed, 115 insertions, 31 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 563987b..676283c 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -26,6 +26,7 @@ * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php * file courtesy of Michael Retterklieber. */ +include_once('phpsessionmanager.inc'); if (!$do_not_include_config_gui_inc) { require_once("config.gui.inc"); } @@ -1747,12 +1748,11 @@ function session_auth() { true ); - if (!session_id()) { - session_start(); - } + phpsession_begin(); // Detect protocol change if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { + phpsession_end(); return false; } @@ -1770,6 +1770,7 @@ function session_auth() { $_SESSION['user_radius_attributes'] = $attributes; $_SESSION['last_access'] = time(); $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + phpsession_end(true); if (!isset($config['system']['webgui']['quietlogin'])) { log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); } @@ -1795,6 +1796,7 @@ function session_auth() { /* Show login page if they aren't logged in */ if (empty($_SESSION['Logged_In'])) { + phpsession_end(true); return false; } @@ -1842,7 +1844,7 @@ function session_auth() { } /* and destroy it */ - session_destroy(); + phpsession_destroy(); $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); $scriptElms = count($scriptName); @@ -1873,7 +1875,7 @@ function session_auth() { if ($_REQUEST['enable_ajax']) { unset($_SESSION['NO_AJAX']); } - + phpsession_end(true); return true; } diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc index f0b7751..c7d3362 100644 --- a/src/etc/inc/authgui.inc +++ b/src/etc/inc/authgui.inc 
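Review bot: `phpsession_destroy()` in the logout path forces the open counter to zero, so if that path still reaches the trailing `phpsession_end(true); return true;` shown in the last hunk (the lines between the hunks are not visible here), the counter goes negative and the "closed more often than opened" notice fires on every logout; confirm the logout path returns before that end, or pair the destroy with its own early return. The protocol-change branch releases with `phpsession_end()` (abort) while the not-logged-in branch a few lines later uses `phpsession_end(true)` (commit); unless code between the hunks writes to `$_SESSION` on that path, the second can also be `phpsession_end();` so merely displaying the login form does not rewrite the session file. If session_auth does not already call `session_regenerate_id(true)` before the `Logged_In` assignment (not visible in these hunks), the commit point added here is where it belongs so the pre-login id is not carried across authentication.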
@@ -33,7 +33,7 @@ if (!session_auth()) { display_login_form(); exit; } - +phpsession_begin(); /* * Once here, the user has authenticated with the web server. * We give them access only to the appropriate pages based on @@ -90,9 +90,9 @@ if (!$_SESSION['Post_Login']) { /* * Close session data to allow other scripts from same host to come in. - * A session can be reactivated from calling session_start again + * A session can be reactivated from calling phpsession_begin again */ -session_commit(); +phpsession_end(true); /* * determine if the user is allowed access to the requested page diff --git a/src/etc/inc/config.lib.inc b/src/etc/inc/config.lib.inc index 21aeb11..252b3b2 100644 --- a/src/etc/inc/config.lib.inc +++ b/src/etc/inc/config.lib.inc @@ -443,21 +443,19 @@ function write_config($desc="Unknown", $backup = true, $write_config_only = fals global $config, $g; if (!empty($_SERVER['REMOTE_ADDR'])) { - if (!session_id()) { - @session_start(); - } + @phpsession_begin(); if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) { $user = getUserEntry($_SESSION['Username']); if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) { - session_commit(); + phpsession_end(true); return false; } } + if (!isset($argc)) { + phpsession_end(true); + } } - if (!isset($argc)) { - session_commit(); - } if ($backup) { backup_config(); diff --git a/src/etc/inc/phpsessionmanager.inc b/src/etc/inc/phpsessionmanager.inc new file mode 100644 index 0000000..b07caf1 --- /dev/null +++ b/src/etc/inc/phpsessionmanager.inc 
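Review bot: `if (!isset($argc))` inside write_config is always true: `$argc` is not a superglobal and the function only declares `global $config, $g;` (top of the hunk), so the local `$argc` is never set and the guard around `phpsession_end(true)` is dead; were it ever set, the `@phpsession_begin()` above would be left open and reported at shutdown. An unconditional `phpsession_end(true);` in place of the three lines makes the begin/end pairing obvious. The read-only early return (`user-config-readonly`) also ends with `phpsession_end(true)` although nothing in `$_SESSION` was modified between begin and end; `phpsession_end();` is enough there, and the same applies to both read-only spans in system_usermanager_passwordmg.php, where the write flag forces a `session_commit()` on every page load for no benefit.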
@@ -0,0 +1,80 @@ +<?php +/* + * phpsessionmanager.inc + * + * part of pfSense (https://www.pfsense.org) + * Copyright (c) 2016 Rubicon Communications, LLC (Netgate) + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +include_once('notices.inc'); + +$session_opencounter = 0; +$session_write = false; +$session_action_list = array(); + +function simplestacktrace() { + $stack = debug_backtrace(); + $str = ""; + foreach($stack as $s) { + // $s['args'] + $str .= "\n{$s['function']}(..) - {$s['file']}:{$s['line']}"; + } + return $str; +} + +function phpsession_begin() { + global $session_opencounter, $session_action_list; + $session_action_list[] = "#### phpsession_begin ####" . simplestacktrace(); + if ($session_opencounter == 0) { + session_start(); + } + $session_opencounter++; +} + +function phpsession_destroy() { + global $session_opencounter, $session_action_list; + $session_action_list[] = "#### phpsession_destroy ####" . simplestacktrace(); + session_destroy(); + $session_opencounter = 0; +} + +function phpsession_end($write = false) { + global $session_opencounter, $session_write, $session_action_list; + $session_action_list[] = "#### phpsession_end ####" . 
simplestacktrace(); + $session_write |= $write; + $session_opencounter--; + if ($session_opencounter == 0) { + if ($session_write) { + session_commit(); + $session_write = false; + } else { + session_abort(); + } + } + if ($session_opencounter < 0) { + $session_opencounter = 0; + file_notice("sessionmanager", "PHPSESSION closed more often than opened!" . simplestacktrace()); + } +} + +function phpsession_cleanupcheck() { + global $session_opencounter, $session_action_list; + if ($session_opencounter > 0) { + file_notice("sessionmanager", "PHPSESSION {$session_opencounter} open sessions left at shutdown script!".print_r($session_action_list, true)); + } +} + +register_shutdown_function('phpsession_cleanupcheck');
\ No newline at end of file diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index a2e2763..a80e383 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc @@ -275,6 +275,7 @@ function getAllowedPages($username, &$attributes = array()) { $allowed_pages = array(); $allowed_groups = array(); + phpsession_begin(); if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); // cache auth results for a short time to ease load on auth services & logs @@ -331,7 +332,7 @@ function getAllowedPages($username, &$attributes = array()) { // log_error("debug: user {$username} pages = {$dbg_pages}"); $_SESSION['page-match'] = $allowed_pages; - + phpsession_end(true); return $allowed_pages; } diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php index 58f4eba..77a55fb 100644 --- a/src/usr/local/www/csrf/csrf-magic.php +++ b/src/usr/local/www/csrf/csrf-magic.php @@ -13,6 +13,8 @@ * This library is PHP4 and PHP5 compatible. */ +include_once('phpsessionmanager.inc'); + // CONFIGURATION: /** @@ -348,7 +350,7 @@ function csrf_conf($key, $val) { */ function csrf_start() { if ($GLOBALS['csrf']['auto-session'] && !session_id()) { - session_start(); + phpsession_begin(); } } diff --git a/src/usr/local/www/firewall_virtual_ip.php b/src/usr/local/www/firewall_virtual_ip.php index d4ea401..6660e38 100644 --- a/src/usr/local/www/firewall_virtual_ip.php +++ b/src/usr/local/www/firewall_virtual_ip.php @@ -191,17 +191,16 @@ if ($_POST['act'] == "del") { } if (!$input_errors) { - if (!session_id()) { - session_start(); - } + phpsession_begin(); $user = getUserEntry($_SESSION['Username']); if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) { header("Location: firewall_virtual_ip.php"); + phpsession_end(); exit; } + phpsession_end(); - session_commit(); // Special case since every proxyarp vip is handled by the same daemon. if ($a_vip[$_POST['id']]['mode'] == "proxyarp") { 
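Review bot: `phpsession_destroy()` resets `$session_opencounter` but not `$session_write`, so a write flag recorded by an inner `phpsession_end(true)` while an outer begin was still open survives the destroy, and the next read-only begin/end pair will `session_commit()` a brand-new session instead of aborting; add `$session_write = false;` next to the counter reset. `phpsession_begin()` ignores the return value of `session_start()`: when it fails (headers already sent, which the `@phpsession_begin()` callers suppress) the counter is still incremented and every later `$_SESSION` write is silently lost, so at least report `!session_start()` through file_notice. `simplestacktrace()` runs `debug_backtrace()` with arguments on every begin and end; `debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS)` is cheaper and avoids keeping copies of every frame's arguments in the trace, and `$s['file']`/`$s['line']` are not present for every frame, so guard them with `isset()`. `$session_write |= $write;` is a bitwise OR on booleans; `$session_write = $session_write || $write;` says what is meant.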
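Review bot: The `phpsession_begin()` added at the top of getAllowedPages is paired only by the `phpsession_end(true)` before the final return, and the middle of the function (old lines 282–331) is outside these hunks; any `return` or `exit` in the remote-auth caching branch would leave the count open and be reported by the shutdown check, so that stretch needs a look. The write flag is correct here since `$_SESSION['page-match']` is assigned just before the end.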
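Review bot: `csrf_start()` still guards the begin with `!session_id()`, but the `phpsession_end(true)` that guiconfig.inc issues after `require_once("csrf/csrf-magic.php")` on POST runs unconditionally; if a session id already exists when csrf-magic is included (an outer `phpsession_begin()`, or an id retained after a commit), no counter increment happens here while the decrement in guiconfig.inc still does, closing the outer holder's session early. Letting the manager own the decision, `if ($GLOBALS['csrf']['auto-session']) { phpsession_begin(); }`, keeps begin and end symmetric, provided no code outside the manager still calls `session_start()` directly. For non-POST requests csrf-magic presumably reaches csrf_start() later from its token generation path (outside this hunk) with no paired end, which the shutdown check would then report on every GET.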
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc index 2fa69fe..e477be3 100644 --- a/src/usr/local/www/guiconfig.inc +++ b/src/usr/local/www/guiconfig.inc @@ -25,6 +25,7 @@ /* Include authentication routines */ /* THIS MUST BE ABOVE ALL OTHER CODE */ +include_once('phpsessionmanager.inc'); if (!$nocsrf) { function csrf_startup() { global $config; @@ -33,6 +34,9 @@ if (!$nocsrf) { csrf_conf('expires', $timeout_minutes * 60); } require_once("csrf/csrf-magic.php"); + if ($_SERVER['REQUEST_METHOD'] == 'POST') { + phpsession_end(true); + } } /* make sure nothing is cached */ @@ -1212,18 +1216,20 @@ var_dump($content);die; } function set_flash_message($class, $msg) { - @session_start(); + @phpsession_begin(); $_SESSION['flash_messages'][$class][] = $msg; + @phpsession_end(true); } function get_flash_message() { - @session_start(); + @phpsession_begin(); if (isset($_SESSION['flash_messages']) && !empty($_SESSION['flash_messages'])) { foreach ($_SESSION['flash_messages'] as $class => $flash_message) { print_info_box(implode("<br />", $flash_message), $class); } unset($_SESSION['flash_messages']); } + @phpsession_end(true); } /* Retrieve GET or POST Value/State diff --git a/src/usr/local/www/system_usermanager_passwordmg.php b/src/usr/local/www/system_usermanager_passwordmg.php index 87cc791..9c81b02 100644 --- a/src/usr/local/www/system_usermanager_passwordmg.php +++ b/src/usr/local/www/system_usermanager_passwordmg.php @@ -45,16 +45,14 @@ if (isset($_POST['save'])) { } if (!$input_errors) { - if (!session_id()) { - session_start(); - } + phpsession_begin(); // all values are okay --> saving changes $userent =& $config['system']['user'][$userindex[$_SESSION['Username']]]; local_user_set_password($userent, $_POST['passwordfld1']); local_user_set($userent); unset($userent); - session_commit(); + phpsession_end(true); write_config(); 
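Review bot: The POST-only `phpsession_end(true)` after `require_once("csrf/csrf-magic.php")` pairs with a begin that happens inside csrf-magic (presumably csrf_check() calling csrf_start() while the file is included), and nothing at the call site says so; a comment such as `// csrf-magic opened the session via csrf_start() during its POST check; release it here` would keep the next maintainer from removing a seemingly unmatched end. The method check should use `===` rather than `==`. In get_flash_message the write flag is justified by the `unset($_SESSION['flash_messages'])`, but note that the `@` now also hides any warning from `session_start()` inside the manager, so a failed start there goes unnoticed.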
@@ -62,9 +60,7 @@ if (isset($_POST['save'])) { } } -if (!session_id()) { - session_start(); -} +phpsession_begin(); /* determine if user is not local to system */ $islocal = false; @@ -74,7 +70,7 @@ foreach ($config['system']['user'] as $user) { } } -session_commit(); +phpsession_end(true); include("head.inc"); |