From 82cd6022de7483d9e05b8a8f02100e5adb4e9f6e Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Mon, 27 Feb 2017 22:33:25 +0100 Subject: phpsessionmanager, this helps starting and committing the php session preventing other requests from being blocked longer than required. --- src/etc/inc/auth.inc | 12 ++-- src/etc/inc/authgui.inc | 6 +- src/etc/inc/config.lib.inc | 12 ++-- src/etc/inc/phpsessionmanager.inc | 80 ++++++++++++++++++++++ src/etc/inc/priv.inc | 3 +- src/usr/local/www/csrf/csrf-magic.php | 4 +- src/usr/local/www/firewall_virtual_ip.php | 7 +- src/usr/local/www/guiconfig.inc | 10 ++- .../local/www/system_usermanager_passwordmg.php | 12 ++-- 9 files changed, 115 insertions(+), 31 deletions(-) create mode 100644 src/etc/inc/phpsessionmanager.inc (limited to 'src') diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 563987b..676283c 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -26,6 +26,7 @@ * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php * file courtesy of Michael Retterklieber. */ +include_once('phpsessionmanager.inc'); if (!$do_not_include_config_gui_inc) { require_once("config.gui.inc"); } @@ -1747,12 +1748,11 @@ function session_auth() { true ); - if (!session_id()) { - session_start(); - } + phpsession_begin(); // Detect protocol change if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { + phpsession_end(); return false; } @@ -1770,6 +1770,7 @@ function session_auth() { $_SESSION['user_radius_attributes'] = $attributes; $_SESSION['last_access'] = time(); $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + phpsession_end(true); if (!isset($config['system']['webgui']['quietlogin'])) { log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); } @@ -1795,6 +1796,7 @@ function session_auth() { /* Show login page if they aren't logged in */ if (empty($_SESSION['Logged_In'])) { + phpsession_end(true); return false; } @@ -1842,7 +1844,7 @@ function session_auth() { } /* and destroy it */ - session_destroy(); + phpsession_destroy(); $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); $scriptElms = count($scriptName); @@ -1873,7 +1875,7 @@ function session_auth() { if ($_REQUEST['enable_ajax']) { unset($_SESSION['NO_AJAX']); } - + phpsession_end(true); return true; } diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc index f0b7751..c7d3362 100644 --- a/src/etc/inc/authgui.inc +++ b/src/etc/inc/authgui.inc @@ -33,7 +33,7 @@ if (!session_auth()) { display_login_form(); exit; } - +phpsession_begin(); /* * Once here, the user has authenticated with the web server. * We give them access only to the appropriate pages based on @@ -90,9 +90,9 @@ if (!$_SESSION['Post_Login']) { /* * Close session data to allow other scripts from same host to come in. - * A session can be reactivated from calling session_start again + * A session can be reactivated from calling phpsession_begin again */ -session_commit(); +phpsession_end(true); /* * determine if the user is allowed access to the requested page diff --git a/src/etc/inc/config.lib.inc b/src/etc/inc/config.lib.inc index 21aeb11..252b3b2 100644 --- a/src/etc/inc/config.lib.inc +++ b/src/etc/inc/config.lib.inc @@ -443,21 +443,19 @@ function write_config($desc="Unknown", $backup = true, $write_config_only = fals global $config, $g; if (!empty($_SERVER['REMOTE_ADDR'])) { - if (!session_id()) { - @session_start(); - } + @phpsession_begin(); if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) { $user = getUserEntry($_SESSION['Username']); if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) { - session_commit(); + phpsession_end(true); return false; } } + if (!isset($argc)) { + phpsession_end(true); + } } - if (!isset($argc)) { - session_commit(); - } if ($backup) { backup_config(); diff --git a/src/etc/inc/phpsessionmanager.inc b/src/etc/inc/phpsessionmanager.inc new file mode 100644 index 0000000..b07caf1 --- /dev/null +++ b/src/etc/inc/phpsessionmanager.inc @@ -0,0 +1,80 @@ + 0) { + file_notice("sessionmanager", "PHPSESSION {$session_opencounter} open sessions left at shutdown script!".print_r($session_action_list, true)); + } +} + +register_shutdown_function('phpsession_cleanupcheck'); \ No newline at end of file diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index a2e2763..a80e383 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc @@ -275,6 +275,7 @@ function getAllowedPages($username, &$attributes = array()) { $allowed_pages = array(); $allowed_groups = array(); + phpsession_begin(); if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); // cache auth results for a short time to ease load on auth services & logs @@ -331,7 +332,7 @@ function getAllowedPages($username, &$attributes = array()) { // log_error("debug: user {$username} pages = {$dbg_pages}"); $_SESSION['page-match'] = $allowed_pages; - + phpsession_end(true); return $allowed_pages; } diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php index 58f4eba..77a55fb 100644 --- a/src/usr/local/www/csrf/csrf-magic.php +++ b/src/usr/local/www/csrf/csrf-magic.php @@ -13,6 +13,8 @@ * This library is PHP4 and PHP5 compatible. */ +include_once('phpsessionmanager.inc'); + // CONFIGURATION: /** @@ -348,7 +350,7 @@ function csrf_conf($key, $val) { */ function csrf_start() { if ($GLOBALS['csrf']['auto-session'] && !session_id()) { - session_start(); + phpsession_begin(); } } diff --git a/src/usr/local/www/firewall_virtual_ip.php b/src/usr/local/www/firewall_virtual_ip.php index d4ea401..6660e38 100644 --- a/src/usr/local/www/firewall_virtual_ip.php +++ b/src/usr/local/www/firewall_virtual_ip.php @@ -191,17 +191,16 @@ if ($_POST['act'] == "del") { } if (!$input_errors) { - if (!session_id()) { - session_start(); - } + phpsession_begin(); $user = getUserEntry($_SESSION['Username']); if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) { header("Location: firewall_virtual_ip.php"); + phpsession_end(); exit; } + phpsession_end(); - session_commit(); // Special case since every proxyarp vip is handled by the same daemon. if ($a_vip[$_POST['id']]['mode'] == "proxyarp") { diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc index 2fa69fe..e477be3 100644 --- a/src/usr/local/www/guiconfig.inc +++ b/src/usr/local/www/guiconfig.inc @@ -25,6 +25,7 @@ /* Include authentication routines */ /* THIS MUST BE ABOVE ALL OTHER CODE */ +include_once('phpsessionmanager.inc'); if (!$nocsrf) { function csrf_startup() { global $config; @@ -33,6 +34,9 @@ if (!$nocsrf) { csrf_conf('expires', $timeout_minutes * 60); } require_once("csrf/csrf-magic.php"); + if ($_SERVER['REQUEST_METHOD'] == 'POST') { + phpsession_end(true); + } } /* make sure nothing is cached */ @@ -1212,18 +1216,20 @@ var_dump($content);die; } function set_flash_message($class, $msg) { - @session_start(); + @phpsession_begin(); $_SESSION['flash_messages'][$class][] = $msg; + @phpsession_end(true); } function get_flash_message() { - @session_start(); + @phpsession_begin(); if (isset($_SESSION['flash_messages']) && !empty($_SESSION['flash_messages'])) { foreach ($_SESSION['flash_messages'] as $class => $flash_message) { print_info_box(implode("
", $flash_message), $class); } unset($_SESSION['flash_messages']); } + @phpsession_end(true); } /* Retrieve GET or POST Value/State diff --git a/src/usr/local/www/system_usermanager_passwordmg.php b/src/usr/local/www/system_usermanager_passwordmg.php index 87cc791..9c81b02 100644 --- a/src/usr/local/www/system_usermanager_passwordmg.php +++ b/src/usr/local/www/system_usermanager_passwordmg.php @@ -45,16 +45,14 @@ if (isset($_POST['save'])) { } if (!$input_errors) { - if (!session_id()) { - session_start(); - } + phpsession_begin(); // all values are okay --> saving changes $userent =& $config['system']['user'][$userindex[$_SESSION['Username']]]; local_user_set_password($userent, $_POST['passwordfld1']); local_user_set($userent); unset($userent); - session_commit(); + phpsession_end(true); write_config(); @@ -62,9 +60,7 @@ if (isset($_POST['save'])) { } } -if (!session_id()) { - session_start(); -} +phpsession_begin(); /* determine if user is not local to system */ $islocal = false; @@ -74,7 +70,7 @@ foreach ($config['system']['user'] as $user) { } } -session_commit(); +phpsession_end(true); include("head.inc"); -- cgit v1.1 From dc064879358f43b1784137b01e296bdd6d3342b7 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 2 Mar 2017 23:14:31 +0100 Subject: phpsessionmanager, use syslog instead of file_notice --- src/etc/inc/phpsessionmanager.inc | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/etc/inc/phpsessionmanager.inc b/src/etc/inc/phpsessionmanager.inc index b07caf1..8f1a00e 100644 --- a/src/etc/inc/phpsessionmanager.inc +++ b/src/etc/inc/phpsessionmanager.inc @@ -19,8 +19,6 @@ * limitations under the License. */ -include_once('notices.inc'); - $session_opencounter = 0; $session_write = false; $session_action_list = array(); @@ -66,15 +64,15 @@ function phpsession_end($write = false) { } if ($session_opencounter < 0) { $session_opencounter = 0; - file_notice("sessionmanager", "PHPSESSION closed more often than opened!" . simplestacktrace()); + syslog(LOG_WARNING, "PHPSESSION closed more often than opened!" . simplestacktrace()); } } function phpsession_cleanupcheck() { global $session_opencounter, $session_action_list; if ($session_opencounter > 0) { - file_notice("sessionmanager", "PHPSESSION {$session_opencounter} open sessions left at shutdown script!".print_r($session_action_list, true)); + syslog(LOG_WARNING, "PHPSESSION {$session_opencounter} open sessions left at shutdown script!".print_r($session_action_list, true)); } } -register_shutdown_function('phpsession_cleanupcheck'); \ No newline at end of file +register_shutdown_function('phpsession_cleanupcheck'); -- cgit v1.1