diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php index 16195c513..430b98ac8 100644 --- a/application/loginwebpage.class.inc.php +++ b/application/loginwebpage.class.inc.php @@ -75,21 +75,50 @@ h1 { } // Finally, destroy the session. session_destroy(); + } + + static function SecureConnectionRequired() + { + $oConfig = new Config(ITOP_CONFIG_FILE); + return $oConfig->GetSecureConnectionRequired(); + } + + static function IsConnectionSecure() + { + $bSecured = false; + + if ( !empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS']!= 'off') ) + { + $bSecured = true; + } + return $bSecured; } static function DoLogin() { - $operation = utils::ReadParam('loginop', ''); + if (self::SecureConnectionRequired() && !self::IsConnectionSecure()) + { + // Non secured URL... redirect to a secured one + $sUrl = Utils::GetAbsoluteUrl(true /* query string */, true /* force HTTPS */); + header("Location: $sUrl"); + exit; + } + $operation = utils::ReadParam('loginop', ''); session_start(); if ($operation == 'logoff') { self::ResetSession(); } - + if (!isset($_SESSION['auth_user']) || !isset($_SESSION['auth_pwd'])) { - if ($operation == 'login') + if ($operation == 'loginurl') + { + $sAuthUser = utils::ReadParam('auth_user', '', 'get'); + $sAuthPwd = utils::ReadParam('auth_pwd', '', 'get'); + } + else if ($operation == 'login') { $sAuthUser = utils::ReadParam('auth_user', '', 'post'); $sAuthPwd = utils::ReadParam('auth_pwd', '', 'post'); @@ -106,9 +135,9 @@ h1 { { $sAuthUser = $_SESSION['auth_user']; $sAuthPwd = $_SESSION['auth_pwd']; - } + } if (!UserRights::Login($sAuthUser, $sAuthPwd)) - { + { self::ResetSession(); $oPage = new LoginWebPage(); $oPage->DisplayLoginForm( true /* failed attempt */); @@ -119,8 +148,8 @@ h1 { { $_SESSION['auth_user'] = $sAuthUser ; $_SESSION['auth_pwd'] = $sAuthPwd; - - } + + } } } // End of class ?> diff --git a/application/utils.inc.php b/application/utils.inc.php index 6eb172280..ecf2d11c0 100644 --- a/application/utils.inc.php +++ b/application/utils.inc.php @@ -153,18 +153,26 @@ class utils * @param $bQueryString bool True to also get the query string, false otherwise * @return string The absolute URL to the current page */ - static public function GetAbsoluteUrl($bQueryString = true) + static public function GetAbsoluteUrl($bQueryString = true, $bForceHTTPS = false) { // Build an absolute URL to this page on this server/port - $sServerName = $_SERVER['SERVER_NAME']; - $sProtocol = isset($_SERVER['HTTPS']) ? 'https' : 'http'; - if ($sProtocol == 'http') - { - $sPort = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT']; + $sServerName = $_SERVER['SERVER_NAME']; + if ($bForceHTTPS) + { + $sProtocol = 'https'; + $sPort = ''; } - else - { - $sPort = ($_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT']; + else + { + $sProtocol = isset($_SERVER['HTTPS']) ? 'https' : 'http'; + if ($sProtocol == 'http') + { + $sPort = ($_SERVER['SERVER_PORT'] == 80) ? '' : ':'.$_SERVER['SERVER_PORT']; + } + else + { + $sPort = ($_SERVER['SERVER_PORT'] == 443) ? '' : ':'.$_SERVER['SERVER_PORT']; + } } // $_SERVER['REQUEST_URI'] is empty when running on IIS // Let's use Ivan Tcholakov's fix (found on www.dokeos.com) diff --git a/core/config.class.inc.php b/core/config.class.inc.php index 7f32ff615..cc57e0cb3 100644 --- a/core/config.class.inc.php +++ b/core/config.class.inc.php @@ -20,6 +20,7 @@ define ('DEFAULT_MIN_DISPLAY_LIMIT', 10); define ('DEFAULT_MAX_DISPLAY_LIMIT', 15); define ('DEFAULT_STANDARD_RELOAD_INTERVAL', 5*60); define ('DEFAULT_FAST_RELOAD_INTERVAL', 1*60); +define ('DEFAULT_SECURE_CONNECTION_REQUIRED', false); class Config { @@ -54,6 +55,11 @@ class Config */ protected $m_iFastReloadInterval; + /** + * @var boolean Whether or not a secure connection is required for using the application + */ + protected $m_bSecureConnectionRequired; + public function __construct($sConfigFile, $bLoadConfig = true) { $this->m_sFile = $sConfigFile; @@ -70,6 +76,7 @@ class Config $this->m_iMaxDisplayLimit = DEFAULT_MAX_DISPLAY_LIMIT; $this->m_iStandardReloadInterval = DEFAULT_STANDARD_RELOAD_INTERVAL; $this->m_iFastReloadInterval = DEFAULT_FAST_RELOAD_INTERVAL; + $this->m_bSecureConnectionRequired = DEFAULT_SECURE_CONNECTION_REQUIRED; if ($bLoadConfig) { $this->Load($sConfigFile); @@ -151,6 +158,7 @@ class Config $this->m_iMaxDisplayLimit = isset($MySettings['max_display_limit']) ? trim($MySettings['max_display_limit']) : DEFAULT_MAX_DISPLAY_LIMIT; $this->m_iStandardReloadInterval = isset($MySettings['standard_reload_interval']) ? trim($MySettings['standard_reload_interval']) : DEFAULT_STANDARD_RELOAD_INTERVAL; $this->m_iFastReloadInterval = isset($MySettings['fast_reload_interval']) ? trim($MySettings['fast_reload_interval']) : DEFAULT_FAST_RELOAD_INTERVAL; + $this->m_bSecureConnectionRequired = isset($MySettings['secure_connection_required']) ? trim($MySettings['secure_connection_required']) : DEFAULT_SECURE_CONNECTION_REQUIRED; } protected function Verify() @@ -229,6 +237,11 @@ class Config return $this->m_iFastReloadInterval; } + public function GetSecureConnectionRequired() + { + return $this->m_bSecureConnectionRequired; + } + public function SetDBHost($sDBHost) { $this->m_sDBHost = $sDBHost; @@ -274,6 +287,11 @@ class Config $this->m_iFastReloadInterval = $iFastReloadInterval; } + public function SetSecureConnectionRequired($bSecureConnectionRequired) + { + $this->m_bSecureConnectionRequired = $bSecureConnectionRequired; + } + public function FileIsWritable() { return is_writable($this->m_sFile); @@ -315,6 +333,7 @@ class Config fwrite($hFile, "\t'max_display_limit' => {$this->m_iMaxDisplayLimit},\n"); fwrite($hFile, "\t'standard_reload_interval' => {$this->m_iStandardReloadInterval},\n"); fwrite($hFile, "\t'fast_reload_interval' => {$this->m_iFastReloadInterval},\n"); + fwrite($hFile, "\t'secure_connection_required' => ".($this->m_bSecureConnectionRequired ? 'true' : 'false').",\n"); fwrite($hFile, ");\n"); fwrite($hFile, "\n/**\n");