FSN#34780 Moeilijker bookmark misbruik voor inloggen als

svn path=/Website/trunk/; revision=28495
Jos Groot Lipman
2016-03-16 10:20:47 +00:00
parent f92f457ce2
commit a89b21e349
7 changed files with 138 additions and 64 deletions


@@ -12,13 +12,17 @@
<!--#include file="../shared/iface.inc"-->
<!--#include file="fac_menu.inc" -->
<!--#include file="header.inc" -->
<!--#include file="../Shared/login.inc" -->
<!--#include file="../Shared/json2.js" -->
<%
// Als we hier komen hebben we gegarandeerd een user_key > 0
user.auth_required_or_abort(!user.isGroupedUser()); // Die hebben hier niets te zoeken.
user.auth_required_or_abort(!Session("login_by_fallback"));
if (user.isGroupedUser() || Session("login_by_fallback"))
{
doLogoff();
shared.simpel_page(L("lcl_no_auth"));
}
FCLTHeader.Requires({ plugins: ["jQuery"],
js: ["jquery-ui.js"]}); // css voor header.asp
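Review bot: After `doLogoff();` and `shared.simpel_page(L("lcl_no_auth"));` in the grouped-user / fallback-login branch, execution appears to continue into `FCLTHeader.Requires(...)` and the rest of the page unless `shared.simpel_page` ends the response itself, which is not visible here. If it does not, add an explicit `Response.End;` after the `simpel_page` call (the pattern LogOff.asp uses in this commit) so a request that has just been logged off cannot render the protected page. The two `user.auth_required_or_abort(...)` lines shown directly above the new block look like the replaced checks; if either still exists on the new side it aborts before the new branch, making the `doLogoff()` path unreachable.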


@@ -48,7 +48,16 @@ function generateHeader()
</script>
<div id="headerblok" style='height:100%'>
<div id="headerprefix"><%=otap+" "+L("lcl_facilitor_header_prefix")%></div>
<%
if (Session("org_user_key") > 0)
{
var other_key = parseInt(Session("org_user_key"), 10);
var other = new Perslid(other_key);
Response.Write("<div id='userimperson'>U bent eigenlijk {0}</div>".format(other.naam()));
}
else
Response.Write("<div id='headerprefix'>" + otap+" "+L("lcl_facilitor_header_prefix") + "</div>");
%>
<div id="headerdate" title="<%=L("lcl_facilitor_appl")+' '+facilitorversion%>"><%=todayString()%></div>
<%
@@ -118,15 +127,7 @@ function generateHeaderFunctions (params)
function logOffCallback(json, textStatus)
{
if (textStatus == "success")
{
if (json && json.message)
alert(json.message);
else
parent.location.href="<%=S("logoff_return_url")%>";
}
else
alert(textStatus);
parent.location.href="<%=S("logoff_return_url")%>";
};
function logOff()
@@ -135,7 +136,7 @@ function generateHeaderFunctions (params)
<% protectRequest.dataToken("data"); %>
$.post("../shared/LogOff.asp",
data,
logOffCallback,
FcltCallbackAndThen(logOffCallback),
"json");
}
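Review bot: In the first hunk of this file, `other.naam()` is written into the `userimperson` div through `Response.Write("<div id='userimperson'>U bent eigenlijk {0}</div>".format(other.naam()))` without HTML encoding, so a display name containing markup would be rendered into the header of every page for the duration of an impersonation session. Pass the name through the project's HTML-escaping helper (the counterpart of the `safe.jsstring` used in the person page of this commit) before formatting it, or emit it the same way the `<%= %>` prefix output is emitted. The same hunk seems to emit a `headerprefix` div on the `else` side while the line above still shows one outside the `<% %>` block; if both survive on the new side the id is duplicated. In the third hunk, `logOffCallback` appears to send `parent.location.href` to `logoff_return_url` even in the impersonation case, where LogOff.asp has just logged the original user back in; `impersCallback` in the person page uses `rooturl` for the reverse step, so the two destinations should probably agree.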


@@ -1005,7 +1005,8 @@ try
if (this.userId && !String(this.userId).match(/\/\-1$/)
&& parent && parent.userId && !String(parent.userId).match(/\/\-1$/)
&& this.userId != parent.userId)
alert("Unexpected change from user " + parent.userId + " to " + this.userId);
if (confirm("Unexpected change from user " + parent.userId + " to " + this.userId + "\nReload FACILITOR?"))
top.location.reload();
if (parent && parent.FcltMgr && parent.FcltMgr != FcltMgr)
{
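Review bot: The new `if (confirm(...)) top.location.reload();` is the only statement governed by the unbraced three-line `if` condition above it, which is correct today but fragile: the `alert(...)` line shown directly above looks like the removed statement, and anyone adding a second statement there later will run it unconditionally. Wrap the body: `{ if (confirm("Unexpected change from user " + parent.userId + " to " + this.userId + "\nReload FACILITOR?")) top.location.reload(); }`. When the user declines the confirm, the frame keeps running with `this.userId` and `parent.userId` disagreeing; if that state is not acceptable after the identity switching this commit introduces, log it or reload unconditionally. The enclosing `try` block starts outside this hunk.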


@@ -66,6 +66,7 @@ if (!clearpassword)
}
// alle oude fac_session opruimen gebeurt door een trigger op PRS_PERSLID
shared.trackaction("PRSLOG", theUser_key, L("lcl_pwd_success"));
setpassword(theUser_key, newPassword);
deleteSessionCookie("fcltid"); // Die is nu toch ongeldig


@@ -169,6 +169,22 @@ var prs_user = new Perslid(prs_key);
var url = "appl/facmgtVB/fac_persoongroeprecord.asp?prs_perslid_key=<%=prs_key%>";
FcltMgr.openDetail(url, "<%=L("lcl_mgt_aut_group")%>");
}
function impersCallback(json, textStatus)
{
window.top.location.href = "<%=rooturl%>";
};
function prs_impersonate()
{
if (confirm("<%=safe.jsstring("Wilt U testen als {0} {1}?\nDit wordt getrackt.".format(prs_vrnaam, prs_naam))%>"))
{
var data = { prs_key: <%=prs_key%> };
<% protectRequest.dataToken("data"); %>
$.post("prs_impersonate.asp",
data,
FcltCallbackAndThen(impersCallback),
"json");
}
}
<%
if (prs_user.prs_perslid_apikey() && prsauthparams.writesys)
{
@@ -217,6 +233,10 @@ var prs_user = new Perslid(prs_key);
if (prs_user.prs_perslid_apikey()&& prsauthparams.writesys) {
buttons.push({ title: L("lcl_prs_apiuser"), icon: "key.png", action: "prs_apikey()", id: "bapikey" });
}
if (S("prs_allow_impersonate") && prsauthparams.writesys && prs_key != user_key && typeof Session("org_user_key") == "undefined") {
buttons.push({ title: L("lcl_prs_impersonate"), icon: "key.png", action: "prs_impersonate()", id: "bimpers" });
}
}
IFRAMER_HEADER(L("lcl_prs_persoon_frame"), buttons);
%>
@@ -381,9 +401,9 @@ var prs_user = new Perslid(prs_key);
<label><span><%=L("lcl_no_noti_prsvoorkeur")%></span></label>
</td>
</tr>
<%}
<%}
BLOCK_END();
}
}
BLOCK_START("prsFlex"+(S("prs_flexcolumns")!=1?"2":""), L("lcl_prs_flexblok"));
generateFlexKenmerkCode ({
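Review bot: The impersonate button in the second hunk is gated by `S("prs_allow_impersonate") && prsauthparams.writesys && prs_key != user_key && typeof Session("org_user_key") == "undefined"`, but that is presentation only: `prs_impersonate.asp`, which `prs_impersonate()` posts `prs_key` to, is not part of this view and must re-evaluate the same conditions server-side, because the data token from `protectRequest.dataToken("data")` protects against cross-site requests, not against an authenticated user posting without the button. In particular the `typeof Session("org_user_key") == "undefined"` test is the only thing here preventing nested impersonation, so the target page should mirror it. `impersCallback` also ignores `json` and navigates to `rooturl` regardless of outcome; unless `FcltCallbackAndThen` already short-circuits on a failed result, check the returned result before redirecting. The duplicated `<%}` lines in the last hunk look like a whitespace-only change and need no action.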


@@ -10,20 +10,32 @@ var JSON_Result = true;
%>
<!-- #include file="../Shared/common.inc" -->
<!-- #include file="../Shared/save2db.inc" -->
<!-- #include file="../Shared/json2.js" -->
<!-- #include file="../Shared/login.inc" -->
<%
// Session.Abondon is gevaarlijk: dan verlies je ook CustomerID etc.
// Bovendien krijg je met IIS dan nog steeds geen nieuwe ASPSESSIONID
protectRequest.validateToken();
Session("no_sso") = 1; // Voorkom autosso
Session.Contents.Remove("user_key");
Session.Contents.Remove("ASPFIXATION");
Session.Contents.Remove("must_reset_password");
deleteSessionCookie("fcltid");
Response.Write(JSON.stringify({ success: true }));
var result = { success: true };
if (Session("org_user_key") > 0)
{
var was_key = user_key;
var other_key = parseInt(Session("org_user_key"), 10);
var other_naam = user.naam();
doLogin(other_key);
var since = new Date(Session("org_user_key_ts"));
result.message = "U gaat weer verder als {0}".format(user.naam());
shared.trackaction("PRSLOG", was_key, "Uitloggen sessie van {0}".format(toDateTimeString(since))); // TODO: Betere tracking code?
Session.Contents.Remove("org_user_key");
Session.Contents.Remove("org_user_key_ts");
}
else
{
Session("no_sso") = 1; // Voorkom autosso
Session.Contents.Remove("user_key");
Session.Contents.Remove("ASPFIXATION");
Session.Contents.Remove("must_reset_password");
deleteSessionCookie("fcltid");
}
Response.Write(JSON.stringify(result));
Response.End;
%>
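Review bot: `var other_naam = user.naam();` on the impersonation branch is never read (the message calls `user.naam()` again after `doLogin(other_key)`), so the line should be removed or used in the tracking text. The `else` branch repeats the same session-cleanup lines that this commit extracts into `doLogoff()` in login.inc, but without `Session.Contents.Remove("login_by_fallback")`; replacing the branch body with `doLogoff();` keeps the two in sync and clears the fallback flag on a normal logoff as well. `Session.Contents.Remove("org_user_key")` and `Remove("org_user_key_ts")` run only after `doLogin(other_key)` returns; if `doLogin` throws or returns false (it returns a boolean in login.inc), the original-user marker stays in the session, so clear both keys before the call or check its return value. `was_key` is taken from a `user_key` global that is presumably set by the included login.inc; worth confirming it is the impersonated key and not the original one at that point.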


@@ -133,6 +133,18 @@ function doLogin(prs_key, params)
return true;
}
// Session.Abondon is gevaarlijk: dan verlies je ook CustomerID etc.
// Bovendien krijg je met IIS dan nog steeds geen nieuwe ASPSESSIONID
function doLogoff()
{
Session("no_sso") = 1; // Voorkom autosso
Session.Contents.Remove("user_key");
Session.Contents.Remove("ASPFIXATION");
Session.Contents.Remove("must_reset_password");
Session.Contents.Remove("login_by_fallback");
deleteSessionCookie("fcltid");
}
// Inloggen via een fcltid-cookie of een session die met QR-code is gescand
function setUserFromSession (p_session)
{
@@ -296,8 +308,6 @@ function testpassword(prs_key, wachtwoord, pmobile)
+ " , prs_perslid_authenticatie_exp"
+ " , prs_perslid_salt"
+ " , prs_perslid_wachtwoord_hash"
+ " , prs_perslid_otpsecret"
+ " , prs_perslid_otpcounter"
+ " , prs_perslid_oslogin"
+ " , prs_perslid_apikey"
+ " FROM prs_perslid"
@@ -308,45 +318,10 @@ function testpassword(prs_key, wachtwoord, pmobile)
var passhash = oRs("prs_perslid_wachtwoord_hash").Value;
var mobauth = oRs("prs_perslid_authenticatie").Value;
var mobauthexp = new Date(oRs("prs_perslid_authenticatie_exp").Value);
var otpsecret = oRs("prs_perslid_otpsecret").Value;
var otpcounter = oRs("prs_perslid_otpcounter").Value || -1;
var apikey = oRs("prs_perslid_apikey").Value;
var oslogin = oRs("prs_perslid_oslogin").Value;
oRs.Close();
if (otpsecret) // Die eerst maar eens controleren
{
var otpresult = otpcodes(otpsecret);
var otprequest = wachtwoord.substr(wachtwoord.length - otpresult.otpsize); // Door gebruiker achteraan wachtwoord getikt
__Log("Otprequest: " + otprequest);
var otp_oke = false;
if (otprequest.length == otpresult.otpsize && otprequest.match(/^[0-9]*$/)) // quick check exact 6 cijfers
{
wachtwoord = wachtwoord.substr(0, wachtwoord.length - otpresult.otpsize);
for (var i = 0; i < otpresult.codes.length && !otp_oke; i++)
{
var code = otpresult.codes[i];
__Log(code);
if (code.counter > otpcounter) // Hij mag niet eerder toegepast zijn
{
var otpshould = code.otpshould;
if (otprequest == code.otpshould)
{
otp_oke = true;
otpcounter = code.counter;
}
}
}
}
if (!otp_oke)
{
__Log("OTP check failed");
__Log(otpresult);
return false;
}
// else zorgen dat straks bij succesvolle login otpcounter wordt gezet
}
if (pmobile==1) // Mobile 'verzonnen' wachtwoord
{
if (mobauth == wachtwoord && mobauthexp && new Date() <= mobauthexp)
@@ -420,6 +395,7 @@ function testpassword(prs_key, wachtwoord, pmobile)
return true;
}
function setpassword(prs_key, wachtwoord)
{
if (S("prs_password_hash_factor") == 0) // Old style
@@ -440,6 +416,52 @@ function setpassword(prs_key, wachtwoord)
}
}
function testotp (user_key, otprequest)
{
var sql = " SELECT prs_perslid_otpsecret"
+ " , prs_perslid_otpcounter"
+ " FROM prs_perslid"
+ " WHERE prs_perslid_key = " + user_key;
var oRs = Oracle.Execute(sql);
var otpsecret = oRs("prs_perslid_otpsecret").Value;
var otpcounter = oRs("prs_perslid_otpcounter").Value || -1;
oRs.Close()
if (otpsecret) // Die eerst maar eens controleren
{
var otpresult = otpcodes(otpsecret);
__Log("Otprequest: " + otprequest);
var otp_oke = false;
if (otprequest.length == otpresult.otpsize && otprequest.match(/^[0-9]*$/)) // quick check exact 6 cijfers
{
for (var i = 0; i < otpresult.codes.length && !otp_oke; i++)
{
var code = otpresult.codes[i];
__Log(code);
if (code.counter > otpcounter) // Hij mag niet eerder toegepast zijn
{
var otpshould = code.otpshould;
if (otprequest == code.otpshould)
{
otp_oke = true;
otpcounter = code.counter;
}
}
}
}
if (!otp_oke)
{
__Log("OTP check failed");
__Log(otpresult);
return false;
}
// else zorgen dat straks bij succesvolle login otpcounter wordt gezet
}
return otp_oke;
}
//
// zet Session("user_key") als username en wachtwoord geldig zijn.
// Login na verzending via sms moet binnen 1 kwartier ingevuld zijn.
@@ -457,6 +479,8 @@ function setpassword(prs_key, wachtwoord)
/* global */ login_fail_reason = L("lcl_login_wrong");
function tryLogin(username, wachtwoord, pmobile) {
Session.Contents.Remove("otp_user_key");
if (!username || username == 'undefined')
return false;
@@ -477,6 +501,8 @@ function tryLogin(username, wachtwoord, pmobile) {
}
var sql = " SELECT prs_perslid_key, "
+ " prs_perslid_flags"
+ " , prs_perslid_otpsecret"
+ " , prs_perslid_otpcounter"
+ " FROM prs_perslid"
+ " WHERE prs_perslid_verwijder IS NULL"
+ " AND (" + logins.join(" OR ") + ")"
@@ -486,6 +512,9 @@ function tryLogin(username, wachtwoord, pmobile) {
if (oRs.Eof)
return false; // Gebruikersnaam niet eens gevonden
var otpsecret = oRs("prs_perslid_otpsecret").Value;
var otpcounter = oRs("prs_perslid_otpcounter").Value || -1;
var found = false;
if (wachtwoord == null) // SSO
found = true; // En zijn we verder wel klaar
@@ -500,7 +529,13 @@ function tryLogin(username, wachtwoord, pmobile) {
login_fail_reason = L("lcl_self_register_unconfirmed");
return false;
}
doLogin(oRs("prs_perslid_key").Value);
if (!otpsecret || !wachtwoord)
doLogin(oRs("prs_perslid_key").Value);
else
Session("otp_user_key") = oRs("prs_perslid_key").Value;
oRs.Close();
return true;
}
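Review bot: In the new `testotp()` the accepted counter survives only in the local `otpcounter` (`otpcounter = code.counter;`) and the function returns just `otp_oke`, so the caller cannot persist the value the comment `zorgen dat straks bij succesvolle login otpcounter wordt gezet` expects to be written later; unless that update happens elsewhere, the same code stays acceptable until the window moves on. Return the counter as well, e.g. `return otp_oke ? otpcounter : false;`, and store it in `prs_perslid_otpcounter` when the OTP step completes. When `otpsecret` is empty the function returns the hoisted but unassigned `otp_oke` (`undefined`) rather than an explicit `false`, and the `" WHERE prs_perslid_key = " + user_key` concatenation relies on `user_key` always being numeric, which holds when it comes from `Session("otp_user_key")` as set in the last hunk but is not enforced in the function itself. In that last hunk `tryLogin` now returns `true` both after `doLogin` and after only setting `Session("otp_user_key")`; the header comment above `tryLogin` should say so, e.g. `// Returns true when logged in, or when Session("otp_user_key") is set and an OTP is still required.`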