Facilitor/APPL/Shared/Login.inc
Jos Groot Lipman 990431765d Merge 5.3.1 Gold C patches
svn path=/Website/trunk/; revision=18165
2013-06-13 10:21:34 +00:00


<% /*
$Revision$
$Id$
File: shared/login.inc
Description: Inlog functionaliteit
Parameters:
Context:
Note: LET OP: Dit bestand heeft een heel klein stukje VBScript in zich
Dat maakt dat je dit bestand *niet* meer overal (via common.inc
of zo) moet gaan includen
*/
// Elders is prs_key geauthenticeerd. Registreer die hier als de actieve gebruiker.
// doLogin(prs_key)
// Registers an already-authenticated person as the active user of this ASP session.
// Authentication itself happens in the caller (password / one-time code / SSO);
// this function only re-checks that the person still exists, binds the session
// to a fresh random token (session-fixation defence) and records the login.
// Parameters:
//   prs_key  numeric prs_perslid key. Both callers in this file (setUserFromSession,
//            tryLogin) pass a value read from the database; it is concatenated into
//            SQL unquoted, so it must never come straight from request input.
// Side effects: sets the globals user_key and user, several Session() values and
//   the ASPFIXATION cookie; writes to fac_session and prs_perslid.
// Returns: true. A non-existent or deleted person aborts the script instead.
function doLogin(prs_key)
{
// Paranoia mode: the person must still exist and not be marked as deleted.
var sql = "SELECT prs_perslid_login"
+ " FROM prs_perslid"
+ " WHERE prs_perslid_verwijder IS NULL"
+ " AND prs_perslid_key = " + prs_key;
var oRs = Oracle.Execute(sql);
if (oRs.Eof)
{
__DoLog("Niet bestaande of verwijderde persoon " + prs_key + " geweigerd in doLogin.")
// Deliberate abort: evaluating an undefined identifier raises a script error,
// so execution never reaches the session setup below.
eval("INTERNAL_ERROR_INVALID_LOGIN_" + prs_key);
}
oRs.Close();
/* global */ user_key = prs_key;
//user_lang = oRs(1).Value; // the global still has to be removed!
if (typeof LCL_Disable == "undefined")
lcl.loadLCL();
Session("user_key") = user_key;
// Session-fixation protection, see http://www.owasp.org/index.php/Session_Fixation_Protection
// This code does not regenerate the ASP session id itself; instead a fresh
// random token is stored both in the Session and in a cookie, and default.inc
// compares the two. How guessable the token is depends on shared.random
// (defined elsewhere).
var FACSESSIONID = shared.random(32); // generate a large random string.
var ASPFIXATION = Session("customerId") + FACSESSIONID;
Response.Cookies("ASPFIXATION") = ASPFIXATION; // checked again in default.inc
Response.Cookies("ASPFIXATION").Path = rooturl + "/"; // otherwise not sent with ServerXMLHttp
//Response.Cookies("ASPFIXATION").Secure = true; // then not with ServerXMLHttp??
// NOTE(review): with Secure left off the token also travels over plain HTTP,
// and nothing here marks the cookie HttpOnly; worth revisiting if the
// ServerXMLHttp constraint above no longer applies.
Session("ASPFIXATION") = ASPFIXATION; // checked again in default.inc
Session("FACSESSIONID") = FACSESSIONID;
// Clean up this person's expired session rows. Effectively the user's most
// recent session row is always kept.
var sql = "DELETE FROM fac_session"
+ " WHERE prs_perslid_key = " + user_key
+ " AND FAC_SESSION_EXPIRE < SYSDATE";
Oracle.Execute(sql);
// Record the new session id; it expires after one day.
var sql = "INSERT INTO fac_session"
+ " (fac_session_sessionid, prs_perslid_key, fac_session_expire)"
+ " VALUES(" + safe.quoted_sql(FACSESSIONID) + ", " + user_key + ", SYSDATE+1)"; // 24 hours is enough
Oracle.Execute(sql);
// Remember the last login moment on the person record.
var registersql = "UPDATE prs_perslid SET prs_perslid_login = SYSDATE"
+ " WHERE prs_perslid_key=" + user_key;
Oracle.Execute(registersql);
/* global */ user = new Perslid(user_key);
Session("user_lang") = user.dblang(); // Preferably not a Session value, but m_connections already needs it for its fac.initsession
// It also prevents a plain user.lang from triggering a _require_prs_perslid
return true;
}
// Inloggen via een fcltid-cookie of een session die met QR-code is gescand
// setUserFromSession(p_session)
// Log in through a persistent session id: the fcltid cookie or a session that
// was scanned from a QR code.
// Parameters:
//   p_session  session id string from the cookie or scan; it goes through
//              safe.quoted_sql before being placed in SQL.
// Looks up a fac_session row that has not expired. When found, doLogin() is
// called for its owner and the row is deleted, so the id is consumed on use.
// Whether a new persistent session is created afterwards is left to the
// caller (see makeSessionCookie). Nothing happens for an unknown/expired id.
function setUserFromSession (p_session)
{
var sql = "SELECT prs_perslid_key, fac_session_data "
+ " FROM fac_session "
+ " WHERE fac_session_expire > sysdate "
+ " AND fac_session_sessionid = " + safe.quoted_sql(p_session);
var oRs = Oracle.Execute( sql );
if (!oRs.eof)
{
doLogin(oRs("prs_perslid_key").Value);
// Read here but only used by the commented-out makeSessionCookie call below.
var sessionData = oRs("fac_session_data").value;
// remove the session that was just used
sql = "DELETE fac_session"
+ " WHERE prs_perslid_key = " + user_key // index performance
+ " AND fac_session_sessionid = " + safe.quoted_sql(p_session);
Oracle.Execute(sql);
// makeSessionCookie(sessionData); the caller decides whether a new session is created
}
oRs.Close();
}
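// makeSessionCookie(sessionData)
// Creates a persistent ("remember me") session row for the current user and
// hands its id to the browser in the fcltid cookie.
// Parameters:
//   sessionData  free-form data stored with the row (passed through
//                safe.quoted_sql); setUserFromSession reads it back.
// Uses the global user_key (set by doLogin) and the login_remember_days
// setting for both the row expiry and the cookie lifetime. The row gives a
// password-less login to whoever presents the id (see setUserFromSession),
// and no Secure/HttpOnly attribute is set on the cookie here.
// The fcltcust cookie is not required by Facilitor itself but is convenient
// during internal development.
function makeSessionCookie (sessionData)
{
    var sessionId = shared.random(32);
    // Create the new session row. 'sql' used to be assigned without var,
    // i.e. an implicit global; it is local now.
    var sql = "INSERT INTO fac_session ( "
        + " fac_session_sessionid, "
        + " prs_perslid_key, "
        + " fac_session_data, "
        + " fac_session_expire) "
        + " VALUES ( "
        + safe.quoted_sql(sessionId) + ", "
        + user_key + ", "
        + safe.quoted_sql(sessionData) + ", "
        + " sysdate + " + S("login_remember_days") + " )"; // expiry in days, from the setting
    Oracle.Execute(sql);
    // Store the new session id as a cookie, scoped to the application root.
    Response.Cookies("fcltid")=sessionId;
    Response.Cookies("fcltid").Path = rooturl + "/";
    VBexpireCookie("fcltid", "d", S("login_remember_days"));
    Response.Cookies("fcltcust") = customerId;
    Response.Cookies("fcltcust").Path = rooturl + "/";
    VBexpireCookie("fcltcust", "d", S("login_remember_days"));
}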
// deleteSessionCookie(cookiename)
// Revokes the persistent session a cookie refers to and clears the cookie.
// Parameters:
//   cookiename  name of the cookie carrying a fac_session id (e.g. "fcltid").
// The fac_session row (scoped to the global user_key) is deleted only when
// the request actually carries the cookie; the cookie itself is always
// overwritten with an empty value and an expiry one year in the past.
function deleteSessionCookie (cookiename)
{
    var presentedId = String(Request.Cookies(cookiename));
    if (presentedId.length > 0)
    {
        var revokeSql = "DELETE fac_session"
            + " WHERE prs_perslid_key = " + user_key // index performance
            + " AND fac_session_sessionid = " + safe.quoted_sql(presentedId);
        Oracle.Execute(revokeSql);
    }
    // Wipe the cookie on the same path it was set on.
    Response.Cookies(cookiename)="";
    Response.Cookies(cookiename).Path = rooturl + "/";
    VBexpireCookie(cookiename, "yyyy", -1);
}
//
// zet Session("user_key") als username en wachtwoord geldig zijn.
// Login na verzending via sms moet binnen 1 kwartier ingevuld zijn.
// resultaat: true bij succesvolle login, false bij niet succesvol
// drie username opties:
// - prs_perslid_oslogin
// - prs_perslid_oslogin2
// - upper(prs_perslid_email)
// drie wachtwoord opties
// - leeg (single-signon)
// - prs_perslid_wachtwoord (of eigenlijk: prs_perslid_salt en prs_perslid_wachtwoord_hash)
// - prs_perslid_authenticatie (en prs_perslid_authenticatie_exp > sysdate)
// de laatste wordt zowel gebruikt voor mobile/SMS als voor 'Wachtwoord vergeten'
// Bij 'Wachtwoord vergeten' wordt bij success prs_perslid_authenticatie overgenomen naar prs_perslid_wachtwoord_hash
// Localised reason for the last tryLogin() failure, for the login page to show;
// empty until tryLogin sets it. Intentionally global (no var), see the marker.
/* global */ login_fail_reason = "";
// tryLogin(username, wachtwoord, mobile)
// Authenticates a person and, on success, registers the session via doLogin().
// Parameters:
//   username    login name; matched against upper(prs_perslid_email) when the
//               login_use_email setting is on, otherwise against
//               prs_perslid_oslogin / prs_perslid_oslogin2.
//   wachtwoord  null for single sign-on: the caller has authenticated the user
//               elsewhere and no credential is checked here, only that the
//               login name exists. Otherwise the password or the one-time code.
//   mobile      1 when the one-time code from the SMS/mobile flow is used; in
//               that flow the code is not consumed and stays valid until
//               prs_perslid_authenticatie_exp.
// Returns: true when logged in; false otherwise, with login_fail_reason set to
//   the localised reason (not set when username is empty or 'undefined').
// Side effects: doLogin() on success; in the emailed-code flow the code becomes
//   the permanent password (prs.setpassword) and is then cleared.
// NOTE(review): the recordsets opened below are never Close()d, unlike those
//   in doLogin and setUserFromSession.
function tryLogin(username, wachtwoord, mobile) {
if (username != '' && username != 'undefined') // only when a login name was supplied ('undefined' is what String(undefined) yields)
{
var logins = [];
if (S("login_use_email"))
logins.push(" upper(prs_perslid_email) = " + safe.quoted_sql_upper(username));
else
{
// presumably the second argument limits the value to 30 characters — verify in safe.quoted_sql_upper
logins.push(" prs_perslid_oslogin = " + safe.quoted_sql_upper(username, 30));
logins.push(" prs_perslid_oslogin2 = " + safe.quoted_sql_upper(username, 30));
}
// Base query: the person must exist, not be deleted and not carry flags 1, 4
// or 8. Flag 2 (unconfirmed self-registration) passes here and is rejected
// further down with its own fail reason.
var sql = " SELECT prs_perslid_key, "
+ " prs_perslid_flags, "
+ " UPPER (COALESCE(prs_perslid_lang, fac_version_lang))"
+ " FROM prs_perslid, fac_version"
+ " WHERE prs_perslid_verwijder IS NULL"
+ " AND (" + logins.join(" OR ") + ")"
+ " AND BITAND(prs_perslid_flags, 1+4+8) = 0"; // 2==unconfirmed is still allowed for a little while
var found = false;
if (wachtwoord==null) // SSO: existence of the login name is enough
{
var oRs = Oracle.Execute(sql);
found = !oRs.eof;
}
else
{
if (mobile==1 || S("email_password")==1) // Mobile 'invented' password or emailed password
{
// One-time code: must equal prs_perslid_authenticatie and not be expired.
var sql2 = sql + " AND (prs_perslid_authenticatie =" + safe.quoted_sql(wachtwoord)
+ " AND prs_perslid_authenticatie_exp > sysdate)";
var oRs = Oracle.Execute(sql2);
found = !oRs.eof;
if (found && !(mobile==1))
{
// Emailed code ('forgot password'): make the code the permanent password
// and invalidate it as a one-time code. The mobile flow skips this, so
// its code remains usable until prs_perslid_authenticatie_exp.
sql = "BEGIN prs.setpassword(" + oRs("prs_perslid_key").Value + ", " + safe.quoted_sql(wachtwoord) + "); END;";
Oracle.Execute(sql);
sql = "UPDATE prs_perslid"
+ " SET prs_perslid_authenticatie = null,"
+ " prs_perslid_authenticatie_exp = SYSDATE - 1"
+ " WHERE prs_perslid_key = " + oRs("prs_perslid_key").Value;
Oracle.Execute(sql);
}
}
if (!found) // regular password; also reached after a failed code attempt
{
// The check itself happens in the database (prs.testpassword, salt + hash
// per the note above); the clear-text value is only passed through.
var sql2 = sql+ " AND prs.testpassword(prs_perslid_key, " + safe.quoted_sql(wachtwoord) + ") = 1"
var oRs = Oracle.Execute(sql2);
found = !oRs.eof;
}
}
if (found)
{
// oRs is the recordset of whichever query matched last.
if ((oRs("prs_perslid_flags").Value & 2) == 2)
{
login_fail_reason = L("lcl_self_register_unconfirmed");
return false;
}
doLogin(oRs("prs_perslid_key").Value);
return true;
}
else
login_fail_reason = L("lcl_login_wrong");
// otherwise the Session variables stay unset.
}
return false;
}
// function SecureSSO
// Verzorgt de secure Single Signon communicatie protocol
//
// ssoProps
// strSharedKey: afgesproken shared key
// onSuccess: functie die aangeroepen wordt bij success
// We kunnen hier nog via twee routes komen: oude stijl (cust/xxxx/sso.asp)
// en nieuwe stijl (xxxx.facilitor.nl?sso=1)
// In het laatste geval zal ssoProps.sso ook 1 of 2 zijn
function SecureSSO(ssoProps)
{
// Secure single sign-on round trip with an external identity provider.
// Phase 1 ("requestid"): generate two nonces (guid, ctid), remember them in the
//   Session with a short expiry, and auto-post them to strReturnURL.
// Phase 2 ("processcode"): the provider posts back the user name and a control
//   value, each XOR-obscured twice (shared key + nonce, then nonce alone; see
//   DeCrypt below). The control value must decode to the return URL and the
//   declared length must match; only then is tryLogin() called without a
//   password. The nonces are removed from the Session before checking, so
//   each one can be used once.
// ssoProps: strSharedKey (pre-agreed secret), Timeout (seconds, default 30),
//   fnparseName (optional rewrite of the decoded name), fnonSuccess (optional
//   callback receiving user_key; otherwise redirect to default.asp), sso
//   (1 or 2 for the new-style ?sso= entry; picks sso_advanced_url or
//   sso_advanced_url_alt).
// Every path ends the response; the function does not return normally.
// NOTE(review): the confidentiality of the posted user name rests entirely on
//   strSharedKey, and the XOR leaves bytes beyond the key length unchanged
//   (charCodeAt past the end gives NaN, and x ^ NaN == x).
var strAction, strReturnURL, strKey, strGUID, strCTID
var strUserName, strDecryptedCode, strControlID, strControlDecryptedCode, strLengthCode
//'* variables *******************************************************
//'*******************************************************************
Response.Buffer=true
%>
<HTML>
<HEAD>
<script type="text/javascript">
function fnSubmit() {
window.document.form.submit();
return;
}
</SCRIPT>
</HEAD>
<%
strReturnURL = getFParam("returnurl", "");
// Only '<' and '>' are removed from the request-supplied return URL, and
// replace() with a string pattern removes just the first occurrence.
// NOTE(review): the value is written into a single-quoted form action below
// while quotes and other characters pass through; validating it against the
// configured SSO URLs would be stricter than this stripping.
strReturnURL= strReturnURL.replace("<", "");
strReturnURL= strReturnURL.replace(">", "");
strAction = getFParam("action", "");
if (!strAction && S("sso_advanced_url") && ssoProps.sso > 0) // we started inside Facilitor
{
strReturnURL = ssoProps.sso==1?S("sso_advanced_url"):S("sso_advanced_url_alt");
strAction = "requestid";
Session("SSO_QUERYSTRING") = String(Request.ServerVariables("QUERY_STRING")); // remembered for the redirect after login
}
if (strAction == "requestid")
{
//* action = requestid *******************************************
%>
<BODY LANGUAGE="javascript" onload="return fnSubmit()">
<%
if (strReturnURL == "")
{
__DoLog("Secure SSO login error 1");
Response.write("Error: onvoldoende informatie ontvangen.")
Response.end
}
else
{
Response.write("Een moment aub..")
// Nonces: the guid is 64 characters, the ctid is as long as the return URL
// (it is XORed against the URL on the way back). Both come from COM GUIDs,
// see GetGuid; whether that is unpredictable enough for a nonce depends on
// the platform — verify.
strGUID = GetGuid(64)
strCTID = GetGuid(strReturnURL.length)
// Save GUID; the nonces expire after ssoProps.Timeout seconds (default 30).
Session("GUID") = strGUID;
Session("CTID") = strCTID;
Session("GUIDEXPIRE") = (new Date()).valueOf()
+ (ssoProps.Timeout?ssoProps.Timeout:30)*1000;
if (Request.Form("Jumpto").Count>0) // Remember it (old style)
{
Session("FirstPage")=""+Request.Form("Jumpto")
}
%>
<form action='<%=strReturnURL%>' method="post" name="form" ID="Form1">
<input type="hidden" name="guid" value="<%=strGUID%>" ID="Hidden1">
<input type="hidden" name="ctid" value="<%=strCTID%>" ID="Hidden2">
<%
}
}
else if (strAction == "processcode")
{
// * action = processcode *****************************************
%>
<BODY>
<%
strUserName = String(Request.form("code"))
strControlID = String(Request.form("ctcode"))
strLengthCode = Request.form("ltcode")
strGUID = Session("GUID")
strCTID = Session("CTID")
var expire = Session("GUIDEXPIRE");
// Clean session memory first, so a nonce can only be presented once.
Session.Contents.Remove("GUID");
Session.Contents.Remove("CTID");
Session.Contents.Remove("GUIDEXPIRE");
// Reject when the nonces are missing or expired, or the posted values are empty.
if (typeof expire == "undefined" || !expire || (new Date()).valueOf() > expire ||
typeof strGUID == "undefined" || strUserName == "" || typeof strCTID == "undefined" || strControlID == "")
{
Session.Contents.Remove("FirstPage");
if (strReturnURL == "")
{
__DoLog("Secure SSO login error 2");
Response.write("Error: onvoldoende informatie ontvangen.")
Response.end
}
else
{
// FSN#25537 this one occurs quite regularly but the cause is unknown
__Log("Secure SSO login error 3");
Response.write("Error: onvoldoende informatie ontvangen.")
Response.End;
// Response.redirect(strReturnURL) can cause an endless loop
}
}
// Convert from ASC chars (length-prefixed decimal char codes, see ConvertFromAsc)
strUserName = ConvertFromAsc(strUserName)
strControlID = ConvertFromAsc(strControlID)
//* decrypt ******************************************************
// DeCrypt reads strKey from this function's scope (it is not a parameter);
// the 'var' below re-declares the strKey from the top of the function.
//First decoding phase
var strKey = (ssoProps.strSharedKey + strGUID).substr(0,strUserName.length);
strDecryptedCode = DeCrypt(strUserName)
//Second decoding phase
var strKey = strGUID.substr(0,strDecryptedCode.length);
strDecryptedCode = DeCrypt(strDecryptedCode)
// * decrypt Controlkey ********************************************
// First decoding phase
strKey = (ssoProps.strSharedKey + strCTID).substr(0,strControlID.length)
strControlDecryptedCode = DeCrypt(strControlID)
// Second decoding phase
strKey = strCTID.substr(0,strControlDecryptedCode.length)
strControlDecryptedCode = DeCrypt(strControlDecryptedCode)
// Integrity check: the control value must decode back to the return URL and
// ltcode must equal the length of the decoded user name.
if (strControlDecryptedCode == strReturnURL && parseInt(strLengthCode,10) == strDecryptedCode.length)
{
// For the ASP: User is authenticated, strDecryptedCode contains the validated Domain\Username
__Log("SSO Gebruikersnaam = " + strDecryptedCode)
if (ssoProps.fnparseName)
{
strDecryptedCode = ssoProps.fnparseName(strDecryptedCode)
//Response.write ("<p>Na fnparseName: " + strDecryptedCode)
}
// SSO login: tryLogin only checks that the name exists (password null).
if (tryLogin(strDecryptedCode, null))
{
if (ssoProps.fnonSuccess)
ssoProps.fnonSuccess(user_key);
else // All good!
{
var sso_qs = Session("SSO_QUERYSTRING")||"";
Session.Contents.Remove("SSO_QUERYSTRING");
Response.Redirect(rooturl + "/default.asp" + (sso_qs?"?":"") + sso_qs);
}
}
else
{ // Automatically to the login screen
__DoLog("Secure SSO login niet gevonden binnen Facilitor: " + strDecryptedCode);
Response.Redirect(rooturl + "/default.asp");
}
}
else
{
if (strReturnURL == "")
{
__DoLog("Secure SSO login error 4");
Response.write("Error: onvoldoende informatie ontvangen.")
Response.end
}
else
{
__DoLog("Secure SSO login error 5");
Response.Write("Decodeer fout");
Response.End;
// Unreachable once Response.End above has ended the response.
Response.redirect(strReturnURL)
}
}
}
else
{
__DoLog("Secure SSO login error 6");
Response.Write("Foute aanroep");
Response.End;
}
//* Functions ********************************************************
// ConvertFromAsc(strAsc)
// Decodes the transport format: a sequence of <digit count><decimal char code>
// items, e.g. "265" -> one character with code 65. Returns the decoded string.
function ConvertFromAsc(strAsc)
{
var iCount
var iChars
var sConvertFromAsc = ""
iCount = 0
do
{
iChars = parseInt(strAsc.substr(iCount,1))
iCount = iCount + 1
sConvertFromAsc = sConvertFromAsc + String.fromCharCode(parseInt(strAsc.substr(iCount,iChars)))
iCount = iCount + iChars
} while (iCount < strAsc.length);
return sConvertFromAsc;
}
// GetGuid(iDigits)
// Builds a string of iDigits hex characters by concatenating COM-generated
// GUIDs (Scriptlet.TypeLib) with the braces and dashes removed.
function GetGuid(iDigits)
{
var lsGUID
var lsTemp
var TypeLib = Server.CreateObject("Scriptlet.TypeLib")
var lsTemp = ""
do
{
lsGUID = String(TypeLib.Guid).substr(0, 38)
lsTemp = lsTemp + lsGUID.substr(1,8) + lsGUID.substr(10,4) + lsGUID.substr(15,4) + lsGUID.substr(20,4) + lsGUID.substr(25,12)
} while (lsTemp.length < iDigits)
TypeLib = null
return lsTemp.substr(0,iDigits);
}
// DeCrypt(strEncrypted)
// Character-wise XOR of strEncrypted with the enclosing strKey (taken from
// SecureSSO's scope, not passed in). Symmetric, so it both "encrypts" and
// "decrypts". iDeCryptChar is assigned without var, i.e. an implicit global.
function DeCrypt(strEncrypted)
{
var strChar, iKeyChar, iStringChar, i
var strDecrypted = "";
for (i=0; i<strEncrypted.length; i++)
{
iKeyChar = strKey.charCodeAt(i);
iStringChar = strEncrypted.charCodeAt(i);
iDeCryptChar = iStringChar ^ iKeyChar
strDecrypted = strDecrypted + String.fromCharCode(iDeCryptChar);
}
return strDecrypted;
}
//*********************************************************************
%>
</form>
</BODY>
</HTML>
<%
Response.End;
}
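// Base64 alphabet used by decode_b64 (standard alphabet with '+' and '/').
var base64s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// decode_b64(encStr)
// Decodes a standard base64 string, then runs unescape() over the result so
// %XX / %uXXXX sequences in the payload come out as characters (added for
// Chinese user names, see the original note).
// Parameters:
//   encStr  base64 text; trailing '=' padding is honoured. Characters outside
//           the alphabet are not rejected (indexOf() yields -1, masked to
//           0xff), so garbage in gives garbage out rather than an error.
// Returns: the decoded and unescaped string; "" for "".
function decode_b64(encStr) {
    var bits, decOut = '', i = 0;
    for (; i < encStr.length; i += 4) {
        // Four 6-bit symbols -> one 24-bit group.
        bits =
            (base64s.indexOf(encStr.charAt(i)) & 0xff) << 18 |
            (base64s.indexOf(encStr.charAt(i + 1)) & 0xff) << 12 |
            (base64s.indexOf(encStr.charAt(i + 2)) & 0xff) << 6 |
            base64s.indexOf(encStr.charAt(i + 3)) & 0xff;
        // 24-bit group -> three bytes; padding bytes are dropped below.
        decOut += String.fromCharCode(
            (bits & 0xff0000) >> 16, (bits & 0xff00) >> 8, bits & 0xff);
    }
    // Drop the bytes that correspond to '=' padding (char code 61).
    // undecOut was an implicit global before; it is local now.
    var undecOut;
    if (encStr.charCodeAt(i - 2) == 61)
        undecOut = decOut.substring(0, decOut.length - 2);
    else if (encStr.charCodeAt(i - 1) == 61)
        undecOut = decOut.substring(0, decOut.length - 1);
    else
        undecOut = decOut;
    return unescape(undecOut); // line added for Chinese characters
}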
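// SimpleSSO()
// Facilitorplace single sign-on: takes the user name that an earlier step
// placed in Session("UID_DEC"), optionally base64-decodes it (only when the
// use_simple_sso setting is 1; the value is then removed so it cannot be
// reused), strips the domain part and hands it to tryLogin() without a
// password. Nothing happens when no user name is present. Note that the
// 'UNDEFINED' comparison only matches in the decoded (upper-cased) path; the
// lower-case 'undefined' case is caught inside tryLogin.
function SimpleSSO()
{
    var user = String(Session("UID_DEC"));
    __Log('User#1 = '+user);
    // facilitorplace SSO decoded/encrypted login?
    // For a decoded login the setting S("use_simple_sso") must be on
    if (S("use_simple_sso") == 1 && user != '' && user!='undefined')
    {
        user = decode_b64(user).toUpperCase();
        Session.Contents.Remove("UID_DEC"); // never twice
        __Log('User#2a = '+user);
    }
    if (user !='' && user!='UNDEFINED') {
        // Strip domain name: keep only what follows the last backslash.
        // The previous loop re-scanned from the first backslash and never
        // terminated when the backslash was the final character; its 'i'
        // and 'l' were also implicit globals.
        var sep = user.lastIndexOf('\\');
        if (sep >= 0)
            user = user.substring(sep + 1);
        tryLogin(user,null);
    }
}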
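// IntegratedSSO()
// Single sign-on from Windows integrated authentication: takes the user name
// the web server placed in the request, strips the domain part and hands it
// to tryLogin() without a password.
// Sources are tried in order: REMOTE_USER (set by IIS when integrated
// authentication is on), then the HTTP_USER and HTTP_LOGIN server variables.
// NOTE(review): HTTP_USER and HTTP_LOGIN are the "User" and "Login" request
// headers, which the client can supply itself unless a trusted front end
// overwrites or strips them; confirm the deployment guarantees that before
// relying on those fallbacks.
// When none is present a 401 is returned so the browser (re)tries Windows
// authentication, and the response is ended there.
function IntegratedSSO()
{
    var user = String( Request.ServerVariables("REMOTE_USER") ).toUpperCase();
    __Log('REMOTE_USER = '+user);
    if (user =='' || user=='UNDEFINED')
    {
        user = String( Request.ServerVariables("HTTP_USER") ).toUpperCase();
        __Log('HTTP_USER = '+user);
        if (user =='' || user=='UNDEFINED')
        {
            user = String( Request.ServerVariables("HTTP_LOGIN") ).toUpperCase();
            __Log('HTTP_LOGIN = '+user);
            if (user =='' || user=='UNDEFINED')
            {
                // HTTP_LOGIN, REMOTE_USER or HTTP_USER is not (yet) set. Forcing Windows Authentication
                Response.Status = "401 Unauthorized";
                shared.simpel_page("os_logon is set, trying 401 Unautorized<br>If this page stays, check IIS if integrated authentication is turned on.");
                Response.End(); // Reloads current file
            }
        }
    }
    if (user !='' && user!='UNDEFINED')
    {
        // Strip domain name: keep only what follows the last backslash.
        // The previous loop re-scanned from the first backslash and never
        // terminated when the backslash was the final character; its 'i'
        // and 'l' were also implicit globals.
        var sep = user.lastIndexOf('\\');
        if (sep >= 0)
            user = user.substring(sep + 1);
        tryLogin(user,null);
    }
}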
%>
<script language="VBScript" runat="Server">
'' Met de beste wil van de wereld kreeg ik dit niet werkend met JScript
'' Op de SGF12 moest ik .Expires = '12/31/2012' doen
'' Op mijn Vista PC moest ik .Expires = '31/12/2012' doen
'' Daarom maar VBScript
Sub VBexpireCookie(cookiename, interval, number)
    ' Sets the Expires attribute of a response cookie relative to Now.
    ' interval and number go straight to DateAdd ("d" = days, "yyyy" = years);
    ' a negative number puts the expiry in the past so the browser discards
    ' the cookie. Kept in VBScript because the JScript date-to-Expires
    ' conversion turned out to be locale dependent (see the note above).
    Dim expiresAt
    expiresAt = DateAdd(interval, number, Now)
    Response.Cookies(cookiename).Expires = expiresAt
End Sub
</script>