沙仕網 - Powered by Discuz! Board

標題: weberp這個session.inc源碼分析 [打印本頁]

作者: admin 時間: 2010-6-28 02:29 標題: weberp這個session.inc源碼分析

首先是這個session.inc,會話處理，在頁面跳轉的時候執行權限設定的，這個文件相當重要
/* $Revision: 1.48 $ */
//版本說明

if (!isset($PathPrefix)) {
$PathPrefix='';
}
//設置程序的路徑

include($PathPrefix . 'config.php');
//引入config.php配置文件

if (isset($SessionSavePath)){
session_save_path($SessionSavePath);
}
//如果有設置SessionSavePath,則將其賦給設置命令session_save_path

ini_set('session.gc_Maxlifetime',$SessionLifeTime);
ini_set('max_execution_time',$MaximumExecutionTime);
//同上

session_start();
//會話開始

include($PathPrefix . 'includes/LanguageSetup.php');
include($PathPrefix . 'includes/ConnectDB.inc');
include($PathPrefix . 'includes/DateFunctions.inc');
//將三個文件引入languagesetup.php為語言設置，connectdb.inc為數據庫連接，//datefuntions.inc為日期操作的相當函婁

// Un comment to turn off attempts counter
//$_SESSION['AttemptsCounter'] = 0;

if (!isset($_SESSION['AttemptsCounter'])){
$_SESSION['AttemptsCounter'] = 0;
}
//此處為邊接此數的初值，5次連接失敗后賬號就關閉

if (!isset($AllowAnyone)){ /* only do security checks if AllowAnyone is not true */
//此處為安檢
if (!isset($_SESSION['AccessLevel']) OR $_SESSION['AccessLevel'] == '' OR
(isset($_POST['UserNameEntryField']) AND $_POST['UserNameEntryField'] != '')) {

/* if not logged in */

$_SESSION['AccessLevel'] = '';
$_SESSION['CustomerID'] = '';
$_SESSION['UserBranch'] = '';
$_SESSION['Module'] = '';
$_SESSION['PageSize'] = '';
$_SESSION['UserStockLocation'] = '';
$_SESSION['AttemptsCounter']++;

$theme = 'professional';
//如果沒有登入，則將關鍵的幾個session置為空,此處的判斷的變量有兩個，一個為$_session['AccessLevel']此為登入成功后設置的session,而$_POST['UsernameEntryFeld']則為輸入的用戶名，當輸入用戶名點了login且用戶名不為空時或session中沒有值時，將相應的session清空。

// Show login screen
if (!isset($_POST['UserNameEntryField']) or $_POST['UserNameEntryField'] == '') {
include($PathPrefix . 'includes/Login.php');
exit;
}
//如果用戶名都沒有則顯示login畫面

$sql = "SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='" . DB_escape_string($_POST['UserNameEntryField']) . "'
AND (www_users.password='" . CryptPass(DB_escape_string($_POST['Password'])) . "'

OR www_users.password='" . DB_escape_string($_POST['Password']) . "')";
$Auth_Result = DB_query($sql, $db);
//以上為根據用戶名和密碼連到數據庫，取出記錄

// Populate session variables with data base results
if (DB_num_rows($Auth_Result) > 0) {
//如果有記錄，則將結果集賦給$myrow
$myrow = DB_fetch_row($Auth_Result);
if ($myrow[7]==1){
//the account is blocked
die(include($PathPrefix . 'includes/FailedLogin.php'));
}

//如果$myrow[7]為1，則表示該賬號已禁用，則退出
/*reset the attempts counter on successful login */
$_SESSION['AttemptsCounter'] = 0;
$_SESSION['AccessLevel'] = $myrow[0];
$_SESSION['CustomerID'] = $myrow[1];
$_SESSION['UserBranch'] = $myrow[5];
$_SESSION['DefaultPageSize'] = $myrow[3];
$_SESSION['UserStockLocation'] = $myrow[4];
$_SESSION['ModulesEnabled'] = explode(",", $myrow[6]);
$_SESSION['UsersRealName'] = $myrow[8];
$_SESSION['Theme'] = $myrow[9];
$_SESSION['UserID'] = $myrow[11];
$_SESSION['Language'] = $myrow[12];

if ($myrow[10] > 0) {
$_SESSION['DisplayRecordsMax'] = $myrow[10];
} else {
$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax']; // default comes from config.php
}
//將記錄集中的值賦給相應的session

$sql = "UPDATE www_users SET lastvisitdate='". date("Y-m-d H:i:s") ."'
WHERE www_users.userid='" . DB_escape_string($_POST['UserNameEntryField']) . "'
AND www_users.password='" . CryptPass(DB_escape_string($_POST['Password'])) ."'";
$Auth_Result = DB_query($sql, $db);
//將登入信息更新

/*get the security tokens that the user has access to */
$sql = 'SELECT tokenid FROM securitygroups
WHERE secroleid = ' . $_SESSION['AccessLevel'];
$Sec_Result = DB_query($sql, $db);

$_SESSION['AllowedPageSecurityTokens'] = array();
if (DB_num_rows($Sec_Result)==0){
$title = _('Account Error Report');
include($PathPrefix . 'includes/header.inc');
echo '

';
prnMsg(_('Your user role does not have any access defined for webERP. There is an error in the security setup for this user account'),'error');
include($PathPrefix . 'includes/footer.inc');
exit;
} else {
$i=0;
while ($myrow = DB_fetch_row($Sec_Result)){
$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
$i++;
}
}

echo "

";
//根據$_session['accesslevel'],得到tokenid並賦給$_session['allowedpagesecuritytokens']
exit;
} else { // Incorrect password
// 5 login attempts, show failed login screen
if (!isset($_SESSION['AttemptsCounter'])) {
$_SESSION['AttemptsCounter'] = 0;
} elseif ($_SESSION['AttemptsCounter'] >= 5 AND isset($_POST['UserNameEntryField'])) {
/*User blocked from future accesses until sysadmin releases */
$sql = "UPDATE www_users
SET blocked=1
WHERE www_users.userid='" . $_POST['UserNameEntryField'] . "'";
$Auth_Result = DB_query($sql, $db);
die(include($PathPrefix . 'includes/FailedLogin.php'));
}
$demo_text = " . _('incorrect password') . '
' . _('The user/password combination') . '
' . _('is not a valid user of the system') . '';
die(include($PathPrefix . 'includes/Login.php'));
}
} // End of userid/password check
} /* only do security checks if AllowAnyone is not true */

/*User is logged in so get configuration parameters - save in session*/
include($PathPrefix . 'includes/GetConfig.php');

if(isset($_SESSION['DB_Maintenance'])){
if ($_SESSION['DB_Maintenance']!=0) {
if (DateDiff(Date($_SESSION['DefaultDateFormat']),
ConvertSQLDate($_SESSION['DB_Maintenance_LastRun'])
,'d') > $_SESSION['DB_Maintenance']){

/*Do the DB maintenance routing for the DB_type selected */
DB_Maintenance($db);
$_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d');
}
}
}

If (isset($_POST['Theme'])) {
$_SESSION['Theme'] = $_POST['Theme'];
$theme = $_POST['Theme'];
} elseif (!isset($_SESSION['Theme'])) {
$theme = $_SESSION['DefaultTheme'];
$_SESSION['Theme'] = $_SESSION['DefaultTheme'];

} else {
$theme = $_SESSION['Theme'];
}

if ($_SESSION['HTTPS_Only']==1){
if ($_SERVER['HTTPS']!='on'){
prnMsg(_('webERP is configured to allow only secure socket connections. Pages must be called with https://') . ' .....','error');
exit;
}
}

// Run with debugging messages for the system administrator(s) but not anyone else
if (in_array(15, $_SESSION['AllowedPageSecurityTokens'])) {
$debug = 1;
} else {
$debug = 0;
}

// Now check that the user as logged in has access to the page being called. The $PageSecurity
// value must be set in the script before header.inc is included. $SecurityGroups is an array of
// arrays defining access for each group of users. These definitions can be modified by a system admin under setup

if (!is_array($_SESSION['AllowedPageSecurityTokens']) AND !isset($AllowAnyone)) {
$title = _('Account Error Report');
include($PathPrefix . 'includes/header.inc');
echo '

';
prnMsg(_('Security settings have not been defined for your user account. Please advise your system administrator. It could also be that there is a session problem with your PHP web server'),'error');
include($PathPrefix . 'includes/footer.inc');
exit;
}

if (!isset($AllowAnyone)){
if ((!in_array($PageSecurity, $_SESSION['AllowedPageSecurityTokens']) OR !isset($PageSecurity))) {
$title = _('Security Permissions Problem');
include($PathPrefix . 'includes/header.inc');
echo '

';
echo '[size=+1] [size=+1]' . _('The security settings on your account do not permit you to access this function') . '';

echo '

';

include($PathPrefix . 'includes/footer.inc');
exit;
}

}

function CryptPass( $Password ) {
global $CryptFunction;
if ( $CryptFunction == 'sha1' ) {
return sha1($Password);
} elseif ( $CryptFunction == 'md5' ) {
return md5($Password);
} else {
return $Password;
}
}
?>

歡迎光臨沙仕網 (http://www.sas.tw/sas/)