-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathsession-transfer.php.txt
More file actions
139 lines (116 loc) · 4.38 KB
/
session-transfer.php.txt
File metadata and controls
139 lines (116 loc) · 4.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
<?php
/* On login requests (this should be determined on the remote host) eg. user visits a URL locally
on the control panel /login-enduser
1. Make a request in the background to session-transfer.php?api-key=<key>&username=<account>
If account is a valid email, no 'access' array needs to be POST'ed in this request
otherwide POST an access array
eg. array('mail' => array('user@example.com', 'alias@example.com'))
eg. array('domain' => array('example.com'))
2. The 'session' id returned by this file should be used to redirect the user
Location: session-transfer.php?session=<SESSION>
Simple example usage (be aware that a session is always created on the end-user regardless if the link
is visited or not.
<?php
function halon_generateLink($username, $domains)
{
// change these settings
$enduser = 'http://10.2.0.166/enduser/';
$apikey = 'secret'; // settings.php
$get = http_build_query(
array(
'username' => $username,
'api-key' => $apikey
)
);
$access = http_build_query(
array(
'access' => array('domain' => $domains)
)
);
$opts = array('http' =>
array(
'method' => 'POST',
'header' => 'Content-type: application/x-www-form-urlencoded',
'content' => $access
)
);
$context = stream_context_create($opts);
$result = json_decode(@file_get_contents($enduser.'session-transfer.php?'.$get, false, $context));
if (!$result || !isset($result->session))
return null;
return $enduser.'session-transfer.php?session='.$result->session;
}
$link = halon_generateLink('User Name', array('example.se', 'example.com'));
echo '<a href="'.$link.'">End-user</a>';
?>
*/
define('BASE', dirname(__FILE__));
require_once BASE.'/inc/core.php';
require_once BASE.'/inc/utils.php';
header('Content-Type: text/plain');
if (isset($_POST['session']))
{
if (isset($_GET['api-key']))
die('STOP! You should NOT include the api-key in this request!');
$session_name = $settings->getSessionName();
if ($session_name)
session_name($session_name);
session_id($_POST['session']);
session_start();
if (!isset($_SESSION['session_transfer'])) {
session_destroy();
die('Invalid session ID');
} else {
unset($_SESSION['session_transfer']);
}
session_regenerate_id(true);
if (isset($_POST['ff']) && isset($_POST['fo']) && isset($_POST['fv']))
addFilter($_POST['ff'], $_POST['fo'], $_POST['fv']);
$page = 'index';
$query = '';
if (isset($_POST['page']))
$page = $_POST['page'];
if (isset($_POST['search']))
$query .= '&search='.$_POST['search'];
header('Location: index.php?page='.$page.$query);
die();
}
if (count(Settings::Get()->getSessionTransferRestrictByIP()) > 0 && !in_array($_SERVER['REMOTE_ADDR'], Settings::Get()->getSessionTransferRestrictByIP()))
die(json_encode(array('error' => 'Access denied')));
if (!isset($_GET['api-key']) || $settings->getAPIKey() !== $_GET['api-key'])
die(json_encode(array('error' => 'Invalid API-key')));
if (!isset($_GET['username']))
die(json_encode(array('error' => 'No username given')));
session_start();
$_SESSION['timezone'] = isset($_GET['timezone']) ? $_GET['timezone'] : 0;
// convert tz min offset to ISO 8601 UTC
if (isset($_GET['timezone']) && intval($_GET['timezone'])) {
$tz = intval($_GET['timezone']);
$tzoffset = [
'hours' => sprintf('%02d' ,(int)abs($tz / 60)),
'minutes' => sprintf('%02d', abs($tz % 60))
];
$tzformat = '';
if ($tz < 0)
$tzformat = '+'.$tzoffset['hours'].':'.$tzoffset['minutes'];
else if ($tz > 0)
$tzformat = '-'.$tzoffset['hours'].':'.$tzoffset['minutes'];
else
$tzformat = 'Z';
$_SESSION['timezone_utc'] = $tzformat;
}
if (isset($_GET['locale']))
$_SESSION['locale'] = $_GET['locale'];
$_SESSION['session_transfer'] = true;
$_SESSION['username'] = $_GET['username'];
$_SESSION['source'] = 'external';
$_SESSION['access'] = isset($_POST['access']) ? $_POST['access'] : array('mail' => array($_GET['username']));
$_SESSION['authenticated'] = true;
$_SESSION['navbar_hide'] = $settings->getSessionNavbarHide();
$_SESSION['feature_access'] = [];
if (isset($_GET['textlog']) && $_GET['textlog'] === '1')
$_SESSION['feature_access'][] = 'textlog';
if (isset($_GET['report']) && $_GET['report'] === '1')
$_SESSION['feature_access'][] = 'report';
die(json_encode(array('session' => session_id())));
?>