security.inc
This file includes functions to perform several security checks on each page load.
Tags
Interfaces, Classes, Traits and Enums
- LamTemporaryFilesManager
- Manages temporary files.
Table of Contents
- lam_start_session() : mixed
- Starts a session and sets the cookie options.
- lamDefaultCookieOptions() : array<string|int, mixed>
- startSecureSession() : bool
- Starts a session and checks the environment.
- isFileBasedSession() : bool
- Returns if the session uses files storage.
- checkClientIP() : mixed
- Checks if the client's IP address is on the list of allowed IPs.
- logoffAndBackToLoginPage() : void
- Logs off the user and displays the login page.
- isDebugLoggingEnabled() : bool
- Returns if debug messages are to be logged.
- logNewMessage() : void
- Puts a new message in the log file.
- checkIfWriteAccessIsAllowed() : bool
- Checks if write access to LDAP is allowed.
- checkIfPasswordChangeIsAllowed() : bool
- Checks if passwords may be changed.
- checkIfNewEntriesAreAllowed() : bool
- Checks if it is allowed to create new LDAP entries of the given type.
- checkIfDeleteEntriesIsAllowed() : bool
- Checks if it is allowed to delete LDAP entries of the given type.
- checkPasswordStrength() : mixed
- Checks if the password fulfills the password policies.
- checkPwdWithExternalPasswordService() : bool
- Checks the password against the external password service.
- checkIfToolIsActive() : mixed
- Checks if the given tool is active.
- isLoggedIn() : bool
- Returns if the user is logged in.
- getClientIPForLogging() : string
- Returns the client IP and comma separated proxy IPs if any (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).
- getLamLdapUser() : string
- Returns the login dn of the current user.
- addSecurityTokenToSession() : void
- Adds a security token to the session to prevent CSRF attacks.
- validateSecurityToken() : mixed
- Checks if the security token from SESSION matches POST data.
- addSecurityTokenToMetaHTML() : mixed
- Adds a hidden input field to the given meta HTML table.
- getSecurityTokenName() : string
- Returns the name of the security token parameter.
- getSecurityTokenValue() : string
- Returns the value of the security token parameter.
- setLAMHeaders() : mixed
- Sets the X-Frame-Options and Content-Security-Policy header to prevent clickjacking.
- lamEncrypt() : object
- Encrypts a string
- lamDecrypt() : string
- Decrypts a string
- lamEncryptionAlgo() : string
- Returns the encryption algorithm to use.
- lamLogRemoteMessage() : mixed
- Logs a message to a remote logging service.
Functions
lam_start_session()
Starts a session and sets the cookie options.
lam_start_session() : mixed
Return values
mixed —lamDefaultCookieOptions()
lamDefaultCookieOptions() : array<string|int, mixed>
Return values
array<string|int, mixed> —startSecureSession()
Starts a session and checks the environment.
startSecureSession([bool $redirectToLogin = true ][, bool $initSecureData = false ]) : bool
The script is stopped if one of the checks fail (timeout redirection may be overridden).
Parameters
- $redirectToLogin : bool = true
-
redirect user to login page (default: true)
- $initSecureData : bool = false
-
init verification data like session ID and client IP (default: false)
Return values
bool —true if all ok, false if session expired
isFileBasedSession()
Returns if the session uses files storage.
isFileBasedSession() : bool
Return values
bool —file based session
checkClientIP()
Checks if the client's IP address is on the list of allowed IPs.
checkClientIP() : mixed
The script is stopped if the host is not valid.
Return values
mixed —logoffAndBackToLoginPage()
Logs off the user and displays the login page.
logoffAndBackToLoginPage() : void
Return values
void —isDebugLoggingEnabled()
Returns if debug messages are to be logged.
isDebugLoggingEnabled() : bool
Return values
bool —debug enabled
logNewMessage()
Puts a new message in the log file.
logNewMessage(string $level, string $message) : void
Parameters
- $level : string
-
log level (LOG_DEBUG, LOG_NOTICE, LOG_WARNING, LOG_ERR)
- $message : string
-
log message
Return values
void —checkIfWriteAccessIsAllowed()
Checks if write access to LDAP is allowed.
checkIfWriteAccessIsAllowed([string $scope = null ]) : bool
Parameters
- $scope : string = null
-
account type (e.g. user)
Return values
bool —true, if allowed
checkIfPasswordChangeIsAllowed()
Checks if passwords may be changed.
checkIfPasswordChangeIsAllowed() : bool
Return values
bool —true, if allowed
checkIfNewEntriesAreAllowed()
Checks if it is allowed to create new LDAP entries of the given type.
checkIfNewEntriesAreAllowed(string $scope) : bool
This also checks if general write access is enabled.
Parameters
- $scope : string
-
account type (e.g. 'user')
Return values
bool —true, if new entries are allowed
checkIfDeleteEntriesIsAllowed()
Checks if it is allowed to delete LDAP entries of the given type.
checkIfDeleteEntriesIsAllowed(string $scope) : bool
Parameters
- $scope : string
-
account type (e.g. 'user')
Return values
bool —true, if entries may be deleted
checkPasswordStrength()
Checks if the password fulfills the password policies.
checkPasswordStrength(string $password, string|array<string|int, mixed> $userNames, array<string|int, mixed> $otherUserAttrs) : mixed
Parameters
- $password : string
-
password
- $userNames : string|array<string|int, mixed>
-
user name(s)
- $otherUserAttrs : array<string|int, mixed>
-
user's first/last name
Return values
mixed —true if ok, string with error message if not valid
checkPwdWithExternalPasswordService()
Checks the password against the external password service.
checkPwdWithExternalPasswordService(LAMCfgMain $cfg, string $password) : bool
Parameters
- $cfg : LAMCfgMain
-
main configuration
- $password : string
-
password
Return values
bool —password accepted as secure
checkIfToolIsActive()
Checks if the given tool is active.
checkIfToolIsActive(string $tool) : mixed
Otherwise, an error message is logged and the execution is stopped (die()).
Parameters
- $tool : string
-
tool class name (e.g. toolFileUpload)
Return values
mixed —isLoggedIn()
Returns if the user is logged in.
isLoggedIn() : bool
Return values
bool —is logged in
getClientIPForLogging()
Returns the client IP and comma separated proxy IPs if any (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).
getClientIPForLogging() : string
Return values
string —client IP (e.g. 10.10.10.10,11.11.11.11)
getLamLdapUser()
Returns the login dn of the current user.
getLamLdapUser() : string
Return values
string —user DN
addSecurityTokenToSession()
Adds a security token to the session to prevent CSRF attacks.
addSecurityTokenToSession([bool $overwrite = true ]) : void
Parameters
- $overwrite : bool = true
-
overwrite existing token
Return values
void —validateSecurityToken()
Checks if the security token from SESSION matches POST data.
validateSecurityToken() : mixed
Return values
mixed —addSecurityTokenToMetaHTML()
Adds a hidden input field to the given meta HTML table.
addSecurityTokenToMetaHTML(htmlTable|htmlGroup|htmlResponsiveRow &$container) : mixed
Should be used to add token at the end of table.
Parameters
- $container : htmlTable|htmlGroup|htmlResponsiveRow
-
table
Return values
mixed —getSecurityTokenName()
Returns the name of the security token parameter.
getSecurityTokenName() : string
Return values
string —name
getSecurityTokenValue()
Returns the value of the security token parameter.
getSecurityTokenValue() : string
Return values
string —value
setLAMHeaders()
Sets the X-Frame-Options and Content-Security-Policy header to prevent clickjacking.
setLAMHeaders() : mixed
Return values
mixed —lamEncrypt()
Encrypts a string
lamEncrypt(string $data[, string $prefix = '' ]) : object
Parameters
- $data : string
-
string to encrypt
- $prefix : string = ''
-
prefix for cookie names
Return values
object —encrypted string
lamDecrypt()
Decrypts a string
lamDecrypt(object $data[, string $prefix = '' ]) : string
Parameters
- $data : object
-
string to decrypt
- $prefix : string = ''
-
prefix for cookie names
Return values
string —decrypted string
lamEncryptionAlgo()
Returns the encryption algorithm to use.
lamEncryptionAlgo() : string
Return values
string —algorithm name
lamLogRemoteMessage()
Logs a message to a remote logging service.
lamLogRemoteMessage(int $level, string $message, LAMCfgMain $cfgMain) : mixed
Parameters
- $level : int
-
log level
- $message : string
-
log message
- $cfgMain : LAMCfgMain
-
main configuration