2 /* vim: set expandtab sw=4 ts=4 sts=4: */
4 * Set of functions used to run cookie based authentication.
6 * @package phpMyAdmin-Auth-Cookie
9 if (! defined('PHPMYADMIN')) {
14 * Swekey authentication functions.
16 require './libraries/auth/swekey/swekey.auth.lib.php';
18 if (function_exists('mcrypt_encrypt')) {
20 * Uses faster mcrypt library if available
21 * (as this is not called from anywhere else, put the code in-line
22 * for faster execution)
27 * Store the initialization vector because it will be needed for
28 * further decryption. I don't think necessary to have one iv
29 * per server so I don't put the server number in the cookie name.
31 if (empty($_COOKIE['pma_mcrypt_iv'])
32 ||
false === ($iv = base64_decode($_COOKIE['pma_mcrypt_iv'], true))) {
33 srand((double) microtime() * 1000000);
34 $td = mcrypt_module_open(MCRYPT_BLOWFISH
, '', MCRYPT_MODE_CBC
, '');
36 PMA_warnMissingExtension('mcrypt');
38 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND
);
39 $GLOBALS['PMA_Config']->setCookie('pma_mcrypt_iv', base64_encode($iv));
43 * Encryption using blowfish algorithm (mcrypt)
45 * @param string original data
46 * @param string the secret
48 * @return string the encrypted result
53 function PMA_blowfish_encrypt($data, $secret)
56 return base64_encode(mcrypt_encrypt(MCRYPT_BLOWFISH
, $secret, $data, MCRYPT_MODE_CBC
, $iv));
60 * Decryption using blowfish algorithm (mcrypt)
62 * @param string encrypted data
63 * @param string the secret
65 * @return string original data
70 function PMA_blowfish_decrypt($encdata, $secret)
73 return trim(mcrypt_decrypt(MCRYPT_BLOWFISH
, $secret, base64_decode($encdata), MCRYPT_MODE_CBC
, $iv));
77 require_once './libraries/blowfish.php';
78 if (!$GLOBALS['cfg']['McryptDisableWarning']) {
79 PMA_warnMissingExtension('mcrypt');
84 * Returns blowfish secret or generates one if needed.
85 * @uses $cfg['blowfish_secret']
86 * @uses $_SESSION['auto_blowfish_secret']
90 function PMA_get_blowfish_secret() {
91 if (empty($GLOBALS['cfg']['blowfish_secret'])) {
92 if (empty($_SESSION['auto_blowfish_secret'])) {
93 // this returns 23 characters
94 $_SESSION['auto_blowfish_secret'] = uniqid('', true);
96 return $_SESSION['auto_blowfish_secret'];
98 // apply md5() to work around too long secrets (returns 32 characters)
99 return md5($GLOBALS['cfg']['blowfish_secret']);
104 * Displays authentication form
106 * this function MUST exit/quit the application
108 * @uses $GLOBALS['server']
109 * @uses $GLOBALS['PHP_AUTH_USER']
110 * @uses $GLOBALS['pma_auth_server']
111 * @uses $GLOBALS['text_dir']
112 * @uses $GLOBALS['pmaThemeImage']
113 * @uses $GLOBALS['charset']
114 * @uses $GLOBALS['target']
115 * @uses $GLOBALS['db']
116 * @uses $GLOBALS['table']
117 * @uses $GLOBALS['pmaThemeImage']
118 * @uses $cfg['Servers']
119 * @uses $cfg['LoginCookieRecall']
121 * @uses $cfg['Server']
122 * @uses $cfg['ReplaceHelpImg']
123 * @uses $cfg['blowfish_secret']
124 * @uses $cfg['AllowArbitraryServer']
126 * @uses $_REQUEST['old_usr']
127 * @uses PMA_sendHeaderLocation()
128 * @uses PMA_select_language()
129 * @uses PMA_select_server()
130 * @uses file_exists()
133 * @uses htmlspecialchars()
135 * @global string the last connection error
143 /* Perform logout to custom URL */
144 if (! empty($_REQUEST['old_usr'])
145 && ! empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
146 PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
150 /* No recall if blowfish secret is not configured as it would produce garbage */
151 if ($GLOBALS['cfg']['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
152 $default_user = $GLOBALS['PHP_AUTH_USER'];
153 $default_server = $GLOBALS['pma_auth_server'];
157 $default_server = '';
158 // skip the IE autocomplete feature.
159 $autocomplete = ' autocomplete="off"';
162 $cell_align = ($GLOBALS['text_dir'] == 'ltr') ?
'left' : 'right';
164 // Defines the charset to be used
165 header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
166 // Defines the "item" image depending on text direction
167 $item_img = $GLOBALS['pmaThemeImage'] . 'item_' . $GLOBALS['text_dir'] . '.png';
169 /* HTML header; do not show here the PMA version to improve security */
170 $page_title = 'phpMyAdmin ';
171 require './libraries/header_meta_style.inc.php';
173 <script src
="./js/jquery/jquery-1.4.2.js" type
="text/javascript"></script
>
174 <script src
="./js/update-location.js" type
="text/javascript"></script
>
175 <script type
="text/javascript">
177 // show login form in top frame
179 window
.top
.location
.href
=location
;
183 <script src
="./js/functions.js" type
="text/javascript"></script
>
186 <body
class="loginform">
189 if (file_exists(CUSTOM_HEADER_FILE
)) {
190 require CUSTOM_HEADER_FILE
;
194 <div
class="container">
195 <a href
="http://www.phpmyadmin.net" target
="_blank" class="logo"><?php
196 $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
197 if (@file_exists
($logo_image)) {
198 echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
200 echo '<img name="imLogo" id="imLogo" src="' . $GLOBALS['pmaThemeImage'] . 'pma_logo.png' . '" '
201 . 'border="0" width="88" height="31" alt="phpMyAdmin" />';
206 echo sprintf(__('Welcome to %s'),
207 '<bdo dir="ltr" xml:lang="en">' . $page_title . '</bdo>');
212 // Show error message
213 if (! empty($conn_error)) {
214 PMA_Message
::rawError($conn_error)->display();
217 // Displays the languages form
218 if (empty($GLOBALS['cfg']['Lang'])) {
219 require_once './libraries/display_select_lang.lib.php';
220 // use fieldset, don't show doc link
221 PMA_select_language(true, false);
227 <form method
="post" action
="index.php" name
="login_form"<?php
echo $autocomplete; ?
> target
="_top" class="login">
232 echo '<a href="./Documentation.html" target="documentation" ' .
233 'title="' . __('phpMyAdmin documentation') . '">';
234 if ($GLOBALS['cfg']['ReplaceHelpImg']) {
235 echo '<img class="icon" src="' . $GLOBALS['pmaThemeImage'] . 'b_help.png" width="11" height="11" alt="' . __('phpMyAdmin documentation') . '" />';
243 <?php
if ($GLOBALS['cfg']['AllowArbitraryServer']) { ?
>
245 <label
for="input_servername" title
="<?php echo __('You can enter hostname/IP address and port separated by space.'); ?>"><?php
echo __('Server:'); ?
></label
>
246 <input type
="text" name
="pma_servername" id
="input_servername" value
="<?php echo htmlspecialchars($default_server); ?>" size
="24" class="textfield" title
="<?php echo __('You can enter hostname/IP address and port separated by space.'); ?>" />
250 <label
for="input_username"><?php
echo __('Username:'); ?
></label
>
251 <input type
="text" name
="pma_username" id
="input_username" value
="<?php echo htmlspecialchars($default_user); ?>" size
="24" class="textfield"/>
254 <label
for="input_password"><?php
echo __('Password:'); ?
></label
>
255 <input type
="password" name
="pma_password" id
="input_password" value
="" size
="24" class="textfield" />
258 if (count($GLOBALS['cfg']['Servers']) > 1) {
261 <label
for="select_server"><?php
echo __('Server Choice'); ?
>:</label
>
262 <select name
="server" id
="select_server"
264 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
265 echo ' onchange="document.forms[\'login_form\'].elements[\'pma_servername\'].value = \'\'" ';
269 require_once './libraries/select_server.lib.php';
270 PMA_select_server(false, false);
272 echo '</select></div>';
274 echo ' <input type="hidden" name="server" value="' . $GLOBALS['server'] . '" />';
275 } // end if (server choice)
278 <fieldset
class="tblFooters">
279 <input value
="<?php echo __('Go'); ?>" type
="submit" id
="input_go" />
281 $_form_params = array();
282 if (! empty($GLOBALS['target'])) {
283 $_form_params['target'] = $GLOBALS['target'];
285 if (! empty($GLOBALS['db'])) {
286 $_form_params['db'] = $GLOBALS['db'];
288 if (! empty($GLOBALS['table'])) {
289 $_form_params['table'] = $GLOBALS['table'];
291 // do not generate a "server" hidden field as we want the "server"
292 // drop-down to have priority
293 echo PMA_generate_common_hidden_inputs($_form_params, '', 0, 'server');
300 // BEGIN Swekey Integration
301 Swekey_login('input_username', 'input_go');
302 // END Swekey Integration
304 // show the "Cookies required" message only if cookies are disabled
305 // (we previously tried to set some cookies)
306 if (empty($_COOKIE)) {
307 trigger_error(__('Cookies must be enabled past this point.'), E_USER_NOTICE
);
309 if ($GLOBALS['error_handler']->hasDisplayErrors()) {
311 $GLOBALS['error_handler']->dispErrors();
317 if (file_exists(CUSTOM_FOOTER_FILE
)) {
318 require CUSTOM_FOOTER_FILE
;
325 } // end of the 'PMA_auth()' function
330 * Gets advanced authentication settings
332 * this function DOES NOT check authentication - it just checks/provides
333 * authentication credentials required to connect to the MySQL server
334 * usually with PMA_DBI_connect()
336 * it returns false if something is missing - which usually leads to
337 * PMA_auth() which displays login form
339 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
341 * it directly switches to PMA_auth_fails() if user inactivity timout is reached
343 * @todo AllowArbitraryServer on does not imply that the user wants an
344 * arbitrary server, or? so we should also check if this is filled and
345 * not only if allowed
346 * @uses $GLOBALS['PHP_AUTH_USER']
347 * @uses $GLOBALS['PHP_AUTH_PW']
348 * @uses $GLOBALS['no_activity']
349 * @uses $GLOBALS['server']
350 * @uses $GLOBALS['from_cookie']
351 * @uses $GLOBALS['pma_auth_server']
352 * @uses $cfg['AllowArbitraryServer']
353 * @uses $cfg['LoginCookieValidity']
354 * @uses $cfg['Servers']
355 * @uses $_REQUEST['old_usr'] from logout link
356 * @uses $_REQUEST['pma_username'] from login form
357 * @uses $_REQUEST['pma_password'] from login form
358 * @uses $_REQUEST['pma_servername'] from login form
360 * @uses $_SESSION['last_access_time']
361 * @uses $GLOBALS['PMA_Config']->removeCookie()
362 * @uses PMA_blowfish_decrypt()
363 * @uses PMA_auth_fails()
366 * @return boolean whether we get authentication settings or not
370 function PMA_auth_check()
374 * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
376 $GLOBALS['pma_auth_server'] = '';
378 $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
379 $GLOBALS['from_cookie'] = false;
381 // BEGIN Swekey Integration
382 if (! Swekey_auth_check()) {
385 // END Swekey Integration
387 if (defined('PMA_CLEAR_COOKIES')) {
388 foreach($GLOBALS['cfg']['Servers'] as $key => $val) {
389 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
390 $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
391 $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
396 if (! empty($_REQUEST['old_usr'])) {
397 // The user wants to be logged out
398 // -> delete his choices that were stored in session
400 // according to the PHP manual we should do this before the destroy:
401 //$_SESSION = array();
402 // but we still need some parts of the session information
403 // in libraries/header_meta_style.inc.php
406 // -> delete password cookie(s)
407 if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
408 foreach($GLOBALS['cfg']['Servers'] as $key => $val) {
409 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
410 if (isset($_COOKIE['pmaPass-' . $key])) {
411 unset($_COOKIE['pmaPass-' . $key]);
415 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
416 if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
417 unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
422 if (! empty($_REQUEST['pma_username'])) {
423 // The user just logged in
424 $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
425 $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ?
'' : $_REQUEST['pma_password'];
426 if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
427 $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
432 // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
433 // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
436 if ($GLOBALS['cfg']['AllowArbitraryServer']
437 && ! empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
438 $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
442 if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
446 $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt(
447 $_COOKIE['pmaUser-' . $GLOBALS['server']],
448 PMA_get_blowfish_secret());
450 // user was never logged in since session start
451 if (empty($_SESSION['last_access_time'])) {
455 // User inactive too long
456 if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
457 PMA_cacheUnset('is_create_db_priv', true);
458 PMA_cacheUnset('is_process_priv', true);
459 PMA_cacheUnset('is_reload_priv', true);
460 PMA_cacheUnset('db_to_create', true);
461 PMA_cacheUnset('dbs_where_create_table_allowed', true);
462 $GLOBALS['no_activity'] = true;
468 if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
472 $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt(
473 $_COOKIE['pmaPass-' . $GLOBALS['server']],
474 PMA_get_blowfish_secret());
476 if ($GLOBALS['PHP_AUTH_PW'] == "\xff(blank)") {
477 $GLOBALS['PHP_AUTH_PW'] = '';
480 $GLOBALS['from_cookie'] = true;
483 } // end of the 'PMA_auth_check()' function
487 * Set the user and password after last checkings if required
489 * @uses $GLOBALS['PHP_AUTH_USER']
490 * @uses $GLOBALS['PHP_AUTH_PW']
491 * @uses $GLOBALS['server']
492 * @uses $GLOBALS['from_cookie']
493 * @uses $GLOBALS['pma_auth_server']
494 * @uses $cfg['Server']
495 * @uses $cfg['AllowArbitraryServer']
496 * @uses $cfg['LoginCookieStore']
497 * @uses $cfg['PmaAbsoluteUri']
498 * @uses $_SESSION['last_access_time']
499 * @uses PMA_COMING_FROM_COOKIE_LOGIN
500 * @uses $GLOBALS['PMA_Config']->setCookie()
501 * @uses PMA_blowfish_encrypt()
502 * @uses $GLOBALS['PMA_Config']->removeCookie()
503 * @uses PMA_sendHeaderLocation()
506 * @return boolean always true
510 function PMA_auth_set_user()
514 // Ensures valid authentication mode, 'only_db', bookmark database and
515 // table names and relation table name are used
516 if ($cfg['Server']['user'] != $GLOBALS['PHP_AUTH_USER']) {
517 foreach ($cfg['Servers'] as $idx => $current) {
518 if ($current['host'] == $cfg['Server']['host']
519 && $current['port'] == $cfg['Server']['port']
520 && $current['socket'] == $cfg['Server']['socket']
521 && $current['ssl'] == $cfg['Server']['ssl']
522 && $current['connect_type'] == $cfg['Server']['connect_type']
523 && $current['user'] == $GLOBALS['PHP_AUTH_USER']) {
524 $GLOBALS['server'] = $idx;
525 $cfg['Server'] = $current;
531 if ($GLOBALS['cfg']['AllowArbitraryServer']
532 && ! empty($GLOBALS['pma_auth_server'])) {
533 /* Allow to specify 'host port' */
534 $parts = explode(' ', $GLOBALS['pma_auth_server']);
535 if (count($parts) == 2) {
536 $tmp_host = $parts[0];
537 $tmp_port = $parts[1];
539 $tmp_host = $GLOBALS['pma_auth_server'];
542 if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
543 $cfg['Server']['host'] = $tmp_host;
544 if (!empty($tmp_port)) {
545 $cfg['Server']['port'] = $tmp_port;
548 unset($tmp_host, $tmp_port, $parts);
550 $cfg['Server']['user'] = $GLOBALS['PHP_AUTH_USER'];
551 $cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
553 $_SESSION['last_access_time'] = time();
555 // Name and password cookies need to be refreshed each time
556 // Duration = one month for username
557 $GLOBALS['PMA_Config']->setCookie('pmaUser-' . $GLOBALS['server'],
558 PMA_blowfish_encrypt($cfg['Server']['user'],
559 PMA_get_blowfish_secret()));
561 // Duration = as configured
562 $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $GLOBALS['server'],
563 PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ?
$cfg['Server']['password'] : "\xff(blank)",
564 PMA_get_blowfish_secret()),
566 $GLOBALS['cfg']['LoginCookieStore']);
568 // Set server cookies if required (once per session) and, in this case, force
569 // reload to ensure the client accepts cookies
570 if (! $GLOBALS['from_cookie']) {
571 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
572 if (! empty($GLOBALS['pma_auth_server'])) {
573 // Duration = one month for servername
574 $GLOBALS['PMA_Config']->setCookie('pmaServer-' . $GLOBALS['server'], $cfg['Server']['host']);
576 // Delete servername cookie
577 $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $GLOBALS['server']);
582 $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
584 // any parameters to pass?
585 $url_params = array();
586 if (strlen($GLOBALS['db'])) {
587 $url_params['db'] = $GLOBALS['db'];
589 if (strlen($GLOBALS['table'])) {
590 $url_params['table'] = $GLOBALS['table'];
592 // any target to pass?
593 if (! empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
594 $url_params['target'] = $GLOBALS['target'];
598 * whether we come from a fresh cookie login
600 define('PMA_COMING_FROM_COOKIE_LOGIN', true);
601 PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
606 } // end of the 'PMA_auth_set_user()' function
610 * User is not allowed to login to MySQL -> authentication failed
612 * prepares error message and switches to PMA_auth() which display the error
615 * this function MUST exit/quit the application,
616 * currently doen by call to PMA_auth()
618 * @uses $GLOBALS['server']
619 * @uses $GLOBALS['allowDeny_forbidden']
620 * @uses $GLOBALS['no_activity']
621 * @uses $cfg['LoginCookieValidity']
622 * @uses $GLOBALS['PMA_Config']->removeCookie()
624 * @uses PMA_DBI_getError()
625 * @uses PMA_sanitize()
631 function PMA_auth_fails()
635 // Deletes password cookie and displays the login form
636 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
638 if (! empty($GLOBALS['login_without_password_is_forbidden'])) {
639 $conn_error = __('Login without a password is forbidden by configuration (see AllowNoPassword)');
640 } elseif (! empty($GLOBALS['allowDeny_forbidden'])) {
641 $conn_error = __('Access denied');
642 } elseif (! empty($GLOBALS['no_activity'])) {
643 $conn_error = sprintf(__('No activity within %s seconds; please log in again'), $GLOBALS['cfg']['LoginCookieValidity']);
644 // Remember where we got timeout to return on same place
645 if (PMA_getenv('SCRIPT_NAME')) {
646 $GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
647 // avoid "missing parameter: field" on re-entry
648 if ('tbl_alter.php' == $GLOBALS['target']) {
649 $GLOBALS['target'] = 'tbl_structure.php';
652 } elseif (PMA_DBI_getError()) {
653 $conn_error = '#' . $GLOBALS['errno'] . ' ' . __('Cannot log in to the MySQL server');
655 $conn_error = __('Cannot log in to the MySQL server');
658 // needed for PHP-CGI (not need for FastCGI or mod-php)
659 header('Cache-Control: no-store, no-cache, must-revalidate');
660 header('Pragma: no-cache');
663 } // end of the 'PMA_auth_fails()' function