diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
index 4c58a6b57..4f462478d 100644
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@@ -14,9 +14,11 @@ class LoginController extends Zend_Controller_Action
 $request = $this->getRequest();
 Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
- if (Zend_Auth::getInstance()->hasIdentity())
+ $auth = Zend_Auth::getInstance();
+ Application_Model_Auth::pinSessionToClient($auth);
+
+ if ($auth->hasIdentity())
 {
-
 $this->_redirect('Showbuilder');
 }
@@ -52,8 +54,7 @@ class LoginController extends Zend_Controller_Action
 //pass to the adapter the submitted username and password
 $authAdapter->setIdentity($username)
 ->setCredential($password);
-
- $auth = Zend_Auth::getInstance();
+
 $result = $auth->authenticate($authAdapter);
 if ($result->isValid()) {
 //all info about this user from the login table omit only the password
@@ -66,14 +67,12 @@ class LoginController extends Zend_Controller_Action
 Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']);
 Application_Model_Subjects::resetLoginAttempts($username);
- $tempSess = new Zend_Session_Namespace("referrer");
- $tempSess->referrer = 'login';
-
 //set the user locale in case user changed it in when logging in
 Application_Model_Preference::SetUserLocale($locale);
 $this->_redirect('Showbuilder');
 } else {
+ $message = _("Wrong username or password provided. Please try again.");
 Application_Model_Subjects::increaseLoginAttempts($username);
 Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
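Review bot: The storage pin is applied ad hoc at each Zend_Auth access site — here at the top of indexAction, again in logoutAction and the password-restore action, and in Acl_plugin's preDispatch — so any code that touches Zend_Auth before or without one of these calls (an earlier front-controller plugin hook, or code that runs outside the dispatch loop) would read the unpinned default `Zend_Auth` namespace and either miss the logged-in identity or, on a server whose PHP session store is shared between Airtime copies, see another copy's; I cannot tell from this diff whether such paths exist. Pinning once in a place that runs before all of them (a bootstrap resource or a routeStartup plugin) would make the per-controller calls redundant and remove the risk of a missed site. Note also that the second hunk's `$result = $auth->authenticate($authAdapter);` now depends on the `$auth` assigned in the first hunk; indexAction begins and ends outside these hunks, so a comment such as `// $auth was pinned to this host/client id at the top of indexAction` at the authenticate call would help the next reader. The same duplicated-pin point applies to the logoutAction, password-restore and Acl_plugin hunks below and is not repeated there.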
@@ -96,7 +95,9 @@ class LoginController extends Zend_Controller_Action
 public function logoutAction()
 {
- Zend_Auth::getInstance()->clearIdentity();
+ $auth = Zend_Auth::getInstance();
+ Application_Model_Auth::pinSessionToClient($auth);
+ $auth->clearIdentity();
 $this->_redirect('showbuilder/index');
 }
@@ -188,6 +189,7 @@ class LoginController extends Zend_Controller_Action
 $auth->invalidateTokens($user, 'password.restore');
 $zend_auth = Zend_Auth::getInstance();
+ Application_Model_Auth::pinSessionToClient($zend_auth);
 $zend_auth->clearIdentity();
 $authAdapter = Application_Model_Auth::getAuthAdapter();
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 44555e533..2771b1121 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -109,9 +109,9 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
 public function preDispatch(Zend_Controller_Request_Abstract $request)
 {
 $controller = strtolower($request->getControllerName());
+ Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
 if (in_array($controller, array("api", "auth", "locale"))) {
-
 $this->setRoleName("G");
 } elseif (!Zend_Auth::getInstance()->hasIdentity()) {
diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php
index 104ee8050..04aafff6b 100644
--- a/airtime_mvc/application/models/Auth.php
+++ b/airtime_mvc/application/models/Auth.php
@@ -101,4 +101,13 @@ class Application_Model_Auth
 return $string;
 }
+
+ /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
+ * different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID.
+ * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
+ */
+ public static function pinSessionToClient($auth)
+ {
+ $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId()));
+ }
 }
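Review bot: The namespace built in pinSessionToClient concatenates `$_SERVER['SERVER_NAME']` and the client ID with no delimiter, and on common web-server configurations SERVER_NAME follows the request's Host header rather than a fixed server-side value, so part of the key that is meant to isolate instances is request-influenced and two different hostname/client-id pairs can yield the same string. Because the client ID is the only component the server fully controls, deriving the namespace from a delimited, hashed combination is safer and also keeps the key free of characters the session serializer dislikes, e.g. `$auth->setStorage(new Zend_Auth_Storage_Session('Airtime_' . hash('sha256', $_SERVER['SERVER_NAME'] . "\0" . Application_Model_Preference::GetClientId())));`. The unguarded `$_SERVER['SERVER_NAME']` read also raises a notice and silently drops the hostname component when this model is used outside a web request (CLI scripts), so an `isset()` check or a documented web-only precondition belongs in the docblock. The parameter can carry the class type hint the docblock already promises, `public static function pinSessionToClient(Zend_Auth $auth)`.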