Sessions and LDAP


Solution 1

function check_auth_ldap () {

  $sessionTimeoutSecs = 10;
  $ldapServer = '11.22.33.44';
  $ldapPort = 389;

  if (!isset($_SESSION)) session_start();

  if (!empty($_SESSION['lastactivity']) && $_SESSION['lastactivity'] > time() - $sessionTimeoutSecs && !isset($_GET['logout'])) {

    // Session is already authenticated: re-bind with the credentials kept in the session
    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (ldap_bind($ds, $_SESSION['username'], $_SESSION['password'])) {
      $_SESSION['lastactivity'] = time();
      return $ds;
    } else {
      unset($_SESSION['lastactivity'], $_SESSION['username'], $_SESSION['password']);
      header("Location: endSession.php");
      exit;
    }

  } else if (isset($_POST['username'], $_POST['password']) && $_POST['username'] !== '' && $_POST['password'] !== '') {

    // Handle login requests. Empty fields are rejected above on purpose: an empty
    // password turns ldap_bind() into an anonymous bind, which the server accepts
    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (ldap_bind($ds, $_POST['username'], $_POST['password'])) {
      // Successful auth
      $_SESSION['lastactivity'] = time();
      $_SESSION['username'] = $_POST['username'];
      $_SESSION['password'] = $_POST['password'];
      return $ds;
    } else {
      // Auth failed
      header("Location: endSession.php");
      exit;
    }

  } else {

    // Session has expired, a logout was requested, or the login form was incomplete
    unset($_SESSION['lastactivity'], $_SESSION['username'], $_SESSION['password']);
    header("Location: endSession.php");
    exit;

  }

}

Just call the above function at the top of every protected page. This will handle all the authentication processes. It will return the LDAP connection resource if the user is authenticated, and redirect them to endSession.php if they are not.

Just place this line at the top of each page:

$ds = check_auth_ldap();

...and the function will do all the legwork for you.

Solution 2

There is often a need for a bind based on the uid. I've modified the function a little to achieve this. The cn used for the bind comes from a search operation on uid for the username. Hope this helps someone.

function check_auth_ldap () {

  $sessionTimeoutSecs = 10;
  $ldapServer = 'localhost';
  $ldapBaseDN = 'ou=users,ou=subtree,dc=domain,dc=tld';
  $ldapPort = 389;
  $ldapAttributes = array("cn");

  if (!isset($_SESSION)) session_start();

  // A submitted login form with an empty field must never reach ldap_bind():
  // an empty password is an anonymous bind, which the server accepts
  if (isset($_POST['username'], $_POST['password']) && (!$_POST['username'] || !$_POST['password'])) {
    header("Location: login.php?failure=6");
    exit;
  }

  if (!empty($_SESSION['lastactivity']) && $_SESSION['lastactivity'] > time() - $sessionTimeoutSecs && !isset($_GET['logout'])) {

    // Session is already authenticated: resolve the DN from the username stored in the session.
    // ldap_escape() (PHP >= 5.6) keeps special characters in the username from altering the filter
    $ldapFilter = "(&(objectClass=*)(uid=" . ldap_escape($_SESSION['username'], '', LDAP_ESCAPE_FILTER) . "))";
    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $sr = ldap_search($ds, $ldapBaseDN, $ldapFilter, $ldapAttributes);
    $result = $sr ? ldap_get_entries($ds, $sr) : false;

    // ldap_get_entries() always returns an array; check the 'count' key, not the array itself
    if ($result && $result['count'] > 0) {
        $binddn = $result[0]['dn'];
    } else {
        ldap_close($ds);
        header("Location: login.php?failure=1");
        exit;
    }

    ldap_close($ds);

    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    if (ldap_bind($ds, $binddn, $_SESSION['password'])) {
      $_SESSION['lastactivity'] = time();
      return $ds;
    } else {
      unset($_SESSION['lastactivity'], $_SESSION['username'], $_SESSION['password']);
      header("Location: login.php?failure=2");
      exit;
    }

  } else if (isset($_POST['username'], $_POST['password'])) {

    // Handle login requests: resolve the DN from the submitted username
    $ldapFilter = "(&(objectClass=*)(uid=" . ldap_escape($_POST['username'], '', LDAP_ESCAPE_FILTER) . "))";
    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $sr = ldap_search($ds, $ldapBaseDN, $ldapFilter, $ldapAttributes);
    $result = $sr ? ldap_get_entries($ds, $sr) : false;

    if ($result && $result['count'] > 0) {
        $binddn = $result[0]['dn'];
    } else {
        ldap_close($ds);
        header("Location: login.php?failure=3");
        exit;
    }
    ldap_close($ds);

    $ds = ldap_connect($ldapServer, $ldapPort);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    if (ldap_bind($ds, $binddn, $_POST['password'])) {
      // Successful auth
      $_SESSION['lastactivity'] = time();
      $_SESSION['username'] = $_POST['username'];
      $_SESSION['password'] = $_POST['password'];
      return $ds;
    } else {
      // Auth failed
      header("Location: login.php?failure=4");
      exit;
    }

  } else {

    // Session has expired or a logout was requested
    unset($_SESSION['lastactivity'], $_SESSION['username'], $_SESSION['password']);
    header("Location: login.php?failure=5");
    exit;

  }

}
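The two answers above both keep the user's password in $_SESSION so they can re-bind on every request. The following is an added example, not code from either answer, showing the same inactivity-timeout flow without storing the password: only the resolved DN is kept, the uid lookup is escaped, empty credentials are refused before any bind, and the session id is regenerated at login. It assumes the app only needs to know who the user is (it returns the DN, not a bound connection), and the server URI, base DN and login page name are placeholders.

```php
<?php
// Added example (not from the answers above): only the resolved DN lives in the session, never the password.
// Assumed placeholders: server URI, base DN, login page name.
const LDAP_URI     = 'ldap://ldap.example.internal';     // assumed
const LDAP_BASE_DN = 'ou=users,dc=example,dc=internal';  // assumed
const IDLE_TIMEOUT = 600;                                // seconds of inactivity allowed

function ldap_conn() {
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // v3 is required by most directories
    return $ds;
}

// uid -> DN: the filter value is escaped so the username cannot alter the query, and exactly one match is required
function lookup_dn($ds, $uid) {
    $filter  = '(&(objectClass=person)(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $sr      = @ldap_search($ds, LDAP_BASE_DN, $filter, ['uid']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    return ($entries && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

function check_auth_ldap() {
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    $now = time();
    // Sliding window: the clock restarts on every request, not at login time
    if (!empty($_SESSION['dn']) && ($now - $_SESSION['lastactivity']) <= IDLE_TIMEOUT
        && !isset($_GET['logout'])) {
        $_SESSION['lastactivity'] = $now;
        return $_SESSION['dn'];
    }
    // Empty password = anonymous bind, which ldap_bind() reports as success, so reject it before binding
    if (isset($_POST['username'], $_POST['password'])
        && $_POST['username'] !== '' && $_POST['password'] !== '') {
        $ds = ldap_conn();
        $dn = lookup_dn($ds, $_POST['username']);
        if ($dn !== null && @ldap_bind($ds, $dn, $_POST['password'])) {
            ldap_unbind($ds);
            session_regenerate_id(true);   // fresh id so a pre-login session id is never reused
            $_SESSION = ['dn' => $dn, 'lastactivity' => $now];
            return $dn;
        }
    }

    // Expired, logged out, missing or wrong credentials: wipe the session and redirect
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}
```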

Solution 3

I've just written (and tested) this:

test.php

<?php
session_start();

if (isset($_GET['start']))
    $_SESSION['start'] = time();

// A session that was never started with ?start counts as logged out
if (!isset($_SESSION['start']) || time() - $_SESSION['start'] > 10)
    echo 'Logged out';
else
    echo 'Logged in';

?>

If you go to test.php?start in your browser, it will say "Logged in". Then go to test.php in your browser: any time after 10 seconds it will echo "Logged out", and any time under 10 seconds it will say "Logged in".

Author: TheAptKid

Updated on June 08, 2022

Comments

  • TheAptKid, almost 2 years ago

    I have a webpage. The authentication to the webpage is handled by an LDAP server I have set up. Now I want to implement sessions, so that when a user is inactive for a period of time (in the case below, 10 seconds), the session will end and the user will unbind from the LDAP server. I found this excerpt of code:

    <?php
        session_cache_expire(20);

        session_start();
        $inactive = 10;
        if(isset($_SESSION['start'])) {
            $session_life = time() - $_SESSION['start'];
            if($session_life > $inactive){
                header("Location: endSession.php");
                exit; // stop rendering the protected page once the redirect is sent
            }
        }
        $_SESSION['start'] = time();
    ?>


    It is not working. If I refresh the page it redirects me to my 'endSession.php' page, even if I'm active.