BlueLotus_XSSReceiver/auth.php

<?php
if (!defined('IN_XSS_PLATFORM')) {
    exit('Access Denied');
}

require_once('functions.php');

//设置httponly
ini_set('session.cookie_httponly', 1);
session_start();

//判断登陆情况，ip和useragent是否改变，改变则强制退出
if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit();
}

if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != '' && $_SESSION['user_IP'] === getRealIP()) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = '';
    $_SESSION['user_agent'] = '';
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit();
}

//开启CSP
require_once('waf.php');
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								<?php
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if (!defined('IN_XSS_PLATFORM')) {
 								    exit('Access Denied');
-												Version 2.0
实现基本功能
实现了基本界面admin.php
支持查看各种信息，支持自动base64解码

todolist
keepsession
认证
完全启用CSP
我的js
js模板

为实现一些jqxgrid无法实现的功能改动了jqx库，详见diff文件夹

											
										
										
											2015-10-27 12:26:59 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								require_once('functions.php');
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//设置httponly
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								ini_set('session.cookie_httponly', 1);
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								session_start();
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//判断登陆情况，ip和useragent是否改变，改变则强制退出
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
 								    $_SESSION['isLogin']    = false;
 								    $_SESSION['user_IP']    = "";
 								    $_SESSION['user_agent'] = "";
 								    session_unset();
 								    session_destroy();
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								    header('Location: login.php');
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								    exit();
 								}
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != '' && $_SESSION['user_IP'] === getRealIP()) ) {
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								    $_SESSION['isLogin']    = false;
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								    $_SESSION['user_IP']    = '';
 								    $_SESSION['user_agent'] = '';
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								    session_unset();
 								    session_destroy();
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								    header('Location: login.php');
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								    exit();
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//开启CSP
-												Version 3.5.3
1. 增加referer校验防御CSRF
2. 修复若干小bug
3. 更新IP库

											
										
										
											2022-05-24 00:13:20 +08:00
+								require_once('waf.php');