BlueLotus_XSSReceiver/auth.php

<?php
if (!defined('IN_XSS_PLATFORM')) {
    exit('Access Denied');
}

require_once("functions.php");

//设置httponly
ini_set("session.cookie_httponly", 1);
session_start();

//判断登陆情况，ip和useragent是否改变，改变则强制退出
if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
    $_SESSION['isLogin']    = false;
    $_SESSION['user_IP']    = "";
    $_SESSION['user_agent'] = "";
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}

//开启CSP
require_once("waf.php");
-												Version 1.0

											
										
										
											2015-10-13 00:07:10 +08:00
+								<?php
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								if (!defined('IN_XSS_PLATFORM')) {
 								    exit('Access Denied');
-												Version 2.0
实现基本功能
实现了基本界面admin.php
支持查看各种信息，支持自动base64解码

todolist
keepsession
认证
完全启用CSP
我的js
js模板

为实现一些jqxgrid无法实现的功能改动了jqx库，详见diff文件夹

											
										
										
											2015-10-27 12:26:59 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								require_once("functions.php");
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//设置httponly
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								ini_set("session.cookie_httponly", 1);
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								session_start();
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//判断登陆情况，ip和useragent是否改变，改变则强制退出
-												Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项，在有反代或负载均衡的情况下可开启XFF_ENABLE，关闭ADMIN_IP_CHECK_ENABLE
2. 修复一系列bug

											
										
										
											2016-12-27 21:49:19 +08:00
+								if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
 								    $_SESSION['isLogin']    = false;
 								    $_SESSION['user_IP']    = "";
 								    $_SESSION['user_agent'] = "";
 								    session_unset();
 								    session_destroy();
 								    header("Location: login.php");
 								    exit();
 								}
 								if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
-												Version 3.3.0
添加安装脚本install.php

											
										
										
											2016-01-28 02:19:09 +08:00
+								    $_SESSION['isLogin']    = false;
 								    $_SESSION['user_IP']    = "";
 								    $_SESSION['user_agent'] = "";
 								    session_unset();
 								    session_destroy();
 								    header("Location: login.php");
 								    exit();
-												Version 2.2
增加登录界面与登录校验

											
										
										
											2015-10-29 00:57:57 +08:00
+								}
-												Version 2.2.2
增加注销按钮
完善注释

											
										
										
											2015-10-30 22:46:04 +08:00
+								//开启CSP
-												Version 3.5.1
1. 升级PHPMailer至5.2.22
2. 安装后删除无用文件
3. 开启X-Frame-Options，X-Content-Type-Options
4. 修复一系列bug

Todo
修复jqxgrid的一些问题

											
										
										
											2017-02-18 17:07:32 +08:00
+								require_once("waf.php");