diff --git a/README.md b/README.md
index 0d3a2cf..f4c2acc 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,16 @@ define('ENCRYPT_PASS', "bluelotus");
* 挑战应答式的登录校验,session绑定ip与useragent
* 密码输错三次封IP,误封请删除`DATA_PATH`/forbiddenIPList.dat文件
+## keepsession功能
+* 需要在config.php开启
+* 如果请求的get或post或cookie中带有keepsession=1,则这条记录会被keepsession
+* 请设置脚本或者网站监控定期访问keepsession.php
+* 请将cookie存在cookie参数,url存在location参数(传递方法可get可post可cookie),如`index.php?keepsession=1&cookie=aaa&location=bbb`,keepsession.php将会定期使用cookie aaa去访问bbb
+* cookie和location参数支持base64编码,keepsession.php会自动判断,自动解码
+* 如果不设置location,将会使用HTTP Referer作为url
+* keepsession.php使用`flock($pid, LOCK_EX|LOCK_NB)`实现单例运行(由于windows下不支持无阻塞锁定,所以最好删除keepsession.php里的`set_time_limit(0)`),可自行加上sleep防止keepsession.php被恶意频繁访问
+
## TODO
-* keepsession
* 完全启用CSP
* 我的js
* js模板
@@ -52,3 +60,9 @@ define('ENCRYPT_PASS', "bluelotus");
* 为方便开发与调试,未合并压缩js与css,待最终版发布后合并
* 使用纯真ip库的函数基于Discuz X3.1 function_misc.php上修改而来, 判断客户端操作系统与浏览器的脚本基于原作者@author Jea杨写的php版本修改而来,后台整体布局借鉴Kendo UI 的demo NORTHWIND DASH
* Warning: 本工具仅允许使用在CTF比赛等学习、研究场景,严禁用于非法用途
+
+## 意见与建议
+
+欢迎大家在体验过程中提出各种宝贵的意见和建议,以及各种bug!
+
+反馈邮箱firesun.cn`at`gmail.com
diff --git a/admin.php b/admin.php
index 012c94a..b5cee73 100644
--- a/admin.php
+++ b/admin.php
@@ -80,7 +80,7 @@ require("auth.php");
- Copyright © 2015-2016
Powered by Firesun
+ Copyright © 2015-2016
Powered by Firesun
diff --git a/auth.php b/auth.php
index e57d073..9092e42 100644
--- a/auth.php
+++ b/auth.php
@@ -23,4 +23,5 @@ if(!(isset($_SESSION['isLogin']) && $_SESSION['isLogin']===true && isset($_SESSI
header("Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
header("X-WebKit-CSP: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-src 'none'");
+
?>
\ No newline at end of file
diff --git a/functions.php b/functions.php
index d78da81..40d5190 100644
--- a/functions.php
+++ b/functions.php
@@ -19,17 +19,29 @@ if (!function_exists('getallheaders')) {
//判断该记录是否
function isKeepSession($info){
$keepsession=false;
- foreach($info['cookie_data'] as $k => $v) {
- if($k==="keepsession")
- $keepsession=($v==="1"?true:false);
- }
- foreach($info['post_data'] as $k => $v) {
- if($k==="keepsession")
- $keepsession=($v==="1"?true:false);
- }
+
foreach($info['get_data'] as $k => $v) {
if($k==="keepsession")
+ {
$keepsession=($v==="1"?true:false);
+ return $keepsession;
+ }
+ }
+
+ foreach($info['post_data'] as $k => $v) {
+ if($k==="keepsession")
+ {
+ $keepsession=($v==="1"?true:false);
+ return $keepsession;
+ }
+ }
+
+ foreach($info['cookie_data'] as $k => $v) {
+ if($k==="keepsession")
+ {
+ $keepsession=($v==="1"?true:false);
+ return $keepsession;
+ }
}
return $keepsession;
}
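Review bot: The three loops in isKeepSession are identical apart from the source key, and each walks a whole array just to find one key. A single loop over `get_data`, `post_data` and `cookie_data` with a direct key lookup states the GET, then POST, then cookie precedence once, and it also avoids a foreach warning when a record lacks one of those arrays. The header comment `//判断该记录是否` is cut off mid-sentence and should say what the function decides and in which order the sources are consulted. The flag comes straight from the captured request, and the README in this commit says keepsession.php then replays the request-supplied cookie against the request-supplied location. The consumer therefore presumably needs to honour the config.php switch and restrict `location` to expected http/https targets, but that code is not visible in this diff.

```php
function isKeepSession($info){
    // Precedence: GET, then POST, then cookie; the first source that carries the key decides.
    foreach (array('get_data', 'post_data', 'cookie_data') as $source) {
        if (isset($info[$source]) && is_array($info[$source])
            && array_key_exists('keepsession', $info[$source])) {
            return $info[$source]['keepsession'] === "1";
        }
    }
    return false;
}
```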
diff --git a/keepsession.php b/keepsession.php
index 9c4971f..9f0525a 100644
--- a/keepsession.php
+++ b/keepsession.php
@@ -1,9 +1,102 @@
\ No newline at end of file
diff --git a/login.php b/login.php
index e74c3ea..7a27b69 100644
--- a/login.php
+++ b/login.php
@@ -23,7 +23,7 @@ $forbiddenIPList=loadForbiddenIPList();
$ip=$_SERVER['REMOTE_ADDR'];
if(!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip]<3)
{
- if(isset($_POST['password']) && $_POST['password']!='' )
+ if(isset($_POST['password']) && $_POST['password']!="")
{
if(checkPassword($_POST['password']))
{
@@ -85,7 +85,7 @@ php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt
*/
function checkPassword($p)
{
- if(isset($_SESSION['firesunCheck'])&&isset($_POST['firesunCheck'])&&$_SESSION['firesunCheck']!=""&&$_POST['firesunCheck']===$_SESSION['firesunCheck'])
+ if(isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck']!="" && $_POST['firesunCheck']===$_SESSION['firesunCheck'])
{
//改了这个盐记得改login.js里的,两个要一致
$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";
diff --git a/static/js/notification.js b/static/js/notification.js
index 1036b1e..ed19df1 100644
--- a/static/js/notification.js
+++ b/static/js/notification.js
@@ -9,7 +9,6 @@ function readNotification(){
$(this).parent().fadeOut(200);
//reload data
$('#panelGrid').jqxGrid('updatebounddata');
- //$("#panelGrid").jqxGrid({ source: getAdapter() });
}
@@ -23,7 +22,7 @@ function showNotification(newUnreadNum,lastedID,interval){
{
if(document.title)
- document.title='【收到'+unreadNum+"份消息】"+document.title;
+ document.title='【收到'+unreadNum+"封消息】"+oldTitle;
var notificationHTML='