4 * Prevents users from reposting their form data after a successful logout.
6 * Derived from webmail.php by Ralf Kraudelt <kraude@wiwi.uni-rostock.de>
8 * @copyright 1999-2011 The SquirrelMail Project Team
9 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
11 * @package squirrelmail
14 /** This is the redirect page */
15 define('PAGE_NAME', 'redirect');
18 * Include the SquirrelMail initialization file.
20 require('../include/init.php');
22 /* SquirrelMail required files. */
23 require_once(SM_PATH
. 'functions/imap_general.php');
24 require_once(SM_PATH
. 'functions/strings.php');
26 // Disable browser caching
28 header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
29 header('Pragma: no-cache');
30 header('Expires: Sat, 1 Jan 2000 00:00:00 GMT');
31 $location = get_location();
33 // session_set_cookie_params (0, $base_uri);
35 sqsession_unregister ('user_is_logged_in');
36 sqsession_register ($base_uri, 'base_uri');
38 /* get globals we me need */
39 sqGetGlobalVar('login_username', $login_username);
40 sqGetGlobalVar('secretkey', $secretkey);
41 if(!sqGetGlobalVar('squirrelmail_language', $squirrelmail_language) ||
$squirrelmail_language == '') {
42 $squirrelmail_language = $squirrelmail_default_language;
44 if (!sqgetGlobalVar('mailtodata', $mailtodata)) {
48 /* end of get globals */
50 set_up_language($squirrelmail_language, true);
51 /* Refresh the language cookie. */
52 sqsetcookie('squirrelmail_language', $squirrelmail_language, time()+
2592000,
55 if (!isset($login_username)) {
56 logout_error( _("You must be logged in to access this page.") );
60 do_hook('login_before', $null);
62 $onetimepad = OneTimePadCreate(strlen($secretkey));
63 $key = OneTimePadEncrypt($secretkey, $onetimepad);
65 /* remove redundant spaces */
66 $login_username = trim($login_username);
68 /* Case-normalise username if so desired */
69 if ($force_username_lowercase) {
70 $login_username = strtolower($login_username);
73 /* Verify that username and password are correct. */
74 $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0);
75 /* From now on we are logged it. If the login failed then sqimap_login handles it */
78 * Regenerate session id to make sure that authenticated session uses
79 * different ID than one used before user authenticated. This is a
80 * countermeasure against session fixation attacks.
81 * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session
82 * cookie is only sent out in this call as of PHP 4.3.3), but PHP 4
83 * is not vulnerable to session fixation problems in SquirrelMail
84 * because it prioritizes $base_uri subdirectory cookies differently
85 * than PHP 5, which is otherwise vulnerable. If we really want to,
86 * we could define our own session_regenerate_id() when one does not
87 * exist, but there seems to be no reason to do so.
89 sqsession_is_active();
90 if (function_exists('session_regenerate_id')) {
91 session_regenerate_id();
95 * The cookie part. session_start and session_regenerate_session normally set
96 * their own cookie. SquirrelMail sets another cookie which overwites the
97 * php cookies. The sqsetcookie function sets the cookie by using the header
98 * function which gives us full control how the cookie is set. We do that
99 * to add the HttpOnly cookie attribute which blocks javascript access on
102 sqsetcookie(session_name(),session_id(),false,$base_uri);
103 sqsetcookie('key', $key, false, $base_uri);
105 sqsession_register($onetimepad, 'onetimepad');
107 $sqimap_capabilities = sqimap_capability($imapConnection);
109 /* Server side sorting control */
110 if (isset($sqimap_capabilities['SORT']) && $sqimap_capabilities['SORT'] == true &&
111 isset($disable_server_sort) && $disable_server_sort) {
112 unset($sqimap_capabilities['SORT']);
115 /* Thread sort control */
116 if (isset($sqimap_capabilities['THREAD']) && $sqimap_capabilities['THREAD'] == true &&
117 isset($disable_thread_sort) && $disable_thread_sort) {
118 unset($sqimap_capabilities['THREAD']);
121 sqsession_register($sqimap_capabilities, 'sqimap_capabilities');
122 $delimiter = sqimap_get_delimiter ($imapConnection);
124 if (isset($sqimap_capabilities['NAMESPACE']) && $sqimap_capabilities['NAMESPACE'] == true) {
125 $namespace = sqimap_get_namespace($imapConnection);
126 sqsession_register($namespace, 'sqimap_namespace');
129 sqimap_logout($imapConnection);
130 sqsession_register($delimiter, 'delimiter');
132 $username = $login_username;
133 sqsession_register ($username, 'username');
134 do_hook('login_verified', $null);
136 /* Set the login variables. */
137 $user_is_logged_in = true;
138 $just_logged_in = true;
140 /* And register with them with the session. */
141 sqsession_register ($user_is_logged_in, 'user_is_logged_in');
142 sqsession_register ($just_logged_in, 'just_logged_in');
144 /* parse the accepted content-types of the client */
145 $attachment_common_types = array();
146 $attachment_common_types_parsed = array();
147 sqsession_register($attachment_common_types, 'attachment_common_types');
148 sqsession_register($attachment_common_types_parsed, 'attachment_common_types_parsed');
150 if ( sqgetGlobalVar('HTTP_ACCEPT', $http_accept, SQ_SERVER
) &&
151 !isset($attachment_common_types_parsed[$http_accept]) ) {
152 attachment_common_parse($http_accept);
155 // having just logged in, need to synch the template file cache
156 // so the right template set is displayed (per user prefs)
157 require(SM_PATH
. 'include/load_prefs.php');
159 Template
::cache_template_file_hierarchy($sTemplateID, TRUE);
161 /* Complete autodetection of Javascript. */
162 checkForJavascript();
164 /* Compute the URL to forward the user to. */
165 $redirect_url = $location . '/webmail.php';
167 if ( sqgetGlobalVar('session_expired_location', $session_expired_location, SQ_SESSION
) ) {
168 sqsession_unregister('session_expired_location');
169 if ( $session_expired_location == 'compose' ) {
170 $compose_new_win = getPref($data_dir, $username, 'compose_new_win', 0);
171 if ($compose_new_win) {
172 // do not prefix $location here because $session_expired_location is set to the PAGE_NAME
174 $redirect_url = $location . '/' . $session_expired_location . '.php';
176 $redirect_url = $location . '/webmail.php?right_frame=' . urlencode($session_expired_location . '.php');
178 } else if ($session_expired_location != 'webmail'
179 && $session_expired_location != 'left_main') {
180 $redirect_url = $location . '/webmail.php?right_frame=' . urlencode($session_expired_location . '.php');
182 unset($session_expired_location);
185 if($mailtodata != '') {
186 $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailtodata=';
187 $redirect_url .= urlencode($mailtodata);
190 /* Write session data and send them off to the appropriate page. */
191 session_write_close();
192 header("Location: $redirect_url");
195 /* --------------------- end main ----------------------- */
197 function attachment_common_parse($str) {
198 global $attachment_common_types, $attachment_common_types_parsed;
201 * Replace ", " with "," and explode on that as Mozilla 1.x seems to
202 * use "," to seperate whilst IE, and earlier versions of Mozilla use
206 $str = str_replace( ', ' , ',' , $str );
207 $types = explode(',', $str);
209 foreach ($types as $val) {
210 // Ignore the ";q=1.0" stuff
211 if (strpos($val, ';') !== false) {
212 $val = substr($val, 0, strpos($val, ';'));
214 if (! isset($attachment_common_types[$val])) {
215 $attachment_common_types[$val] = true;
218 sqsession_register($attachment_common_types, 'attachment_common_types');
221 $attachment_common_types_parsed[$str] = true;