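/**
 * Check if a visitor is logged in.
 *
 * Look up the session referenced by the "AURSID" cookie in the "Sessions"
 * table. If the cookie does not match a stored session, or the session has
 * been idle for longer than the configured login timeout, the cookie is
 * expired on the client (and, for a timed-out session, the server-side row
 * is deleted as well). Otherwise the session's idle timestamp is refreshed.
 *
 * @global array $_COOKIE User cookie values
 *
 * @return void
 */
function check_sid() {
	# $_COOKIE is a superglobal; no "global" declaration is needed.
	if (!isset($_COOKIE["AURSID"])) {
		return;
	}

	$sid = $_COOKIE["AURSID"];
	$timeout = config_get_int('options', 'login_timeout');
	$dbh = DB::connect();

	# The cookie value is attacker-controlled: bind it as a parameter
	# rather than splicing it into the SQL string.
	$stmt = $dbh->prepare("SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions WHERE SessionID = ?");
	$stmt->execute([$sid]);
	$row = $stmt->fetch(PDO::FETCH_NUM);

	# 0 = valid session, 1 = unknown session ID, 2 = idle timeout reached.
	$failed = 0;
	$last_update = 0;
	if ($row === false || !$row[0]) {
		# No matching row (fetch() returns false) or an empty timestamp:
		# the cookie is stale or forged.
		$failed = 1;
	} else {
		$last_update = (int) $row[0];
		if ($last_update + $timeout <= (int) $row[1]) {
			$failed = 2;
		}
	}

	if ($failed !== 0) {
		if ($failed === 2) {
			# Timed out: drop the server-side session so the ID cannot be reused.
			delete_session_id($sid);
		}
		# Expire the cookie on the client (expiry 1 = one second past the epoch).
		# Domain is "" rather than null: PHP 8.1 deprecates null for this parameter.
		setcookie("AURSID", "", 1, "/", "", !empty($_SERVER['HTTPS']), true);
		unset($_COOKIE['AURSID']);
		return;
	}

	# Still logged in and within the timeout: refresh the idle timestamp,
	# but only when the stored value is below now + $timeout. "Remembered"
	# sessions carry a timestamp further in the future and must not be
	# overwritten.
	if ($last_update < time() + $timeout) {
		$stmt = $dbh->prepare("UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() WHERE SessionID = ?");
		$stmt->execute([$sid]);
	}
}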
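<?php
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');

include_once "aur.inc.php";        # access AUR common functions
include_once "acctfuncs.inc.php";  # access AUR common functions

# Log the visitor out: remove the server-side session and expire the
# cookie. This must run before any HTML output, since setcookie() and
# header() require the response headers to still be open.
if (isset($_COOKIE["AURSID"])) {
	delete_session_id($_COOKIE["AURSID"]);
	# Expiry 1 means one second past the epoch, i.e. expire the cookie now.
	# Domain is "" rather than null: PHP 8.1 deprecates null for this parameter.
	setcookie("AURSID", "", 1, "/", "", !empty($_SERVER['HTTPS']), true);
	unset($_COOKIE['AURSID']);
	clear_expired_sessions();
}

header('Location: /');
# Stop here so nothing is executed or emitted after the redirect header.
exit;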