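/**
 * Persists the in-memory $session to disk under the session's ETag.
 *
 * The file path is $sessionsdir . $etag. NOTE(review): initsession() is not
 * shown here; if $etag is derived from the client-sent If-None-Match header,
 * it must be validated to a fixed character set before it reaches this
 * concatenation, otherwise the client chooses the file name (and path).
 * The file is written with serialize(); presumably it is read back with
 * unserialize(), which is only acceptable because this script is the sole
 * writer of those files — verify.
 *
 * @param string $etag identifier of the session to store
 * @throws RuntimeException if the session file cannot be written
 */
function storesession($etag)
{
    global $session, $sessionsdir;
    // Same create/truncate semantics as fopen(..., "w"); LOCK_EX stops two
    // concurrent requests for the same ETag from interleaving their writes.
    $written = file_put_contents($sessionsdir . $etag, serialize($session), LOCK_EX);
    if ($written === false) {
        // fopen() returning false used to surface only as a warning followed by
        // an fwrite() on a non-resource; fail explicitly instead.
        throw new RuntimeException('Unable to write session file');
    }
}

initsession($etag);

// .htaccess rewrites to ?tracker if the 'tracker.jpg' file is requested.
if (isset($_GET["tracker"])) {
    // No ETag sent? Make sure we use a new session.
    if (empty($_SERVER["HTTP_IF_NONE_MATCH"])) {
        // may or may not exist — test first rather than silencing unlink() with '@'
        $oldSessionFile = $sessionsdir . $etag;
        if (is_file($oldSessionFile)) {
            unlink($oldSessionFile);
        }
        unset($session);
        initsession($etag);
    }
    updatesession();
    storesession($etag);

    $image = "fingerprinting.jpg";
    $size = filesize($image); // false if the image is missing or unreadable
    if ($size === false) {
        // Without this, a missing image sent a Content-length of "" and an empty body.
        http_response_code(500);
        exit;
    }
    header("Cache-Control: private, must-revalidate, proxy-revalidate");
    header("ETag: " . substr($etag, 0, 18)); // our "cookie"
    header("Content-type: image/jpeg");
    header("Content-length: " . $size);
    readfile($image);
    exit;
}

// Vulnerable to CSRF attacks, I know. I didn't think it really mattered
// since XSS is impossible and no important data is stored.
if (isset($_POST["newstring"])) {
    // Escaped on input, so the stored value can be echoed into HTML as-is.
    // The 500-byte cap is applied after escaping, so it can cut through an
    // entity ("&am") or a multi-byte sequence; truncate before escaping and
    // use mb_substr() if that matters for display.
    $session["your_string"] = substr(htmlentities($_POST["newstring"]), 0, 500);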
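$_SESSION['nocookie'] = false; }

// Check if cookies are enabled
if (isset($_GET['ns']) && !isset($_SESSION['first'])) {
    // Cookies are disabled: the ?ns round-trip came back without any session state.
    initsession(false);
}

if (!isset($_SESSION['first'])) {
    // User first enters here: mark the session and bounce the browser back with
    // ?ns so the next request shows whether the session cookie survived.
    $_SESSION['first'] = true;
    // NOTE(review): PHP_SELF can carry client-controlled PATH_INFO; SCRIPT_NAME is
    // the safer base if path info is not needed here — confirm before changing.
    $loc = $_SERVER['PHP_SELF'] . '?ns&' . http_build_query($_GET);
    header('Location: ' . $loc);
    // Stop here. Without exit the rest of the page ran for the request being
    // redirected: the block below then called initsession(true) immediately and
    // the log query fired once for this request and again for the redirected one.
    exit;
}

if ($_SESSION['first']) {
    // Cookies are enabled and this is the first fulfilled query
    initsession(true);
}

/**
 * Initiates the required session variables.
 *
 * Resets visit bookkeeping (arrival time, last click, click count) and marks
 * the session as past its first request.
 *
 * @param bool $cookie must be TRUE if cookies are enabled
 */
function initsession(bool $cookie): void
{
    $_SESSION['nocookie'] = !$cookie;
    $_SESSION['nojavascript'] = true;
    $_SESSION['arrive'] = time();
    $_SESSION['lastclick'] = $_SESSION['arrive'];
    $_SESSION['click'] = 0;
    $_SESSION['first'] = false;
}

######################## LOG QUERY ########################
// Only fulfilled requests from cookie-capable clients are logged.
if ($_SESSION['nocookie'] === false && $_SESSION['first'] === false) {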