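/**
 * Validate the current session against the fingerprint recorded when it was
 * created (by regenerate_session(), defined elsewhere in this file).
 *
 * The caller treats a false return as a possible session hijack and redirects
 * to the login page. false is returned when:
 *   - the session is marked OBSOLETE and its EXPIRES timestamp has passed,
 *   - the session carries no IPaddress, or it differs from REMOTE_ADDR,
 *   - the stored userAgent differs from the current User-Agent header.
 * Otherwise the session id is regenerated (unless the session is already
 * marked OBSOLETE) and true is returned.
 *
 * Note: binding the session to the client address means a user whose address
 * changes mid-session (mobile networks, rotating proxies) is sent back to
 * login; that is the intended trade-off of the check, not an error.
 *
 * @return bool true when the session may continue to be used
 */
function check_session()
{
    // An OBSOLETE session is one that regenerate_session() has already
    // superseded; it is tolerated only until its EXPIRES grace period ends.
    if (isset($_SESSION['OBSOLETE'])) {
        $expires = isset($_SESSION['EXPIRES']) ? $_SESSION['EXPIRES'] : 0;
        if ($expires < time()) {
            return false;
        }
    }

    // The original condition `isset($_SESSION['IPaddress']) != $_SERVER['REMOTE_ADDR']`
    // compared a bool with a string, so a mismatching address was never
    // detected; compare the stored address itself, strictly.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
    if (!isset($_SESSION['IPaddress']) || $_SESSION['IPaddress'] !== $remoteAddr) {
        return false;
    }

    // Strict comparison; a missing header or missing session value counts as
    // a mismatch unless both are absent.
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
    $sessionAgent = isset($_SESSION['userAgent']) ? $_SESSION['userAgent'] : null;
    if ($sessionAgent !== $userAgent) {
        return false;
    }

    // Rotate the session id on every request; an OBSOLETE session is already
    // being replaced and must not be rotated again.
    if (!isset($_SESSION['OBSOLETE'])) {
        regenerate_session();
    }

    return true;
}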
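/**
 * Validate the current session against the fingerprint recorded when it was
 * created (by regenerate_session(), defined elsewhere in this file).
 *
 * A session flagged isLoggedOutRecently skips the fingerprint checks: the id
 * is regenerated, the flag is cleared and true is returned. Otherwise the
 * caller treats a false return as a possible session hijack and redirects to
 * the login page; false is returned when:
 *   - the session is marked OBSOLETE and its EXPIRES timestamp has passed,
 *   - the session carries no IPaddress, or it differs from REMOTE_ADDR,
 *   - the stored userAgent differs from the current User-Agent header.
 * Otherwise the session id is regenerated (unless the session is already
 * marked OBSOLETE) and true is returned.
 *
 * Note: binding the session to the client address means a user whose address
 * changes mid-session (mobile networks, rotating proxies) is sent back to
 * login; that is the intended trade-off of the check, not an error.
 *
 * @return bool true when the session may continue to be used
 */
function check_session()
{
    if (isset($_SESSION['isLoggedOutRecently'])) {
        // A user who has just logged out holds no privileges worth hijacking,
        // so the fingerprint checks are skipped. The session id is still
        // regenerated and the flag cleared, and any feedback messages queued
        // by the logout path survive to be rendered. Without this shortcut the
        // logout request used to trip the hijack check and lose those messages.
        regenerate_session();
        unset($_SESSION['isLoggedOutRecently']);
        return true;
    }

    // An OBSOLETE session is one that regenerate_session() has already
    // superseded; it is tolerated only until its EXPIRES grace period ends.
    if (isset($_SESSION['OBSOLETE'])) {
        $expires = isset($_SESSION['EXPIRES']) ? $_SESSION['EXPIRES'] : 0;
        if ($expires < time()) {
            return false;
        }
    }

    // The original condition `isset($_SESSION['IPaddress']) != $_SERVER['REMOTE_ADDR']`
    // compared a bool with a string, so a mismatching address was never
    // detected; compare the stored address itself, strictly.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
    if (!isset($_SESSION['IPaddress']) || $_SESSION['IPaddress'] !== $remoteAddr) {
        return false;
    }

    // Strict comparison; a missing header or missing session value counts as
    // a mismatch unless both are absent.
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
    $sessionAgent = isset($_SESSION['userAgent']) ? $_SESSION['userAgent'] : null;
    if ($sessionAgent !== $userAgent) {
        return false;
    }

    // Rotate the session id on every request; an OBSOLETE session is already
    // being replaced and must not be rotated again.
    if (!isset($_SESSION['OBSOLETE'])) {
        regenerate_session();
    }

    return true;
}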
session_name('ATutorID'); error_reporting(AT_ERROR_REPORTING); if (headers_sent()) { require_once AT_INCLUDE_PATH . 'classes/ErrorHandler/ErrorHandler.class.php'; $err = new ErrorHandler(); trigger_error('VITAL#<br /><code><strong>Headers already sent. ' . 'Cannot initialise session.</strong></code><br /><hr /><br />', E_USER_ERROR); exit; } $isHttps = !isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on" ? false : true; ob_start(); session_set_cookie_params(0, $_config["session_path"], "", $isHttps); session_start(); // Regenerate session id at every page refresh to prevent CSRF $valid_session = true; if (count($_SESSION) == 0) { regenerate_session(); } else { $valid_session = check_session(); } $str = ob_get_contents(); ob_end_clean(); unregister_GLOBALS(); // Re-direct to login page at a potential session hijack if (!$valid_session) { $_SESSION = array(); header('Location: ' . AT_BASE_HREF . 'login.php'); exit; } if ($str) { require_once AT_INCLUDE_PATH . 'classes/ErrorHandler/ErrorHandler.class.php'; $err = new ErrorHandler();