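/**
 * Check the auth hash sent by the client against the local session credentials
 *
 * With 'double_auth' enabled the 'sessauth' cookie must match the hash derived
 * from the current session id and either the current or the previous auth
 * timestamp (the previous one covers the window right after a cookie renewal).
 * Without it, validity is reduced to an optional client-IP check.
 * In both modes the session is additionally rejected once it is older than
 * 'session_lifetime' minutes.
 *
 * Side effects: in double-auth mode may rotate $_SESSION['auth_time'] /
 * $_SESSION['last_auth'] and re-issue the 'sessauth' cookie.
 *
 * @return boolean True if valid, False if not
 */
function authenticate_session()
{
    // advanced session authentication
    if ($this->config->get('double_auth')) {
        $now = time();

        // Missing cookie -> empty string, which can never equal a hash;
        // the isset() guards avoid undefined-index notices.
        $cookie    = isset($_COOKIE['sessauth']) ? (string) $_COOKIE['sessauth'] : '';
        $auth_time = isset($_SESSION['auth_time']) ? $_SESSION['auth_time'] : null;
        $last_auth = isset($_SESSION['last_auth']) ? $_SESSION['last_auth'] : null;

        // hash_equals() is strict and constant-time: the original '==' allowed
        // loose numeric comparison (e.g. two "0e..." strings) and leaked timing.
        $valid = hash_equals((string) $this->get_auth_hash(session_id(), $auth_time), $cookie)
            || hash_equals((string) $this->get_auth_hash(session_id(), $last_auth), $cookie);

        // renew auth cookie every 5 minutes (only for GET requests);
        // an invalid hash also forces a rotation (parentheses make the precedence explicit)
        $needs_renewal = $_SERVER['REQUEST_METHOD'] !== 'POST' && $now - $auth_time > 300;
        if (!$valid || $needs_renewal) {
            $_SESSION['last_auth'] = $auth_time;
            $_SESSION['auth_time'] = $now;
            rcmail::setcookie('sessauth', $this->get_auth_hash(session_id(), $now), 0);
        }
    }
    else {
        $valid = $this->config->get('ip_check')
            ? $_SERVER['REMOTE_ADDR'] == $this->session->get_ip()
            : true;
    }

    // check session lifetime (configured in minutes, session timestamp in seconds)
    $lifetime = $this->config->get('session_lifetime');
    $sess_ts  = $this->session->get_ts();

    if (!empty($lifetime) && !empty($sess_ts) && $sess_ts + $lifetime * 60 < time()) {
        $valid = false;
    }

    return $valid;
}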