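/**
 * Extract all of the post data, set up data in tables, and set up session.
 *
 * Flow: reject non-LTI requests, map $_POST into database-shaped keys,
 * derive a deterministic session id from the launch, load the key/context/
 * user row, check the nonce and the OAuth signature (current secret, then a
 * pending LTI2 "new_secret"), record the nonce, and copy everything the rest
 * of the application needs into $_SESSION.
 *
 * Side effects: starts/clears the PHP session, sends a Content-Type header,
 * writes to the lti_nonce table, logs a breadcrumb line, and terminates the
 * request via die_with_error_log() on nonce reuse or signature failure.
 *
 * @return string|false|null  The session id on success; false when this is
 *                            not an LTI request; null after rendering
 *                            lti/nopost.php when the post data is unusable.
 */
public static function setupSession()
{
    global $CFG, $PDOX;
    if (!LTI::isRequest()) {
        return false;
    }

    // Pull LTI data out of the incoming $_POST and map into the same
    // keys that we use in our database (i.e. like $row)
    $post = self::extractPost();
    if ($post === false) {
        $pdata = safe_var_dump($_POST);
        error_log('Missing post data: ' . $pdata);
        require 'lti/nopost.php';
        return;
    }

    // The well-known demo key is only honoured on developer installs.
    // Compare as strings so an integer-typed key cannot slip past a loose ==.
    if ((string) $post['key'] === '12345' && !$CFG->DEVELOPER) {
        die_with_error_log('You can only use key 12345 in developer mode');
    }

    // We make up a Session ID Key because we don't want a new one
    // each time the same user launches the same link.
    $session_id = self::getCompositeKey($post, $CFG->sessionsalt);
    session_id($session_id);
    session_start();
    header('Content-Type: text/html; charset=utf-8');

    // Since we might reuse session IDs, clean everything out
    session_unset();
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

    // Read all of the data from the database with a very long
    // LEFT JOIN and get all the data we have back in the $row variable
    // $row = loadAllData($CFG->dbprefix, false, $post);
    $row = self::loadAllData($CFG->dbprefix, $CFG->dbprefix . 'profile', $post);

    // Clock skew between the consumer and us is logged, not rejected;
    // the nonce table (below) is what actually bounds replay.
    $delta = 0;
    if (isset($_POST['oauth_timestamp'])) {
        $server_time = $_POST['oauth_timestamp'] + 0;
        $delta = abs(time() - $server_time);
        if ($delta > 480) { // More than four minutes is getting close
            error_log('Warning: Time skew, delta=' . $delta . ' sever_time=' . $server_time . ' our_time=' . time());
        }
    }

    // Check the nonce to make sure there is no reuse
    if ($row['nonce'] !== null) {
        die_with_error_log('OAuth nonce error key=' . $post['key'] . ' nonce=' . $row['nonce']);
    }

    // Use returned data to check the OAuth signature on the
    // incoming data - returns true or an array
    $valid = LTI::verifyKeyAndSecret($post['key'], $row['secret']);

    // If there is a new_secret it means an LTI2 re-registration is in progress and we
    // need to check both the current and new secret until the re-registration is committed.
    // new_secret may be NULL from the LEFT JOIN, so test it before comparing.
    if ($valid !== true
        && is_string($row['new_secret'])
        && $row['new_secret'] !== ''
        && $row['new_secret'] !== $row['secret']
    ) {
        $valid = LTI::verifyKeyAndSecret($post['key'], $row['new_secret']);
        // Only promote the pending secret on a genuine pass; an error array is truthy too.
        if ($valid === true) {
            $row['secret'] = $row['new_secret'];
        }
        $row['new_secret'] = null;
    }

    if ($valid !== true) {
        // The verification detail is echoed to the launcher to aid LTI setup debugging.
        print "<pre>\n";
        print_r($valid);
        print "</pre>\n";
        die_with_error_log('OAuth validation fail key=' . $post['key'] . ' delta=' . $delta . ' error=' . $valid[0]);
    }

    self::adjustData($CFG->dbprefix, $row, $post);

    // Record the nonce but first probabilistically clean out expired ones
    if ($CFG->noncecheck > 0) {
        if (time() % $CFG->noncecheck == 0) {
            $PDOX->queryDie("DELETE FROM {$CFG->dbprefix}lti_nonce WHERE\n created_at < DATE_ADD(CURRENT_TIMESTAMP(), INTERVAL -{$CFG->noncetime} SECOND)");
            // error_log("Nonce table cleanup done.");
        }
        $PDOX->queryDie("INSERT INTO {$CFG->dbprefix}lti_nonce\n (key_id, nonce) VALUES ( :key_id, :nonce)", array(':nonce' => $post['nonce'], ':key_id' => $row['key_id']));
    }

    // If there is an appropriate role override variable, we use that role
    if (isset($row['role_override']) && isset($row['role']) && $row['role_override'] > $row['role']) {
        $row['role'] = $row['role_override'];
    }

    // Put the information into the row variable
    // TODO: do AES on the secret
    $_SESSION['lti'] = $row;
    $_SESSION['lti_post'] = $_POST;
    if (isset($_SERVER['HTTP_USER_AGENT'])) {
        $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    }
    if (isset($_SERVER['REMOTE_ADDR'])) {
        $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
    }
    // CSRF tokens must be unguessable; uniqid() is time-based and predictable,
    // so draw the token from the CSPRNG instead (32 hex chars).
    $_SESSION['CSRF_TOKEN'] = bin2hex(random_bytes(16));

    // Save this to make sure the user does not wander unless we launched from the root
    $scp = getScriptPath();
    if (strlen($scp) > 0) {
        $_SESSION['script_path'] = $scp;
    }

    // Check if we can auto-login the system user
    if (Settings::linkGet('dologin', false) && isset($PDOX) && $PDOX !== false) {
        loginSecureCookie();
    }

    // Set up basic custom values (legacy). These come from the signed launch,
    // so they are trusted as far as the consumer is; they are still echoed
    // back escaped when rejected.
    if (isset($_POST['custom_due'])) {
        $when = strtotime($_POST['custom_due']);
        if ($when === false) {
            echo '<p>Error, bad setting for custom_due=' . htmlentities($_POST['custom_due']) . '</p>';
            error_log('Bad custom_due=' . $_POST['custom_due']);
            flush();
        } else {
            $_SESSION['due'] = $_POST['custom_due'];
        }
    }
    if (isset($_POST['custom_timezone'])) {
        // NOTE(review): stored as-is; confirm that consumers validate the zone name.
        $_SESSION['timezone'] = $_POST['custom_timezone'];
    }
    if (isset($_POST['custom_penalty_time'])) {
        if ($_POST['custom_penalty_time'] + 0 == 0) {
            echo '<p>Error, bad setting for custom_penalty_time=' . htmlentities($_POST['custom_penalty_time']) . '</p>';
            error_log('Bad custom_penalty_time=' . $_POST['custom_penalty_time']);
            flush();
        } else {
            $_SESSION['penalty_time'] = $_POST['custom_penalty_time'];
        }
    }
    if (isset($_POST['custom_penalty_cost'])) {
        if ($_POST['custom_penalty_cost'] + 0 == 0) {
            echo '<p>Error, bad setting for custom_penalty_cost=' . htmlentities($_POST['custom_penalty_cost']) . '</p>';
            error_log('Bad custom_penalty_cost=' . $_POST['custom_penalty_cost']);
            flush();
        } else {
            $_SESSION['penalty_cost'] = $_POST['custom_penalty_cost'];
        }
    }

    // One comma-separated audit line per launch; the consumer's user_id has
    // its commas replaced so the field count stays stable.
    $breadcrumb = 'Launch,';
    $breadcrumb .= isset($row['key_id']) ? $row['key_id'] : '';
    $breadcrumb .= ',';
    $breadcrumb .= isset($row['user_id']) ? $row['user_id'] : '';
    $breadcrumb .= ',';
    $breadcrumb .= isset($_POST['user_id']) ? str_replace(',', ';', $_POST['user_id']) : '';
    $breadcrumb .= ',';
    $breadcrumb .= $session_id;
    $breadcrumb .= ',';
    $breadcrumb .= curPageURL();
    $breadcrumb .= ',';
    $breadcrumb .= isset($_SESSION['email']) ? $_SESSION['email'] : '';
    error_log($breadcrumb);

    return $session_id;
}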
echo "</pre>\n"; die; } require_once "sanity.php"; $PDOX = false; try { define('PDO_WILL_CATCH', true); require_once "pdo.php"; } catch (PDOException $ex) { $PDOX = false; // sanity-db-will re-check this below } header('Content-Type: text/html; charset=utf-8'); session_start(); if ($PDOX !== false) { loginSecureCookie(); } $OUTPUT->header(); $OUTPUT->bodyStart(); require_once "sanity-db.php"; $OUTPUT->topNav(); ?> <div> <?php $OUTPUT->flashMessages(); if ($CFG->DEVELOPER) { echo '<div class="alert alert-danger" style="margin-top: 10px;">' . _m('Note: Currently this server is running in developer mode.') . "\n</div>\n"; } ?> <p> Hello and welcome to <b><?php