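/**
 * Check whether the current visitor is logged in, restoring the login from the
 * "Remember me" cookies when no session exists yet.
 *
 * Side effects: starts the session when none is active, may regenerate the
 * session id, may call self::logout() and terminate the request, or may
 * redirect to "/" and terminate when neither a session nor remember-me
 * cookies are present. Returns normally only when the visitor ends up with a
 * populated session.
 *
 * Fixes relative to the previous version:
 *  - time($lastaccess) took an argument time() does not accept (fatal on PHP 8);
 *    the expiry check now converts `last_access` explicitly.
 *  - an expired cookie fell through after logout() and still re-created the
 *    session; every failure path now terminates.
 *  - the cookie session key is compared with hash_equals() (constant time,
 *    strict) instead of ==.
 *  - the e-mail cookie is validated before it reaches the SQL query, and a
 *    missing `users` row no longer destructures `false`.
 *  - database errors are logged instead of being echoed to the client.
 *
 * @global mysql $db
 */
function isLoged() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    global $db;

    // Hijacking mitigation: the UA fingerprint recorded at login must still match.
    // md5 is only a fingerprint here, not a secret, so a strict compare suffices.
    if (isset($_SESSION['HTTP_USER_AGENT'])) {
        $currentAgent = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
        if ($_SESSION['HTTP_USER_AGENT'] !== $currentAgent) {
            self::logout();
            exit;
        }
    }

    // An existing session needs nothing more.
    if (isset($_SESSION['usr_email']) || isset($_SESSION['created_at'])) {
        return;
    }

    // No session and no remember-me cookies: anonymous visitor, back to the homepage.
    if (!isset($_COOKIE['usr_email']) || !isset($_COOKIE['created_at'])) {
        header("Location: /");
        exit;
    }

    // Validate the untrusted cookie value BEFORE it is used in a query.
    $cookieEmail = $_COOKIE['usr_email'];
    if (!MyTools::isEmail($cookieEmail)) {
        self::logout();
        exit;
    }

    // NOTE(review): string-built SQL through the legacy mysql_* driver, relying on
    // DbTools::filterData() for escaping. A prepared statement is the proper fix
    // once the driver allows it; the e-mail format check above narrows the input
    // in the meantime.
    $safeEmail = DbTools::filterData($cookieEmail);
    $result = mysql_query("select `session_key`,`last_access` from `users` where `email` ='{$safeEmail}'");
    if ($result === false) {
        // Do not echo driver errors to the client.
        error_log(mysql_error());
        die('Database error');
    }

    $row = mysql_fetch_row($result);
    if ($row === false) {
        // Unknown account: the cookie cannot be honoured.
        self::logout();
        exit;
    }
    list($sessionKey, $lastAccess) = $row;

    // `last_access` arrives as a string; accept a unix timestamp or a
    // DATETIME-style value. An unparseable value is treated as expired.
    $lastAccessTs = is_numeric($lastAccess) ? (int) $lastAccess : strtotime((string) $lastAccess);
    $maxAgeSeconds = 60 * 60 * 24 * APP_COOKIE_EXPIRA;
    if ($lastAccessTs === false || time() - $lastAccessTs > $maxAgeSeconds) {
        self::logout();
        exit; // must not fall through and re-create the session from a stale cookie
    }

    // Never trust the cookie on its own: the presented key must match the
    // sha1 of the key stored at login. hash_equals avoids timing leaks and the
    // loose-comparison pitfalls of ==.
    $presentedKey = isset($_COOKIE['usr_session_key']) ? (string) $_COOKIE['usr_session_key'] : '';
    if (empty($sessionKey) || !hash_equals(sha1($sessionKey), $presentedKey)) {
        self::logout();
        exit;
    }

    // Cookie accepted: issue a fresh session id (anti-fixation) and discard the
    // old session file.
    session_regenerate_id(true);
    $_SESSION['usr_email'] = $cookieEmail;
    $_SESSION['created_at'] = $_COOKIE['created_at'];
    // SECURITY(review): the administrator flag is still copied from a
    // client-controlled cookie, as before — anyone can set usr_administrator=1.
    // It should come from the `users` row instead; left unchanged here because
    // this view does not show which column holds it.
    $_SESSION['usr_administrator'] = isset($_COOKIE['usr_administrator']) ? $_COOKIE['usr_administrator'] : null;
    $_SESSION['HTTP_USER_AGENT'] = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
}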