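/**
 * Read the current login session from the login cookie (or its Flash POST substitute).
 *
 * The encoded payload is attacker-controlled input: it is decoded (strrev -> base64 -> JSON)
 * and every field is type-checked before use, so a malformed, truncated or hand-crafted
 * value degrades to "no login data" instead of raising PHP warnings/TypeErrors
 * (e.g. a non-array JSON document, an array-valued POST field, or a non-numeric lastAccess).
 *
 * @return array{0: bool, 1: string, 2: string} [$sessionExpired, $username, $passwordHash];
 *         $username and $passwordHash are '' when no valid login data is present or the
 *         session has expired.
 */
function loginCookie_get() {
    $cookieLoginDataEncoded = getPrefixedCookie(loginCookie_name());

    // Flash Cookie Bug Fix - Flash sometimes sends no cookies (or cookies from IE when you're using Firefox).
    // ... So we fake it by passing the loginCookie via a POST request. Security: Use POST instead of GET so
    // ... sessions can't be force-created or hijacked with GET urls (and so login data won't get stored in server logs)
    if (isFlashUploader()) {
        $loginDataEncoded = isset($_POST['_FLASH_COOKIE_BUG_FIX_']) ? $_POST['_FLASH_COOKIE_BUG_FIX_'] : '';
    } else {
        $loginDataEncoded = $cookieLoginDataEncoded;
    }

    // decode login data; only a string can be decoded (a POST field can also arrive as an array),
    // and only a JSON object/array is accepted as a payload
    $loginData = array();
    if (is_string($loginDataEncoded) && $loginDataEncoded) {
        $decoded = json_decode(base64_decode(strrev($loginDataEncoded)), true);
        if (is_array($decoded)) {
            $loginData = $decoded;
        }
    }

    // check if session has expired
    $sessionExpired = false;
    if ($loginData) {
        // get session expiry in seconds
        $maxSeconds = loginExpirySeconds();

        // NOTE(review): a payload with no (or a falsy) lastAccess skips the expiry check, as in the
        // original code — confirm the cookie writer always stores lastAccess.
        if (!empty($loginData['lastAccess'])) {
            $lastAccess = $loginData['lastAccess'];
            // lastAccess also comes from the cookie: a non-numeric value can only be a tampered
            // payload, so it is treated as already expired rather than fed into arithmetic
            $secondsAgo = is_numeric($lastAccess) ? time() - (int) $lastAccess : PHP_INT_MAX;
            if ($secondsAgo > $maxSeconds) {
                $sessionExpired = true;
                loginCookie_remove();
            }
        }
    }

    // expired sessions return empty credentials; only plain string fields are accepted
    $username     = '';
    $passwordHash = '';
    if (!$sessionExpired) {
        if (isset($loginData['username']) && is_string($loginData['username'])) {
            $username = $loginData['username'];
        }
        if (isset($loginData['passwordHash']) && is_string($loginData['passwordHash'])) {
            $passwordHash = $loginData['passwordHash'];
        }
    }

    return array($sessionExpired, $username, $passwordHash);
}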
// Security checklist: each tip is appended to $tips, in the order below, when a hardening
// setting is missing. $SETTINGS, $tips, $errorLogCount and t() appear to be provided by
// surrounding code that is not part of this excerpt.
if (!$SETTINGS['advanced']['requireHTTPS']) {
    $tips[] = t("Enable 'Require HTTPS' above to disallow insecure connections.");
}
// display_errors shows PHP error details (paths, stack traces) to every visitor
if (ini_get('display_errors')) {
    $tips[] = t("Hide PHP Errors (for production and live web servers).");
}
if (!$SETTINGS['advanced']['phpEmailErrors']) {
    $tips[] = t("Enable 'Email PHP Errors' to be notified of PHP errors on website.");
}
// expose_php advertises the PHP version in response headers
if (ini_get('expose_php')) {
    $tips[] = t(sprintf("%s is currently enabled, disable it in php.ini.", '<a href="http://www.php.net/manual/en/ini.core.php#ini.expose-php">expose_php</a>'));
}
if ($errorLogCount) {
    $tips[] = t("There are PHP errors in the <a href='?menu=_error_log'>error log</a>. Review them and then clear the error log.");
}
// 60 * 30 = 30 minutes; loginExpirySeconds() returns the configured login timeout
if (loginExpirySeconds() > 60 * 30) {
    $tips[] = t("Set login timeout to 30 minutes or less.");
}
if (!array_key_exists('CMSB_MOD_SECURITY2', $_SERVER)) {
    // mod_security2 reports false positives that are excluded for scripts named admin.php, so this
    // rename is not recommended on mod_security2 hosts (signalled by CMSB_MOD_SECURITY2 in $_SERVER)
    // NOTE(review): the suggested suffix is derived from uniqid(), which is time-based rather than a
    // CSPRNG. It is only an example name shown to the admin here; if the generated name is ever used
    // directly, random_bytes() (PHP 7+) is the stronger source. uniqid(null, ...) also passes null to a
    // string parameter (deprecated since PHP 8.1); '' is the equivalent prefix.
    if (basename($_SERVER['SCRIPT_NAME']) == 'admin.php') {
        $tips[] = t(sprintf("Rename admin.php to something unique such as admin_%s.php", substr(sha1(uniqid(null, true)), 0, 20)));
    }
}

// ask user to remove outdated files and directories left over from earlier versions
$oldFilesAndDirs = array();
$oldFilesAndDirs[] = '/3rdParty/thickbox';
$oldFilesAndDirs[] = '/3rdParty/tiny_mce/tiny_mce_gzip.js';
$oldFilesAndDirs[] = '/css';
$oldFilesAndDirs[] = '/images';
$oldFilesAndDirs[] = '/js';