예제 #1
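 /**
  * Starts, validates and hardens the PHP session for this application.
  *
  * The cookie name is built from $name and the SES_SALT constant (defined
  * elsewhere). The cookie is always HttpOnly and is marked Secure when the
  * request is served over HTTPS (or the caller says so). Once the session is
  * open, validateSession() and preventHijacking() (both defined elsewhere in
  * this class) decide whether it can still be trusted; a session that fails
  * validation is logged out and the request ends with a redirect home.
  *
  * @param string      $name   Prefix of the session cookie name.
  * @param int         $limit  Cookie lifetime in seconds (0 = until the browser
  *                            closes), as passed to session_set_cookie_params().
  * @param string      $path   Path the browser restricts the cookie to.
  * @param string|null $domain Domain the cookie is sent to (null = current host).
  * @param bool|null   $secure true to force the Secure flag, false to suppress it,
  *                            null to auto-detect from $_SERVER['HTTPS'].
  */
 public static function sesStart($name = 'echelon', $limit = 0, $path = '/', $domain = null, $secure = null)
 {
     session_name($name . '_session_' . SES_SALT);

     // Auto-detect HTTPS only when the caller did not decide. A bare isset()
     // is not enough: some servers (IIS among them) set $_SERVER['HTTPS'] to
     // the string "off" on plain HTTP, which would mark the cookie Secure and
     // make the session unusable over HTTP.
     // NOTE(review): behind a TLS-terminating proxy $_SERVER['HTTPS'] may be
     // absent altogether; pass $secure = true explicitly in that deployment.
     if ($secure === null) {
         $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
     } else {
         $https = $secure;
     }

     // HttpOnly keeps the cookie away from document.cookie, which limits what
     // an XSS bug can steal. Secure follows $https above.
     // NOTE(review): session_set_cookie_params() accepts a SameSite option
     // from PHP 7.3; add it once the minimum PHP version allows.
     session_set_cookie_params($limit, $path, $domain, $https, true);
     session_start();

     if (!self::validateSession()) {
         // Expired or otherwise invalid session: drop it and stop the request.
         // exit keeps the page from continuing to execute after the redirect;
         // it is redundant if sendHome() already exits (not visible here).
         self::logout();
         sendHome();
         exit;
     }

     if (!self::preventHijacking()) {
         // New session, or the fingerprint no longer matches: bind the current
         // fingerprint and issue a fresh id so an old id cannot be reused.
         // NOTE(review): whether regenerateSession() also clears existing
         // $_SESSION data is not visible here — confirm.
         $_SESSION['finger'] = self::getFinger();
         self::regenerateSession();
     } elseif (mt_rand(1, 100) <= 20) {
         // Rotate the id on roughly 20% of requests to shorten how long a
         // leaked id stays useful. mt_rand is acceptable here: it decides only
         // the rotation frequency, never a secret value.
         self::regenerateSession();
     }
 }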
예제 #2
 /**
  * Gatekeeper for protected pages: the visitor must be logged in and hold the
  * permission named by $name, otherwise they are redirected and the request
  * ends here.
  *
  * Check order: locked() (defined elsewhere) runs first so blocked/banned
  * accounts are dealt with before anything else, then the login check, and
  * only then the permission level.
  *
  * @param string $name Permission name, checked through $this->reqLevel().
  */
 function auth($name)
 {
     locked();

     if (!$this->loggedIn()) {
         // Anonymous visitor: leave a message for the login page and stop.
         set_error('Please login to Echelon');
         sendLogin();
         exit;
     } elseif (!$this->reqLevel($name)) {
         // Logged in but below the required level: bounce home and stop.
         set_error('You do not have the correct privilages to view that page');
         sendHome();
         exit;
     }
 }
예제 #3
<?php

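// Page flags read by inc.php (included below); their meaning is defined
// there, not here — presumably they switch off the B3 connection, the
// login requirement and pagination for this page. Confirm against inc.php.
$b3_conn = false;
$auth_user_here = false;
$pagination = false;
require 'inc.php';

// An already-authenticated user must not enter the registration flow.
// exit matters here: sendHome() is not visible in this file, and if it only
// emits a Location header the rest of this page (key lookup and the later
// steps) would still execute for the logged-in user despite the redirect.
if ($mem->loggedIn()) {
    set_error('Logged in users cannot register');
    sendHome();
    exit;
}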
if (!isset($_REQUEST['key'])) {
    // if key does not exists
    $step = 1;
    // the user must input a matching key and email address
} else {
    // if key is sent
    // clean vars of unwanted materials
    $key = cleanvar($_REQUEST['key']);
    $email = cleanvar($_REQUEST['email']);
    // check the new email address is a valid email address
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        set_error('That email is not valid 9999999');
    }
    // query db to see if key and email are valid
    $valid_key = $dbl->verifyRegKey($key, $email, $key_expire);
    if ($valid_key == true) {
        // if the key sent is a valid one
        $step = 2;
    } else {