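 /**
  * Check the auth hash sent by the client against the local session credentials
  *
  * With 'double_auth' enabled the 'sessauth' cookie must match the hash of the
  * session id combined with either the current or the previous auth timestamp;
  * otherwise the check falls back to an optional client IP comparison. In both
  * modes the session is rejected once its timestamp is older than
  * 'session_lifetime' minutes.
  *
  * @return boolean True if valid, False if not
  */
 function authenticate_session()
 {
     // advanced session authentication
     if ($this->config->get('double_auth')) {
         $now     = time();
         $sess_id = session_id();
         // a missing cookie is compared as an empty string rather than reading an undefined index
         $cookie  = (string) ($_COOKIE['sessauth'] ?? '');
         // hash_equals() is a strict, constant-time comparison; the loose `==` it replaces
         // compares numeric-looking strings (e.g. "0e..." hashes) as numbers, so two
         // different hashes could compare equal, and it leaks timing information
         $valid = hash_equals((string) $this->get_auth_hash($sess_id, $_SESSION['auth_time']), $cookie)
             || hash_equals((string) $this->get_auth_hash($sess_id, $_SESSION['last_auth']), $cookie);
         // renew auth cookie every 5 minutes (only for GET requests); a failed check also
         // rotates the timestamps and re-issues the cookie, so the next request is
         // validated against the freshly issued hash
         if (!$valid || ($_SERVER['REQUEST_METHOD'] !== 'POST' && $now - $_SESSION['auth_time'] > 300)) {
             $_SESSION['last_auth'] = $_SESSION['auth_time'];
             $_SESSION['auth_time'] = $now;
             rcmail::setcookie('sessauth', $this->get_auth_hash($sess_id, $now), 0);
         }
     } else {
         // NOTE(review): loose `==` kept here because the return type of get_ip() is not visible
         // from this block (it may be null for sessions without a stored address) — confirm
         $valid = $this->config->get('ip_check') ? $_SERVER['REMOTE_ADDR'] == $this->session->get_ip() : true;
     }

     // check session lifetime: 'session_lifetime' is configured in minutes, the
     // session timestamp in seconds; an empty lifetime disables the expiry check
     $lifetime = $this->config->get('session_lifetime');
     $sess_ts  = $this->session->get_ts();
     if (!empty($lifetime) && !empty($sess_ts) && $sess_ts + $lifetime * 60 < time()) {
         $valid = false;
     }

     return $valid;
 }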