* </ul> * @package com.tecnick.tcexam.shared * @brief TCExam Shared Area * @author Nicola Asuni * @since 2001-09-26 */ /** */ require_once '../config/tce_config.php'; require_once '../../shared/code/tce_functions_authorization.php'; require_once '../../shared/code/tce_functions_session.php'; $logged = false; // the user is not yet logged in // --- read existing user's session data from database $PHPSESSIDSQL = F_escape_sql($PHPSESSID); $session_hash = md5($PHPSESSID . getClientFingerprint()); $sqls = 'SELECT * FROM ' . K_TABLE_SESSIONS . ' WHERE cpsession_id=\'' . $PHPSESSIDSQL . '\''; if ($rs = F_db_query($sqls, $db)) { if ($ms = F_db_fetch_array($rs)) { // the user's session already exist // decode session data session_decode($ms['cpsession_data']); // check for possible session hijacking if (K_CHECK_SESSION_FINGERPRINT and (!isset($_SESSION['session_hash']) or $_SESSION['session_hash'] != $session_hash)) { // display login form session_regenerate_id(); F_login_form(); exit; } // update session expiration time $expiry = date(K_TIMESTAMP_FORMAT);
// set client cookie $cookie_now_time = time(); // note: while time() function returns a 32 bit integer, it works fine until year 2038. $cookie_expire_time = $cookie_now_time + K_COOKIE_EXPIRE; // set cookie expiration time setcookie('LastVisit', $cookie_now_time, $cookie_expire_time, K_COOKIE_PATH, K_COOKIE_DOMAIN, K_COOKIE_SECURE); setcookie('PHPSESSID', $PHPSESSID, $cookie_expire_time, K_COOKIE_PATH, K_COOKIE_DOMAIN, K_COOKIE_SECURE); } } else { F_display_db_error(); } // --- check if login information has been submitted if (isset($_POST['logaction']) and $_POST['logaction'] == 'login') { // check login attempt from the current client device to avoid brute force attack $bruteforce = true; $fingerprintkey = md5(getClientFingerprint()); $sqlt = 'SELECT * FROM ' . K_TABLE_SESSIONS . ' WHERE cpsession_id=\'' . $fingerprintkey . '\' LIMIT 1'; if ($rt = F_db_query($sqlt, $db)) { if ($mt = F_db_fetch_array($rt)) { // check the expiration time if (strtotime($mt['cpsession_expiry']) < time()) { $bruteforce = false; } // update $wait = intval($mt['cpsession_data']); if ($wait < 86400) { $wait *= 2; } $sqlup = 'UPDATE ' . K_TABLE_SESSIONS . ' SET cpsession_expiry=\'' . date(K_TIMESTAMP_FORMAT, time() + $wait) . '\', cpsession_data=\'' . $wait . '\'
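/**
 * Generate and return a new session ID.
 *
 * The ID is 16 bytes taken from the CSPRNG via random_bytes() and
 * hex-encoded, which yields the same 32-character lowercase hexadecimal
 * shape as the md5() output this function previously returned, so the
 * cpsession_id storage and the PHPSESSID cookie handling are unaffected.
 * The former derivation from uniqid()/microtime()/getmypid() is not a
 * cryptographically secure source and makes session IDs guessable by
 * anyone who can estimate server time and process id. The client
 * fingerprint is no longer mixed in: it adds no entropy to a random
 * 128-bit value, and the fingerprint binding is already enforced
 * separately through the session_hash check when the session is read.
 * @author Nicola Asuni
 * @since 2010-10-04
 * @return string PHPSESSID (32 lowercase hexadecimal characters)
 * @throws Exception if random_bytes() cannot obtain secure randomness
 */
function getNewSessionID() {
    // 16 random bytes = 128 bits of entropy, encoded as 32 hex chars.
    return bin2hex(random_bytes(16));
}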