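/**
 * Starts, validates and secures a session.
 *
 * The session cookie is always flagged httpOnly so page scripts cannot read it,
 * which limits what a script-injection flaw can do with the session id.
 *
 * @param string    $name   Name of the session; SES_SALT is appended to it.
 * @param int       $limit  Lifetime of the session cookie in seconds, 0 for a session-only cookie.
 * @param string    $path   Path used to restrict where the browser sends the cookie.
 * @param string    $domain Domain used to allow subdomains access to the cookie.
 * @param bool|null $secure If true the browser only sends the cookie over https;
 *                          null auto-detects from the current request.
 */
static function sesStart($name = 'echelon', $limit = 0, $path = '/', $domain = null, $secure = null)
{
    // Set the cookie name
    session_name($name . '_session_' . SES_SALT);

    // Set SSL level. Some servers (notably IIS) set $_SERVER['HTTPS'] to the
    // string 'off' on plain-http requests, so the key being present is not
    // enough on its own; treat empty or 'off' as "not https".
    if (isset($secure)) {
        $https = $secure;
    } else {
        $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    }

    // Set session cookie options. httpOnly is always true so the cookie is not
    // exposed to JavaScript, which helps against session theft via XSS.
    // NOTE(review): no SameSite attribute is set here; worth adding once the
    // array form of session_set_cookie_params() is available to this code base.
    session_set_cookie_params($limit, $path, $domain, $https, true);

    session_start();

    // Make sure the session hasn't expired; if it has, log out and send home
    if (!self::validateSession()) {
        self::logout();
        sendHome();
        return;
    }

    if (!self::preventHijacking()) {
        // New session or a hijacking attempt: store a fresh fingerprint and
        // regenerate the id so the previous one cannot be reused
        $_SESSION['finger'] = self::getFinger();
        self::regenerateSession();
    } elseif (mt_rand(1, 100) <= 20) {
        // Give a 20% chance of the session id changing on any request
        self::regenerateSession();
    }
}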
/**
 * Checks that the current user may view this page: not locked/banned, logged in,
 * and holding the permission level the page requires. On failure an error is set,
 * the visitor is redirected and the script exits.
 *
 * @param string $name The permission name the page requires.
 */
function auth($name)
{
    // Stop blocked people from accessing anything further
    locked();

    $loggedIn = $this->loggedIn();
    if (!$loggedIn) {
        // Not authorised/logged in: send the visitor to the login page
        set_error('Please login to Echelon');
        sendLogin();
        exit;
    }

    $allowed = $this->reqLevel($name);
    if ($allowed) {
        return;
    }

    // The user's level is below what this page needs: deny entry with an error
    set_error('You do not have the correct privilages to view that page');
    sendHome();
    exit;
}
<?php $b3_conn = false; $auth_user_here = false; $pagination = false; require 'inc.php'; if ($mem->loggedIn()) { // if logged don't allow the user to register set_error('Logged in users cannot register'); sendHome(); // send to the index/home page } if (!isset($_REQUEST['key'])) { // if key does not exists $step = 1; // the user must input a matching key and email address } else { // if key is sent // clean vars of unwanted materials $key = cleanvar($_REQUEST['key']); $email = cleanvar($_REQUEST['email']); // check the new email address is a valid email address if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { set_error('That email is not valid 9999999'); } // query db to see if key and email are valid $valid_key = $dbl->verifyRegKey($key, $email, $key_expire); if ($valid_key == true) { // if the key sent is a valid one $step = 2; } else {