Пример #1
 /**
  * Initialise $_SESSION, handles google access
  * and sets up not-logged-in user properly.
  *
  * WARNING: $USER and $SESSION are set up later, do not use them yet!
  *
  * @param bool $newsid is this a new session in first http request?
  */
 protected static function initialise_user_session($newsid)
 {
     // Reconciles the PHP session with its row in the 'sessions' table, enforces the idle
     // timeout for logged-in users, and otherwise builds a fresh guest or not-logged-in
     // session. Expects the PHP session to be started already (see the session_id() check).
     global $CFG, $DB;
     $sid = session_id();
     if (!$sid) {
         // No session, very weird.
         error_log('Missing session ID, session not started!');
         self::init_empty_session();
         return;
     }
     // Look up the server-side tracking row for this session id. If there is none, nothing
     // stored under this id is kept: $_SESSION is emptied below in every such case.
     if (!($record = $DB->get_record('sessions', array('sid' => $sid), 'id, sid, state, userid, lastip, timecreated, timemodified'))) {
         if (!$newsid) {
             if (!empty($_SESSION['USER']->id)) {
                 // This should not happen, just log it, we MUST not produce any output here!
                 // NOTE(review): this writes the session id to the error log; that id is
                 // replaced by session_regenerate_id(true) just below.
                 error_log("Cannot find session record {$sid} for user " . $_SESSION['USER']->id . ", creating new session.");
             }
             // Prevent session fixation attacks: the request carried an id that has no tracking
             // row, so switch to a new id and delete the old session data (the `true` argument)
             // rather than adopting the id that was presented.
             session_regenerate_id(true);
         }
         // Discard any data that came with the untracked id.
         $_SESSION = array();
     }
     unset($sid);
     // From here $record is only dereferenced when $_SESSION['USER']->id is set, which cannot
     // be the case after the reset above, so a failed lookup never reaches $record->...
     if (isset($_SESSION['USER']->id)) {
         // Prefer realuser when it is set.
         // NOTE(review): presumably the original account while acting as another user - confirm
         // against the code that sets it.
         if (!empty($_SESSION['USER']->realuser)) {
             $userid = $_SESSION['USER']->realuser;
         } else {
             $userid = $_SESSION['USER']->id;
         }
         // Verify timeout first.
         // $maxlifetime is compared against time() below, i.e. it is an idle limit in seconds.
         $maxlifetime = $CFG->sessiontimeout;
         $timeout = false;
         if (isguestuser($userid) or empty($userid)) {
             // Ignore guest and not-logged in timeouts, there is very little risk here.
             $timeout = false;
         } else {
             if ($record->timemodified < time() - $maxlifetime) {
                 $timeout = true;
                 $authsequence = get_enabled_auth_plugins();
                 // Auths, in sequence. Any enabled plugin can veto the timeout: the first hook
                 // that returns a truthy value keeps the session alive and ends the loop.
                 foreach ($authsequence as $authname) {
                     $authplugin = get_auth_plugin($authname);
                     if ($authplugin->ignore_timeout_hook($_SESSION['USER'], $record->sid, $record->timecreated, $record->timemodified)) {
                         $timeout = false;
                         break;
                     }
                 }
             }
         }
         if ($timeout) {
             // Expired: move to a new session id (deleting the old session data), empty
             // $_SESSION and remove the tracking row, then fall through to the fresh-session
             // setup at the end of the function.
             session_regenerate_id(true);
             $_SESSION = array();
             $DB->delete_records('sessions', array('id' => $record->id));
         } else {
             // Update session tracking record.
             // Only changed fields are copied into $update, and the row is written only when
             // at least one of them changed.
             $update = new \stdClass();
             $updated = false;
             if ($record->userid != $userid) {
                 $update->userid = $record->userid = $userid;
                 $updated = true;
             }
             // NOTE(review): a changed client address is only recorded here; this function does
             // not treat an address change as a reason to end the session.
             $ip = getremoteaddr();
             if ($record->lastip != $ip) {
                 $update->lastip = $record->lastip = $ip;
                 $updated = true;
             }
             // Minimum number of seconds between timemodified writes: 20 unless
             // $CFG->session_update_timemodified_frequency holds a non-empty value.
             $updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency;
             if ($record->timemodified == $record->timecreated) {
                 // Always do first update of existing record.
                 $update->timemodified = $record->timemodified = time();
                 $updated = true;
             } else {
                 if ($record->timemodified < time() - $updatefreq) {
                     // Throttle writes: refresh timemodified at most once every $updatefreq
                     // seconds (20 by default).
                     $update->timemodified = $record->timemodified = time();
                     $updated = true;
                 }
             }
             if ($updated) {
                 $update->id = $record->id;
                 $DB->update_record('sessions', $update);
             }
             // Tracked, non-expired session with a user: nothing further to set up.
             return;
         }
     } else {
         if ($record) {
             // This happens when people switch session handlers...
             // A tracking row exists but $_SESSION carries no user: drop both and continue
             // under a new session id.
             session_regenerate_id(true);
             $_SESSION = array();
             $DB->delete_records('sessions', array('id' => $record->id));
         }
     }
     unset($record);
     // A missing $_SESSION['SESSION'] on a request that did not start a new session is recorded
     // as a timeout through has_timed_out at the end of the function.
     $timedout = false;
     if (!isset($_SESSION['SESSION'])) {
         $_SESSION['SESSION'] = new \stdClass();
         if (!$newsid) {
             $timedout = true;
         }
     }
     // Optional automatic guest login for search engines, active only when
     // $CFG->opentogoogle is non-empty.
     $user = null;
     if (!empty($CFG->opentogoogle)) {
         if (\core_useragent::is_web_crawler()) {
             $user = guest_user();
         }
         $referer = get_local_referer(false);
         if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {
             // Automatically log in users coming from search engine results.
             // NOTE(review): this is a plain substring match on the referer value, which
             // presumably originates from the request and is therefore client-controlled -
             // confirm. The only outcome is the guest account, so this has to remain a
             // convenience and must never gate anything beyond guest access.
             if (strpos($referer, 'google') !== false) {
                 $user = guest_user();
             } else {
                 if (strpos($referer, 'altavista') !== false) {
                     $user = guest_user();
                 }
             }
         }
     }
     // Setup $USER and insert the session tracking record.
     // The tracking row is created with user id 0 when no user was selected above.
     if ($user) {
         self::set_user($user);
         self::add_session_record($user->id);
     } else {
         self::init_empty_session();
         self::add_session_record(0);
     }
     if ($timedout) {
         $_SESSION['SESSION']->has_timed_out = true;
     }
 }
Пример #2
/**
 * Checks if current user is a web crawler.
 *
 * This list cannot be made complete and is not a security
 * restriction; we keep the list only to help these sites,
 * especially when automatic guest login is disabled.
 *
 * If the admin needs security, they should enable forcelogin
 * and disable guest access!
 *
 * @return bool
 * @deprecated since Moodle 3.0 use \core_useragent::is_web_crawler instead.
 */
function is_web_crawler()
{
    // Deprecated shim: raise a developer-level debugging notice first, then hand the
    // question to core_useragent. As the docblock states, the answer is a convenience
    // hint and not a security restriction.
    $notice = 'is_web_crawler() has been deprecated, please use core_useragent::is_web_crawler() instead.';
    debugging($notice, DEBUG_DEVELOPER);

    $iscrawler = core_useragent::is_web_crawler();

    return $iscrawler;
}
Пример #3
 /**
  * @dataProvider user_agents_providers
  */
 public function test_useragent_web_crawler($useragent, $tests)
 {
     // Set up the core_useragent instance for the user agent string under test.
     core_useragent::instance(true, $useragent);

     // Data sets that carry no 'is_web_crawler' entry are expected to be classified as
     // non-crawlers, so the default expectation is false.
     $expected = false;
     if (isset($tests['is_web_crawler'])) {
         $expected = $tests['is_web_crawler'];
     }

     // assertSame is strict: the detector has to return exactly the expected value and type.
     $actual = core_useragent::is_web_crawler();
     $this->assertSame($expected, $actual);
 }