/**
* Initialise $_SESSION, handles google access
* and sets up not-logged-in user properly.
*
* WARNING: $USER and $SESSION are set up later, do not use them yet!
*
* @param bool $newsid is this a new session in first http request?
*/
protected static function initialise_user_session($newsid)
{
global $CFG, $DB;
$sid = session_id();
if (!$sid) {
// No session, very weird.
error_log('Missing session ID, session not started!');
self::init_empty_session();
return;
}
if (!($record = $DB->get_record('sessions', array('sid' => $sid), 'id, sid, state, userid, lastip, timecreated, timemodified'))) {
if (!$newsid) {
if (!empty($_SESSION['USER']->id)) {
// This should not happen, just log it, we MUST not produce any output here!
error_log("Cannot find session record {$sid} for user " . $_SESSION['USER']->id . ", creating new session.");
}
// Prevent session fixation attacks.
session_regenerate_id(true);
}
$_SESSION = array();
}
unset($sid);
if (isset($_SESSION['USER']->id)) {
if (!empty($_SESSION['USER']->realuser)) {
$userid = $_SESSION['USER']->realuser;
} else {
$userid = $_SESSION['USER']->id;
}
// Verify timeout first.
$maxlifetime = $CFG->sessiontimeout;
$timeout = false;
if (isguestuser($userid) or empty($userid)) {
// Ignore guest and not-logged in timeouts, there is very little risk here.
$timeout = false;
} else {
if ($record->timemodified < time() - $maxlifetime) {
$timeout = true;
$authsequence = get_enabled_auth_plugins();
// Auths, in sequence.
foreach ($authsequence as $authname) {
$authplugin = get_auth_plugin($authname);
if ($authplugin->ignore_timeout_hook($_SESSION['USER'], $record->sid, $record->timecreated, $record->timemodified)) {
$timeout = false;
break;
}
}
}
}
if ($timeout) {
session_regenerate_id(true);
$_SESSION = array();
$DB->delete_records('sessions', array('id' => $record->id));
} else {
// Update session tracking record.
$update = new \stdClass();
$updated = false;
if ($record->userid != $userid) {
$update->userid = $record->userid = $userid;
$updated = true;
}
$ip = getremoteaddr();
if ($record->lastip != $ip) {
$update->lastip = $record->lastip = $ip;
$updated = true;
}
$updatefreq = empty($CFG->session_update_timemodified_frequency) ? 20 : $CFG->session_update_timemodified_frequency;
if ($record->timemodified == $record->timecreated) {
// Always do first update of existing record.
$update->timemodified = $record->timemodified = time();
$updated = true;
} else {
if ($record->timemodified < time() - $updatefreq) {
// Update the session modified flag only once every 20 seconds.
$update->timemodified = $record->timemodified = time();
$updated = true;
}
}
if ($updated) {
$update->id = $record->id;
$DB->update_record('sessions', $update);
}
return;
}
} else {
if ($record) {
// This happens when people switch session handlers...
session_regenerate_id(true);
$_SESSION = array();
$DB->delete_records('sessions', array('id' => $record->id));
}
}
unset($record);
$timedout = false;
if (!isset($_SESSION['SESSION'])) {
$_SESSION['SESSION'] = new \stdClass();
if (!$newsid) {
$timedout = true;
}
}
$user = null;
if (!empty($CFG->opentogoogle)) {
if (\core_useragent::is_web_crawler()) {
$user = guest_user();
}
$referer = get_local_referer(false);
if (!empty($CFG->guestloginbutton) and !$user and !empty($referer)) {
// Automatically log in users coming from search engine results.
if (strpos($referer, 'google') !== false) {
$user = guest_user();
} else {
if (strpos($referer, 'altavista') !== false) {
$user = guest_user();
}
}
}
}
// Setup $USER and insert the session tracking record.
if ($user) {
self::set_user($user);
self::add_session_record($user->id);
} else {
self::init_empty_session();
self::add_session_record(0);
}
if ($timedout) {
$_SESSION['SESSION']->has_timed_out = true;
}
}
/**
* Checks if current user is a web crawler.
*
* This list can not be made complete, this is not a security
* restriction, we make the list only to help these sites
* especially when automatic guest login is disabled.
*
* If admin needs security they should enable forcelogin
* and disable guest access!!
*
* @return bool
* @deprecated since Moodle 3.0 use \core_useragent::is_web_crawler instead.
*/
function is_web_crawler()
{
debugging('is_web_crawler() has been deprecated, please use core_useragent::is_web_crawler() instead.', DEBUG_DEVELOPER);
return core_useragent::is_web_crawler();
}
/**
* @dataProvider user_agents_providers
*/
public function test_useragent_web_crawler($useragent, $tests)
{
// Setup the core_useragent instance.
core_useragent::instance(true, $useragent);
$expectation = isset($tests['is_web_crawler']) ? $tests['is_web_crawler'] : false;
$this->assertSame($expectation, core_useragent::is_web_crawler());
}
