/**
* Initialize PHP session and do security checks to prevent session stealing.
*/
private static function initPHPSession()
{
//start PHP session
session_write_close();
session_start();
self::debug("initPHPSession: PHPSESSID=" . session_id());
//1. check client's identifier code
//we make sure that who created the session is the one who resumes it.
$sSessionIdentifier = self::calculateSessionIdentifier();
if (AnwEnv::_SESSION(self::PHPSESSION_IDENTIFIER) && $sSessionIdentifier == AnwEnv::_SESSION(self::PHPSESSION_IDENTIFIER)) {
//2. check session code
//just to make it harder, even if someone who steals PHPSESSID would probably steal the session code too.
if (AnwEnv::_SESSION(self::PHPSESSION_CODE) && AnwEnv::_COOKIE(self::COOKIE_PHPSESSION_CODE) && AnwEnv::_SESSION(self::PHPSESSION_CODE) == AnwEnv::_COOKIE(self::COOKIE_PHPSESSION_CODE)) {
//allright, session seems safe to work with
self::debug("initPHPSession: OK, resuming PHP session (" . session_id() . ")");
return;
} else {
self::debug("initPHPSession: WARNING: no valid PHP session: bad session code");
}
} else {
self::debug("initPHPSession: no valid PHP session: bad or missing session identifier");
}
//no valid session found
self::debug("initPHPSession: no valid PHP session found, starting a new session (" . session_id() . ")");
//clear session data
if (is_array($_SESSION)) {
foreach ($_SESSION as $i => $v) {
AnwEnv::unsetSession($i);
}
}
//start a new session and delete old phpsession file
session_regenerate_id(true);
//set the session identifier, for next hit
AnwEnv::putSession(self::PHPSESSION_IDENTIFIER, $sSessionIdentifier);
//generate a session code
$sSessionCode = self::generateSessionCode();
AnwEnv::putCookie(self::COOKIE_PHPSESSION_CODE, $sSessionCode);
AnwEnv::putSession(self::PHPSESSION_CODE, $sSessionCode);
}
static function testCaptcha()
{
//retrieve typed number
$nTestedNumber = AnwEnv::_POST("captcha");
if (!$nTestedNumber) {
$nTestedNumber = AnwEnv::_GET("captcha", 0);
}
$nTestedNumber = "{$nTestedNumber}";
//compare
$bTest = AnwEnv::_SESSION(self::SESSION_CAPTCHA) && AnwEnv::_SESSION(self::SESSION_CAPTCHA) == md5($nTestedNumber);
AnwEnv::unsetSession(self::SESSION_CAPTCHA);
return $bTest;
}
function logout()
{
//object in PHPSESSION has been automatically updated.
//all we have to do is to update session in database if we are logged in.
$oSession = AnwCurrentSession::getSession();
$oSession->logout();
//duplicate with AnwCurrentSession, but so we are sure it's done
//delete session from database
$sSessionId = $oSession->getId();
$this->db()->query("DELETE FROM `#PFX#session` WHERE SessionId=" . $this->db()->strtosql($sSessionId));
//unset session cookies
$this->saveSession($oSession);
//unset session in cache to be sure to start a new anonymous session
AnwEnv::unsetSession(self::ANWSESSION);
}
static function restoreHttpPostFromSession()
{
if (AnwEnv::_SESSION(self::SESSION_POST) && is_array(AnwEnv::_SESSION(self::SESSION_POST))) {
$asPost = AnwEnv::_SESSION(self::SESSION_POST);
//warning, we get a reference to _SESSION here!
self::debug("Restoring POST from session...");
foreach ($asPost as $i => $v) {
if (!isset($_POST[$i])) {
$_POST[$i] = $v;
self::debug("RestoreHttpPostFromSession(): restored _POST[{$i}]");
} else {
self::debug("RestoreHttpPostFromSession(): skipping _POST[{$i}], already set");
}
/*if (!isset($_REQUEST[$i]))
{
$_REQUEST[$i] = $v;
self::debug("RestoreHttpPostFromSession(): restored _REQUEST[$i]");
}
else
{
self::debug("RestoreHttpPostFromSession(): skipping _REQUEST[$i], already set");
}*/
}
self::debug("anwpostdata : unset");
AnwEnv::unsetSession(self::SESSION_POST);
} else {
self::debug("ResrestoreHttpPostFromSession(): nothing to restore");
}
}
