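/**
 * Enforce the session security policy of the current user and refresh the
 * bookkeeping values kept in $_SESSION.
 *
 * Three checks can invalidate the session, evaluated in this order:
 *  1. the client IP changed, compared under the policy's SESSION_IP_MASK;
 *  2. the session was idle longer than the policy's SESSION_TIMEOUT (minutes);
 *  3. the absolute terminate time FX_SESSION_TERMINATE_TIME has passed.
 * An invalid session is destroyed and a fresh one started under a new,
 * unpredictable id. Afterwards SESS_IP and SESS_TIME are rewritten and, when
 * the "main" module options enable it, the session id is rotated once its ttl
 * has elapsed.
 *
 * Requires PHP >= 7.0 (random_bytes()).
 *
 * @param CurrentUser $user User whose policy supplies the IP mask and timeout.
 * @return bool true when the existing session survived, false when it was destroyed and replaced.
 * @throws \Freetrix\Main\NotSupportedException when not running under an HTTP context.
 */
public static function checkSessionSecurity(CurrentUser $user)
{
    $context = \Freetrix\Main\Application::getInstance()->getContext();
    if (!$context instanceof \Freetrix\Main\HttpContext) {
        throw new \Freetrix\Main\NotSupportedException();
    }

    $policy = $user->getPolicy();
    $currentTime = time();

    /** @var $request \Freetrix\Main\HttpRequest */
    $request = $context->getRequest();
    $remoteAddress = $request->getRemoteAddress();

    $destroySession = self::sessionViolatesPolicy($policy, $remoteAddress, $currentTime);
    if ($destroySession) {
        self::destroyAndRestartSession();
    }

    $_SESSION['SESS_IP'] = $remoteAddress;
    $_SESSION['SESS_TIME'] = time();

    // session id ttl control (configured in the "main" module options)
    self::rotateSessionIdIfExpired();

    return !$destroySession;
}

/**
 * Decide whether the current session has to be discarded.
 *
 * @param mixed $policy Policy as returned by CurrentUser::getPolicy(); read with array access.
 * @param string $remoteAddress Client address reported by the request.
 * @param int $currentTime Unix timestamp the checks are evaluated against.
 * @return bool true when one of the policy checks fails.
 */
private static function sessionViolatesPolicy($policy, $remoteAddress, $currentTime)
{
    $sessionIp = isset($_SESSION['SESS_IP']) ? $_SESSION['SESS_IP'] : '';
    $ipMask = isset($policy["SESSION_IP_MASK"]) ? (string) $policy["SESSION_IP_MASK"] : '';

    // IP address changed. ip2long() only understands IPv4 and returns false
    // otherwise, so for IPv6 clients (or an invalid mask) both sides collapse
    // to 0 and this check never fires.
    if ($sessionIp && $ipMask !== '') {
        $mask = ip2long($ipMask);
        if (($mask & ip2long($sessionIp)) !== ($mask & ip2long($remoteAddress))) {
            return true;
        }
    }

    // Session idle timeout; the policy value is in minutes.
    $timeout = isset($policy["SESSION_TIMEOUT"]) ? $policy["SESSION_TIMEOUT"] : 0;
    $lastActivity = isset($_SESSION['SESS_TIME']) ? $_SESSION['SESS_TIME'] : 0;
    if ($timeout > 0 && $lastActivity > 0 && $currentTime - $timeout * 60 > $lastActivity) {
        return true;
    }

    // Session expander control: an absolute terminate time set elsewhere.
    $terminateAt = isset($_SESSION["FX_SESSION_TERMINATE_TIME"]) ? $_SESSION["FX_SESSION_TERMINATE_TIME"] : 0;

    return $terminateAt > 0 && $currentTime > $terminateAt;
}

/**
 * Drop the current session data and start a fresh session under a new id.
 *
 * The id comes from random_bytes() (a CSPRNG); the former
 * md5(uniqid(rand(), true)) construction was predictable. Hex output is valid
 * for every session.sid_bits_per_character setting.
 *
 * @return void
 */
private static function destroyAndRestartSession()
{
    $_SESSION = [];

    // session_destroy cleans user session handles in some PHP versions,
    // see http://bugs.php.net/bug.php?id=32330 discussion. It also warns when
    // no session is active, hence the status check instead of @-suppression.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }

    if (Config\Option::get("security", "session", "N") === "Y" && Main\Loader::includeModule("security")) {
        \CSecuritySession::init();
    }

    // Set the id explicitly so session_start() does not resume the id the
    // client sent (the one just invalidated) — that would be a fixation vector.
    session_id(bin2hex(random_bytes(16)));
    session_start();
}

/**
 * Regenerate the session id once it has been in use longer than the
 * "main"/"session_id_ttl" option (seconds). Only active when
 * "main"/"use_session_id_ttl" is "Y" and FX_SESSION_ID_CHANGE is not defined.
 * Expects $_SESSION['SESS_TIME'] to hold the current request time.
 *
 * @return void
 */
private static function rotateSessionIdIfExpired()
{
    if (Config\Option::get("main", "use_session_id_ttl", "N") !== "Y"
        || intval(Config\Option::get("main", "session_id_ttl", 0)) <= 0
        || defined("FX_SESSION_ID_CHANGE")) {
        return;
    }

    if (!array_key_exists('SESS_ID_TIME', $_SESSION)) {
        // First time the ttl is enforced for this session: start the clock now.
        $_SESSION['SESS_ID_TIME'] = $_SESSION['SESS_TIME'];
        return;
    }

    $ttl = intval(Config\Option::get("main", "session_id_ttl"));
    if ($_SESSION['SESS_ID_TIME'] + $ttl < $_SESSION['SESS_TIME']) {
        if (Config\Option::get("security", "session", "N") === "Y"
            && Main\Loader::includeModule("security")) {
            \CSecuritySession::updateSessID();
        } else {
            // The old session record is left for GC; session_regenerate_id(true)
            // would delete it immediately, at the cost of racing concurrent requests.
            session_regenerate_id();
        }
        $_SESSION['SESS_ID_TIME'] = $_SESSION['SESS_TIME'];
    }
}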