示例#1
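 /**
  * Check whether the visitor is logged in; when no session exists, try to
  * restore it from the "Remember me" cookies.
  *
  * Side effects: starts the session if none is active, may call
  * self::logout(), may redirect to "/" and terminate the script.
  * Returns nothing; callers read $_SESSION afterwards.
  *
  * NOTE(review): the body calls self::logout(), so this is evidently an
  * excerpt of a class method even though it is declared here as a plain
  * function. APP_COOKIE_EXPIRA is presumably the cookie lifetime in days
  * (it is multiplied by 60*60*24) — confirm against its definition.
  *
  * @global mysql $db
  * @return void
  */
 function isLoged()
 {
     // Start a session only when none is active. The original "@session_start()"
     // also hid "headers already sent" and "session already started" errors.
     if (session_id() === '') {
         session_start();
     }
     global $db;

     // The hash of the User-Agent is bound to the session at login; a mismatch
     // is treated as a hijacked session.
     $currentAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
     $agentHash = md5($currentAgent);
     if (isset($_SESSION['HTTP_USER_AGENT'])) {
         if ($_SESSION['HTTP_USER_AGENT'] !== $agentHash) {
             self::logout();
             exit;
         }
     }

     // A session is already established: nothing to restore.
     if (isset($_SESSION['usr_email']) || isset($_SESSION['created_at'])) {
         return;
     }

     // No session and no "Remember me" cookies: back to the homepage.
     if (!isset($_COOKIE['usr_email']) || !isset($_COOKIE['created_at'])) {
         header("Location: /");
         exit;
     }

     // Validate the cookie value before it gets anywhere near a query.
     if (!MyTools::isEmail($_COOKIE['usr_email'])) {
         self::logout();
         return;
     }

     // The cookie is untrusted: expiry and session key are verified against the
     // `users` row, never against values carried inside the cookie itself.
     // NOTE(review): DbTools::filterData() is assumed to make the value safe for
     // this string-built query (the mysql_* extension has no parameter binding);
     // if it does not escape, mysql_real_escape_string() is required here.
     $cookie_user_email = DbTools::filterData($_COOKIE['usr_email']);
     $sessionKeyQry = mysql_query("select `session_key`,`last_access` from `users` where `email` ='{$cookie_user_email}'");
     if ($sessionKeyQry === false) {
         // Log the driver error instead of echoing it to the client (the original
         // "or die(mysql_error())" disclosed query details to the browser).
         error_log('isLoged: ' . mysql_error());
         self::logout();
         exit;
     }
     $row = mysql_fetch_row($sessionKeyQry);
     if ($row === false) {
         // Unknown e-mail: the cookie cannot be honoured.
         self::logout();
         return;
     }
     list($sessionkey, $lastaccess) = $row;

     // time() takes no argument, so the original "time($lastaccess)" compared
     // "now" with "now" and the cookie never expired. Accept either a Unix
     // timestamp or a DATETIME string in `last_access`; an unparseable value
     // yields 0 and therefore counts as expired (fail closed).
     $lastAccessTs = is_numeric($lastaccess) ? (int) $lastaccess : (int) strtotime((string) $lastaccess);
     if (time() - $lastAccessTs > 60 * 60 * 24 * APP_COOKIE_EXPIRA) {
         self::logout();
         // Without this return an expired cookie was still accepted below.
         return;
     }

     // Constant-time comparison of the cookie key with the stored one; the
     // original loose "==" was also vulnerable to "0e..." magic-hash equality.
     // hash_equals() needs PHP >= 5.6.
     $cookieKey = isset($_COOKIE['usr_session_key']) ? (string) $_COOKIE['usr_session_key'] : '';
     if (empty($sessionkey) || !hash_equals(sha1($sessionkey), $cookieKey)) {
         self::logout();
         return;
     }

     // Valid "Remember me" cookie: rebuild the session under a fresh id.
     // Passing true also discards the old session data (session fixation).
     session_regenerate_id(true);
     $_SESSION['usr_email'] = $_COOKIE['usr_email'];
     $_SESSION['created_at'] = $_COOKIE['created_at'];
     // TODO(review): the administrator flag is read from a client-controlled
     // cookie, so any visitor can set it; it must come from the `users` row
     // instead (column name not visible here). Kept so existing admins are not
     // locked out, but this is a privilege-escalation risk until fixed.
     $_SESSION['usr_administrator'] = isset($_COOKIE['usr_administrator']) ? $_COOKIE['usr_administrator'] : null;
     $_SESSION['HTTP_USER_AGENT'] = $agentHash;
 }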