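/**
 * Starts the PHP session, restores stored state and ties the session to a
 * coarse client fingerprint (MD5 of User-Agent + Accept-Charset).
 *
 * Security notes for maintainers:
 *  - Both fingerprint inputs are client-supplied request headers, so the check
 *    only detects a session ID being reused by a different browser. It does
 *    not authenticate the client and is not a complete session-fixation
 *    defence; the session ID should also be regenerated at login or any
 *    privilege change (not visible in this block).
 *  - MD5 serves only as a compact fingerprint, not as a secret. It is kept so
 *    that hashes already stored in live sessions continue to match.
 *
 * @param string $sessionKey Passed straight through to sessionStart().
 */
function __construct($sessionKey = '')
{
    $this->sessionStart($sessionKey, false);

    $this->sessionData['curr_session_id'] = session_id();
    $this->sessionData['start_session_time'] = date('Y-m-d H:i:s');

    // NOTE(review): 'curdbsessid' comes from the request and is stored as-is.
    // How restoreSession() uses it is not visible here; confirm it is validated
    // before it selects or loads any server-side session record.
    $sCurrentDBSessionID = Func::POSTGET('curdbsessid');
    if ($sCurrentDBSessionID) {
        $this->sCurrentDBSessionID = $sCurrentDBSessionID;
    }

    $this->restoreSession();

    // check access to fordev mode
    $this->checkFORDEV();

    // 'session fixation' vulnerability
    if (!empty($this->sessionData['curr_session_id'])) {
        # many users have dynamic IPs and the session was dropped too often,
        # so the IP part of the fingerprint is commented out for now
        //$ip = func::getRemoteAddress(false);
        //$ip = substr($ip, 0, strrpos($ip, '.') - 1);

        $useragent = func::getSERVER('HTTP_USER_AGENT', 'no user agent');
        $charset = func::getSERVER('HTTP_ACCEPT_CHARSET', 'hello from IE');
        $fixHash = md5($useragent . $charset);

        if (!isset($this->sessionData['hash'])) {
            // First request of this session: remember the fingerprint.
            $this->sessionData['hash'] = $fixHash;
        } elseif ($this->sessionData['hash'] !== $fixHash) {
            // Strict comparison: with loose `!=`, two different digests that both
            // look like "0e<digits>" are compared as floats and treated as equal,
            // which would let a mismatching client pass the check.
            $uaLower = strtolower($useragent);

            // swfupload: HTTP_USER_AGENT = 'Shockwave Flash'; HTTP_ACCEPT_CHARSET = '';
            // NOTE(review): this exemption depends only on client-controlled values
            // (the User-Agent header and a non-empty POST 'sessid'), so any request
            // presenting them skips the fingerprint check. Consider retiring it or
            // replacing it with a server-issued, single-use upload token.
            $isFlashUpload = !empty($_POST['sessid'])
                && (strpos($uaLower, 'adobe flash') !== false
                    || in_array($uaLower, array('shockwave flash', 'adobe flash player 10'), true));

            if (!$isFlashUpload) {
                // Fingerprint changed: move this client to a fresh, empty session.
                // The previous session ID is not deleted (no `true` argument), as in
                // the original code. NOTE(review): confirm this is intended so that
                // a mismatching request cannot log out the original holder.
                session_regenerate_id();
                $this->sessionData = array();
                $this->sessionData['hash'] = $fixHash;
            }
        }
    }
}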