$string['sessionerroruser'] = 'Your session has timed out. Please login again.';
$string['sessionerroruser2'] = 'A server error that affects your login session was detected. Please login again or restart your browser.';
$string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
+$string['sessionipnomatch2'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. You may see this error if you use wireless networks or if you are roaming between different networks. Please ask the site administrator for more help.<br /><br />If you want to continue please press F5 key to refresh this page.';
$string['socksnotsupported'] = 'SOCKS5 proxy is not supported in PHP4';
$string['spellcheckernotconf'] = 'Spellchecker not configured';
$string['statscatchupmode'] = 'Statistics is currently in catchup mode. So far $a->daysdone day(s) have been processed and $a->dayspending are pending. Check back soon!';
/** DEBUG_ALL with extra Moodle debug messages - (DEBUG_ALL | 32768) */
define ('DEBUG_DEVELOPER', 38911);
+/** Get remote addr constant */
+define('GETREMOTEADDR_SKIP_HTTP_CLIENT_IP', '1');
+/** Get remote addr constant */
+define('GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR', '2');
/// Blog access level constant declaration ///
define ('BLOG_USER_LEVEL', 1);
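Review bot: The two doc comments `Get remote addr constant` on the new defines say nothing about what the constants select; from their names they appear to be flags telling getremoteaddr() which proxy-style headers to ignore, which is the one thing an administrator configuring session IP checks needs to know. Suggest `/** getremoteaddr(): ignore the client-supplied HTTP_CLIENT_IP header */` and `/** getremoteaddr(): ignore the client-supplied HTTP_X_FORWARDED_FOR header */`, plus a sentence noting that both headers arrive from the requesting client or proxy and are only meaningful when the site sits behind a proxy it controls. The values are also strings (`'1'`, `'2'`) rather than ints; if getremoteaddr() combines them as a bitmask, integer constants would avoid depending on numeric-string coercion.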
$user->lastname = ' ';
}
- if (isset($_SERVER['REMOTE_ADDR'])) {
- $user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
- }
-
return $user;
}
*
* @return string The remote IP address
*/
-define('GETREMOTEADDR_SKIP_HTTP_CLIENT_IP', '1');
-define('GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR', '2');
function getremoteaddr() {
global $CFG;
}
$this->check_user_initialised();
+
+ $this->check_security();
}
/**
session_set_user($user);
}
+ /**
+ * Does various session security checks
+ * @global void
+ */
protected function check_security() {
global $CFG;
- if (!empty($_SESSION['USER']->id)) {
- /// Make sure current IP matches the one for this session (if required)
+ if (!empty($_SESSION['USER']->id) and !empty($CFG->tracksessionip)) {
+ /// Make sure current IP matches the one for this session
$remoteaddr = getremoteaddr();
if (empty($_SESSION['USER']->sessionip)) {
}
if ($_SESSION['USER']->sessionip != $remoteaddr) {
- if (!is_guestuser($_SESSION['USER'])) {
- $link = '';
- } else {
-
- }
- print_error('sessionipnomatch', 'error');
+ // this is a security feature - terminate the session in case of any doubt
+ $this->terminate();
+ print_error('sessionipnomatch2', 'error');
}
}
+ // TODO: add wwwroot check here
+
}
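Review bot: The comparison `$_SESSION['USER']->sessionip != $remoteaddr` in check_security() uses loose `!=`; both operands are strings, so `if ($_SESSION['USER']->sessionip !== $remoteaddr) {` is the safer and clearer form. The check is only as strong as getremoteaddr() itself: if that function honours HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP without a trusted proxy in front of the site, a hijacked session can be replayed with the victim's header value, so the docblock should state that tracksessionip assumes getremoteaddr() returns the real peer address. The docblock tag `@global void` is not valid PHPDoc; it should read `@global object $CFG` with `@return void`. The body of the `if (empty($_SESSION['USER']->sessionip))` branch is collapsed in this hunk, so whether a missing sessionip is recorded or treated as a mismatch is not visible here.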
/**
$line = null;
if (headers_sent($file, $line)) {
error_log('Can not terminate session properly - headers were already sent in file: '.$file.' on line '.$line);
- } else {
- // TODO: regenerate session ID here
-
}
+ // now let's try to get a new session id and destroy the old one
+ @session_regenerate_id(true);
+
+ // close the session
@session_write_close();
}
}
}
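Review bot: `@session_regenerate_id(true)` now runs unconditionally and its result is discarded, so in the case already logged above (headers sent) the regeneration fails silently and the old session id that check_security() is trying to invalidate stays valid; the `@` hides exactly the warning that would reveal this. Suggest checking the return: `if (!@session_regenerate_id(true)) { error_log('Can not regenerate session id - old session may remain valid'); }`. The enclosing function starts outside the hunk, so whether `$_SESSION` is cleared before this point is not visible; if it is not, the user data is carried over into the regenerated session rather than terminated.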
-/// start session and prepare global $SESSION, $USER
- session_get_instance();
- $SESSION = &$_SESSION['SESSION'];
- $USER = &$_SESSION['USER'];
-
+/// initialise ME's
if (defined('FULLME')) { // Usually in command-line scripts like admin/cron.php
$FULLME = FULLME;
$ME = FULLME;
$ME = strip_querystring($FULLME);
}
+/// start session and prepare global $SESSION, $USER
+ session_get_instance();
+ $SESSION = &$_SESSION['SESSION'];
+ $USER = &$_SESSION['USER'];
+
/// Load up theme variables (colours etc)
if (!isset($CFG->themedir)) {
if (debugging('', DEBUG_DEVELOPER)) {
if ($debuginfo) {
debugging($debuginfo, DEBUG_DEVELOPER, $backtrace);
- } else {
+ } else if ($backtrace) {
notify('Stack trace:'.print_backtrace($backtrace, true), 'notifytiny');
}
}