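<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.

/**
 * Session key (request-forgery token) helpers and the "remember username" cookie.
 *
 * @package core
 * @subpackage session
 * @copyright 1999 onwards Martin Dougiamas {@link http://moodle.com}
 * @copyright 2008, 2009 Petr Skoda {@link http://skodak.org}
 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

defined('MOODLE_INTERNAL') || die();


/**
 * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
 * if one does not already exist, but does not overwrite existing sesskeys. Returns the
 * sesskey string if $USER exists, or boolean false if not.
 *
 * The key lives in the server-side session only; callers embed it in forms and links
 * and verify it with {@link confirm_sesskey()} before any state-changing action.
 *
 * @uses $USER
 * @return string|false the session key, or false when the session holds no user object
 */
function sesskey() {
    // Note: do not use $USER because it may not be initialised yet.
    if (empty($_SESSION['USER']->sesskey)) {
        if (!isset($_SESSION['USER'])) {
            // This should never happen,
            // do not mess with session and globals here,
            // let any checks fail instead!
            return false;
        }
        // NOTE(review): random_string() is defined elsewhere; the strength of this
        // token depends on it drawing from a cryptographically secure source and on
        // the 10-character length being sufficient - confirm both.
        $_SESSION['USER']->sesskey = random_string(10);
    }

    return $_SESSION['USER']->sesskey;
}


/**
 * Check the sesskey and return true or false for whether it is valid.
 * (You might like to imagine this function is called sesskey_is_valid().)
 *
 * Every script that lets the user perform a significant action (that is,
 * changes data in the database) should check the sesskey before doing the action.
 * Depending on your code flow, you may want to use the {@link require_sesskey()}
 * helper function.
 *
 * The comparison is done with hash_equals() so that the time taken does not depend
 * on how many leading characters of the submitted value are correct.
 *
 * @param string $sesskey The sesskey value to check (optional). Normally leave this blank
 *     and this function will do required_param('sesskey', ...).
 * @return bool whether the sesskey sent in the request matches the one stored in the session.
 */
function confirm_sesskey($sesskey=NULL) {
    global $USER;

    // NOTE(review): this flag switches the check off entirely for the current user
    // object. It is set outside this file - every place that sets it is part of the
    // request-forgery trust boundary and should be audited.
    if (!empty($USER->ignoresesskey)) {
        return true;
    }

    if (empty($sesskey)) {
        $sesskey = required_param('sesskey', PARAM_RAW); // Check script parameters.
    }

    $expected = sesskey();

    // Fail closed: sesskey() returns false when there is no session user, and
    // hash_equals() accepts strings only.
    if (!is_string($expected) || !is_string($sesskey)) {
        return false;
    }

    return hash_equals($expected, $sesskey);
}

/**
 * Check the session key using {@link confirm_sesskey()},
 * and cause a fatal error if it does not match.
 *
 * @throws \moodle_exception 'invalidsesskey' when the check fails
 */
function require_sesskey() {
    if (!confirm_sesskey()) {
        throw new \moodle_exception('invalidsesskey');
    }
}

/**
 * Determine whether the secure flag should be set on cookies.
 *
 * The flag is only returned as true when $CFG->cookiesecure is enabled AND the request
 * is either seen as HTTPS by is_https() or $CFG->sslproxy is set. A secure-flagged
 * cookie on a plain-HTTP site would never be sent back by the browser.
 *
 * @return bool
 */
function is_moodle_cookie_secure() {
    global $CFG;

    if (!isset($CFG->cookiesecure)) {
        return false;
    }
    // NOTE(review): sslproxy is taken from configuration on trust; presumably it means
    // TLS is terminated in front of this server - confirm the deployment matches.
    if (!is_https() && empty($CFG->sslproxy)) {
        return false;
    }
    return !empty($CFG->cookiesecure);
}

/**
 * Sets a moodle cookie with a weakly encrypted username
 *
 * "Weakly encrypted" is meant literally: rc4encrypt() is defined elsewhere and nothing
 * in this file adds an integrity check, so the cookie must be regarded as obfuscated,
 * not confidential and not tamper-proof. It is a convenience for remembering a username
 * and must never be used as evidence of who the visitor is.
 *
 * @param string $username to encrypt and place in a cookie, '' means delete current cookie
 * @return void
 */
function set_moodle_cookie($username) {
    global $CFG;

    if (NO_MOODLE_COOKIES) {
        return;
    }

    if (empty($CFG->rememberusername)) {
        // Erase current and do not store permanent cookies.
        $username = '';
    }

    if ($username === 'guest') {
        // Keep previous cookie in case of guest account login.
        return;
    }

    $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;

    $cookiesecure = is_moodle_cookie_secure();

    // NOTE(review): the positional form of setcookie() used below cannot carry a
    // SameSite attribute; if this cookie should have one, the options-array form is
    // needed. Left unchanged here because the right value depends on the deployment.

    // Delete old cookie.
    setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain,
            $cookiesecure, $CFG->cookiehttponly);

    if ($username !== '') {
        // Set username cookie for 60 days.
        setcookie($cookiename, rc4encrypt($username), time() + (DAYSECS * 60), $CFG->sessioncookiepath,
                $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);
    }
}

/**
 * Gets a moodle cookie with a weakly encrypted username
 *
 * The returned value originates from the client and carries no integrity protection
 * that is visible in this file. Treat it as an untrusted hint (for example to pre-fill
 * a login form, escaped for the output context), never as an authenticated identity.
 *
 * @return string username, or '' when the feature is off or no usable cookie is present
 */
function get_moodle_cookie() {
    global $CFG;

    if (NO_MOODLE_COOKIES) {
        return '';
    }

    if (empty($CFG->rememberusername)) {
        return '';
    }

    $cookiename = 'MOODLEID1_'.$CFG->sessioncookie;

    // The cookie value is client-supplied and PHP may present it as an array rather
    // than a string, so check the type before handing it to rc4decrypt().
    if (empty($_COOKIE[$cookiename]) || !is_string($_COOKIE[$cookiename])) {
        return '';
    }

    $username = rc4decrypt($_COOKIE[$cookiename]);
    if ($username === 'guest' || $username === 'nobody') {
        // Backwards compatibility - we do not set these cookies any more.
        $username = '';
    }
    return $username;
}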