';
if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
//cookieless mode - rewrite links
- $output = $SESSION->sid_ob_rewrite($output);
+ $output = sid_ob_rewrite($output);
}
@header('Content-Length: '.strlen($output));
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index c2e01cec690..f8dea4c536b 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -1827,55 +1827,6 @@ function dayofweek($day, $month, $year) {
/// USER AUTHENTICATION AND LOGIN ////////////////////////////////////////
-/**
- * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
- * if one does not already exist, but does not overwrite existing sesskeys. Returns the
- * sesskey string if $USER exists, or boolean false if not.
- *
- * @uses $USER
- * @return string
- */
-function sesskey() {
- global $USER;
-
- if(!isset($USER)) {
- return false;
- }
-
- if (empty($USER->sesskey)) {
- $USER->sesskey = random_string(10);
- }
-
- return $USER->sesskey;
-}
-
-
-/**
- * For security purposes, this function will check that the currently
- * given sesskey (passed as a parameter to the script or this function)
- * matches that of the current user.
- *
- * @param string $sesskey optionally provided sesskey
- * @return bool
- */
-function confirm_sesskey($sesskey=NULL) {
- global $USER;
-
- if (!empty($USER->ignoresesskey) || !empty($CFG->ignoresesskey)) {
- return true;
- }
-
- if (empty($sesskey)) {
- $sesskey = required_param('sesskey', PARAM_RAW); // Check script parameters
- }
-
- if (!isset($USER->sesskey)) {
- return false;
- }
-
- return ($USER->sesskey === $sesskey);
-}
-
/**
* Setup all global $CFG course variables, set locale and also themes
* This function can be used on pages that do not require login instead of require_login()
@@ -2202,7 +2153,7 @@ function require_logout() {
}
}
- $SESSION->terminate();
+ get_session()->terminate();
}
/**
@@ -3205,12 +3156,12 @@ function complete_user_login($user) {
update_user_login_times();
if (empty($CFG->nolastloggedin)) {
- $SESSION->set_moodle_cookie($USER->username);
+ set_moodle_cookie($USER->username);
} else {
// do not store last logged in user in cookie
// auth plugins can temporarily override this from loginpage_hook()
// do not save $CFG->nolastloggedin in database!
- $SESSION->set_moodle_cookie('nobody');
+ set_moodle_cookie('nobody');
}
set_login_session_preferences();
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index 8e34ef54202..577608f3810 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -1,158 +1,81 @@
prepare_cookies();
$this->init_session_storage();
if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
- $this->sid_start_ob();
+ sid_start_ob();
}
- if (!NO_MOODLE_COOKIES) {
+ if (NO_MOODLE_COOKIES) {
+ $_SESSION = array();
+ $_SESSION['SESSION'] = new object();
+ $_SESSION['USER'] = new object();
+
+ } else {
session_name('MoodleSession'.$CFG->sessioncookie);
session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
@session_start();
if (!isset($_SESSION['SESSION'])) {
$_SESSION['SESSION'] = new object();
- $_SESSION['SESSION']->session_test = random_string(10);
- if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
- $_SESSION['SESSION']->has_timed_out = true;
- }
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
- $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] = $_SESSION['SESSION']->session_test;
}
if (!isset($_SESSION['USER'])) {
$_SESSION['USER'] = new object();
}
-
- if (!isset($_SESSION['USER']->id)) {
- $_SESSION['USER']->id = 0; // to enable proper function of $CFG->notloggedinroleid hack
- if (isset($CFG->mnet_localhost_id)) {
- $_SESSION['USER']->mnethostid = $CFG->mnet_localhost_id;
- }
- }
-
- $this->session = null;
-
- } else {
- $this->session = new object();
}
- }
- /**
- * Verify session, this detects problems with "switched" sessions
- * or multiple different wwwroot used at the same time.
- */
- public function session_verify() {
- global $CFG;
-
- /// disable checks when working in cookieless mode
- if (empty($CFG->usesid) || !empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
- if ($this->session != NULL) {
- if (empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
- $this->report_session_error();
- } else if (isset($this->session->session_test) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] != $this->session->session_test) {
- $this->report_session_error();
- }
+ if (!isset($_SESSION['USER']->id)) {
+ $_SESSION['USER']->id = 0; // to enable proper function of $CFG->notloggedinroleid hack
+ if (isset($CFG->mnet_localhost_id)) {
+ $_SESSION['USER']->mnethostid = $CFG->mnet_localhost_id;
}
}
}
- /**
- * Report serious problem detected in suer session
- */
- function report_session_error() {
- global $CFG, $FULLME;
-
- if (empty($CFG->lang)) {
- $CFG->lang = "en";
- }
- // Set up default theme and locale
- theme_setup();
- moodle_setlocale();
-
- //clear session cookies
- setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
-
- //increment database error counters
- if (isset($CFG->session_error_counter)) {
- set_config('session_error_counter', 1 + $CFG->session_error_counter);
- } else {
- set_config('session_error_counter', 1);
- }
- redirect($FULLME, get_string('sessionerroruser2', 'error'), 5);
- }
-
/**
* Terminates active moodle session
*/
public function terminate() {
global $CFG, $SESSION, $USER;
- // Initialize variable to pass-by-reference to headers_sent(&$file, &$line)
- $file = null;
- $line = null;
- if (headers_sent($file, $line)) {
- error_log('MoodleSessionTest cookie could not be set in moodlelib.php:'.__LINE__);
- error_log('Headers were already sent in file: '.$file.' on line '.$line);
- } else {
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
- }
-
- $this->session = new object();
- $_SESSION = array();
+ $_SESSION = array();
+ $SESSION = new object();
$USER = new object();
$USER->id = 0;
if (isset($CFG->mnet_localhost_id)) {
$USER->mnethostid = $CFG->mnet_localhost_id;
}
+ // Initialize variable to pass-by-reference to headers_sent(&$file, &$line)
+ $file = null;
+ $line = null;
+ if (headers_sent($file, $line)) {
+ error_log('Can not terminate session properly - headers were already sent in file: '.$file.' on line '.$line);
+ } else {
+ // TODO: regenerate session ID here
+
+ }
+
@session_write_close();
}
-
- public function __set($name, $value) {
- if (!is_null($this->session)) {
- $this->session->{$name} = $value;
- } else {
- $_SESSION['SESSION']->{$name} = $value;
- }
- }
-
- public function &__get($name) { // this is a weird hack for this stupid bug http://bugs.php.net/bug.php?id=39449
- if (!is_null($this->session)) {
- return $this->session->{$name};
- } else {
- return $_SESSION['SESSION']->{$name};
- }
- }
-
- public function __isset($name) {
- if (!is_null($this->session)) {
- return isset($this->session->{$name});
- } else {
- return isset($_SESSION['SESSION']->{$name});
- }
- }
-
- public function __unset($name) {
- if (!is_null($this->session)) {
- unset($this->session->{$name});
- } else {
- unset($_SESSION['SESSION']->{$name});
- }
- }
-
/**
* Prepare cookies and varions system settings
*/
@@ -199,9 +122,6 @@ class moodle_session {
if (!empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]) && $_COOKIE['MoodleSession'.$CFG->sessioncookie] == "deleted") {
unset($_COOKIE['MoodleSession'.$CFG->sessioncookie]);
}
- if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] == "deleted") {
- unset($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]);
- }
}
/**
@@ -234,185 +154,235 @@ class moodle_session {
}
}
}
+}
- /**
- * Sets a moodle cookie with a weakly encrypted string
- *
- * @uses $CFG
- * @uses DAYSECS
- * @uses HOURSECS
- * @param string $thing The string to encrypt and place in a cookie
- */
- public static function set_moodle_cookie($thing) {
- global $CFG;
+/**
+ * Makes sure that $USER->sesskey exists, if $USER itself exists. It sets a new sesskey
+ * if one does not already exist, but does not overwrite existing sesskeys. Returns the
+ * sesskey string if $USER exists, or boolean false if not.
+ *
+ * @uses $USER
+ * @return string
+ */
+function sesskey() {
+ global $USER;
- if ($thing == 'guest') { // Ignore guest account
- return;
- }
-
- $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
-
- $days = 60;
- $seconds = DAYSECS*$days;
-
- // no need to set secure or http cookie only here - it is not secret
- setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
- setcookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
+ if(!isset($USER)) {
+ return false;
}
- /**
- * Gets a moodle cookie with a weakly encrypted string
- *
- * @uses $CFG
- * @return string
- */
- public static function get_moodle_cookie() {
- global $CFG;
-
- $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
-
- if (empty($_COOKIE[$cookiename])) {
- return '';
- } else {
- $thing = rc4decrypt($_COOKIE[$cookiename]);
- return ($thing == 'guest') ? '': $thing; // Ignore guest account
- }
+ if (empty($USER->sesskey)) {
+ $USER->sesskey = random_string(10);
}
- /**
- * Enable cookieless sessions by including $CFG->usesid=true;
- * in config.php.
- * Based on code from php manual by Richard at postamble.co.uk
- * Attempts to use cookies if cookies not present then uses session ids attached to all urls and forms to pass session id from page to page.
- * If site is open to google, google is given guest access as usual and there are no sessions. No session ids will be attached to urls for googlebot.
- * This doesn't require trans_sid to be turned on but this is recommended for better performance
- * you should put :
- * session.use_trans_sid = 1
- * in your php.ini file and make sure that you don't have a line like this in your php.ini
- * session.use_only_cookies = 1
- * @author Richard at postamble.co.uk and Jamie Pratt
- * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
- */
- /**
- * You won't call this function directly. This function is used to process
- * text buffered by php in an output buffer. All output is run through this function
- * before it is ouput.
- * @param string $buffer is the output sent from php
- * @return string the output sent to the browser
- */
- public static function sid_ob_rewrite($buffer){
- $replacements = array(
- '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")([^"]*)(")/i',
- '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')([^\']*)(\')/i');
+ return $USER->sesskey;
+}
- $buffer = preg_replace_callback($replacements, array('moodle_session', 'sid_rewrite_link_tag'), $buffer);
- $buffer = preg_replace('/]*>/i',
- '\0', $buffer);
- return $buffer;
- }
- /**
- * You won't call this function directly. This function is used to process
- * text buffered by php in an output buffer. All output is run through this function
- * before it is ouput.
- * This function only processes absolute urls, it is used when we decide that
- * php is processing other urls itself but needs some help with internal absolute urls still.
- * @param string $buffer is the output sent from php
- * @return string the output sent to the browser
- */
- public static function sid_ob_rewrite_absolute($buffer){
- $replacements = array(
- '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")((?:http|https)[^"]*)(")/i',
- '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')((?:http|https)[^\']*)(\')/i');
+/**
+ * For security purposes, this function will check that the currently
+ * given sesskey (passed as a parameter to the script or this function)
+ * matches that of the current user.
+ *
+ * @param string $sesskey optionally provided sesskey
+ * @return bool
+ */
+function confirm_sesskey($sesskey=NULL) {
+ global $USER;
- $buffer = preg_replace_callback($replacements, array('moodle_session', 'sid_rewrite_link_tag'), $buffer);
- $buffer = preg_replace('/]*>/i',
- '\0', $buffer);
- return $buffer;
+ if (!empty($USER->ignoresesskey) || !empty($CFG->ignoresesskey)) {
+ return true;
}
- /**
- * A function to process link, a and script tags found
- * by preg_replace_callback in {@link sid_ob_rewrite($buffer)}.
- */
- public static function sid_rewrite_link_tag($matches){
- $url = $matches[4];
- $url = moodle_session::sid_process_url($url);
- return $matches[1].$url.$matches[5];
+ if (empty($sesskey)) {
+ $sesskey = required_param('sesskey', PARAM_RAW); // Check script parameters
}
- /**
- * You can call this function directly. This function is used to process
- * urls to add a moodle session id to the url for internal links.
- * @param string $url is a url
- * @return string the processed url
- */
- public static function sid_process_url($url) {
- global $CFG;
-
- if ((preg_match('/^(http|https):/i', $url)) // absolute url
- && ((stripos($url, $CFG->wwwroot)!==0) && stripos($url, $CFG->httpswwwroot)!==0)) { // and not local one
- return $url; //don't attach sessid to non local urls
- }
- if ($url[0]=='#' || (stripos($url, 'javascript:')===0)) {
- return $url; //don't attach sessid to anchors
- }
- if (strpos($url, session_name())!==FALSE) {
- return $url; //don't attach sessid to url that already has one sessid
- }
- if (strpos($url, "?")===FALSE) {
- $append = "?".strip_tags(session_name() . '=' . session_id());
- } else {
- $append = "&".strip_tags(session_name() . '=' . session_id());
- }
- //put sessid before any anchor
- $p = strpos($url, "#");
- if ($p!==FALSE){
- $anch = substr($url, $p);
- $url = substr($url, 0, $p).$append.$anch ;
- } else {
- $url .= $append ;
- }
- return $url;
+ if (!isset($USER->sesskey)) {
+ return false;
}
- /**
- * Call this function before there has been any output to the browser to
- * buffer output and add session ids to all internal links.
- */
- public static function sid_start_ob(){
- global $CFG;
- //don't attach sess id for bots
+ return ($USER->sesskey === $sesskey);
+}
- if (!empty($_SERVER['HTTP_USER_AGENT'])) {
- if (!empty($CFG->opentogoogle)) {
- if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
- @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
- $CFG->usesid=false;
- return;
- }
- if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false) {
- @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
- $CFG->usesid=false;
- return;
- }
+/**
+ * Sets a moodle cookie with a weakly encrypted string
+ *
+ * @uses $CFG
+ * @uses DAYSECS
+ * @uses HOURSECS
+ * @param string $thing The string to encrypt and place in a cookie
+ */
+function set_moodle_cookie($thing) {
+ global $CFG;
+
+ if ($thing == 'guest') { // Ignore guest account
+ return;
+ }
+
+ $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
+
+ $days = 60;
+ $seconds = DAYSECS*$days;
+
+ // no need to set secure or http cookie only here - it is not secret
+ setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
+ setcookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
+}
+
+/**
+ * Gets a moodle cookie with a weakly encrypted string
+ *
+ * @uses $CFG
+ * @return string
+ */
+function get_moodle_cookie() {
+ global $CFG;
+
+ $cookiename = 'MOODLEID_'.$CFG->sessioncookie;
+
+ if (empty($_COOKIE[$cookiename])) {
+ return '';
+ } else {
+ $thing = rc4decrypt($_COOKIE[$cookiename]);
+ return ($thing == 'guest') ? '': $thing; // Ignore guest account
+ }
+}
+
+/**
+* Enable cookieless sessions by including $CFG->usesid=true;
+* in config.php.
+* Based on code from php manual by Richard at postamble.co.uk
+* Attempts to use cookies if cookies not present then uses session ids attached to all urls and forms to pass session id from page to page.
+* If site is open to google, google is given guest access as usual and there are no sessions. No session ids will be attached to urls for googlebot.
+* This doesn't require trans_sid to be turned on but this is recommended for better performance
+* you should put :
+* session.use_trans_sid = 1
+* in your php.ini file and make sure that you don't have a line like this in your php.ini
+* session.use_only_cookies = 1
+* @author Richard at postamble.co.uk and Jamie Pratt
+* @license http://www.gnu.org/copyleft/gpl.html GNU Public License
+*/
+/**
+* You won't call this function directly. This function is used to process
+* text buffered by php in an output buffer. All output is run through this function
+* before it is ouput.
+* @param string $buffer is the output sent from php
+* @return string the output sent to the browser
+*/
+function sid_ob_rewrite($buffer){
+ $replacements = array(
+ '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")([^"]*)(")/i',
+ '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')([^\']*)(\')/i');
+
+ $buffer = preg_replace_callback($replacements, 'sid_rewrite_link_tag', $buffer);
+ $buffer = preg_replace('/]*>/i',
+ '\0', $buffer);
+
+ return $buffer;
+}
+/**
+* You won't call this function directly. This function is used to process
+* text buffered by php in an output buffer. All output is run through this function
+* before it is ouput.
+* This function only processes absolute urls, it is used when we decide that
+* php is processing other urls itself but needs some help with internal absolute urls still.
+* @param string $buffer is the output sent from php
+* @return string the output sent to the browser
+*/
+function sid_ob_rewrite_absolute($buffer){
+ $replacements = array(
+ '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*")((?:http|https)[^"]*)(")/i',
+ '/(<\s*(a|link|script|frame|area)\s[^>]*(href|src)\s*=\s*\')((?:http|https)[^\']*)(\')/i');
+
+ $buffer = preg_replace_callback($replacements, 'sid_rewrite_link_tag', $buffer);
+ $buffer = preg_replace('/]*>/i',
+ '\0', $buffer);
+ return $buffer;
+}
+
+/**
+* A function to process link, a and script tags found
+* by preg_replace_callback in {@link sid_ob_rewrite($buffer)}.
+*/
+function sid_rewrite_link_tag($matches){
+ $url = $matches[4];
+ $url = sid_process_url($url);
+ return $matches[1].$url.$matches[5];
+}
+
+/**
+* You can call this function directly. This function is used to process
+* urls to add a moodle session id to the url for internal links.
+* @param string $url is a url
+* @return string the processed url
+*/
+function sid_process_url($url) {
+ global $CFG;
+
+ if ((preg_match('/^(http|https):/i', $url)) // absolute url
+ && ((stripos($url, $CFG->wwwroot)!==0) && stripos($url, $CFG->httpswwwroot)!==0)) { // and not local one
+ return $url; //don't attach sessid to non local urls
+ }
+ if ($url[0]=='#' || (stripos($url, 'javascript:')===0)) {
+ return $url; //don't attach sessid to anchors
+ }
+ if (strpos($url, session_name())!==FALSE) {
+ return $url; //don't attach sessid to url that already has one sessid
+ }
+ if (strpos($url, "?")===FALSE) {
+ $append = "?".strip_tags(session_name() . '=' . session_id());
+ } else {
+ $append = "&".strip_tags(session_name() . '=' . session_id());
+ }
+ //put sessid before any anchor
+ $p = strpos($url, "#");
+ if ($p!==FALSE){
+ $anch = substr($url, $p);
+ $url = substr($url, 0, $p).$append.$anch ;
+ } else {
+ $url .= $append ;
+ }
+ return $url;
+}
+
+/**
+* Call this function before there has been any output to the browser to
+* buffer output and add session ids to all internal links.
+*/
+function sid_start_ob(){
+ global $CFG;
+ //don't attach sess id for bots
+
+ if (!empty($_SERVER['HTTP_USER_AGENT'])) {
+ if (!empty($CFG->opentogoogle)) {
+ if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
+ @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
+ $CFG->usesid=false;
+ return;
}
- if (strpos($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator') !== false) {
+ if (strpos($_SERVER['HTTP_USER_AGENT'], 'google.com') !== false) {
@ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
$CFG->usesid=false;
return;
}
}
-
- @ini_set('session.use_trans_sid', '1'); // try and turn on trans_sid
-
- if (ini_get('session.use_trans_sid') != 0) {
- // use trans sid as its available
- ini_set('url_rewriter.tags', 'a=href,area=href,script=src,link=href,frame=src,form=fakeentry');
- ob_start(array('moodle_session', 'sid_ob_rewrite_absolute'));
- } else {
- //rewrite all links ourselves
- ob_start(array('moodle_session', 'sid_ob_rewrite'));
+ if (strpos($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator') !== false) {
+ @ini_set('session.use_trans_sid', '0'); // try and turn off trans_sid
+ $CFG->usesid=false;
+ return;
}
}
+
+ @ini_set('session.use_trans_sid', '1'); // try and turn on trans_sid
+
+ if (ini_get('session.use_trans_sid') != 0) {
+ // use trans sid as its available
+ ini_set('url_rewriter.tags', 'a=href,area=href,script=src,link=href,frame=src,form=fakeentry');
+ ob_start('sid_ob_rewrite_absolute');
+ } else {
+ //rewrite all links ourselves
+ ob_start('sid_ob_rewrite');
+ }
}
+
diff --git a/lib/setup.php b/lib/setup.php
index 9dc398e1ec3..db3ca6dd5ad 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -386,19 +386,10 @@ global $HTTPSPAGEREQUIRED;
}
}
-/// start session and prepare global $SESSION
- $SESSION = new moodle_session();
-
-/// set up global $USER
- if (!NO_MOODLE_COOKIES) {
- $USER = &$_SESSION['USER'];
- } else {
- $USER = new object();
- $USER->id = 0; // user not logged in when session disabled
- if (isset($CFG->mnet_localhost_id)) {
- $USER->mnethostid = $CFG->mnet_localhost_id;
- }
- }
+/// start session and prepare global $SESSION, $USER
+ get_session();
+ $SESSION = &$_SESSION['SESSION'];
+ $USER = &$_SESSION['USER'];
if (defined('FULLME')) { // Usually in command-line scripts like admin/cron.php
$FULLME = FULLME;
@@ -430,9 +421,6 @@ global $HTTPSPAGEREQUIRED;
$CFG->theme = 'standardwhite';
}
-/// now do a session test to prevent random user switching - observed on some PHP/Apache combinations,
- $SESSION->session_verify();
-
/// Set language/locale of printed times. If user has chosen a language that
/// that is different from the site language, then use the locale specified
/// in the language file. Otherwise, if the admin hasn't specified a locale
diff --git a/login/confirm.php b/login/confirm.php
index 4f7a6712c3b..5e4a15e9a3e 100644
--- a/login/confirm.php
+++ b/login/confirm.php
@@ -48,7 +48,7 @@
print_error('cannotfinduser', '', '', $username);
}
- $SESSION->set_moodle_cookie($USER->username);
+ set_moodle_cookie($USER->username);
if ( ! empty($SESSION->wantsurl) ) { // Send them where they were going
$goto = $SESSION->wantsurl;
diff --git a/login/index.php b/login/index.php
index 03b7c1a6065..f8a61df48c5 100644
--- a/login/index.php
+++ b/login/index.php
@@ -99,7 +99,7 @@ httpsrequired();
/// Check if the user has actually submitted login data to us
- if (empty($CFG->usesid) and $testcookies and ($SESSION->get_moodle_cookie() == '')) { // Login without cookie when test requested
+ if (empty($CFG->usesid) and $testcookies and (get_moodle_cookie() == '')) { // Login without cookie when test requested
$errormsg = get_string("cookiesnotenabled");
$errorcode = 1;
@@ -268,12 +268,12 @@ httpsrequired();
/// Generate the login page with forms
- if ($SESSION->get_moodle_cookie() == '') {
- $SESSION->set_moodle_cookie('nobody'); // To help search for cookies
+ if (get_moodle_cookie() == '') {
+ set_moodle_cookie('nobody'); // To help search for cookies
}
if (empty($frm->username) && $authsequence[0] != 'shibboleth') { // See bug 5184
- $frm->username = $SESSION->get_moodle_cookie() === 'nobody' ? '' : $SESSION->get_moodle_cookie();
+ $frm->username = get_moodle_cookie() === 'nobody' ? '' : get_moodle_cookie();
$frm->password = "";
}