From f9b431b87311688140f6c78f7da1c153fcf546e9 Mon Sep 17 00:00:00 2001
From: Andrew Nicols <andrew@nicols.co.uk>
Date: Tue, 16 Dec 2014 10:18:21 +0800
Subject: [PATCH] MDL-44642 session: Remove 403 from require_sesskey()

This should not have been added in core at this time (needs a separate
issue).
---
 lib/sessionkeepalive_ajax.php | 5 ++++-
 lib/sessionlib.php            | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/sessionkeepalive_ajax.php b/lib/sessionkeepalive_ajax.php
index a2047a7c490..7a930ff0c1f 100644
--- a/lib/sessionkeepalive_ajax.php
+++ b/lib/sessionkeepalive_ajax.php
@@ -27,7 +27,10 @@ require_once(dirname(__DIR__) . '/config.php');
 
 // Require the session key - want to make sure that this isn't called
 // maliciously to keep a session alive longer than intended.
-require_sesskey();
+if (!confirm_sesskey()) {
+    header('HTTP/1.1 403 Forbidden');
+    print_error('invalidsesskey');
+}
 
 // Update the session.
 \core\session\manager::touch_session(session_id());
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index 40640d688e2..e60462f34d3 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -82,7 +82,6 @@ function confirm_sesskey($sesskey=NULL) {
  */
 function require_sesskey() {
     if (!confirm_sesskey()) {
-        header('HTTP/1.1 403 Forbidden');
         print_error('invalidsesskey');
     }
 }