uid > 0 && $page_match && securepages_is_secure() && variable_get('securepages_enable', FALSE)) { if (! isset($_COOKIE[SECUREPAGES_SESSID]) || ! drupal_valid_token($_COOKIE[SECUREPAGES_SESSID], 'securepages_prevent_hijack')) { watchdog('security', t('Session hijack attempt detected for user %user!', array('%user' => $user->name))); menu_set_active_item(''); drupal_set_header('HTTP/1.1 403 Forbidden'); drupal_set_title(t('Access denied by Secure Pages module')); $return = t('

The Secure Pages module has detected an invalid '. 'session access attempt. Please log in again.

', array('!url' => url('user/login', "destination=$path"))); print theme('page', $return); module_invoke_all('exit', $url); session_destroy(); exit; } } } /** * Implementation of hook_user(). */ function securepages_prevent_hijack_user($op, &$edit, &$user, $category = NULL) { switch ($op) { case 'login': _securepages_prevent_hijack_cookie(); break; case 'after_update': // Regenerate our cookie after password changes. if (!empty($edit['pass'])) { _securepages_prevent_hijack_cookie(); } break; } } /** * Set a secure cookie (that will only be returned to SSL-protected pages) * containing a non-guessable token. */ function _securepages_prevent_hijack_cookie() { if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { $tok = drupal_get_token('securepages_prevent_hijack'); $cookie_params = session_get_cookie_params(); $lifetime = 0; if ($cookie_params['lifetime'] > 0) { $lifetime = $_SERVER['REQUEST_TIME'] + $cookie_params['lifetime']; } setcookie(SECUREPAGES_SESSID, $tok, $lifetime, $cookie_params['path'], $cookie_params['domain'], 1); } else { watchdog('security', 'Secure Pages Prevent Hijack failed to set secure cookie.', NULL, WATCHDOG_ERROR); } } /** * Implementation of hook_form_alter(). */ function securepages_prevent_hijack_form_alter($form_id, &$form) { // Refresh the cookie whenever the settings page is submitted. if ($form_id == 'securepages_settings') { $form['#submit'][] = '_securepages_prevent_hijack_cookie'; } // Secure the login form, so that we always have a secure connection to transmit the // initial cookie. Also, protect the password in transit. if ($form_id == 'user_login_block' || $form_id == 'user_login') { $url = parse_url($form['#action']); $base_path = base_path(); $path = (!strncmp($url['path'], $base_path, drupal_strlen($base_path)) ? drupal_substr($url['path'], drupal_strlen($base_path)) : $url['path']); $form['#action'] = securepages_url( $path, $url['query'], NULL, TRUE ); } }