uid > 0 && $page_match && $_SERVER['HTTPS']) { if (! isset($_COOKIE[SECUREPAGES_SESSID]) || $_COOKIE[SECUREPAGES_SESSID] !== $_SESSION[SECUREPAGES_SESSID]) { watchdog('security', t('Session hijack attempt detected for user %user!', array('%user' => $user->name))); menu_set_active_item(''); drupal_set_header('HTTP/1.1 403 Forbidden'); drupal_set_title(t('Access denied by Secure Pages module')); $return = t('
The Secure Pages module has detected an invalid '. 'session access attempt. Please log in again.
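', array('!url' => url('user/login', array('query' => array('destination' => $path))))); print theme('page', $return); module_invoke_all('exit', $url); session_destroy(); exit; } } }

/**
 * Implementation of hook_user().
 *
 * On the 'login' operation, when the 'securepages_prevent_hijack' variable
 * is enabled, issues the SSL-only token cookie that secure page requests
 * are later checked against. A login that did not arrive over HTTPS is
 * recorded in the 'security' watchdog channel, but the cookie is issued
 * anyway (it will only be returned to the server on HTTPS requests).
 *
 * @param $op
 *   The user operation; only 'login' is handled here.
 * @param $edit
 *   Form values (unused).
 * @param $user
 *   The account being logged in (unused).
 * @param $category
 *   Profile category (unused).
 */
function securepages_prevent_hijack_user($op, &$edit, &$user, $category = NULL) {
  if ($op != 'login') {
    return;
  }
  if (!variable_get('securepages_prevent_hijack', FALSE)) {
    return;
  }

  // Most servers leave $_SERVER['HTTPS'] unset for plain HTTP, but IIS
  // sets it to 'off', so a bare isset() misreports those logins as SSL.
  $is_ssl = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') != 0;
  if (!$is_ssl) {
    // Admin asked us to prevent hijacks but we have a non-secure login.
    watchdog('security', t('Secure Pages detected non-SSL login with hijack-prevention enabled.'));
  }

  _securepages_prevent_hijack_cookie();
}

/**
 * Set a secure cookie (that will only be returned to SSL-protected pages)
 * containing a non-guessable token, and store that token in the $_SESSION.
 *
 * The token is an authentication secret: whoever presents it together
 * with the session cookie is treated as the legitimate user, so it must
 * come from a CSPRNG. random_bytes() (PHP 7+) is used when available,
 * then openssl_random_pseudo_bytes() when it reports a strong source; the
 * old md5(mt_rand() ...) construction is kept only as a last resort on
 * PHP builds that offer neither, because mt_rand() output is predictable.
 *
 * The cookie is marked secure and HttpOnly: no script ever needs to read
 * it, so keeping it out of document.cookie limits what an XSS can steal.
 * When the configured session cookie lifetime is 0 the cookie is issued
 * as a session cookie (expire 0); passing time() + 0 would instead create
 * a cookie that is already expired, and every subsequent secure request
 * would be rejected as a hijack attempt.
 */
function _securepages_prevent_hijack_cookie() {
  $tok = NULL;

  if (function_exists('random_bytes')) {
    try {
      // 16 random bytes -> 32 hex chars, same width as the old md5 token.
      $tok = bin2hex(random_bytes(16));
    }
    catch (Exception $e) {
      // No usable entropy source; fall through to the next option.
      $tok = NULL;
    }
  }

  if ($tok === NULL && function_exists('openssl_random_pseudo_bytes')) {
    $strong = FALSE;
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes !== FALSE && $strong) {
      $tok = bin2hex($bytes);
    }
  }

  if ($tok === NULL) {
    // Legacy fallback only: mt_rand() is not cryptographically secure.
    $tok = md5(uniqid(mt_rand(), TRUE));
  }

  $_SESSION[SECUREPAGES_SESSID] = $tok;

  $cookie_params = session_get_cookie_params();
  // A lifetime of 0 means "until the browser closes"; keep that meaning
  // rather than turning it into an immediately expired cookie.
  $expire = empty($cookie_params['lifetime']) ? 0 : time() + $cookie_params['lifetime'];

  setcookie(SECUREPAGES_SESSID, $tok, $expire, $cookie_params['path'], $cookie_params['domain'], TRUE, TRUE);
}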