<?
if(!isset($_SESSION['user_id'])) { header("Location: $URL_ROOT/bad_access.php"); exit; }

$user_id = $_SESSION['user_id'];
$db = initdb();
list($fingerprint) = $db->fetch_results($db->runQuery("SELECT fingerprint FROM user_fingerprints WHERE user_id=$user_id"));
if($_SESSION['fingerprint'] != sha1($fingerprint . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'])) {
	// by retreiving this user's fingerprint from the database, concatinating the user agent and IP, and then 
	// finding the sha1 hash of that string, we re-create the work we did in /database/pro_login.php to create
	// a unique fingerprint hash for a valid user.  if the one generated on this page doesn't match the one
	// stored in the session then it indicates that the user's IP address changed or their user agent (browser)
	// string did.  in either case, this could represent an attempt to hijack a user's valid session for
	// potentially nefarious purposes.  thus, if this happens, we'll destroy the session and redirect them
	// to a different web page.
	
	session_destroy();
	header("Location: $URL_ROOT/bad_access.php");
	exit;
}
?>