$validate_url, CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "GET", CURLOPT_HTTPHEADER => [ "Content-Type: application/xml" ], ]); $response = curl_exec($curl); $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE); curl_close($curl); if ($httpCode === 200) { $data = json_decode($response, true); if ( is_array($data) && isset($data['valid']) && $data['valid'] === true && isset($data['logged_in_user']) && is_array($data['logged_in_user']) ) { foreach ($data['logged_in_user'] as $key => $value) { $_SESSION[$key] = $value; } } } else { setcookie('sso_auth_token', '', time() - 3600, '/', '.lupmis4luspa.org'); } } // ──────────────────────────────────────────────────────────────────────────── // Production access guard — render an in-iframe "Sign in required" page // instead of a 302 redirect. // // Why not redirect like index.php does? A 302 inside an