<?php

session_start();
// NOTE(review): no session_set_cookie_params() call is visible here, so the
// cookie attributes (HttpOnly, Secure, SameSite) presumably come from php.ini
// or an earlier bootstrap — confirm they are set somewhere before this point.

// Every session key the application expects. Each one is guaranteed to exist
// (possibly as null) by the time later code reads $_SESSION.
$session_variables = [
    'CRMMERCHANT', 'ADMIN', 'ADMINNAME', 'MAIL', 'MERCHANT', 'AFFILIATE',
    'HEADER', 'BODY', 'FOOTER', 'msg', 'res', 'SESSIONSTATUS', 'JOINSTATUS',
    'MERCHANTID', 'AFFILIATEID', 'PROGRAMID', 'DES', 'LINKS', 'PGMID',
    'MAILAMNT', 'MAILHEADER', 'MAILFOOTER', 'TRANS_MERCHANTID', 'BANNERCODE',
    'VAR', 'SORTINGTABLE', 'MER_SORTINGTABLE', 'CAT_SORTING', 'LANGUAGE',
    'MERCHANTNAME', 'PAYMODE', 'MERCHANTBALANCE', 'AFFILIATENAME',
    'AFFILIATEBALANCE', 'ADMINLASTLOGGEDIP', 'USERRETRIEDCOUNT', 'ADMINUSERID',
    'DEFAULTCURRENCYSYMBOL', 'AFF_ADDRESS', 'MER_ADDRESS', 'AFFILIATE_REFERER_ID',
];

// Seed any key that is absent with null; keys that already exist (even with a
// null value) are left untouched, which is the same end state as an isset() guard.
foreach ($session_variables as $var) {
    if (array_key_exists($var, $_SESSION)) {
        continue;
    }
    $_SESSION[$var] = null;
}

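// Global array for tracking
$USERCOOKIE_FOR_TRACKING = [];

// Import session variables to local scope.
// Every $_SESSION key becomes a same-named global via $$key. A session key that
// happens to match one of this script's own variables would therefore silently
// replace it (e.g. the tracking array initialised just above), so those names
// are reserved and skipped.
$reservedLocals = ['session_variables', 'USERCOOKIE_FOR_TRACKING', 'reservedLocals'];

// NOTE(review): scalars are HTML-entity encoded and stripslashes()'d at import
// time, so the resulting globals are already escaped in every context (SQL,
// mail, string comparison) and lose legitimate backslashes. This looks like a
// magic_quotes-era relic; output escaping normally belongs at the render point.
// Kept as-is because downstream pages presumably rely on the encoded values —
// confirm before changing.
foreach ($_SESSION as $key => $value) {
    if (in_array($key, $reservedLocals, true)) {
        continue;
    }

    if ($value === null) {
        // Null becomes '' so later string functions never receive null.
        $$key = '';
    } elseif (!is_array($value) && !is_object($value)) {
        // Scalar: cast, trim, strip slashes, then HTML-encode (quotes included).
        $$key = htmlspecialchars(stripslashes(trim((string)$value)), ENT_QUOTES, 'UTF-8');
    } else {
        // Arrays/objects are assigned unchanged to preserve their structure.
        $$key = $value;
    }
}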

// Security headers, sent as one group so additions have an obvious home.
$securityHeaders = [
    'X-Content-Type-Options' => 'nosniff',
    'X-Frame-Options'        => 'SAMEORIGIN',
    // Legacy header: current browsers no longer act on it; kept for parity with
    // the existing deployment.
    'X-XSS-Protection'       => '1; mode=block',
];
foreach ($securityHeaders as $headerName => $headerValue) {
    header($headerName . ': ' . $headerValue);
}

// Regenerate session ID periodically for security.
// NOTE(review): this only rotates the identifier on a fixed interval; it does
// not end the session after idleness or an absolute lifetime, and rotation on
// privilege change (login) is not visible here — confirm the login handler
// calls session_regenerate_id() itself.
$now = time();
$rotationInterval = 1800; // seconds, i.e. 30 minutes
if (!isset($_SESSION['SESSION_CREATED'])) {
    // First request of this session: start the rotation window.
    $_SESSION['SESSION_CREATED'] = $now;
} elseif ($now - $_SESSION['SESSION_CREATED'] > $rotationInterval) {
    // Window elapsed: issue a new ID, discard the old one, restart the window.
    session_regenerate_id(true);
    $_SESSION['SESSION_CREATED'] = $now;
}

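// Auto-load admin header if on an admin page and logged in.
// SCRIPT_NAME names the script that is actually executing; PHP_SELF additionally
// carries any client-supplied PATH_INFO, so the '/admin_' test could be satisfied
// by the request URL rather than by the page itself. For requests without
// PATH_INFO the two values are identical, so this is backward-compatible.
$scriptName = isset($_SERVER['SCRIPT_NAME']) ? (string) $_SERVER['SCRIPT_NAME'] : '';
if (isset($_SESSION['admin_id']) && strpos($scriptName, '/admin_') !== false) {
    // NOTE(review): the login flag checked here is 'admin_id', while the
    // initialised key list above uses 'ADMINUSERID' — confirm which one the
    // login handler actually sets.
    include_once 'admin_header.php';
}
// No closing "?>" tag: anything after it (even a stray newline) would be sent
// as output and could break later header() calls.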