do not use separate _ssl cookie for secure sessions

[tt-rss.git] / include / functions.php

diff --git a/include/functions.php b/include/functions.php
index be0d4e262151ebdec9b005844ed7ab6ac3e90a8c..3cd21969d27f90f3b86d509832b1c8bfb7d2f6fc 100755 (executable)
--- a/include/functions.php
+++ b/include/functions.php
@@ -712,7 +712,14 @@
                        }
 
                        if ($user_id && !$check_only) {
-                               @session_start();
+
+                               if (session_status() != PHP_SESSION_NONE) {
+                                       session_destroy();
+                                       session_commit();
+                               }
+
+                               session_start();
+                               session_regenerate_id(true);
 
                                $_SESSION["uid"] = $user_id;
                                $_SESSION["version"] = VERSION_STATIC;
@@ -811,10 +818,11 @@
        }
 
        function logout_user() {
-               session_destroy();
+               @session_destroy();
                if (isset($_COOKIE[session_name()])) {
                   setcookie(session_name(), '', time()-42000, '/');
                }
+               session_commit();
        }
 
        function validate_csrf($csrf_token) {
@@ -856,8 +864,7 @@
                                }
 
                                if (!$_SESSION["uid"]) {
-                                       @session_destroy();
-                                       setcookie(session_name(), '', time()-42000, '/');
+                                       logout_user();
 
                                        render_login_form();
                                        exit;