implement some tweaks to session handling; properly remove session cookie if invalid...

[tt-rss.git] / include / sessions.php

diff --git a/include/sessions.php b/include/sessions.php
index 15178915a8934bf10170c9144797a1dce708c988..402e8b8deca2c26922e75f8c6dd2b78c9cf5e64e 100644 (file)
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -5,6 +5,7 @@
        require_once "db.php";
        require_once "lib/accept-to-gettext.php";
        require_once "lib/gettext/gettext.inc";
+       require_once "version.php";
 
        $session_expire = max(SESSION_COOKIE_LIFETIME, 86400);
        $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
@@ -14,10 +15,11 @@
                ini_set("session.cookie_secure", true);
        }
 
-       ini_set("session.gc_probability", 50);
+       ini_set("session.gc_probability", 75);
        ini_set("session.name", $session_name);
        ini_set("session.use_only_cookies", true);
        ini_set("session.gc_maxlifetime", $session_expire);
+       ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
 
        global $session_connection;
 
@@ -38,6 +40,8 @@
                if (SINGLE_USER_MODE) return true;
                if (!$link) return false;
 
+               if (VERSION != $_SESSION["version"]) return false;
+
                $check_ip = $_SESSION['ip_address'];
 
                switch (SESSION_CHECK_ADDRESS) {
@@ -178,8 +182,8 @@
                        "ttrss_destroy", "ttrss_gc");
        }
 
-       if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
-               if (isset($_COOKIE[$session_name])) {
+       if (!defined('NO_SESSION_AUTOSTART')) {
+               if (isset($_COOKIE[session_name()])) {
                        @session_start();
                }
        }