implement some tweaks to session handling; properly remove session cookie if invalid...

diff --git a/api/index.php b/api/index.php
index 50703175b9a28f8cc68a9013a2bd873ff0578f41..53b78b010df0351d88c90e69513bb84e27999b9d 100644 (file)
--- a/api/index.php
+++ b/api/index.php
@@ -11,6 +11,7 @@
        chdir("..");
 
        define('TTRSS_SESSION_NAME', 'ttrss_api_sid');
+       define('NO_SESSION_AUTOSTART', true);
 
        require_once "db.php";
        require_once "db-prefs.php";

diff --git a/classes/handler/public.php b/classes/handler/public.php
index b8a32cd2707d0ad3a341fa65c94bf29fa8dc3c43..9304b01811bc019bd6e2d90c56035a42e9dad2f3 100644 (file)
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -515,7 +515,7 @@ class Handler_Public extends Handler {
 
                        $login = db_escape_string($this->link, $_POST["login"]);
                        $password = $_POST["password"];
-                       $remember_me = $_POST["remember_me"];
+                       /* $remember_me = $_POST["remember_me"];
 
                        if ($remember_me) {
                                session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@@ -523,7 +523,7 @@ class Handler_Public extends Handler {
                                session_set_cookie_params(0);
                        }
 
-                       @session_start();
+                       @session_start(); */
 
                        if (authenticate_user($this->link, $login, $password)) {
                                $_POST["password"] = "";

diff --git a/include/functions.php b/include/functions.php
index 71fd165428a7e978cfe9a5aae8c222c9774f7291..9c64fad9fac04e5bf3343dec8e28bf3529f18151 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -756,9 +756,10 @@
                                }
 
                                if (!$_SESSION["uid"]) {
-                                       render_login_form($link);
                                        @session_destroy();
                                        setcookie(session_name(), '', time()-42000, '/');
+
+                                       render_login_form($link);
                                        exit;
                                }
 

diff --git a/include/login_form.php b/include/login_form.php
index 7ac7111c895f20fba1efdb8c4ffcea80833a850e..ca07ccfee5f53ca4d4f57d28b321a62c0cb5c583 100644 (file)
--- a/include/login_form.php
+++ b/include/login_form.php
@@ -221,7 +221,7 @@ function bwLimitChange(elem) {
                        <label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
                </div>
 
-               <?php if (SESSION_COOKIE_LIFETIME > 0) { ?>
+               <?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
 
                <div class="row">
                        <label>&nbsp;</label>

diff --git a/include/sessions.php b/include/sessions.php
index 0edda4ec7d55ae6d556b7bf020fc55388166d6fd..402e8b8deca2c26922e75f8c6dd2b78c9cf5e64e 100644 (file)
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -15,10 +15,11 @@
                ini_set("session.cookie_secure", true);
        }
 
-       ini_set("session.gc_probability", 50);
+       ini_set("session.gc_probability", 75);
        ini_set("session.name", $session_name);
        ini_set("session.use_only_cookies", true);
        ini_set("session.gc_maxlifetime", $session_expire);
+       ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
 
        global $session_connection;
 
@@ -181,8 +182,8 @@
                        "ttrss_destroy", "ttrss_gc");
        }
 
-       if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
-               if (isset($_COOKIE[$session_name])) {
+       if (!defined('NO_SESSION_AUTOSTART')) {
+               if (isset($_COOKIE[session_name()])) {
                        @session_start();
                }
        }