From 9ce7a5546c6d9cca8aa8be524d43c735e2bd7182 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Thu, 4 Apr 2013 15:33:14 +0400 Subject: [PATCH] implement some tweaks to session handling; properly remove session cookie if invalid/login failed --- api/index.php | 1 + classes/handler/public.php | 4 ++-- include/functions.php | 3 ++- include/login_form.php | 2 +- include/sessions.php | 7 ++++--- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/api/index.php b/api/index.php index 50703175..53b78b01 100644 --- a/api/index.php +++ b/api/index.php @@ -11,6 +11,7 @@ chdir(".."); define('TTRSS_SESSION_NAME', 'ttrss_api_sid'); + define('NO_SESSION_AUTOSTART', true); require_once "db.php"; require_once "db-prefs.php"; diff --git a/classes/handler/public.php b/classes/handler/public.php index b8a32cd2..9304b018 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -515,7 +515,7 @@ class Handler_Public extends Handler { $login = db_escape_string($this->link, $_POST["login"]); $password = $_POST["password"]; - $remember_me = $_POST["remember_me"]; + /* $remember_me = $_POST["remember_me"]; if ($remember_me) { session_set_cookie_params(SESSION_COOKIE_LIFETIME); @@ -523,7 +523,7 @@ class Handler_Public extends Handler { session_set_cookie_params(0); } - @session_start(); + @session_start(); */ if (authenticate_user($this->link, $login, $password)) { $_POST["password"] = ""; diff --git a/include/functions.php b/include/functions.php index 71fd1654..9c64fad9 100644 --- a/include/functions.php +++ b/include/functions.php @@ -756,9 +756,10 @@ } if (!$_SESSION["uid"]) { - render_login_form($link); @session_destroy(); setcookie(session_name(), '', time()-42000, '/'); + + render_login_form($link); exit; } diff --git a/include/login_form.php b/include/login_form.php index 7ac7111c..ca07ccfe 100644 --- a/include/login_form.php +++ b/include/login_form.php @@ -221,7 +221,7 @@ function bwLimitChange(elem) { - 0) { ?> + 0) { /* disabled for now */ ?>
diff --git a/include/sessions.php b/include/sessions.php index 0edda4ec..402e8b8d 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -15,10 +15,11 @@ ini_set("session.cookie_secure", true); } - ini_set("session.gc_probability", 50); + ini_set("session.gc_probability", 75); ini_set("session.name", $session_name); ini_set("session.use_only_cookies", true); ini_set("session.gc_maxlifetime", $session_expire); + ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME)); global $session_connection; @@ -181,8 +182,8 @@ "ttrss_destroy", "ttrss_gc"); } - if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') { - if (isset($_COOKIE[$session_name])) { + if (!defined('NO_SESSION_AUTOSTART')) { + if (isset($_COOKIE[session_name()])) { @session_start(); } } -- 2.39.5