Browse Source

fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks

Andrew Dolgov 10 months ago
parent
commit
5f66f872b6
3 changed files with 27 additions and 26 deletions
  1. 0 8
      classes/handler/public.php
  2. 1 1
      include/functions.php
  3. 26 17
      include/sessions.php

+ 0 - 8
classes/handler/public.php

@@ -465,14 +465,6 @@ class Handler_Public extends Handler {
 
 	function login() {
 		if (!SINGLE_USER_MODE) {
-			/* if a session is started here there's a stale login cookie we need to clean */
-
-			if (session_status() != PHP_SESSION_NONE) {
-				$_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
-
-				header("Location: " . get_self_url_prefix());
-				exit;
-			}
 
 			$login = clean($_POST["login"]);
 			$password = clean($_POST["password"]);

+ 1 - 1
include/functions.php

@@ -714,8 +714,8 @@
 
 			if ($user_id && !$check_only) {
 
-				session_regenerate_id(true);
 				session_start();
+				session_regenerate_id(true);
 
 				$_SESSION["uid"] = $user_id;
 				$_SESSION["version"] = VERSION_STATIC;

+ 26 - 17
include/sessions.php

@@ -45,7 +45,7 @@
 				__("Session failed to validate (schema version changed)");
 			return false;
 		}
-        $pdo = Db::pdo();
+		  $pdo = Db::pdo();
 
 		if ($_SESSION["uid"]) {
 
@@ -59,21 +59,21 @@
 
 			// user not found
 			if ($row = $sth->fetch()) {
-                $pwd_hash = $row["pwd_hash"];
+					 $pwd_hash = $row["pwd_hash"];
 
-                if ($pwd_hash != $_SESSION["pwd_hash"]) {
+					 if ($pwd_hash != $_SESSION["pwd_hash"]) {
 
-                    $_SESSION["login_error_msg"] =
-                        __("Session failed to validate (password changed)");
+						  $_SESSION["login_error_msg"] =
+								__("Session failed to validate (password changed)");
 
-                    return false;
-                }
+						  return false;
+					 }
 			} else {
 
-                $_SESSION["login_error_msg"] =
-                    __("Session failed to validate (user not found)");
+					 $_SESSION["login_error_msg"] =
+						  __("Session failed to validate (user not found)");
 
-                return false;
+					 return false;
 
 			}
 		}
@@ -95,16 +95,16 @@
 		$sth->execute([$id]);
 
 		if ($row = $sth->fetch()) {
-            return base64_decode($row["data"]);
+				return base64_decode($row["data"]);
 
 		} else {
-            $expire = time() + $session_expire;
+				$expire = time() + $session_expire;
 
-            $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
+				$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
 					VALUES (?, '', ?)");
-            $sth->execute([$id, $expire]);
+				$sth->execute([$id, $expire]);
 
-            return "";
+				return "";
 
 		}
 
@@ -116,8 +116,17 @@
 		$data = base64_encode($data);
 		$expire = time() + $session_expire;
 
-        $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
-        $sth->execute([$data, $expire, $id]);
+		$sth = Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
+		$sth->execute([$id]);
+
+		if ($row = $sth->fetch()) {
+			$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
+			$sth->execute([$data, $expire, $id]);
+		} else {
+			$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
+				VALUES (?, ?, ?)");
+			$sth->execute([$id, $data, $expire]);
+		}
 
 		return true;
 	}