-rw-r--r--backend.php13
-rw-r--r--index.php5
-rw-r--r--login.php3
-rw-r--r--sessions/.empty0
4 files changed, 18 insertions, 3 deletions
diff --git a/backend.php b/backend.php
index 018c0e8..7cd15bb 100644
--- a/backend.php
+++ b/backend.php
@@ -1,11 +1,20 @@
<?php
require_once "config.php";
- require_once "sessions.php";
- require_once "db.php";
header("Content-type: text/json");
+ // let's not start a session if there's no cookie, login is impossible
+ // via backend anyway
+ if (!isset($_COOKIE['epube_sid'])) {
+ header($_SERVER["SERVER_PROTOCOL"]." 402 Unauthorized");
+ echo "Unauthorized";
+ die;
+ }
+
+ require_once "sessions.php";
+ require_once "db.php";
+
@$owner = SQLite3::escapeString($_SESSION["owner"]);
if (!$owner) {
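Review bot: The status line on the fourth added line sends 402, which is "Payment Required", while its reason phrase says Unauthorized; the code for a request without credentials is 401, so it should read `header($_SERVER["SERVER_PROTOCOL"]." 401 Unauthorized");` (or simply `http_response_code(401);`). A correct 401 lets the front-end's API calls tell "session expired" apart from what currently looks like a billing error. Checking the cookie before sessions.php is included is a reasonable way to avoid creating a session file for every unauthenticated request, but cookie presence proves nothing about validity, so the `if (!$owner)` check that follows (its body lies outside the hunk) remains the real gate and must keep rejecting an `epube_sid` value that resolves to no session.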
diff --git a/index.php b/index.php
index 5260b1d..5743ea6 100644
--- a/index.php
+++ b/index.php
@@ -11,6 +11,11 @@
die("HTTP Authentication is no longer supported, please see migration notes in git.");
}
+ if (!isset($_COOKIE['epube_sid'])) {
+ header("Location: login.php");
+ exit;
+ }
+
require_once "config.php";
require_once "sessions.php";
require_once "db.php";
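Review bot: The cookie name `'epube_sid'` on the first added line is the same literal that backend.php now also tests, and it presumably has to match whatever name sessions.php registers for the session; three independent copies will drift silently, and a mismatch here would redirect every visitor to login.php forever. Since index.php includes config.php only after this guard, either move `require_once "config.php";` above the check and read the name from a constant defined there, or put the constant in a small file both entry points already include. The redirect itself is fine: `exit` right after `header("Location: login.php");` stops the rest of the page from being rendered for an unauthenticated visitor.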
diff --git a/login.php b/login.php
index ddb25b5..6adf038 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,5 @@
<?php
require_once "config.php";
- require_once "sessions.php";
@$op = $_REQUEST["op"];
@@ -13,6 +12,8 @@
$res = $dbh->query("SELECT id FROM epube_users WHERE user = '$user' AND pass = '$password'");
if ($line = $res->fetchArray(SQLITE3_ASSOC)) {
+ require_once "sessions.php";
+
$_SESSION["owner"] = $user;
header("Location: index.php");
}
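Review bot: Starting the session only after the credentials check (the added `require_once "sessions.php";`) is an improvement, but if sessions.php calls session_start() and adopts an `epube_sid` cookie already present in the request, the newly authenticated session keeps whatever id the browser arrived with. Add `session_regenerate_id(true);` between the require and the `$_SESSION["owner"] = $user;` assignment so the post-login session always gets a fresh id, and consider enabling `session.use_strict_mode` so unknown ids are never accepted. The query on the context line above interpolates `$user` and `$password` into SQL and compares the password column directly; that is pre-existing rather than introduced here, but it is worth a follow-up with a prepared statement and `password_hash()`/`password_verify()`. How `$user` and `$password` are derived is outside this hunk.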
diff --git a/sessions/.empty b/sessions/.empty
deleted file mode 100644
index e69de29..0000000
--- a/sessions/.empty
+++ /dev/null