diff options
| author | Andrew Dolgov <[email protected]> | 2013-04-04 15:33:14 +0400 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2013-04-04 15:33:14 +0400 |
| commit | 9ce7a5546c6d9cca8aa8be524d43c735e2bd7182 (patch) | |
| tree | fd2326ab8a39f19737b391da537f3065d0b8fa55 | |
| parent | 82d77deb2876df4aac8536108404b93e20fd407b (diff) | |
implement some tweaks to session handling; properly remove session cookie if invalid/login failed
| -rw-r--r-- | api/index.php | 1 | ||||
| -rw-r--r-- | classes/handler/public.php | 4 | ||||
| -rw-r--r-- | include/functions.php | 3 | ||||
| -rw-r--r-- | include/login_form.php | 2 | ||||
| -rw-r--r-- | include/sessions.php | 7 |
5 files changed, 10 insertions, 7 deletions
diff --git a/api/index.php b/api/index.php index 50703175b..53b78b010 100644 --- a/api/index.php +++ b/api/index.php @@ -11,6 +11,7 @@ chdir(".."); define('TTRSS_SESSION_NAME', 'ttrss_api_sid'); + define('NO_SESSION_AUTOSTART', true); require_once "db.php"; require_once "db-prefs.php"; diff --git a/classes/handler/public.php b/classes/handler/public.php index b8a32cd27..9304b0181 100644 --- a/classes/handler/public.php +++ b/classes/handler/public.php @@ -515,7 +515,7 @@ class Handler_Public extends Handler { $login = db_escape_string($this->link, $_POST["login"]); $password = $_POST["password"]; - $remember_me = $_POST["remember_me"]; + /* $remember_me = $_POST["remember_me"]; if ($remember_me) { session_set_cookie_params(SESSION_COOKIE_LIFETIME); @@ -523,7 +523,7 @@ class Handler_Public extends Handler { session_set_cookie_params(0); } - @session_start(); + @session_start(); */ if (authenticate_user($this->link, $login, $password)) { $_POST["password"] = ""; diff --git a/include/functions.php b/include/functions.php index 71fd16542..9c64fad9f 100644 --- a/include/functions.php +++ b/include/functions.php @@ -756,9 +756,10 @@ } if (!$_SESSION["uid"]) { - render_login_form($link); @session_destroy(); setcookie(session_name(), '', time()-42000, '/'); + + render_login_form($link); exit; } diff --git a/include/login_form.php b/include/login_form.php index 7ac7111c8..ca07ccfee 100644 --- a/include/login_form.php +++ b/include/login_form.php @@ -221,7 +221,7 @@ function bwLimitChange(elem) { <label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label> </div> - <?php if (SESSION_COOKIE_LIFETIME > 0) { ?> + <?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?> <div class="row"> <label> </label> diff --git a/include/sessions.php b/include/sessions.php index 0edda4ec7..402e8b8de 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -15,10 +15,11 @@ ini_set("session.cookie_secure", true); } - ini_set("session.gc_probability", 50); + ini_set("session.gc_probability", 75); ini_set("session.name", $session_name); ini_set("session.use_only_cookies", true); ini_set("session.gc_maxlifetime", $session_expire); + ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME)); global $session_connection; @@ -181,8 +182,8 @@ "ttrss_destroy", "ttrss_gc"); } - if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') { - if (isset($_COOKIE[$session_name])) { + if (!defined('NO_SESSION_AUTOSTART')) { + if (isset($_COOKIE[session_name()])) { @session_start(); } } |