implement some tweaks to session handling; properly remove session cookie if invalid/login failed

3 files changed, 7 insertions, 5 deletions

diff --git a/include/functions.php b/include/functions.php
index 71fd16542..9c64fad9f 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -756,9 +756,10 @@
 				}
 
 				if (!$_SESSION["uid"]) {
-					render_login_form($link);
 					@session_destroy();
 					setcookie(session_name(), '', time()-42000, '/');
+
+					render_login_form($link);
 					exit;
 				}
 
diff --git a/include/login_form.php b/include/login_form.php
index 7ac7111c8..ca07ccfee 100644
--- a/include/login_form.php
+++ b/include/login_form.php
@@ -221,7 +221,7 @@ function bwLimitChange(elem) {
 			<label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
 		</div>
 
-		<?php if (SESSION_COOKIE_LIFETIME > 0) { ?>
+		<?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
 
 		<div class="row">
 			<label>&nbsp;</label>
diff --git a/include/sessions.php b/include/sessions.php
index 0edda4ec7..402e8b8de 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -15,10 +15,11 @@
 		ini_set("session.cookie_secure", true);
 	}
 
-	ini_set("session.gc_probability", 50);
+	ini_set("session.gc_probability", 75);
 	ini_set("session.name", $session_name);
 	ini_set("session.use_only_cookies", true);
 	ini_set("session.gc_maxlifetime", $session_expire);
+	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
 
 	global $session_connection;
 
@@ -181,8 +182,8 @@
 			"ttrss_destroy", "ttrss_gc");
 	}
 
-	if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
-		if (isset($_COOKIE[$session_name])) {
+	if (!defined('NO_SESSION_AUTOSTART')) {
+		if (isset($_COOKIE[session_name()])) {
 			@session_start();
 		}
 	}