Diffstat (limited to 'functions.php')
-rw-r--r--functions.php25
1 files changed, 17 insertions, 8 deletions
diff --git a/functions.php b/functions.php
index 5f7565f73..98bfc2e64 100644
--- a/functions.php
+++ b/functions.php
@@ -1163,6 +1163,7 @@
if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
if ($_SESSION["ip_address"]) {
if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ $_SESSION["login_error_msg"] = "Session failed to validate (incorrect IP)";
return false;
}
}
@@ -1191,20 +1192,22 @@
}
}
- if ($_COOKIE[get_session_cookie_name()]) {
+/* if ($_COOKIE[get_session_cookie_name()]) {
require_once "sessions.php";
- }
+} */
+
+ $login_action = $_POST["login_action"];
- if (!validate_session($link)) {
+/* if (!validate_session($link) && $login_action != "do_login") {
logout_user();
render_login_form($link);
exit;
- }
+} */
- $login_action = $_POST["login_action"];
+ $session_started = false;
# try to authenticate user if called from login form
- if ($login_action == "do_login" && !$_SESSION["uid"]) {
+ if ($login_action == "do_login") {
$login = $_POST["login"];
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
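Review bot: The two disabled blocks are left in the file as `/* … */` comments: the cookie check around `require_once "sessions.php"` and the early `validate_session($link)` gate. Because that gate is security-relevant, I would delete the dead code and leave a one-line comment such as `# session is validated after the login attempt, just before render_login_form()`, so a reader does not assume the early check still runs. `$login_action = $_POST["login_action"];` also reads the key unguarded, which raises a notice on requests that do not come from the login form; `$login_action = isset($_POST["login_action"]) ? $_POST["login_action"] : "";` avoids that. The enclosing function begins and ends outside this hunk.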
@@ -1217,7 +1220,7 @@
require_once "sessions.php";
- session_regenerate_id();
+ $session_started = true;
if (authenticate_user($link, $login, $password)) {
$_POST["password"] = "";
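Review bot: The login path no longer calls `session_regenerate_id()`. This hunk replaces it with `$session_started = true;`, and nothing visible in the diff issues a new session ID once `authenticate_user()` succeeds. Unless sessions.php or `authenticate_user()` regenerates the ID elsewhere, a session ID that existed before login stays valid for the authenticated session, which is the precondition for session fixation. I would restore the call inside the success branch, `session_regenerate_id(true);` as the first statement after `if (authenticate_user($link, $login, $password)) {`, so the pre-login ID is discarded. The enclosing function starts and ends outside this hunk.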
@@ -1236,10 +1239,16 @@
exit;
return;
+ } else {
+ $_SESSION["login_error_msg"] = "Incorrect username or password";
}
}
- if (!$_SESSION["uid"]) {
+ if (!$session_started) {
+ require_once "sessions.php";
+ }
+
+ if (!$_SESSION["uid"] || !validate_session($link)) {
render_login_form($link);
exit;
}
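Review bot: A session that fails `validate_session($link)` now only gets the login form. The `logout_user()` call from the old check, commented out earlier in this commit, was not carried over to `if (!$_SESSION["uid"] || !validate_session($link))`, so `$_SESSION["uid"]` appears to stay set in a session that was just rejected. If a full `logout_user()` would also discard `login_error_msg`, clear at least the identity before rendering, e.g. `unset($_SESSION["uid"]);` ahead of `render_login_form($link);`. The function body extends beyond this hunk, so confirm that no later code path trusts the leftover `uid`.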