
implement some tweaks to session handling; properly remove session cookie if invalid/login failed

Andrew Dolgov 7 years ago
parent
commit
9ce7a5546c
5 changed files with 10 additions and 7 deletions
  1. 1 0
      api/index.php
  2. 2 2
      classes/handler/public.php
  3. 2 1
      include/functions.php
  4. 1 1
      include/login_form.php
  5. 4 3
      include/sessions.php

+ 1 - 0
api/index.php

@@ -11,6 +11,7 @@
 	chdir("..");
 
 	define('TTRSS_SESSION_NAME', 'ttrss_api_sid');
+	define('NO_SESSION_AUTOSTART', true);
 
 	require_once "db.php";
 	require_once "db-prefs.php";
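Review bot: The new `NO_SESSION_AUTOSTART` constant replaces the session-name test in include/sessions.php (see that file's second hunk in this commit), so any other entry point that relied on defining `TTRSS_SESSION_NAME` as `ttrss_api_sid` to suppress the automatic `session_start()` will now start a session from whatever cookie arrives unless it also defines this constant; that follow-on effect is inferred, not visible in this hunk. A one-line comment above the define would record the coupling for the next reader: `// suppresses the cookie-driven session_start() in include/sessions.php; the API manages its own session`. The surrounding file-level code continues outside the hunk.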

+ 2 - 2
classes/handler/public.php

@@ -515,7 +515,7 @@ class Handler_Public extends Handler {
 
 			$login = db_escape_string($this->link, $_POST["login"]);
 			$password = $_POST["password"];
-			$remember_me = $_POST["remember_me"];
+			/* $remember_me = $_POST["remember_me"];
 
 			if ($remember_me) {
 				session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@@ -523,7 +523,7 @@ class Handler_Public extends Handler {
 				session_set_cookie_params(0);
 			}
 
-			@session_start();
+			@session_start(); */
 
 			if (authenticate_user($this->link, $login, $password)) {
 				$_POST["password"] = "";
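Review bot: Removing `@session_start()` from the login handler leaves session creation to the autostart in include/sessions.php, which in this commit only starts a session when `$_COOKIE[session_name()]` is already present; a login request that arrives without a cookie therefore has no started session to store the user in unless `authenticate_user()` starts one, which is not visible here. When a session is autostarted from a pre-existing cookie, its ID survives the login unchanged, which is the session-fixation shape; `session_regenerate_id(true);` right after a successful `authenticate_user()` on the new side would close that. The commented-out `remember_me` block should be deleted rather than kept as a comment, since the matching form checkbox is disabled in this same commit. The enclosing method starts and ends outside the hunk.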

+ 2 - 1
include/functions.php

@@ -756,9 +756,10 @@
 				}
 
 				if (!$_SESSION["uid"]) {
-					render_login_form($link);
 					@session_destroy();
 					setcookie(session_name(), '', time()-42000, '/');
+
+					render_login_form($link);
 					exit;
 				}
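Review bot: The deletion cookie on the new side sends only a path of `/`, while the live session cookie may carry the domain and other attributes configured in include/sessions.php (that file sets `session.cookie_secure`, for instance); browsers match a cookie by name, domain and path, so a session cookie issued with a domain or a different path would not be cleared. Mirror the original attributes: `$p = session_get_cookie_params();` then `setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`. Moving `session_destroy()` and `setcookie()` ahead of `render_login_form()` is the right order, since `setcookie()` must precede any output; a comment saying so would stop someone reverting it. The enclosing function starts and ends outside the hunk.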
 

+ 1 - 1
include/login_form.php

@@ -221,7 +221,7 @@ function bwLimitChange(elem) {
 			<label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
 		</div>
 
-		<?php if (SESSION_COOKIE_LIFETIME > 0) { ?>
+		<?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
 
 		<div class="row">
 			<label>&nbsp;</label>
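Review bot: The `false &&` guard is a style point: it leaves the "remember me" markup in the template as dead code behind a literal nobody can search for, and `/* disabled for now */` records no reason. Either drop the block (the handler side is commented out in this same commit) or gate it on a named constant so the intent is discoverable, e.g. `<?php if (defined('REMEMBER_ME_ENABLED') && REMEMBER_ME_ENABLED && SESSION_COOKIE_LIFETIME > 0) { ?>`. The surrounding template continues outside the hunk.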

+ 4 - 3
include/sessions.php

@@ -15,10 +15,11 @@
 		ini_set("session.cookie_secure", true);
 	}
 
-	ini_set("session.gc_probability", 50);
+	ini_set("session.gc_probability", 75);
 	ini_set("session.name", $session_name);
 	ini_set("session.use_only_cookies", true);
 	ini_set("session.gc_maxlifetime", $session_expire);
+	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
 
 	global $session_connection;
 
@@ -181,8 +182,8 @@
 			"ttrss_destroy", "ttrss_gc");
 	}
 
-	if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
-		if (isset($_COOKIE[$session_name])) {
+	if (!defined('NO_SESSION_AUTOSTART')) {
+		if (isset($_COOKIE[session_name()])) {
 			@session_start();
 		}
 	}
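Review bot: `min(0, SESSION_COOKIE_LIFETIME)` on the new side evaluates to 0 for every non-negative lifetime and to a negative value (an already-expired cookie) for a negative one, so the configured lifetime is never applied; if a browser-session cookie is the intent while remember-me is disabled, write the literal `ini_set("session.cookie_lifetime", 0); // browser-session cookie; remember-me is disabled` and if the configured value is meant to be honoured use `max(0, SESSION_COOKIE_LIFETIME)`. Raising `session.gc_probability` to 75 against PHP's default `session.gc_divisor` of 100 runs garbage collection on roughly three of every four requests, which deserves a comment on why. In the second hunk the `@` on `session_start()` still hides any start failure, but that suppression is inherited rather than new. Both hunks are cut from the middle of the same setup code, which continues outside them.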