Commit 9ce7a554 authored by Andrew Dolgov's avatar Andrew Dolgov
Browse files

implement some tweaks to session handling; properly remove session cookie if invalid/login failed

parent 82d77deb
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
chdir(".."); chdir("..");
define('TTRSS_SESSION_NAME', 'ttrss_api_sid'); define('TTRSS_SESSION_NAME', 'ttrss_api_sid');
define('NO_SESSION_AUTOSTART', true);
require_once "db.php"; require_once "db.php";
require_once "db-prefs.php"; require_once "db-prefs.php";
......
...@@ -515,7 +515,7 @@ class Handler_Public extends Handler { ...@@ -515,7 +515,7 @@ class Handler_Public extends Handler {
$login = db_escape_string($this->link, $_POST["login"]); $login = db_escape_string($this->link, $_POST["login"]);
$password = $_POST["password"]; $password = $_POST["password"];
$remember_me = $_POST["remember_me"]; /* $remember_me = $_POST["remember_me"];
if ($remember_me) { if ($remember_me) {
session_set_cookie_params(SESSION_COOKIE_LIFETIME); session_set_cookie_params(SESSION_COOKIE_LIFETIME);
...@@ -523,7 +523,7 @@ class Handler_Public extends Handler { ...@@ -523,7 +523,7 @@ class Handler_Public extends Handler {
session_set_cookie_params(0); session_set_cookie_params(0);
} }
@session_start(); @session_start(); */
if (authenticate_user($this->link, $login, $password)) { if (authenticate_user($this->link, $login, $password)) {
$_POST["password"] = ""; $_POST["password"] = "";
......
...@@ -756,9 +756,10 @@ ...@@ -756,9 +756,10 @@
} }
if (!$_SESSION["uid"]) { if (!$_SESSION["uid"]) {
render_login_form($link);
@session_destroy(); @session_destroy();
setcookie(session_name(), '', time()-42000, '/'); setcookie(session_name(), '', time()-42000, '/');
render_login_form($link);
exit; exit;
} }
......
...@@ -221,7 +221,7 @@ function bwLimitChange(elem) { ...@@ -221,7 +221,7 @@ function bwLimitChange(elem) {
<label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label> <label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
</div> </div>
<?php if (SESSION_COOKIE_LIFETIME > 0) { ?> <?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
<div class="row"> <div class="row">
<label>&nbsp;</label> <label>&nbsp;</label>
......
...@@ -15,10 +15,11 @@ ...@@ -15,10 +15,11 @@
ini_set("session.cookie_secure", true); ini_set("session.cookie_secure", true);
} }
ini_set("session.gc_probability", 50); ini_set("session.gc_probability", 75);
ini_set("session.name", $session_name); ini_set("session.name", $session_name);
ini_set("session.use_only_cookies", true); ini_set("session.use_only_cookies", true);
ini_set("session.gc_maxlifetime", $session_expire); ini_set("session.gc_maxlifetime", $session_expire);
ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
global $session_connection; global $session_connection;
...@@ -181,8 +182,8 @@ ...@@ -181,8 +182,8 @@
"ttrss_destroy", "ttrss_gc"); "ttrss_destroy", "ttrss_gc");
} }
if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') { if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[$session_name])) { if (isset($_COOKIE[session_name()])) {
@session_start(); @session_start();
} }
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment