implement some tweaks to session handling; properly remove session cookie if invalid/login failed

This commit is contained in:
Andrew Dolgov 2013-04-04 15:33:14 +04:00
parent 82d77deb28
commit 9ce7a5546c
5 changed files with 10 additions and 7 deletions

View file

@ -11,6 +11,7 @@
chdir("..");
define('TTRSS_SESSION_NAME', 'ttrss_api_sid');
define('NO_SESSION_AUTOSTART', true);
require_once "db.php";
require_once "db-prefs.php";

View file

@ -515,7 +515,7 @@ class Handler_Public extends Handler {
$login = db_escape_string($this->link, $_POST["login"]);
$password = $_POST["password"];
$remember_me = $_POST["remember_me"];
/* $remember_me = $_POST["remember_me"];
if ($remember_me) {
session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@ -523,7 +523,7 @@ class Handler_Public extends Handler {
session_set_cookie_params(0);
}
@session_start();
@session_start(); */
if (authenticate_user($this->link, $login, $password)) {
$_POST["password"] = "";

View file

@ -756,9 +756,10 @@
}
if (!$_SESSION["uid"]) {
render_login_form($link);
@session_destroy();
setcookie(session_name(), '', time()-42000, '/');
render_login_form($link);
exit;
}

View file

@ -221,7 +221,7 @@ function bwLimitChange(elem) {
<label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
</div>
<?php if (SESSION_COOKIE_LIFETIME > 0) { ?>
<?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
<div class="row">
<label>&nbsp;</label>

View file

@ -15,10 +15,11 @@
ini_set("session.cookie_secure", true);
}
ini_set("session.gc_probability", 50);
ini_set("session.gc_probability", 75);
ini_set("session.name", $session_name);
ini_set("session.use_only_cookies", true);
ini_set("session.gc_maxlifetime", $session_expire);
ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
global $session_connection;
@ -181,8 +182,8 @@
"ttrss_destroy", "ttrss_gc");
}
if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
if (isset($_COOKIE[$session_name])) {
if (!defined('NO_SESSION_AUTOSTART')) {
if (isset($_COOKIE[session_name()])) {
@session_start();
}
}