Merge pull request #567 from mariroz/fix-session-livetime

fix of #115 - stay connected and session livetime
2014-03-17 21:49:42 +01:00 · 2014-03-17 21:49:42 +01:00 · a7048bc45d
parent 897b2b5302 eb5b677250
commit a7048bc45d
3 changed files with 27 additions and 7 deletions
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@ -31,9 +31,9 @@ class Session
    public static $sessionName = '';
    // If the user does not access any page within this time,
    // his/her session is considered expired (3600 sec. = 1 hour)
-    public static $inactivityTimeout = 86400;
+    public static $inactivityTimeout = 3600;
    // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-    public static $longSessionTimeout = 604800; // 604800 = a week
+    public static $longSessionTimeout = 7776000; // 7776000 = 90 days
    // If you get disconnected often or if your IP address changes often.
    // Let you disable session cookie hijacking protection
    public static $disableSessionProtection = false;
@ -48,8 +48,13 @@ class Session
    /**
     * Initialize session
     */
-    public static function init()
+    public static function init($longlastingsession = false)
    {
+        //check if session name is correct
+        if ( session_id() && session_id()!=self::$sessionName ) {
+            session_destroy();
+        }
+
        // Force cookie path (but do not change lifetime)
        $cookie = session_get_cookie_params();
        // Default cookie expiration and path.
@ -61,12 +66,19 @@ class Session
        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
            $ssl = true;
        }
-        session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+        if ( $longlastingsession ) {
+            session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
+        }
+        else {
+            session_set_cookie_params('', $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
+        }
+
        // Use cookies to store session.
        ini_set('session.use_cookies', 1);
        // Force cookies for session  (phpsessionID forbidden in URL)
        ini_set('session.use_only_cookies', 1);
-        if (!session_id()) {
+        if ( !session_id() ) {
            // Prevent php to use sessionID in URL if cookies are disabled.
            ini_set('session.use_trans_sid', false);
            if (!empty(self::$sessionName)) {
@ -115,6 +127,9 @@ class Session
        if (self::banCanLogin()) {
            if ($login === $loginTest && $password === $passwordTest) {
                self::banLoginOk();
+
+                self::init($longlastingsession);
+
                // Generate unique random number to sign forms (HMAC)
                $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
                $_SESSION['ip'] = self::_allIPs();
@ -135,6 +150,7 @@ class Session
            self::banLoginFailed();
        }

+        self::init();
        return false;
    }

--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@ -61,8 +61,6 @@ class Poche
    private function init() 
    {
        Tools::initPhp();
-        Session::$sessionName = 'poche'; 
-        Session::init();

        if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {
            $this->user = $_SESSION['poche_user'];
--- a/index.php
+++ b/index.php
@ -12,6 +12,12 @@ define ('POCHE', '1.5.3');
 require 'check_setup.php';
 require_once 'inc/poche/global.inc.php';

+# Start session
+Session::$sessionName = 'poche';
+if ( !isset($_GET['login']) ) {
+    Session::init();
+}
+
 # Start Poche
 $poche = new Poche();
 $notInstalledMessage = $poche -> getNotInstalledMessage();