// If the user does not access any page within this time,
// his/her session is considered expired (3600 sec. = 1 hour)
public static $inactivityTimeout = 3600;
+ // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
+ public static $longSessionTimeout = 7776000; // 7776000 = 90 days
// If you get disconnected often or if your IP address changes often.
// Let you disable session cookie hijacking protection
public static $disableSessionProtection = false;
/**
* Initialize session
*/
- public static function init()
+ public static function init($longlastingsession = false)
{
+ //check if session name is correct
+ if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+ session_destroy();
+ }
+
// Force cookie path (but do not change lifetime)
$cookie = session_get_cookie_params();
// Default cookie expiration and path.
if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
$ssl = true;
}
- session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+ if ( $longlastingsession ) {
+ session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+ }
+ else {
+ session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+ }
+ //set server side valid session timeout
+ //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+ ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
+
// Use cookies to store session.
ini_set('session.use_cookies', 1);
// Force cookies for session (phpsessionID forbidden in URL)
ini_set('session.use_only_cookies', 1);
- if (!session_id()) {
+ if ( !session_id() ) {
// Prevent php to use sessionID in URL if cookies are disabled.
ini_set('session.use_trans_sid', false);
if (!empty(self::$sessionName)) {
$password,
$loginTest,
$passwordTest,
+ $longlastingsession,
$pValues = array())
{
self::banInit();
if (self::banCanLogin()) {
if ($login === $loginTest && $password === $passwordTest) {
self::banLoginOk();
+
+ self::init($longlastingsession);
+
// Generate unique random number to sign forms (HMAC)
$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
$_SESSION['ip'] = self::_allIPs();
$_SESSION['username'] = $login;
// Set session expiration.
$_SESSION['expires_on'] = time() + self::$inactivityTimeout;
-
+ if ($longlastingsession) {
+ $_SESSION['longlastingsession'] = self::$longSessionTimeout;
+ $_SESSION['expires_on'] += $_SESSION['longlastingsession'];
+ }
+
foreach ($pValues as $key => $value) {
$_SESSION[$key] = $value;
}
self::banLoginFailed();
}
+ self::init();
return false;
}
*/
public static function logout()
{
- unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['poche_user']);
+ // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+
+ // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+ $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+ $args[2] = time() - 3600;
+ call_user_func_array('setcookie', $args);
+ // Suppression physique de la session
+ session_destroy();
}
/**
|| (self::$disableSessionProtection === false
&& $_SESSION['ip'] !== self::_allIPs())
|| time() >= $_SESSION['expires_on']) {
- self::logout();
+ //self::logout();
return false;
}