aboutsummaryrefslogtreecommitdiffhomepage
path: root/inc
diff options
context:
space:
mode:
authorNicolas LÅ“uillet <nicolas@loeuillet.org>2014-03-17 21:49:42 +0100
committerNicolas LÅ“uillet <nicolas@loeuillet.org>2014-03-17 21:49:42 +0100
commita7048bc45d63710b2e550b4ad467bd91e75c7acf (patch)
treed7e594c756792cbdd1bde8410ad9f82b286af9bc /inc
parent897b2b53029b8490cd7e9ea329d4151c2f6bd123 (diff)
parenteb5b677250d16e6831bda43661c82e730358de65 (diff)
downloadwallabag-a7048bc45d63710b2e550b4ad467bd91e75c7acf.tar.gz
wallabag-a7048bc45d63710b2e550b4ad467bd91e75c7acf.tar.zst
wallabag-a7048bc45d63710b2e550b4ad467bd91e75c7acf.zip
Merge pull request #567 from mariroz/fix-session-livetime
fix of #115 - stay connected and session livetime
Diffstat (limited to 'inc')
-rw-r--r--inc/3rdparty/Session.class.php26
-rwxr-xr-xinc/poche/Poche.class.php2
2 files changed, 21 insertions, 7 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index 599b68cd..4ee5d1da 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
31 public static $sessionName = ''; 31 public static $sessionName = '';
32 // If the user does not access any page within this time, 32 // If the user does not access any page within this time,
33 // his/her session is considered expired (3600 sec. = 1 hour) 33 // his/her session is considered expired (3600 sec. = 1 hour)
34 public static $inactivityTimeout = 86400; 34 public static $inactivityTimeout = 3600;
35 // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours) 35 // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
36 public static $longSessionTimeout = 604800; // 604800 = a week 36 public static $longSessionTimeout = 7776000; // 7776000 = 90 days
37 // If you get disconnected often or if your IP address changes often. 37 // If you get disconnected often or if your IP address changes often.
38 // Let you disable session cookie hijacking protection 38 // Let you disable session cookie hijacking protection
39 public static $disableSessionProtection = false; 39 public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
48 /** 48 /**
49 * Initialize session 49 * Initialize session
50 */ 50 */
51 public static function init() 51 public static function init($longlastingsession = false)
52 { 52 {
53 //check if session name is correct
54 if ( session_id() && session_id()!=self::$sessionName ) {
55 session_destroy();
56 }
57
53 // Force cookie path (but do not change lifetime) 58 // Force cookie path (but do not change lifetime)
54 $cookie = session_get_cookie_params(); 59 $cookie = session_get_cookie_params();
55 // Default cookie expiration and path. 60 // Default cookie expiration and path.
@@ -61,12 +66,19 @@ class Session
61 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") { 66 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
62 $ssl = true; 67 $ssl = true;
63 } 68 }
64 session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl); 69
70 if ( $longlastingsession ) {
71 session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
72 }
73 else {
74 session_set_cookie_params('', $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
75 }
76
65 // Use cookies to store session. 77 // Use cookies to store session.
66 ini_set('session.use_cookies', 1); 78 ini_set('session.use_cookies', 1);
67 // Force cookies for session (phpsessionID forbidden in URL) 79 // Force cookies for session (phpsessionID forbidden in URL)
68 ini_set('session.use_only_cookies', 1); 80 ini_set('session.use_only_cookies', 1);
69 if (!session_id()) { 81 if ( !session_id() ) {
70 // Prevent php to use sessionID in URL if cookies are disabled. 82 // Prevent php to use sessionID in URL if cookies are disabled.
71 ini_set('session.use_trans_sid', false); 83 ini_set('session.use_trans_sid', false);
72 if (!empty(self::$sessionName)) { 84 if (!empty(self::$sessionName)) {
@@ -115,6 +127,9 @@ class Session
115 if (self::banCanLogin()) { 127 if (self::banCanLogin()) {
116 if ($login === $loginTest && $password === $passwordTest) { 128 if ($login === $loginTest && $password === $passwordTest) {
117 self::banLoginOk(); 129 self::banLoginOk();
130
131 self::init($longlastingsession);
132
118 // Generate unique random number to sign forms (HMAC) 133 // Generate unique random number to sign forms (HMAC)
119 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand()); 134 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
120 $_SESSION['ip'] = self::_allIPs(); 135 $_SESSION['ip'] = self::_allIPs();
@@ -135,6 +150,7 @@ class Session
135 self::banLoginFailed(); 150 self::banLoginFailed();
136 } 151 }
137 152
153 self::init();
138 return false; 154 return false;
139 } 155 }
140 156
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index f85bb86c..b1143d0b 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -61,8 +61,6 @@ class Poche
61 private function init() 61 private function init()
62 { 62 {
63 Tools::initPhp(); 63 Tools::initPhp();
64 Session::$sessionName = 'poche';
65 Session::init();
66 64
67 if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) { 65 if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {
68 $this->user = $_SESSION['poche_user']; 66 $this->user = $_SESSION['poche_user'];