1 files changed, 33 insertions, 7 deletions
diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php
index b30a31f3..59dfbe67 100644
--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
    public static $sessionName = '';
    // If the user does not access any page within this time,
    // his/her session is considered expired (3600 sec. = 1 hour)
-    public static $inactivityTimeout = 86400;
+    public static $inactivityTimeout = 3600;
    // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-    public static $longSessionTimeout = 31536000;
+    public static $longSessionTimeout = 7776000; // 7776000 = 90 days
    // If you get disconnected often or if your IP address changes often.
    // Let you disable session cookie hijacking protection
    public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
    /**
     * Initialize session
     */
-    public static function init()
+    public static function init($longlastingsession = false)
    {
+        //check if session name is correct
+        if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) || $longlastingsession ) {
+            session_destroy();
+        }
        // Force cookie path (but do not change lifetime)
        $cookie = session_get_cookie_params();
        // Default cookie expiration and path.
@@ -61,12 +66,22 @@ class Session
        if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
            $ssl = true;
        }
-        session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+        if ( $longlastingsession ) {
+            session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
+        }
+        else {
+            session_set_cookie_params(0, $cookiedir, null, $ssl, true);
+        }
+        //set server side valid session timeout
+        //WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
+        ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
        // Use cookies to store session.
        ini_set('session.use_cookies', 1);
        // Force cookies for session  (phpsessionID forbidden in URL)
        ini_set('session.use_only_cookies', 1);
-        if (!session_id()) {
+        if ( !session_id() ) {
            // Prevent php to use sessionID in URL if cookies are disabled.
            ini_set('session.use_trans_sid', false);
            if (!empty(self::$sessionName)) {
@@ -115,6 +130,9 @@ class Session
        if (self::banCanLogin()) {
            if ($login === $loginTest && $password === $passwordTest) {
                self::banLoginOk();
+                self::init($longlastingsession);
                // Generate unique random number to sign forms (HMAC)
                $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
                $_SESSION['ip'] = self::_allIPs();
@@ -135,6 +153,7 @@ class Session
            self::banLoginFailed();
        }
+        self::init();
        return false;
    }
@@ -143,7 +162,14 @@ class Session
     */
    public static function logout()
    {
-        unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+        // unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
+        
+        // Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
+        $args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
+        $args[2] = time() - 3600;
+        call_user_func_array('setcookie', $args);
+        // Suppression physique de la session
+        session_destroy();
    }
    /**
@@ -157,7 +183,7 @@ class Session
            || (self::$disableSessionProtection === false
                && $_SESSION['ip'] !== self::_allIPs())
            || time() >= $_SESSION['expires_on']) {
-            self::logout();
+            //self::logout();
            return false;
        }

diff --git a/inc/3rdparty/Session.class.php b/inc/3rdparty/Session.class.php index b30a31f3..59dfbe67 100644 --- a/inc/3rdparty/Session.class.php +++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
31	public static $sessionName = '';	31	public static $sessionName = '';
32	// If the user does not access any page within this time,	32	// If the user does not access any page within this time,
33	// his/her session is considered expired (3600 sec. = 1 hour)	33	// his/her session is considered expired (3600 sec. = 1 hour)
34	public static $inactivityTimeout = 86400;	34	public static $inactivityTimeout = 3600;
35	// Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)	35	// Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
36	public static $longSessionTimeout = 31536000;	36	public static $longSessionTimeout = 7776000; // 7776000 = 90 days
37	// If you get disconnected often or if your IP address changes often.	37	// If you get disconnected often or if your IP address changes often.
38	// Let you disable session cookie hijacking protection	38	// Let you disable session cookie hijacking protection
39	public static $disableSessionProtection = false;	39	public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
48	/**	48	/**
49	* Initialize session	49	* Initialize session
50	*/	50	*/
51	public static function init()	51	public static function init($longlastingsession = false)
52	{	52	{
		53	//check if session name is correct
		54	if ( (session_id() && !empty(self::$sessionName) && session_name()!=self::$sessionName) \|\| $longlastingsession ) {
		55	session_destroy();
		56	}
		57
53	// Force cookie path (but do not change lifetime)	58	// Force cookie path (but do not change lifetime)
54	$cookie = session_get_cookie_params();	59	$cookie = session_get_cookie_params();
55	// Default cookie expiration and path.	60	// Default cookie expiration and path.
@@ -61,12 +66,22 @@ class Session
61	if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {	66	if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
62	$ssl = true;	67	$ssl = true;
63	}	68	}
64	session_set_cookie_params($cookie['lifetime'], $cookiedir, $_SERVER['HTTP_HOST'], $ssl);	69
		70	if ( $longlastingsession ) {
		71	session_set_cookie_params(self::$longSessionTimeout, $cookiedir, null, $ssl, true);
		72	}
		73	else {
		74	session_set_cookie_params(0, $cookiedir, null, $ssl, true);
		75	}
		76	//set server side valid session timeout
		77	//WARNING! this may not work in shared session environment. See http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime about min value: it can be set in any application
		78	ini_set('session.gc_maxlifetime', self::$longSessionTimeout);
		79
65	// Use cookies to store session.	80	// Use cookies to store session.
66	ini_set('session.use_cookies', 1);	81	ini_set('session.use_cookies', 1);
67	// Force cookies for session (phpsessionID forbidden in URL)	82	// Force cookies for session (phpsessionID forbidden in URL)
68	ini_set('session.use_only_cookies', 1);	83	ini_set('session.use_only_cookies', 1);
69	if (!session_id()) {	84	if ( !session_id() ) {
70	// Prevent php to use sessionID in URL if cookies are disabled.	85	// Prevent php to use sessionID in URL if cookies are disabled.
71	ini_set('session.use_trans_sid', false);	86	ini_set('session.use_trans_sid', false);
72	if (!empty(self::$sessionName)) {	87	if (!empty(self::$sessionName)) {
@@ -115,6 +130,9 @@ class Session
115	if (self::banCanLogin()) {	130	if (self::banCanLogin()) {
116	if ($login === $loginTest && $password === $passwordTest) {	131	if ($login === $loginTest && $password === $passwordTest) {
117	self::banLoginOk();	132	self::banLoginOk();
		133
		134	self::init($longlastingsession);
		135
118	// Generate unique random number to sign forms (HMAC)	136	// Generate unique random number to sign forms (HMAC)
119	$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());	137	$_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
120	$_SESSION['ip'] = self::_allIPs();	138	$_SESSION['ip'] = self::_allIPs();
@@ -135,6 +153,7 @@ class Session
135	self::banLoginFailed();	153	self::banLoginFailed();
136	}	154	}
137		155
		156	self::init();
138	return false;	157	return false;
139	}	158	}
140		159
@@ -143,7 +162,14 @@ class Session
143	*/	162	*/
144	public static function logout()	163	public static function logout()
145	{	164	{
146	unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);	165	// unset($_SESSION['uid'],$_SESSION['ip'],$_SESSION['expires_on'],$_SESSION['tokens'], $_SESSION['login'], $_SESSION['pass'], $_SESSION['longlastingsession'], $_SESSION['poche_user']);
		166
		167	// Destruction du cookie (le code peut paraître complexe mais c'est pour être certain de reprendre les mêmes paramètres)
		168	$args = array_merge(array(session_name(), ''), array_values(session_get_cookie_params()));
		169	$args[2] = time() - 3600;
		170	call_user_func_array('setcookie', $args);
		171	// Suppression physique de la session
		172	session_destroy();
147	}	173	}
148		174
149	/**	175	/**
@@ -157,7 +183,7 @@ class Session
157	\|\| (self::$disableSessionProtection === false	183	\|\| (self::$disableSessionProtection === false
158	&& $_SESSION['ip'] !== self::_allIPs())	184	&& $_SESSION['ip'] !== self::_allIPs())
159	\|\| time() >= $_SESSION['expires_on']) {	185	\|\| time() >= $_SESSION['expires_on']) {
160	self::logout();	186	//self::logout();
161		187
162	return false;	188	return false;
163	}	189	}