Diffstat (limited to 'inc')
-rw-r--r-- | inc/3rdparty/Session.class.php | 26 | ||||
-rwxr-xr-x | inc/poche/Poche.class.php | 2 |
2 files changed, 21 insertions, 7 deletions
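--- a/inc/3rdparty/Session.class.php
+++ b/inc/3rdparty/Session.class.php
@@ -31,9 +31,9 @@ class Session
 public static $sessionName = '';
 // If the user does not access any page within this time,
 // his/her session is considered expired (3600 sec. = 1 hour)
-public static $inactivityTimeout = 86400;
+public static $inactivityTimeout = 3600;
 // Extra timeout for long sessions (if enabled) (82800 sec. = 23 hours)
-public static $longSessionTimeout = 604800; // 604800 = a week
+public static $longSessionTimeout = 7776000; // 7776000 = 90 days
 // If you get disconnected often or if your IP address changes often.
 // Let you disable session cookie hijacking protection
 public static $disableSessionProtection = false;
@@ -48,8 +48,13 @@ class Session
 /**
 * Initialize session
 */
-public static function init()
+public static function init($longlastingsession = false)
 {
+//check if session name is correct
+if ( session_id() && session_id()!=self::$sessionName ) {
+session_destroy();
+}
+
 // Force cookie path (but do not change lifetime)
 $cookie = session_get_cookie_params();
 // Default cookie expiration and path.
@@ -61,12 +66,19 @@ class Session
 if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
 $ssl = true;
 }
-session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl);
+
+if ( $longlastingsession ) {
+session_set_cookie_params(self::$longSessionTimeout, $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
+}
+else {
+session_set_cookie_params('', $cookiedir, $_SERVER['HTTP_HOST'], $ssl, true);
+}
+
 // Use cookies to store session.
 ini_set('session.use_cookies', 1);
 // Force cookies for session (phpsessionID forbidden in URL)
 ini_set('session.use_only_cookies', 1);
-if (!session_id()) {
+if ( !session_id() ) {
 // Prevent php to use sessionID in URL if cookies are disabled.
 ini_set('session.use_trans_sid', false);
 if (!empty(self::$sessionName)) {
@@ -115,6 +127,9 @@ class Session
 if (self::banCanLogin()) {
 if ($login === $loginTest && $password === $passwordTest) {
 self::banLoginOk();
+
+self::init($longlastingsession);
+
 // Generate unique random number to sign forms (HMAC)
 $_SESSION['uid'] = sha1(uniqid('', true).'_'.mt_rand());
 $_SESSION['ip'] = self::_allIPs();
@@ -135,6 +150,7 @@ class Session
 self::banLoginFailed();
 }
 
+self::init();
 return false;
 }
 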
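Review bot: The new guard at the top of init() compares session_id() with self::$sessionName, which mixes the session's random identifier with its name, so as written any already-started session whose id is not literally the name string is destroyed while a session started under a different name is never caught; the check the comment describes would read `if ( session_id() && session_name() != self::$sessionName ) {`. In the same function the non-long branch passes `''` as the cookie lifetime, where an explicit `0` states the session-cookie intent and avoids relying on string-to-int coercion. In the login hunk, init($longlastingsession) runs on success without a visible session_regenerate_id(), so unless that happens outside the shown lines the id issued before authentication is carried into the authenticated session. Both init() and the login method start and end outside these hunks.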
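--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -61,8 +61,6 @@ class Poche
 private function init()
 {
 Tools::initPhp();
-Session::$sessionName = 'poche';
-Session::init();
 
 if (isset($_SESSION['poche_user']) && $_SESSION['poche_user'] != array()) {
 $this->user = $_SESSION['poche_user'];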