author | redmatrix <git@macgirvin.com> | 2016-05-16 17:07:39 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-05-16 17:07:39 -0700 |
commit | 2dcedd69519a40ca0f40bf7b8b86423e98c778c9 (patch) | |
tree | f1b7073db839da520319de458d7dc9280163aa62 | |
parent | c8322e89c66703f111b40f8bc321d5ab32299da1 (diff) | |
more work on sessions and cookies, as some anomalies appeared in caldav and firefox which suggested deeper issues
-rw-r--r-- | Zotlabs/Web/Session.php | 31 | ||||
-rwxr-xr-x | boot.php | 1 | ||||
-rw-r--r-- | include/Contact.php | 2 | ||||
-rw-r--r-- | include/api.php | 2 | ||||
-rw-r--r-- | include/auth.php | 16 | ||||
-rw-r--r-- | include/cli_startup.php | 3 | ||||
-rwxr-xr-x | index.php | 11 |
7 files changed, 40 insertions, 26 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php index 248da51a7..df7249a34 100644 --- a/Zotlabs/Web/Session.php +++ b/Zotlabs/Web/Session.php @@ -13,8 +13,8 @@ namespace Zotlabs\Web; class Session { - private static $handler = null; - private static $session_started = false; + static private $handler = null; + static private $session_started = false; public function init() { @@ -29,7 +29,7 @@ class Session { */ $handler = new \Zotlabs\Web\SessionHandler(); - self::$handler = $handler; + $this->handler = $handler; $x = session_set_save_handler($handler,false); if(! $x) @@ -38,11 +38,12 @@ class Session { // Force cookies to be secure (https only) if this site is SSL enabled. // Must be done before session_start(). + $arr = session_get_cookie_params(); session_set_cookie_params( ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0), ((isset($arr['path'])) ? $arr['path'] : '/'), - ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()), + (($arr['domain']) ? $arr['domain'] : \App::get_hostname()), ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false), ((isset($arr['httponly'])) ? $arr['httponly'] : true) ); @@ -53,7 +54,7 @@ class Session { public function start() { session_start(); - self::$session_started = true; + $this->session_started = true; } /** @@ -62,8 +63,8 @@ class Session { * @return void */ - static public function nuke() { - self::new_cookie(0); // 0 means delete on browser exit + public function nuke() { + $this->new_cookie(0); // 0 means delete on browser exit if($_SESSION && count($_SESSION)) { foreach($_SESSION as $k => $v) { unset($_SESSION[$k]); 
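Review bot: The new `$this->handler = $handler;` in the @@ -29 hunk and `$this->session_started = true;` in the @@ -53 hunk write instance properties, but the @@ -13 hunk still declares both as `static private`, so the declared statics are never assigned and the writes create undeclared dynamic properties (PHP emits a notice when a static property is reached through `$this`). The reads in new_cookie() and return_check() also go through `$this`, so the code happens to work, but the declarations now describe state the class no longer uses. Change the two declaration lines to `private $handler = null;` and `private $session_started = false;`. The opening and closing lines of init() lie outside these hunks.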
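Review bot: In the session_set_cookie_params() call of the @@ -38 hunk the httponly argument `((isset($arr['httponly'])) ? $arr['httponly'] : true)` can never fall back to `true`, because session_get_cookie_params() always returns an 'httponly' key; the session cookie is HttpOnly only when `session.cookie_httponly` is enabled in php.ini. This is the same always-true isset() that the hunk corrects for 'domain' on the line above, and the identical expression is repeated in the setcookie() calls of new_cookie() and extend_cookie() in the following hunks. If the intent is to force HttpOnly, pass `true` directly; if the intent is to follow php.ini, drop the dead fallback so the behaviour is not misread. Note also that replacing an empty domain with `\App::get_hostname()` turns a host-only cookie into one that browsers also send to subdomains of that host, which matters if anything less trusted is served from a subdomain.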
@@ -77,21 +78,23 @@ class Session { $old_sid = session_id(); - if(self::$handler && self::$session_started) { + $arr = session_get_cookie_params(); + + if($this->handler && $this->session_started) { session_regenerate_id(true); // force SessionHandler record creation with the new session_id // which occurs as a side effect of read() - self::$handler->read(session_id()); + $this->handler->read(session_id()); } else logger('no session handler'); if (x($_COOKIE, 'jsdisabled')) { - setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime); + setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); } - setcookie(session_name(),session_id(),$newxtime); + setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); $arr = array('expire' => $xtime); call_hooks('new_cookie', $arr); @@ -100,12 +103,14 @@ class Session { public function extend_cookie() { + $arr = session_get_cookie_params(); + // if there's a long-term cookie, extend it $xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 ); if($xtime) - setcookie(session_name(),session_id(),(time() + $xtime)); + setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true)); $arr = array('expire' => $xtime); call_hooks('extend_cookie', $arr); @@ -152,7 +157,7 @@ class Session { // check any difference at all logger('Session address changed. Paranoid setting in effect, blocking session. ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); - self::nuke(); + $this->nuke(); goaway(z_root()); break; } 
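Review bot: The seven-argument setcookie() call is now written out three times with identical path/domain/secure/httponly expressions (twice in this hunk, once more in extend_cookie() in the @@ -100 hunk), and `$arr` first holds the session_get_cookie_params() result and is then reassigned to `array('expire' => $xtime)` for the hook a few lines later. A private helper that owns the attribute list removes both the duplication and the name reuse; the fence shows the helper and the three call sites. new_cookie()'s signature is above this hunk.
```php
	// Single place for the cookie attributes so path/domain/secure/httponly
	// cannot drift between new_cookie() and extend_cookie().
	private function set_session_cookie($name, $value, $expire) {
		$params = session_get_cookie_params();
		setcookie($name, $value, $expire, '/', \App::get_hostname(),
			((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
			((isset($params['httponly'])) ? $params['httponly'] : true));
	}

	// … in new_cookie(), unchanged: session_regenerate_id() and handler read …
		if (x($_COOKIE, 'jsdisabled')) {
			$this->set_session_cookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime);
		}
		$this->set_session_cookie(session_name(), session_id(), $newxtime);

	// … in extend_cookie(), unchanged: $xtime computation …
		if($xtime)
			$this->set_session_cookie(session_name(), session_id(), (time() + $xtime));
```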
@@ -700,6 +700,7 @@ class App { private static $perms = null; // observer permissions private static $widgets = array(); // widgets for this page + public static $session = null; public static $groups; public static $language; public static $langsave; diff --git a/include/Contact.php b/include/Contact.php index e011c60c8..8ad67c28e 100644 --- a/include/Contact.php +++ b/include/Contact.php @@ -389,7 +389,7 @@ function channel_remove($channel_id, $local = true, $unset_session=false) { proc_run('php','include/directory.php',$channel_id); if($channel_id == local_channel() && $unset_session) { - \Zotlabs\Web\Session::nuke(); + App::$session->nuke(); goaway(z_root()); } diff --git a/include/api.php b/include/api.php index 3b2c71923..5f4d4bedb 100644 --- a/include/api.php +++ b/include/api.php @@ -486,7 +486,7 @@ require_once('include/api_auth.php'); function api_account_logout(&$a, $type){ require_once('include/auth.php'); - \Zotlabs\Web\Session::nuke(); + App::$session->nuke(); return api_apply_template("user", $type, array('$user' => null)); } diff --git a/include/auth.php b/include/auth.php index 9643da8eb..01fcf0094 100644 --- a/include/auth.php +++ b/include/auth.php @@ -101,7 +101,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && // process logout request $args = array('channel_id' => local_channel()); call_hooks('logging_out', $args); - \Zotlabs\Web\Session::nuke(); + App::$session->nuke(); info( t('Logged out.') . EOL); goaway(z_root()); } @@ -117,7 +117,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && intval(ACCOUNT_ROLE_ADMIN) ); if($x) { - \Zotlabs\Web\Session::new_cookie(60 * 60 * 24); // one day + App::$session->new_cookie(60 * 60 * 24); // one day $_SESSION['last_login_date'] = datetime_convert(); unset($_SESSION['visitor_id']); // no longer a visitor authenticate_success($x[0], true, true); 
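Review bot: `App::$session->nuke()` in the Contact.php, api.php and auth.php hunks (and `App::$session->new_cookie(60 * 60 * 24)` in auth.php's @@ -117 hunk) dereferences a property that the boot.php hunk initialises to `null` and that index.php assigns only when `! App::$install`. Each of these call sites therefore fails with a call on null if it runs before the session object exists or in the install branch, a failure mode the previous static calls did not have; I cannot tell from the visible hunks whether the install path can reach auth.php. Either guard the calls (`if(App::$session) App::$session->nuke();`) or record the invariant on the new property, e.g. `public static $session = null; // \Zotlabs\Web\Session; set by index.php / cli_startup.php before any auth code runs`.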
@@ -141,7 +141,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) { - Zotlabs\Web\Session::return_check(); + App::$session->return_check(); $r = q("select * from account where account_id = %d limit 1", intval($_SESSION['account_id']) @@ -155,14 +155,14 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && } if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) { $_SESSION['last_login_date'] = datetime_convert(); - Zotlabs\Web\Session::extend_cookie(); + App::$session->extend_cookie(); $login_refresh = true; } authenticate_success($r[0], false, false, false, $login_refresh); } else { $_SESSION['account_id'] = 0; - \Zotlabs\Web\Session::nuke(); + App::$session->nuke(); goaway(z_root()); } } // end logged in user returning @@ -170,7 +170,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) && else { if(isset($_SESSION)) { - \Zotlabs\Web\Session::nuke(); + App::$session->nuke(); } // handle a fresh login request @@ -242,11 +242,11 @@ else { if($_POST['remember_me']) { $_SESSION['remember_me'] = 1; - \Zotlabs\Web\Session::new_cookie(31449600); // one year + App::$session->new_cookie(31449600); // one year } else { $_SESSION['remember_me'] = 0; - \Zotlabs\Web\Session::new_cookie(0); // 0 means delete on browser exit + App::$session->new_cookie(0); // 0 means delete on browser exit } // if we haven't failed up this point, log them in. diff --git a/include/cli_startup.php b/include/cli_startup.php index a99164d4c..a33f7acb0 100644 --- a/include/cli_startup.php +++ b/include/cli_startup.php @@ -30,7 +30,8 @@ function cli_startup() { unset($db_host, $db_port, $db_user, $db_pass, $db_data, $db_type); }; - \Zotlabs\Web\Session::init(); + App::$session = new Zotlabs\Web\Session(); + App::$session->init(); load_config('system'); 
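Review bot: The cli_startup.php hunk instantiates `new Zotlabs\Web\Session()` without a leading backslash while the index.php hunk writes `new \Zotlabs\Web\Session()`; the unqualified form resolves only because cli_startup.php appears to live in the global namespace and would silently break if a namespace were ever declared there. Use `App::$session = new \Zotlabs\Web\Session();` in both files so the two bootstrap paths read the same. cli_startup() begins and ends outside the hunk.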
@@ -62,7 +62,8 @@ if(! App::$install) { load_config('system'); load_config('feature'); - \Zotlabs\Web\Session::init(); + App::$session = new \Zotlabs\Web\Session(); + App::$session->init(); load_hooks(); call_hooks('init_1'); @@ -84,7 +85,13 @@ if(! App::$install) { * */ -\Zotlabs\Web\Session::start(); + if(App::$session) { + App::$session->start(); + } + else { + session_start(); + register_shutdown_function('session_write_close'); + } /** * Language was set earlier, but we can over-ride it in the session. |
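Review bot: The fallback branch `session_start(); register_shutdown_function('session_write_close');` in the @@ -84 hunk starts a session without the cookie settings applied in Session::init(), so on the path where `App::$session` is null (the install case from the @@ -62 hunk) the session cookie is issued without the Secure flag even over HTTPS and without the explicit domain and HttpOnly choices made for the normal path. Calling session_set_cookie_params() with the same secure/httponly values before the fallback session_start() would keep the two paths consistent. A comment should also record why the branches differ, e.g. `// No Session object during install (the custom session handler is not usable yet); use PHP's native session.` — I infer the reason from the handler being set up in Session::init() and cannot confirm it from this diff.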