Invalidate expired sessions

This commit is contained in:
grandeljay 2022-11-08 12:42:36 +01:00
parent da791d3469
commit 36ba266587
4 changed files with 34 additions and 12 deletions

View file

@ -92,16 +92,26 @@ if (isset($_COOKIE[COOKIE_PERSISTENT]) && $database) {
$table_sessions_exists = $database->tableExists('sessions');
if ($table_sessions_exists) {
$persistent = $database
$sessions = $database
->query(
'SELECT *
FROM `sessions`
WHERE `session` = "' . $_COOKIE[COOKIE_PERSISTENT] . '";'
)
->fetch();
->fetchAll();
if (false !== $persistent) {
$_SESSION['user'] = User::getFromID($persistent['user']);
if (false !== $sessions) {
$_SESSION['user'] = new User();
foreach ($sessions as $session) {
$expires = strtotime($session['expires']);
if (time() < $expires) {
$_SESSION['user'] = User::getFromID($session['user']);
break;
}
}
}
}
}

View file

@ -3,10 +3,11 @@
/**
* Get cookie domain
*/
function getCookieDomain(): string {
function getCookieDomain(): string
{
$cookieDomain = $_SERVER['HTTP_HOST'];
if (defined('CHANNELS') && is_iterable(CHANNELS) && defined('ENV_IS_DEV') && ! ENV_IS_DEV) {
if (defined('CHANNELS') && is_iterable(CHANNELS) && defined('ENV_IS_DEV') && ! ENV_IS_DEV && '127.0.0.1' !== $_SERVER['REMOTE_ADDR']) {
foreach (CHANNELS as $channel) {
if ('stable' === $channel['branch']) {
$cookieDomain = $channel['host'];

View file

@ -44,12 +44,12 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
*/
if (isset($_POST['persistent'])) {
/** Cookie options */
$sessionPassword = md5(time() . rand(-2147483648, 2147483647));
$sessionLifetime = 2592000 * 4; // 4 Months
$sessionIsDev = defined('ENV_IS_DEV') && ENV_IS_DEV;
$sessionExpires = time() + $sessionLifetime;
$sessionIsDev = defined('ENV_IS_DEV') && ENV_IS_DEV || '127.0.0.1' === $_SERVER['REMOTE_ADDR'];
$sessionOptions = array (
'domain' => getCookieDomain(),
'expires' => time() + $sessionLifetime,
'expires' => $sessionExpires,
'httponly' => true,
'path' => '/',
'samesite' => 'None',
@ -57,15 +57,17 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
);
/** Set cookie */
setcookie(COOKIE_PERSISTENT, $sessionPassword, $sessionOptions);
setcookie(COOKIE_PERSISTENT, session_id(), $sessionOptions);
$database->query(
'INSERT INTO `sessions` (
`user`,
`session`
`session`,
`expires`
) VALUES (
' . $_SESSION['user']->id . ',
"' . $sessionPassword . '"
"' . session_id() . '",
"' . date('Y-m-d H:i:s', $sessionExpires) . '"
);'
);
}

9
src/update/0-8-0.sql Normal file
View file

@ -0,0 +1,9 @@
/**
* Sessions
*/
ALTER TABLE
`sessions`
ADD
COLUMN `expires` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP()
AFTER
`session`;