Invalidate expired sessions

index.php

@@ -92,16 +92,26 @@ if (isset($_COOKIE[COOKIE_PERSISTENT]) && $database) {
     $table_sessions_exists = $database->tableExists('sessions');
 
     if ($table_sessions_exists) {
-        $persistent = $database
+        $sessions = $database
         ->query(
             'SELECT *
                FROM `sessions`
               WHERE `session` = "' . $_COOKIE[COOKIE_PERSISTENT] . '";'
         )
-        ->fetch();
+        ->fetchAll();
 
-        if (false !== $persistent) {
-            $_SESSION['user'] = User::getFromID($persistent['user']);
+        if (false !== $sessions) {
+            $_SESSION['user'] = new User();
+
+            foreach ($sessions as $session) {
+                $expires = strtotime($session['expires']);
+
+                if (time() < $expires) {
+                    $_SESSION['user'] = User::getFromID($session['user']);
+
+                    break;
+                }
+            }
         }
     }
 }

src/functions/getCookieDomain.php

@@ -3,10 +3,11 @@
 /**
  * Get cookie domain
  */
-function getCookieDomain(): string {
+function getCookieDomain(): string
+{
     $cookieDomain = $_SERVER['HTTP_HOST'];
 
-    if (defined('CHANNELS') && is_iterable(CHANNELS) && defined('ENV_IS_DEV') && ! ENV_IS_DEV) {
+    if (defined('CHANNELS') && is_iterable(CHANNELS) && defined('ENV_IS_DEV') && ! ENV_IS_DEV && '127.0.0.1' !== $_SERVER['REMOTE_ADDR']) {
         foreach (CHANNELS as $channel) {
             if ('stable' === $channel['branch']) {
                 $cookieDomain = $channel['host'];

src/pages/login.php

@@ -44,12 +44,12 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
          */
         if (isset($_POST['persistent'])) {
             /** Cookie options */
-            $sessionPassword = md5(time() . rand(-2147483648, 2147483647));
             $sessionLifetime = 2592000 * 4; // 4 Months
-            $sessionIsDev    = defined('ENV_IS_DEV') && ENV_IS_DEV;
+            $sessionExpires  = time() + $sessionLifetime;
+            $sessionIsDev    = defined('ENV_IS_DEV') && ENV_IS_DEV || '127.0.0.1' === $_SERVER['REMOTE_ADDR'];
             $sessionOptions  = array (
                 'domain'   => getCookieDomain(),
-                'expires'  => time() + $sessionLifetime,
+                'expires'  => $sessionExpires,
                 'httponly' => true,
                 'path'     => '/',
                 'samesite' => 'None',
@@ -57,15 +57,17 @@ if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
             );
 
             /** Set cookie */
-            setcookie(COOKIE_PERSISTENT, $sessionPassword, $sessionOptions);
+            setcookie(COOKIE_PERSISTENT, session_id(), $sessionOptions);
 
             $database->query(
                 'INSERT INTO `sessions` (
                     `user`,
-                    `session`
+                    `session`,
+                    `expires`
                 ) VALUES (
                      ' . $_SESSION['user']->id . ',
-                    "' . $sessionPassword . '"
+                    "' . session_id() . '",
+                    "' . date('Y-m-d H:i:s', $sessionExpires) . '"
                 );'
             );
         }

src/update/0-8-0.sql

@@ -0,0 +1,9 @@
+/**
+ * Sessions
+ */
+ALTER TABLE
+    `sessions`
+ADD
+    COLUMN `expires` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP()
+AFTER
+    `session`;