diff --git a/index.php b/index.php
index 17d8ffeb..83f87e14 100644
--- a/index.php
+++ b/index.php
@@ -51,8 +51,7 @@ if (file_exists($configPath)) {
 */
 session_start(
 array(
- 'name' => 'wishthis',
- 'cookie_lifetime' => \ini_get('session.gc_maxlifetime') ?: 1440,
+ 'name' => 'wishthis',
 )
 );
diff --git a/src/classes/wishthis/User.php b/src/classes/wishthis/User.php
index 298b4b15..bd5b1a10 100644
--- a/src/classes/wishthis/User.php
+++ b/src/classes/wishthis/User.php
@@ -249,7 +249,7 @@ class User
 */
 public function isLoggedIn(): bool
 {
- if (!isset($_COOKIE['wishthis'])) {
+ if (!isset($_COOKIE['wishthis'], $_COOKIE['wishthis_session'])) {
 return false;
 }
@@ -267,7 +267,7 @@ class User
 FROM `sessions`
 WHERE `session` = :session',
 array(
- 'session' => $_COOKIE['wishthis'],
+ 'session' => $_COOKIE['wishthis_session'],
 )
 )
 ->fetch();
@@ -447,6 +447,9 @@ class User
 session_destroy();
 unset($_SESSION);
+
+ /** Delete cookie */
+ \setcookie('wishthis_session', '', time() - 3600);
 }
 public function delete(): void
@@ -554,13 +557,16 @@ class User
 public function refreshSession(int $forUser = 0): void
 {
- $sessionId = $_COOKIE['wishthis'];
- $sessionDurationSeconds = \ini_get('session.gc_maxlifetime') ?: 1440;
+ $sessionId = $_COOKIE['wishthis_session']
+ ?? \password_hash(\bin2hex(\random_bytes(32)), \PASSWORD_BCRYPT);
+ $sessionDurationSeconds = 1440;
 if ($this->stayLoggedIn) {
- $sessionDurationSeconds = 31104000; // One year
+ $sessionDurationSeconds = 7776000; /** Three months */
 }
+
+ $sessionExpires = time() + $sessionDurationSeconds;
+
 if (0 === $forUser) {
 $forUser = $this->id;
 }
@@ -573,6 +579,10 @@ class User
 );
 $database->connect();
+ /** Create cookie */
+ \setcookie('wishthis_session', $sessionId, $sessionExpires, '/');
+ $_COOKIE['wishthis_session'] = $sessionId;
+
 /** Delete outdated sessions */
 $database
 ->query(
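Review bot: With `cookie_lifetime` removed, the `session_start()` options array now sets only the cookie name, so the PHP session cookie takes the ini defaults for `cookie_httponly`, `cookie_secure` and `cookie_samesite`; on a stock php.ini that is a non-HttpOnly, non-Secure cookie with no SameSite attribute unless those values are configured somewhere this hunk does not show. Since `isLoggedIn` now requires this cookie alongside `wishthis_session`, it deserves the same hardening as the new token cookie: `'cookie_httponly' => true, 'cookie_samesite' => 'Lax',` plus `'cookie_secure' => true` wherever the site is served over HTTPS. Dropping `cookie_lifetime` also turns the session cookie into a browser-session cookie (lifetime 0), which is fine now that persistence lives in `wishthis_session`, but a one-line comment saying so would save the next reader from re-adding it. The surrounding `if (file_exists($configPath))` block begins outside the hunk.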
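Review bot: The added `\setcookie('wishthis_session', '', time() - 3600)` passes no path, while `refreshSession` creates the cookie with path `'/'`; browsers only replace a cookie whose name, domain and path all match, so a logout request served from a sub-path would set a second, already-expired `wishthis_session` scoped to that path and leave the `/` cookie — and the session it names — usable. Pass the same path: `\setcookie('wishthis_session', '', time() - 3600, '/');`. Whether the matching `sessions` row is also removed in this method is not visible in the hunk; if it is not, the token stays valid server-side until the outdated-session cleanup catches it. The enclosing method starts outside the hunk.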
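Review bot: `$sessionId = $_COOKIE['wishthis_session'] ?? \password_hash(...)` adopts whatever value the client presents without checking that it names an existing session for this user, which lets a caller choose its own session identifier: a `wishthis_session` cookie planted before login (classic session fixation) is carried into the `sessions` write later in this method, and the later hunk shows that write keyed only by `session` and `user`. A fresh identifier should be minted unconditionally on login, and a cookie-supplied id reused only after it has been validated against the table; from this hunk alone I cannot tell whether the caller guarantees that, so it needs at least a comment stating the precondition. Separately, `password_hash` over random bytes is an expensive way to make an opaque 60-character string — bcrypt adds nothing when the input is already random — and `\bin2hex(\random_bytes(30))` produces a 60-character token that fits the new column for free. `refreshSession` continues past the end of the hunk.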
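Review bot: The added `\setcookie('wishthis_session', $sessionId, $sessionExpires, '/')` sets a bearer token that can live for three months with none of the `secure`, `httponly` or `samesite` attributes, so it is readable from script and sent over plain HTTP and with cross-site requests; the `session.cookie_*` ini settings do not apply here because this is a plain `setcookie`, not the PHP session cookie. Use the options-array form: `\setcookie('wishthis_session', $sessionId, ['expires' => $sessionExpires, 'path' => '/', 'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', 'httponly' => true, 'samesite' => 'Lax']);`. The assignment to `$_COOKIE['wishthis_session']` that follows is what lets `isLoggedIn` succeed in the same request, and merits a comment saying so. The method continues beyond the hunk.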
@@ -602,7 +612,7 @@ class User
 WHERE `session` = :session
 AND `user` = :user',
 array(
- 'expires' => date('Y-m-d H:i', time() + $sessionDurationSeconds),
+ 'expires' => date('Y-m-d H:i', $sessionExpires),
 'session' => $sessionId,
 'user' => $forUser,
 )
diff --git a/src/update/1-1-1.sql b/src/update/1-1-1.sql
new file mode 100644
index 00000000..0c299423
--- /dev/null
+++ b/src/update/1-1-1.sql
@@ -0,0 +1,5 @@
+/**
+ * Sessions
+ */
+ ALTER TABLE `sessions`
+CHANGE COLUMN `session` `session` VARCHAR(60) NOT NULL;
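Review bot: `date('Y-m-d H:i', $sessionExpires)` stores the expiry at minute precision in PHP's default timezone, and whatever the "Delete outdated sessions" query compares it against (presumably the database clock, not shown here) has to use the same zone or sessions will lapse hours early or late. Storing the full timestamp from an explicit UTC clock, `(new \DateTimeImmutable('@' . $sessionExpires))->format('Y-m-d H:i:s')`, or passing the raw Unix time and letting the database do the arithmetic, removes that dependency. The query statement this array belongs to begins before the hunk.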
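Review bot: `VARCHAR(60)` pins the column to the exact width of a bcrypt string, which is only the token format `refreshSession` happens to use today; a later change of generator (a 64-character hex token, say) would be truncated or rejected depending on the server's sql_mode, so the migration should either record the coupling, e.g. `/** 60 = length of a bcrypt string produced in User::refreshSession() */`, or size the column with headroom. The migration also shows no UNIQUE index on `session`; since `isLoggedIn` looks rows up by this column alone, uniqueness is what stops one cookie value from matching another user's row, so it is worth confirming the base schema already has one.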