From d50d4b0aab919296c0f5bf5f62f5a929f9734de7 Mon Sep 17 00:00:00 2001
From: grandeljay <github@grandels.email>
Date: Sun, 17 Dec 2023 12:43:59 +0100
Subject: [PATCH] fix: session not persisting

---
 index.php                     |  3 +--
 src/classes/wishthis/User.php | 22 ++++++++++++++++------
 src/update/1-1-1.sql          |  5 +++++
 3 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 src/update/1-1-1.sql

diff --git a/index.php b/index.php
index 17d8ffeb..83f87e14 100644
--- a/index.php
+++ b/index.php
@@ -51,8 +51,7 @@ if (file_exists($configPath)) {
  */
 session_start(
     array(
-        'name'            => 'wishthis',
-        'cookie_lifetime' => \ini_get('session.gc_maxlifetime') ?: 1440,
+        'name' => 'wishthis',
     )
 );
 
diff --git a/src/classes/wishthis/User.php b/src/classes/wishthis/User.php
index 298b4b15..bd5b1a10 100644
--- a/src/classes/wishthis/User.php
+++ b/src/classes/wishthis/User.php
@@ -249,7 +249,7 @@ class User
      */
     public function isLoggedIn(): bool
     {
-        if (!isset($_COOKIE['wishthis'])) {
+        if (!isset($_COOKIE['wishthis'], $_COOKIE['wishthis_session'])) {
             return false;
         }
 
@@ -267,7 +267,7 @@ class User
                FROM `sessions`
               WHERE `session` = :session',
             array(
-                'session' => $_COOKIE['wishthis'],
+                'session' => $_COOKIE['wishthis_session'],
             )
         )
         ->fetch();
@@ -447,6 +447,9 @@ class User
 
         session_destroy();
         unset($_SESSION);
+
+        /** Delete cookie */
+        \setcookie('wishthis_session', '', time() - 3600);
     }
 
     public function delete(): void
@@ -554,13 +557,16 @@ class User
 
     public function refreshSession(int $forUser = 0): void
     {
-        $sessionId              = $_COOKIE['wishthis'];
-        $sessionDurationSeconds = \ini_get('session.gc_maxlifetime') ?: 1440;
+        $sessionId              = $_COOKIE['wishthis_session']
+                               ?? \password_hash(\bin2hex(\random_bytes(32)), \PASSWORD_BCRYPT);
+        $sessionDurationSeconds = 1440;
 
         if ($this->stayLoggedIn) {
-            $sessionDurationSeconds = 31104000; // One year
+            $sessionDurationSeconds = 7776000; /** Three months */
         }
 
+        $sessionExpires = time() + $sessionDurationSeconds;
+
         if (0 === $forUser) {
             $forUser = $this->id;
         }
@@ -573,6 +579,10 @@ class User
         );
         $database->connect();
 
+        /** Create cookie */
+        \setcookie('wishthis_session', $sessionId, $sessionExpires, '/');
+        $_COOKIE['wishthis_session'] = $sessionId;
+
         /** Delete outdated sessions */
         $database
         ->query(
@@ -602,7 +612,7 @@ class User
                       WHERE `session` = :session
                         AND `user` = :user',
                     array(
-                        'expires' => date('Y-m-d H:i', time() + $sessionDurationSeconds),
+                        'expires' => date('Y-m-d H:i', $sessionExpires),
                         'session' => $sessionId,
                         'user'    => $forUser,
                     )
diff --git a/src/update/1-1-1.sql b/src/update/1-1-1.sql
new file mode 100644
index 00000000..0c299423
--- /dev/null
+++ b/src/update/1-1-1.sql
@@ -0,0 +1,5 @@
+/**
+ * Sessions
+ */
+  ALTER TABLE `sessions`
+CHANGE COLUMN `session` `session` VARCHAR(60) NOT NULL;