From 1fc40c3e3fce7f85c2a46cce95e4cb683a20c481 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Wed, 15 Jan 2014 10:18:32 -0600
Subject: [PATCH] Don't update the session unless it changes

And deadband session token updates to 1 per 30 seconds
---
 include/class.ostsession.php  |  5 +++++
 include/class.usersession.php | 19 +++++++++++++++++--
 scp/ajax.php                  |  1 +
 scp/autocron.php              |  1 +
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index 78b118299..d27debae7 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -18,6 +18,7 @@ class osTicketSession {
 
     var $ttl = SESSION_TTL;
     var $data = '';
+    var $data_hash = '';
     var $id = '';
 
     function osTicketSession($ttl=0){
@@ -87,12 +88,16 @@ class osTicketSession {
                 list($this->data)=db_fetch_row($res);
             $this->id = $id;
         }
+        $this->data_hash = md5($this->data);
         return $this->data;
     }
 
     function write($id, $data){
         global $thisstaff;
 
+        if (md5($data) == $this->data_hash)
+            return;
+
         $ttl = ($this && get_class($this) == 'osTicketSession')
             ? $this->getTTL() : SESSION_TTL;
 
diff --git a/include/class.usersession.php b/include/class.usersession.php
index c24bb76ab..e77f65fac 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -66,6 +66,14 @@ class UserSession {
       return($token);
    }
 
+   function getLastUpdate($htoken) {
+       if (!$htoken)
+           return 0;
+
+       @list($hash,$expire,$ip)=explode(":",$htoken);
+       return $expire;
+   }
+
    function isvalidSession($htoken,$maxidletime=0,$checkip=false){
         global $cfg;
 
@@ -122,7 +130,10 @@ class ClientSession extends Client {
     }
 
     function refreshSession(){
-        global $_SESSION;
+        $time = $this->session->getLastUpdate($_SESSION['_client']['token']);
+        // Deadband session token updates to once / 30-seconds
+        if (time() - $time < 30)
+            return;
         $_SESSION['_client']['token']=$this->getSessionToken();
         //TODO: separate expire time from hash??
     }
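Review bot: The deadband check subtracts the token field that getLastUpdate() names `$expire` from `time()`; if that field holds an expiry timestamp, as the name and the TODO on the last line suggest, rather than the time the token was issued, `time() - $time` is negative for any live token and the refresh is skipped until the token is within 30 seconds of expiring — confirm what getSessionToken() stores in that field before relying on this. Separately, `$_SESSION['_client']['token']` is read before it is guaranteed to exist (this very method is what sets it), so the first call emits an undefined-index notice; pass `isset($_SESSION['_client']['token']) ? $_SESSION['_client']['token'] : null` instead. Both points apply equally to StaffSession::refreshSession in the next hunk.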
@@ -160,7 +171,11 @@ class StaffSession extends Staff {
     }
 
     function refreshSession(){
-        global $_SESSION;
+        $time = $this->session->getLastUpdate($_SESSION['_staff']['token']);
+        // Deadband session token updates to once / 30-seconds
+        if (time() - $time < 30)
+            return;
+
         $_SESSION['_staff']['token']=$this->getSessionToken();
     }
 
diff --git a/scp/ajax.php b/scp/ajax.php
index bc6c920bc..a5e56bd40 100644
--- a/scp/ajax.php
+++ b/scp/ajax.php
@@ -21,6 +21,7 @@ function staffLoginPage($msg='Unauthorized') {
     exit;
 }
 
+define('AJAX_REQUEST', 1);
 require('staff.inc.php');
 
 //Clean house...don't let the world see your crap.
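Review bot: Nothing in this patch reads AJAX_REQUEST, so what staff.inc.php does differently when it is set cannot be checked from the diff, and the bare `define` gives a reader no hint; add a comment above it such as `// AJAX_REQUEST: checked by staff.inc.php — <state what it suppresses for non-interactive requests>`, filled in with whatever that file actually does. The same define is added to scp/autocron.php in the next hunk and would benefit from the same comment.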
diff --git a/scp/autocron.php b/scp/autocron.php
index ec7cb4c74..1e2460786 100644
--- a/scp/autocron.php
+++ b/scp/autocron.php
@@ -14,6 +14,7 @@
 
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
+define('AJAX_REQUEST', 1);
 require('staff.inc.php');
 ignore_user_abort(1);//Leave me a lone bro!
 @set_time_limit(0); //useless when safe_mode is on
-- 
GitLab