Merge pull request #655 from greezybacon/issue/653

Ensure cookie path is set for the session cookie Reviewed-By: Peter Rotich <peter@osticket.com>

Merge pull request #655 from greezybacon/issue/653
21a30356 · Peter Rotich · 1deeb3aa · a39f0899 · 21a30356 · 21a30356
Commit 21a30356 authored 11 years ago by Peter Rotich
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -66,11 +66,10 @@ class Config {
            return $this->session[$key];
        elseif (isset($this->config[$key]))
            return $this->config[$key]['value'];
-        elseif ($default !== null)
-            return $this->set($key, $default);
        elseif (isset($this->defaults[$key]))
            return $this->defaults[$key];
-        return null;
+        return $default;
    }
    function exists($key) {

--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -352,6 +352,16 @@ class osTicket {
        return null;
    }
+    /**
+     * Returns TRUE if the request was made via HTTPS and false otherwise
+     */
+    function is_https() {
+        return (isset($_SERVER['HTTPS'])
+                && strtolower($_SERVER['HTTPS']) == 'on')
+            || (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
+                && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https');
+    }
    /* returns true if script is being executed via commandline */
    function is_cli() {
        return (!strcasecmp(substr(php_sapi_name(), 0, 3), 'cli')

--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -21,7 +21,6 @@ class osTicketSession {
    var $id = '';
    function osTicketSession($ttl=0){
        $this->ttl =$ttl?$ttl:get_cfg_var('session.gc_maxlifetime');
        if(!$this->ttl)
            $this->ttl=SESSION_TTL;
@@ -40,6 +39,7 @@ class osTicketSession {
            register_shutdown_function('session_write_close');
        }
        //Start the session.
+        session_name('OSTSESSID');
        session_start();
    }

--- a/kb/kb.inc.php
+++ b/kb/kb.inc.php
@@ -13,7 +13,6 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
-define('ROOT_PATH','../');
 require_once('../client.inc.php');
 require_once(INCLUDE_DIR.'class.faq.php');
 /* Bail out if knowledgebase is disabled or if we have no public-published FAQs. */

--- a/main.inc.php
+++ b/main.inc.php
@@ -34,8 +34,6 @@
    ini_set('session.use_trans_sid', 0);
    #No cache
    session_cache_limiter('nocache');
-    #Cookies
-    //ini_set('session.cookie_path','/osticket/');
    #Error reporting...Good idea to ENABLE error reporting to a file. i.e display_errors should be set to false
    $error_reporting = E_ALL & ~E_NOTICE;
@@ -62,7 +60,12 @@
    }
    #Set Dir constants
-    if(!defined('ROOT_PATH')) define('ROOT_PATH','./'); //root path. Damn directories
+    $here = substr(realpath(dirname(__file__)),
+        strlen($_SERVER['DOCUMENT_ROOT']));
+    // Determine the path in the URI used as the base of the osTicket
+    // installation
+    if (!defined('ROOT_PATH'))
+        define('ROOT_PATH', str_replace('\\', '/', $here.'/')); //root path. Damn directories
    define('ROOT_DIR',str_replace('\\\\', '/', realpath(dirname(__FILE__))).'/'); #Get real path for root dir ---linux and windows
    define('INCLUDE_DIR',ROOT_DIR.'include/'); //Change this if include is moved outside the web path.
@@ -128,6 +131,10 @@
    else
        require(INCLUDE_DIR.'mysql.php');
+    #Cookies
+    session_set_cookie_params(86400, ROOT_PATH, $_SERVER['HTTP_HOST'],
+        osTicket::is_https());
    #CURRENT EXECUTING SCRIPT.
    define('THISPAGE', Misc::currentURL());
    define('THISURI', $_SERVER['REQUEST_URI']);

--- a/pages/index.php
+++ b/pages/index.php
@@ -15,7 +15,6 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 @chdir(realpath(dirname(__file__).'/../'));
-define('ROOT_PATH','../');
 require_once('client.inc.php');
 require_once(INCLUDE_DIR.'class.format.php');

--- a/scp/staff.inc.php
+++ b/scp/staff.inc.php
@@ -17,7 +17,6 @@ if(basename($_SERVER['SCRIPT_NAME'])==basename(__FILE__)) die('Access denied');
 if(!file_exists('../main.inc.php')) die('Fatal error... get technical support');
-define('ROOT_PATH','../'); //Path to the root dir.
 require_once('../main.inc.php');
 if(!defined('INCLUDE_DIR')) die('Fatal error... invalid setting.');
@@ -64,7 +63,7 @@ if(!$thisstaff || !is_object($thisstaff) || !$thisstaff->getId() || !$thisstaff-
        $msg = $_SESSION['_staff']['auth']['msg'];
        unset($_SESSION['_staff']['auth']['msg']);
    }
-    elseif ($thisstaff && !$thisstaff->isValid())
+    elseif (isset($_SESSION['_staff']['userID']) && !$thisstaff->isValid())
        $msg = 'Session timed out due to inactivity';
    else
        $msg = 'Authentication Required';