Merge pull request #1677 from greezybacon/issue/session-expire

Session never expires Reviewed-By: Peter Rotich <peter@osticket.com>

Merge pull request #1677 from greezybacon/issue/session-expire
2bda5c9b · Peter Rotich · f87318be · fc5480f9 · 2bda5c9b · 2bda5c9b
Commit 2bda5c9b authored 10 years ago by Peter Rotich
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -69,6 +69,23 @@ class osTicketSession {
        $this->destroy($oldId);
    }

+    static function destroyCookie() {
+        setcookie(session_name(), 'deleted', 1,
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
+    }
+
+    static function renewCookie($baseTime=false, $window=false) {
+        setcookie(session_name(), session_id(),
+            ($baseTime ?: time()) + ($window ?: SESSION_TTL),
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
+    }
+
    function open($save_path, $session_name){
        return (true);
    }

--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -133,6 +133,8 @@ class ClientSession extends EndUser {
    }

    function refreshSession($force=false){
+        global $cfg;
+
        $time = $this->session->getLastUpdate($this->token);
        // Deadband session token updates to once / 30-seconds
        if (!$force && time() - $time < 30)
@@ -140,6 +142,8 @@ class ClientSession extends EndUser {

        $this->token = $this->getSessionToken();
        //TODO: separate expire time from hash??
+
+        osTicketSession::renewCookie($time, $cfg->getClientSessionTimeout());
    }

    function getSession() {
@@ -177,12 +181,16 @@ class StaffSession extends Staff {
    }

    function refreshSession($force=false){
+        global $cfg;
+
        $time = $this->session->getLastUpdate($this->token);
        // Deadband session token updates to once / 30-seconds
        if (!$force && time() - $time < 30)
            return;

        $this->token=$this->getSessionToken();
+
+        osTicketSession::renewCookie($time, $cfg->getStaffSessionTimeout());
    }

    function getSession() {

--- a/logout.php
+++ b/logout.php
@@ -19,6 +19,7 @@ require('client.inc.php');
 if ($thisclient && $_GET['auth'] && $ost->validateLinkToken($_GET['auth']))
   $thisclient->logOut();

+osTicketSession::destroyCookie();

 Http::redirect('index.php');
 ?>
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -31,6 +31,8 @@ TicketLock::removeStaffLocks($thisstaff->getId());
 session_unset();
 session_destroy();

+osTicketSession::destroyCookie();
+
 @header('Location: login.php');
 require('login.php');
 ?>