From 699eb91e77546c3a32f2082fd599eb6b259f2dc6 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Fri, 14 Feb 2014 09:53:59 -0600
Subject: [PATCH] auth: Force session token update on login
---
 include/class.client.php | 2 +-
 include/class.staff.php | 2 +-
 include/class.usersession.php | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/class.client.php b/include/class.client.php
index b5d062c95..078b21bfd 100644
--- a/include/class.client.php
+++ b/include/class.client.php
@@ -209,7 +209,7 @@ class Client {
 $_SESSION['_client']['token'] = $user->getSessionToken();
 $_SESSION['TZ_OFFSET'] = $cfg->getTZoffset();
 $_SESSION['TZ_DST'] = $cfg->observeDaylightSaving();
- $user->refreshSession(); //set the hash.
+ $user->refreshSession(true); //set the hash.
 //Log login info...
 $msg=sprintf('%s/%s logged in [%s]', $ticket->getEmail(), $ticket->getExtId(), $_SERVER['REMOTE_ADDR']);
 $ost->logDebug('User login', $msg);
diff --git a/include/class.staff.php b/include/class.staff.php
index 391e0fa03..34a35e008 100644
--- a/include/class.staff.php
+++ b/include/class.staff.php
@@ -660,7 +660,7 @@ class Staff {
 //Now set session crap and lets roll baby!
 $_SESSION['_staff'] = array(); //clear.
 $_SESSION['_staff']['userID'] = $user->getId();
- $user->refreshSession(); //set the hash.
+ $user->refreshSession(true); //set the hash.
 $_SESSION['TZ_OFFSET'] = $user->getTZoffset();
 $_SESSION['TZ_DST'] = $user->observeDaylight();
diff --git a/include/class.usersession.php b/include/class.usersession.php
index d65a64719..85aa876eb 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
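Review bot: Forcing a fresh application token at `$user->refreshSession(true);` does not rotate the PHP session ID, so unless `session_regenerate_id(true)` is called earlier in this login path (not visible in the hunk) a session ID fixed on the client before authentication remains valid afterwards; a `session_regenerate_id(true);` before `$_SESSION['_client']` is populated closes that gap if it is not already there. With the refresh now forced, the context line `$_SESSION['_client']['token'] = $user->getSessionToken();` three lines above only serves to feed the `getLastUpdate()` lookup inside `refreshSession()`, whose result is discarded when `$force` is set, so it becomes dead weight once that lookup is skipped on the forced path — assuming `$user` is a ClientSession, which this hunk does not show. The enclosing login method starts and ends outside the hunk.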
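Review bot: `$_SESSION['_staff']` is reset to an empty array two lines above `$user->refreshSession(true);`, and `StaffSession::refreshSession()` (later in this patch) begins by reading `$_SESSION['_staff']['token']` for `getLastUpdate()`, so on every staff login that index is undefined — an E_NOTICE and a lookup on null — before the forced path overwrites the token. The client hunk avoids this by assigning the token first; mirroring it with `$_SESSION['_staff']['token'] = $user->getSessionToken();` ahead of the refresh call keeps the two login paths consistent, assuming `$user` here is a StaffSession (its construction is outside the hunk). The enclosing login method starts and ends outside the hunk.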
@@ -129,10 +129,10 @@ class ClientSession extends Client {
 return $this->session->isvalidSession($_SESSION['_client']['token'],$cfg->getClientTimeout(),false)?true:false;
 }
- function refreshSession(){
+ function refreshSession($force=false){
 $time = $this->session->getLastUpdate($_SESSION['_client']['token']);
 // Deadband session token updates to once / 30-seconds
- if (time() - $time < 30)
+ if (!$force && time() - $time < 30)
 return;
 $_SESSION['_client']['token']=$this->getSessionToken();
 //TODO: separate expire time from hash??
@@ -170,10 +170,10 @@ class StaffSession extends Staff {
 return $this->session->isvalidSession($_SESSION['_staff']['token'],$cfg->getStaffTimeout(),$cfg->enableStaffIPBinding())?true:false;
 }
- function refreshSession(){
+ function refreshSession($force=false){
 $time = $this->session->getLastUpdate($_SESSION['_staff']['token']);
 // Deadband session token updates to once / 30-seconds
- if (time() - $time < 30)
+ if (!$force && time() - $time < 30)
 return;
 $_SESSION['_staff']['token']=$this->getSessionToken();
-- 
GitLab
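Review bot: When `$force` is true the `$time = $this->session->getLastUpdate($_SESSION['_client']['token']);` line above the deadband check still executes even though its result is then ignored, costing a session-store read on every login and reading `$_SESSION['_client']['token']` before the caller has necessarily set it. Folding the lookup into the guard, `if (!$force && time() - $this->session->getLastUpdate($_SESSION['_client']['token']) < 30) return;`, keeps the deadband behaviour for the unforced path and makes the forced path touch nothing but the new token; the `$time` local then goes away. The same shape applies to `StaffSession::refreshSession()` in the next hunk. The method continues past the end of the hunk.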
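Review bot: The new `$force` parameter on `function refreshSession($force=false)` is undocumented, and the `// Deadband session token updates to once / 30-seconds` comment now describes only the unforced path, so a reader of this method alone cannot tell why the deadband is sometimes skipped. A short docblock above the signature, `/** Refresh the stored staff session token. @param bool $force Skip the 30-second deadband so that login always stores a new token. */`, plus `// Deadband session token updates to once / 30-seconds (bypassed when $force is set, as at login)` would record the intent this commit introduces. The method continues past the end of the hunk.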