login: Clear session data on expiration
This fixes an issue where the current session data is not retrieved from the database, because it is expired. However, the session-id is not reset either. Therefore, the session data with the new CSRF token is not updated in the database and the user may have trouble logging in.

This problem manifests itself when a session expires. If a user clicks somewhere in the software and their session is now expired, a redirect to the login page is triggered. However, the CSRF token sent in the login page is not saved in the database. So when the user logs in, they are greeted with the CSRF failure message.

This issue is addressed by retrieving the session data from the database, but clearing the content. Therefore, it appears to the software as invalid and is properly reset and saved to the database, thereby avoiding the errors.
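
A simplified model of the failure and the fix described in the commit message, as an added example that is not the project's code. The table layout, function names, the 600-second lifetime and the way the write is lost (an insert colliding with the stale row) are assumptions.

```python
import hmac
import secrets
import sqlite3

TTL = 600  # constructed session lifetime, seconds


def new_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (id TEXT PRIMARY KEY, csrf TEXT, expires INTEGER)")
    return db


def login_page(db, sid, now, fixed):
    """Serve the login form to a browser holding cookie `sid`; return the form's CSRF token."""
    if fixed:
        # Fixed: load the row even if expired, but clear its content so it reads as invalid.
        row = db.execute("SELECT csrf, expires FROM session WHERE id = ?", (sid,)).fetchone()
        if row and row[1] <= now:
            db.execute("UPDATE session SET csrf = NULL WHERE id = ?", (sid,))
    else:
        # Buggy: the expiry filter hides the row, so nothing is loaded for this id.
        row = db.execute("SELECT csrf, expires FROM session WHERE id = ? AND expires > ?",
                         (sid, now)).fetchone()
    token = secrets.token_hex(16)
    if row is None:
        # Treated as brand new, but the cookie id was never reset: the insert
        # collides with the stale row and the new token is silently dropped.
        db.execute("INSERT OR IGNORE INTO session VALUES (?, ?, ?)", (sid, token, now + TTL))
    else:
        # A loaded (valid or cleared) session is reset in place and saved.
        db.execute("UPDATE session SET csrf = ?, expires = ? WHERE id = ?",
                   (token, now + TTL, sid))
    return token


def login_post(db, sid, submitted, now):
    """Return True when the submitted CSRF token matches the live session's stored token."""
    row = db.execute("SELECT csrf FROM session WHERE id = ? AND expires > ?",
                     (sid, now)).fetchone()
    return bool(row and row[0]) and hmac.compare_digest(row[0], submitted)


def run(fixed):
    db = new_store()
    db.execute("INSERT INTO session VALUES ('sid-1', 'old-token', 1000)")  # constructed row
    token = login_page(db, "sid-1", now=2000, fixed=fixed)  # session expired at t=1000
    return login_post(db, "sid-1", token, now=2010)
```

`run(False)` reproduces the CSRF failure after expiry, and `run(True)` shows the login succeeding once the expired row is loaded, cleared and rewritten.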