From ee072130ceac08b47938f488859682f541b82c0d Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 13 Jan 2015 21:58:17 -0600
Subject: [PATCH] Session never expires

This patch sends updated session cookies to the browser when the session is
refreshed on the server. This allows the session cookie to expire on the
browser at the same time the session timeout occurs at the server. In the
event the session timeout is configured in osTicket not to expire, the
cookie will expire after seven days on the client browser, and will expire
in PHP when it is garbage collected some time after 86400 seconds past the
last refresh time.

Using this method, the session will never expire if the session timeout in
osTicket is configured to 0, and the session is refreshed at least daily.
---
 include/class.usersession.php | 18 ++++++++++++++++++
 logout.php                    |  5 +++++
 scp/logout.php                |  6 ++++++
 3 files changed, 29 insertions(+)

diff --git a/include/class.usersession.php b/include/class.usersession.php
index 9e7fd277b..250f6c05f 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -133,6 +133,8 @@ class ClientSession extends EndUser {
     }
 
     function refreshSession($force=false){
+        global $cfg;
+
         $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (!$force && time() - $time < 30)
@@ -140,6 +142,13 @@ class ClientSession extends EndUser {
 
         $this->token = $this->getSessionToken();
         //TODO: separate expire time from hash??
+
+        setcookie(session_name(), session_id(),
+            ($time ?: time()) + ($cfg->getClientTimeout() ?: 604800),
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
     }
 
     function getSession() {
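Review bot: The new setcookie() call feeds `ini_get('session.cookie_secure')` and `ini_get('session.cookie_httponly')` straight into setcookie's boolean parameters, but ini_get() returns the configured value as a raw string, so a setting spelled `Off` or `no` in php.ini would, as far as I can tell, be coerced to true while an empty string or `0` becomes false; the Secure and HttpOnly flags on the re-issued cookie may therefore not match what PHP itself sends for the session cookie. `session_get_cookie_params()` already returns these four values normalised (`path`, `domain`, `secure` as bool, `httponly` as bool), so `$p = session_get_cookie_params();` followed by `setcookie(session_name(), session_id(), $expires, $p['path'], $p['domain'], $p['secure'], $p['httponly']);` keeps the re-issued cookie consistent with the original one. The same pattern appears in the StaffSession::refreshSession hunk and in both logout.php hunks. Note also that the expiry is computed from `$time`, the previous last-update value, rather than the current time of this refresh, so the browser-side expiry lags the server-side one by at least the 30-second deadband. refreshSession's body begins in the previous hunk.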
@@ -177,12 +186,21 @@ class StaffSession extends Staff {
     }
 
     function refreshSession($force=false){
+        global $cfg;
+
         $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (!$force && time() - $time < 30)
             return;
 
         $this->token=$this->getSessionToken();
+
+        setcookie(session_name(), session_id(),
+            ($time ?: time()) + ($cfg->getStaffTimeout() ?: 604800),
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
     }
 
     function getSession() {
diff --git a/logout.php b/logout.php
index 74d73cc37..11e0e11fb 100644
--- a/logout.php
+++ b/logout.php
@@ -19,6 +19,11 @@ require('client.inc.php');
 if ($thisclient && $_GET['auth'] && $ost->validateLinkToken($_GET['auth']))
    $thisclient->logOut();
 
+setcookie(session_name(), 'deleted', 1,
+    ini_get('session.cookie_path'),
+    ini_get('session.cookie_domain'),
+    ini_get('session.cookie_secure'),
+    ini_get('session.cookie_httponly'));
 
 Http::redirect('index.php');
 ?>
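Review bot: The cookie deletion is unconditional, while the server-side `$thisclient->logOut()` on the line above it runs only when the `auth` link token validates; any unauthenticated request to logout.php (for example a cross-site image or link) now clears the visitor's session cookie even though nothing was logged out on the server. If the link-token gate is intended to protect against forced logout, the setcookie() call should sit inside the same conditional, e.g. `if ($thisclient && $_GET['auth'] && $ost->validateLinkToken($_GET['auth'])) { $thisclient->logOut(); setcookie(...); }`. The `ini_get()` booleans passed to setcookie() have the same coercion caveat raised on the ClientSession::refreshSession hunk; `session_get_cookie_params()` gives normalised values here too.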
diff --git a/scp/logout.php b/scp/logout.php
index bdc697c78..f51d9ed8a 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -31,6 +31,12 @@ TicketLock::removeStaffLocks($thisstaff->getId());
 session_unset();
 session_destroy();
 
+setcookie(session_name(), 'deleted', 1,
+    ini_get('session.cookie_path'),
+    ini_get('session.cookie_domain'),
+    ini_get('session.cookie_secure'),
+    ini_get('session.cookie_httponly'));
+
 @header('Location: login.php');
 require('login.php');
 ?>
-- 
GitLab