diff --git a/include/class.auth.php b/include/class.auth.php
index ff8b54466e493ebb40ae48723c3668fd9a280d15..a7dbfecbdcb294451544c0716623f07fb1f0f086 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -346,6 +346,7 @@ abstract class StaffAuthenticationBackend extends AuthenticationBackend {
 global $ost;
 $_SESSION['_auth']['staff'] = array();
+ unset($_SESSION[':token']['staff']);
 $ost->logDebug('Staff logout', sprintf("%s logged out [%s]",
 $staff->getUserName(),
@@ -462,6 +463,7 @@ abstract class UserAuthenticationBackend extends AuthenticationBackend {
 global $ost;
 $_SESSION['_auth']['user'] = array();
+ unset($_SESSION[':token']['client']);
 $ost->logDebug('User logout', sprintf("%s logged out [%s]",
 $user->getUserName(), $_SERVER['REMOTE_ADDR']));
diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index d27debae7a795859e7b37a0596e19516ee4aa1bc..db51e89e771caaaff6fe9bdb1d3e2808b96e548c 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -88,14 +88,14 @@ class osTicketSession {
 list($this->data)=db_fetch_row($res);
 $this->id = $id;
 }
- $this->data_hash = md5($this->data);
+ $this->data_hash = md5($id.$this->data);
 return $this->data;
 }
 function write($id, $data){
 global $thisstaff;
- if (md5($data) == $this->data_hash)
+ if (md5($id.$data) == $this->data_hash)
 return;
 $ttl = ($this && get_class($this) == 'osTicketSession')
diff --git a/include/class.usersession.php b/include/class.usersession.php
index 4e2440dd57831fe5e8a9f53aac0b190f0d5643ca..92e7f4380da5c9381f95a73c40e8c61b637a6cdc 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -114,9 +114,11 @@ class UserSession {
 class ClientSession extends EndUser {
 var $session;
+ var $token;
 function __construct($user) {
 parent::__construct($user);
+ $this->token = &$_SESSION[':token']['client']; // XXX: Change the key to user-id
 $this->session= new UserSession($user->getUserName());
 }
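Review bot: The added `unset($_SESSION[':token']['staff']);` removes the array slot but does not clear the value that a live `StaffSession` still holds, because its constructor (class.usersession.php hunk in this commit) binds `$this->token` by reference to that very slot and `unset` only detaches the name; any code that uses the object later in the same request would still see the old token. The same applies to `unset($_SESSION[':token']['client']);` in the UserAuthenticationBackend hunk below. Writing through the reference first keeps object and session in agreement: `$_SESSION[':token']['staff'] = null;` on the line before the `unset` (and the `client` counterpart). Neither hunk shows the session id being regenerated or the session being destroyed on logout; if the enclosing method, which starts and ends outside the hunk, does not do that elsewhere, the logged-out session record stays usable until it expires, which is worth confirming.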
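Review bot: `if (md5($id.$data) == $this->data_hash)` in write() still compares two hex digests with loose `==`, under which two digests that both look like numeric strings of the form `0e` followed by digits compare as equal, so a changed session would occasionally be skipped silently; the strict form costs nothing: `if (md5($id.$data) === $this->data_hash)`. Neither changed line says why `$id` now joins the hash; a comment on the read() line such as `// include the id so a regenerated session id with unchanged data is still written out` would record the motivation, which I take to be exactly that but cannot confirm from the hunk. As far as the hunk shows `$this->data_hash` is only assigned in read(), so a write() for a different id than the one last read now mismatches and proceeds, which looks like the intended effect; both methods begin or end outside the hunk.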
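Review bot: `$this->token = &$_SESSION[':token']['client'];` takes a reference to an array element that need not exist yet, and PHP then creates the element holding `null`, so constructing a ClientSession now writes a `:token` key into the session even for a visitor who has not logged in, and `isvalidSession($this->token, ...)` receives `null` in that state where the old `$_SESSION['_client']['token']` read produced an undefined-index notice; whether isvalidSession treats `null` as invalid is not visible here. The StaffSession constructor hunk does the same with `$_SESSION[':token']['staff']`. Because the key moved from `_client`/`_staff` to `:token`, sessions established before this code is deployed carry no token under the new name and will presumably fail validation until the user signs in again; confirm that forced re-login is acceptable. A comment would make the aliasing explicit: `// alias of the session slot, taken by reference so refreshSession() writes straight back into $_SESSION; the slot is created (null) if absent`.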
@@ -127,15 +129,15 @@ class ClientSession extends EndUser {
 if(!$this->getId() || $this->session->getSessionId()!=session_id())
 return false;
- return $this->session->isvalidSession($_SESSION['_client']['token'],$cfg->getClientTimeout(),false)?true:false;
+ return $this->session->isvalidSession($this->token,$cfg->getClientTimeout(),false)?true:false;
 }
 function refreshSession(){
- $time = $this->session->getLastUpdate($_SESSION['_client']['token']);
+ $time = $this->session->getLastUpdate($this->token);
 // Deadband session token updates to once / 30-seconds
 if (time() - $time < 30)
 return;
- $_SESSION['_client']['token']=$this->getSessionToken();
+ $this->token = $this->getSessionToken();
 //TODO: separate expire time from hash??
 }
@@ -156,9 +158,11 @@ class ClientSession extends EndUser {
 class StaffSession extends Staff {
 var $session;
+ var $token;
 function __construct($var) {
 parent::__construct($var);
+ $this->token = &$_SESSION[':token']['staff'];
 $this->session= new UserSession($this->getId());
 }
@@ -168,16 +172,16 @@ class StaffSession extends Staff {
 if(!$this->getId() || $this->session->getSessionId()!=session_id())
 return false;
- return $this->session->isvalidSession($_SESSION['_staff']['token'],$cfg->getStaffTimeout(),$cfg->enableStaffIPBinding())?true:false;
+ return $this->session->isvalidSession($this->token,$cfg->getStaffTimeout(),$cfg->enableStaffIPBinding())?true:false;
 }
 function refreshSession(){
- $time = $this->session->getLastUpdate($_SESSION['_staff']['token']);
+ $time = $this->session->getLastUpdate($this->token);
 // Deadband session token updates to once / 30-seconds
 if (time() - $time < 30)
 return;
- $_SESSION['_staff']['token']=$this->getSessionToken();
+ $this->token=$this->getSessionToken();
 }
 function getSession() {
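Review bot: `$this->token = $this->getSessionToken();` in refreshSession() only reaches the session because of the by-reference binding made in the constructor, and nothing at the assignment site says so; if a later refactor drops the `&` the refreshed token silently stops being persisted while the method still looks correct, so a comment here is worth having: `// writes through to $_SESSION[':token']['client'] via the reference bound in the constructor` (and the `staff` counterpart in the StaffSession refreshSession hunk). On style, `return $this->session->isvalidSession($this->token,$cfg->getClientTimeout(),false)?true:false;` keeps a redundant `?true:false` around a result used only as a boolean; `return (bool) $this->session->isvalidSession($this->token, $cfg->getClientTimeout(), false);` reads cleaner, and the StaffSession isValidSession hunk has the identical shape. The two refreshSession hunks also spell the same assignment as `$this->token = ...` for the client and `$this->token=...` for staff; pick one. The opening line of each isValidSession, with its `$cfg` global, is outside the hunk.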