From be34857d71e0a89a2cacb5a6b1058ec07d3c80a7 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Tue, 15 May 2018 13:44:43 -0600
Subject: [PATCH] Change session ID on successful login, make sessions last at least 2 hours

---
 lib/login.php | 5 +++++
 required.php | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/login.php b/lib/login.php
index 46d89e1..a9b290f 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -247,6 +247,11 @@ function doLoginUser($username) {
 if ($resp['status'] == "OK") {
 $userinfo = $resp['data'];
+ session_regenerate_id(true);
+ $newSession = session_id();
+ session_write_close();
+ session_id($newSession);
+ session_start();
 $_SESSION['username'] = $username;
 $_SESSION['uid'] = $userinfo['uid'];
 $_SESSION['email'] = $userinfo['email'];
diff --git a/required.php b/required.php
index 54cc46f..b4eab40 100644
--- a/required.php
+++ b/required.php
@@ -24,12 +24,13 @@ header('X-Frame-Options: "DENY"');
 header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
 $SECURE_NONCE = base64_encode(random_bytes(8));
-$session_length = 60 * 60; // 1 hour
+$session_length = 60 * 60 * 2; // 2 hours
+ini_set('session.gc_maxlifetime', $session_length);
 session_set_cookie_params($session_length, "/", null, false, false);
 session_start(); // stick some cookies in it
 // renew session cookie
-setcookie(session_name(), session_id(), time() + $session_length);
+//setcookie(session_name(), session_id(), time() + $session_length);
 $captcha_server = (CAPTCHA_ENABLED === true ? preg_replace("/http(s)?:\/\//", "", CAPTCHA_SERVER) : "");
 if ($_SESSION['mobile'] === TRUE) {
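Review bot: The four added lines after `session_regenerate_id(true);` redo what that call already performs: with `delete_old_session` set it switches the running request to the new id, removes the old session data and sends the new cookie, so `$newSession = session_id(); session_write_close(); session_id($newSession); session_start();` only writes the session out and reads the same data back. Unless that early flush is deliberate (in which case a one-line comment saying why would save the next reader the same question), keep `session_regenerate_id(true);` alone ahead of the `$_SESSION` assignments. Note also that regeneration carries the pre-login session contents over into the new id, so anything stored during an anonymous visitor's requests (the `$_SESSION['mobile']` flag read in required.php, for example) survives into the authenticated session; if that is not intended, reset `$_SESSION = [];` before the assignments, re-adding only the keys that must persist. doLoginUser continues outside the hunk on both sides.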
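Review bot: `ini_set('session.gc_maxlifetime', $session_length);` only tells the garbage collector when a session may be reclaimed; it neither enforces a two-hour lifetime nor guarantees one, and on a save path shared with other PHP applications a shorter `gc_maxlifetime` configured there can still remove these sessions early, so the subject's "last at least 2 hours" does not follow from this line alone. If a bounded lifetime matters, record a last-activity timestamp in `$_SESSION` after `session_start()` and destroy the session when it is older than `$session_length`, which holds regardless of GC configuration. The commented-out `//setcookie(...)` line and the `// renew session cookie` comment above it now describe nothing the code does — with per-request refresh gone, the cookie expires `$session_length` after it was issued rather than after the last activity — so either delete both lines or replace them with a comment stating that the cookie is issued once and not renewed. Separately, the unchanged `session_set_cookie_params` call in this hunk passes `false` for both `secure` and `httponly`; setting `httponly` to `true` costs nothing here and keeps the session id out of reach of page scripts.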