
Change session ID on successful login, make sessions last at least 2 hours

master
Skylar Ittner 1 year ago
parent
commit
be34857d71
2 changed files with 8 additions and 2 deletions
  1. 5
    0
      lib/login.php
  2. 3
    2
      required.php

+ 5
- 0
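--- a/lib/login.php
+++ b/lib/login.php
@@ -247,6 +247,11 @@ function doLoginUser($username) {
 
     if ($resp['status'] == "OK") {
         $userinfo = $resp['data'];
+        session_regenerate_id(true);
+        $newSession = session_id();
+        session_write_close();
+        session_id($newSession);
+        session_start();
         $_SESSION['username'] = $username;
         $_SESSION['uid'] = $userinfo['uid'];
         $_SESSION['email'] = $userinfo['email'];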
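Review bot: The four lines after `session_regenerate_id(true);` look redundant: regenerate_id already switches the running session to the new ID and, with `true`, discards the old session data, so closing and re-opening under the same ID only adds an extra save and a second Set-Cookie header. Unless this works around a save-handler quirk (which would deserve a comment), keeping just `session_regenerate_id(true); // new ID on privilege change, defeats session fixation` before the `$_SESSION` writes gives the same defence with fewer moving parts, since a failed re-open here would leave `$_SESSION` empty while the login still proceeds. doLoginUser starts and ends outside the hunk.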

+ 3
- 2
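--- a/required.php
+++ b/required.php
@@ -24,12 +24,13 @@ header('X-Frame-Options: "DENY"');
 header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
 $SECURE_NONCE = base64_encode(random_bytes(8));
 
-$session_length = 60 * 60; // 1 hour
+$session_length = 60 * 60 * 2; // 2 hours
+ini_set('session.gc_maxlifetime', $session_length);
 session_set_cookie_params($session_length, "/", null, false, false);
 
 session_start(); // stick some cookies in it
 // renew session cookie
-setcookie(session_name(), session_id(), time() + $session_length);
+//setcookie(session_name(), session_id(), time() + $session_length);
 
 $captcha_server = (CAPTCHA_ENABLED === true ? preg_replace("/http(s)?:\/\//", "", CAPTCHA_SERVER) : "");
 if ($_SESSION['mobile'] === TRUE) {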
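Review bot: Commenting out the `setcookie` renewal on line 33 turns the cookie lifetime from sliding into absolute: PHP only emits the session cookie (with its `Expires`) when the session is created or regenerated, so an active user's browser drops the cookie two hours after login regardless of activity, whereas the new `session.gc_maxlifetime` on line 28 counts from last access. If "at least 2 hours" means two hours of activity, keep a renewal that matches the configured path, e.g. `setcookie(session_name(), session_id(), time() + $session_length, '/');`, or state the absolute-expiry intent in the `// renew session cookie` comment; either way delete the dead line rather than leaving it commented out, since version control keeps the history. Be aware that a per-request `ini_set('session.gc_maxlifetime', ...)` is presumably not honoured on hosts that run session garbage collection from an external cron job against the default save path, so the server-side lifetime may still be the system default there. Unrelated to this change but visible on the same lines, `session_set_cookie_params` still passes `false` for both secure and httponly.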
