From 9ce7a5546c6d9cca8aa8be524d43c735e2bd7182 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Thu, 4 Apr 2013 15:33:14 +0400
Subject: [PATCH] implement some tweaks to session handling; properly remove
 session cookie if invalid/login failed

---
 api/index.php              | 1 +
 classes/handler/public.php | 4 ++--
 include/functions.php      | 3 ++-
 include/login_form.php     | 2 +-
 include/sessions.php       | 7 ++++---
 5 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/api/index.php b/api/index.php
index 50703175b..53b78b010 100644
--- a/api/index.php
+++ b/api/index.php
@@ -11,6 +11,7 @@
 	chdir("..");
 
 	define('TTRSS_SESSION_NAME', 'ttrss_api_sid');
+	define('NO_SESSION_AUTOSTART', true);
 
 	require_once "db.php";
 	require_once "db-prefs.php";
diff --git a/classes/handler/public.php b/classes/handler/public.php
index b8a32cd27..9304b0181 100644
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -515,7 +515,7 @@ class Handler_Public extends Handler {
 
 			$login = db_escape_string($this->link, $_POST["login"]);
 			$password = $_POST["password"];
-			$remember_me = $_POST["remember_me"];
+			/* $remember_me = $_POST["remember_me"];
 
 			if ($remember_me) {
 				session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@@ -523,7 +523,7 @@ class Handler_Public extends Handler {
 				session_set_cookie_params(0);
 			}
 
-			@session_start();
+			@session_start(); */
 
 			if (authenticate_user($this->link, $login, $password)) {
 				$_POST["password"] = "";
diff --git a/include/functions.php b/include/functions.php
index 71fd16542..9c64fad9f 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -756,9 +756,10 @@
 				}
 
 				if (!$_SESSION["uid"]) {
-					render_login_form($link);
 					@session_destroy();
 					setcookie(session_name(), '', time()-42000, '/');
+
+					render_login_form($link);
 					exit;
 				}
 
diff --git a/include/login_form.php b/include/login_form.php
index 7ac7111c8..ca07ccfee 100644
--- a/include/login_form.php
+++ b/include/login_form.php
@@ -221,7 +221,7 @@ function bwLimitChange(elem) {
 			<label style='display : inline' for="bw_limit"><?php echo __("Use less traffic") ?></label>
 		</div>
 
-		<?php if (SESSION_COOKIE_LIFETIME > 0) { ?>
+		<?php if (false && SESSION_COOKIE_LIFETIME > 0) { /* disabled for now */ ?>
 
 		<div class="row">
 			<label>&nbsp;</label>
diff --git a/include/sessions.php b/include/sessions.php
index 0edda4ec7..402e8b8de 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -15,10 +15,11 @@
 		ini_set("session.cookie_secure", true);
 	}
 
-	ini_set("session.gc_probability", 50);
+	ini_set("session.gc_probability", 75);
 	ini_set("session.name", $session_name);
 	ini_set("session.use_only_cookies", true);
 	ini_set("session.gc_maxlifetime", $session_expire);
+	ini_set("session.cookie_lifetime", min(0, SESSION_COOKIE_LIFETIME));
 
 	global $session_connection;
 
@@ -181,8 +182,8 @@
 			"ttrss_destroy", "ttrss_gc");
 	}
 
-	if (!defined('TTRSS_SESSION_NAME') || TTRSS_SESSION_NAME != 'ttrss_api_sid') {
-		if (isset($_COOKIE[$session_name])) {
+	if (!defined('NO_SESSION_AUTOSTART')) {
+		if (isset($_COOKIE[session_name()])) {
 			@session_start();
 		}
 	}