From 837a8c58eaee64334565a1da110a0396d9ac9c88 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Thu, 6 Feb 2014 09:17:09 +0100
Subject: [PATCH] [FIX] Smarty caching cross-sessions

Fixes #1691 and fixes #1684
---
 public/include/bootstrap.php | 13 ++++++++++++-
 public/index.php | 10 ----------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/public/include/bootstrap.php b/public/include/bootstrap.php
index 98cf6d55..4d418ce4 100644
--- a/public/include/bootstrap.php
+++ b/public/include/bootstrap.php
@@ -18,6 +18,17 @@ if (!@include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to l
 if (!include_once(BASEPATH . 'include/config/security.inc.dist.php')) die('Unable to load base security config - '.$quickstartlink);
 if (@file_exists(BASEPATH . 'include/config/security.inc.php')) include_once(BASEPATH . 'include/config/security.inc.php');
+// start our session, we need it for smarty caching
+$session_start = @session_start();
+session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+if (!$session_start) {
+ $log->log("info", "Forcing session id regeneration for ".$_SERVER['REMOTE_ADDR']." [hijack attempt?]");
+ session_destroy();
+ session_regenerate_id(true);
+ session_start();
+}
+@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+
 // Our default template to load, pages can overwrite this later
 $master_template = 'master.tpl';
@@ -25,4 +36,4 @@ $master_template = 'master.tpl';
 // We include all needed files here, even though our templates could load them themself
 require_once(INCLUDE_DIR . '/autoloader.inc.php');
-?>
\ No newline at end of file
+?>
diff --git a/public/index.php b/public/index.php
index 7784657c..1af0fa62 100644
--- a/public/index.php
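Review bot: In the new bootstrap.php block, `session_set_cookie_params()` runs after `@session_start()` has already emitted the session cookie, and its first argument is a lifetime in seconds rather than an absolute expiry, so `time()+$config['cookie']['duration']` asks for a lifetime of roughly 44 years and in any case affects nothing — the manual `@setcookie(...)` below is what actually sets the intended cookie. Reorder to `session_set_cookie_params($config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);` followed by `$session_start = @session_start();`, after which the trailing setcookie is redundant. In the `!$session_start` branch, `session_destroy()` and `session_regenerate_id(true)` both require an active session, so when the first start failed they only raise warnings, and unless strict mode is on the retry is likely to accept whatever id the client sent; `ini_set('session.use_strict_mode', '1');` (PHP 5.5.2+) before the first start is what actually rejects an uninitialised client-supplied id. Note also that index.php includes bootstrap.php before its `https_only` redirect (visible as context in the second hunk), so with this move the session cookie is issued on the plain-HTTP request that gets redirected, which is only harmless if `$config['cookie']['secure']` is true.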
+++ b/public/index.php
@@ -43,16 +43,6 @@ include_once('include/bootstrap.php');
 $hts = ($config['https_only'] && (!empty($_SERVER['QUERY_STRING']))) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING'] : "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'];
 ($config['https_only'] && @!$_SERVER['HTTPS']) ? exit(header("Location: ".$hts)):0;
-$session_start = @session_start();
-session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
-if (!$session_start) {
- $log->log("info", "Forcing session id regeneration for ".$_SERVER['REMOTE_ADDR']." [hijack attempt?]");
- session_destroy();
- session_regenerate_id(true);
- session_start();
-}
-@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
-
 // Rate limiting
 if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
 if (PHP_OS == 'WINNT') {