Merge pull request #445 from IainKay/issue-434

Issue 434

public/include/classes/user.class.php

@@ -387,7 +387,16 @@ class User {
    **/
   public function logoutUser($redirect="index.php") {
     $this->debug->append("STA " . __METHOD__, 4);
+    // Unset all of the session variables
+    $_SESSION = array();
+    // As we're killing the sesison, also kill the cookie!
+    if (ini_get("session.use_cookies")) {
+        $params = session_get_cookie_params();
+        setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
+    }
+    // Destroy the session.
     session_destroy();
+    // Enforce generation of a new Session ID and delete the old
     session_regenerate_id(true);
     // Enforce a page reload
     header("Location: $redirect");

public/include/config/global.inc.dist.php

@@ -351,16 +351,49 @@ $config['memcache']['splay'] = 15;
 /**
  * Cookie configiration
  *
- * For multiple installations of this cookie change the cookie name
+ * You can configure the cookie behaviour to secure your cookies more than the PHP defaults
+ *
+ * For multiple installations of mmcfe-ng on the same domain you must change the cookie
+ * path or change the cookie name to avoid conflicts.
+ *
+ * Explanation:
+ * duration:
+ *   the amount of time, in seconds, that a cookie should persist in the users browser.
+ *   0 = until closed; 1440 = 24 minutes. Check your php.ini 'session.gc_maxlifetime' value
+ *   and ensure that it is at least the duration specified here.
+ *
+ * domain:
+ *   the only domain name that may access this cookie in the browser
+ *
+ * path:
+ *   the highest path on the domain that can access this cookie; i.e. if running two pools
+ *   from a single domain you might set the path /ltc/ and /ftc/ to separate user session
+ *   cookies between the two.
+ *
+ * httponly:
+ *   marks the cookie as accessible only through the HTTP protocol. The cookie can't be
+ *   accessed by scripting languages, such as JavaScript. This can help to reduce identity
+ *   theft through XSS attacks in most browsers.
+ *
+ * secure:
+ *   marks the cookie as accessible only through the HTTPS protocol. If you have a SSL
+ *   certificate installed on your domain name then this will stop a user accidently
+ *   accessing the site over a HTTP connection, without SSL, exposing their session cookie.
  *
  * Default:
- *   path    =  '/'
- *   name    =  'POOLERCOOKIE'
- *   domain  = ''
+ *   duration = '1440'
+ *   domain   = ''
+ *   path     = '/'
+ *   name     =  'POOLERCOOKIE'
+ *   httponly = true
+ *   secure   = false
  **/
+$config['cookie']['duration'] = '1440';
+$config['cookie']['domain'] = '';
 $config['cookie']['path'] = '/';
 $config['cookie']['name'] = 'POOLERCOOKIE';
-$config['cookie']['domain'] = '';
+$config['cookie']['httponly'] = true;
+$config['cookie']['secure'] = false;
 
 /**
  * Enable or disable the Smarty cache

public/index.php

@@ -24,13 +24,14 @@ define("BASEPATH", "./");
 // Our security check
 define("SECURITY", 1);
 
-// Start a session
-session_start();
-$session_id = session_id();
-
 // Include our configuration (holding defines for the requires)
 if (!include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to load site configuration');
 
+// Start a session
+session_set_cookie_params($config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+session_start();
+$session_id = session_id();
+
 // Load Classes, they name defines the $ variable used
 // We include all needed files here, even though our templates could load them themself
 require_once(INCLUDE_DIR . '/autoloader.inc.php');