diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 53b86d6f..a363ff58 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -387,7 +387,16 @@ class User {
 **/
 public function logoutUser($redirect="index.php") {
 $this->debug->append("STA " . __METHOD__, 4);
+ // Unset all of the session variables
+ $_SESSION = array();
+ // As we're killing the sesison, also kill the cookie!
+ if (ini_get("session.use_cookies")) {
+ $params = session_get_cookie_params();
+ setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
+ }
+ // Destroy the session.
 session_destroy();
+ // Enforce generation of a new Session ID and delete the old
 session_regenerate_id(true);
 // Enforce a page reload
 header("Location: $redirect");
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index b564d6a9..6bc611d7 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
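Review bot: The comment added above `session_regenerate_id(true)` says it generates a new session ID and deletes the old one, but that call now runs after `session_destroy()`, when no session is active, so it returns false without regenerating anything (PHP 7.2 and later also emit a warning at this point). The new `setcookie(session_name(), '', time() - 42000, ...)` already expires the client cookie, so the regenerate line contributes nothing here; either remove it together with its comment, or reword the comment to `// No-op after session_destroy(); kept only for older code paths` so the next reader is not misled. The added comment also has a typo, `sesison` for `session`. The body of `logoutUser` continues past the end of the hunk.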
@@ -351,16 +351,49 @@ $config['memcache']['splay'] = 15;
 /**
 * Cookie configiration
 *
- * For multiple installations of this cookie change the cookie name
+ * You can configure the cookie behaviour to secure your cookies more than the PHP defaults
+ *
+ * For multiple installations of mmcfe-ng on the same domain you must change the cookie
+ * path or change the cookie name to avoid conflicts.
+ *
+ * Explanation:
+ * duration:
+ * the amount of time, in seconds, that a cookie should persist in the users browser.
+ * 0 = until closed; 1440 = 24 minutes. Check your php.ini 'session.gc_maxlifetime' value
+ * and ensure that it is at least the duration specified here.
+ *
+ * domain:
+ * the only domain name that may access this cookie in the browser
+ *
+ * path:
+ * the highest path on the domain that can access this cookie; i.e. if running two pools
+ * from a single domain you might set the path /ltc/ and /ftc/ to separate user session
+ * cookies between the two.
+ *
+ * httponly:
+ * marks the cookie as accessible only through the HTTP protocol. The cookie can't be
+ * accessed by scripting languages, such as JavaScript. This can help to reduce identity
+ * theft through XSS attacks in most browsers.
+ *
+ * secure:
+ * marks the cookie as accessible only through the HTTPS protocol. If you have a SSL
+ * certificate installed on your domain name then this will stop a user accidently
+ * accessing the site over a HTTP connection, without SSL, exposing their session cookie.
 *
 * Default:
- * path = '/'
- * name = 'POOLERCOOKIE'
- * domain = ''
+ * duration = '1440'
+ * domain = ''
+ * path = '/'
+ * name = 'POOLERCOOKIE'
+ * httponly = true
+ * secure = false
 **/
+$config['cookie']['duration'] = '1440';
+$config['cookie']['domain'] = '';
 $config['cookie']['path'] = '/';
 $config['cookie']['name'] = 'POOLERCOOKIE';
-$config['cookie']['domain'] = '';
+$config['cookie']['httponly'] = true;
+$config['cookie']['secure'] = false;
 
 /**
 * Enable or disable the Smarty cache
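Review bot: `$config['cookie']['duration'] = '1440';` stores the lifetime as a string while the neighbouring `httponly` and `secure` values are proper booleans; the value is fed directly to `session_set_cookie_params()`, whose first parameter is an int, so it only works through implicit coercion and would be a `TypeError` under `strict_types`. Make the shipped default an integer, `$config['cookie']['duration'] = 1440;`, and match it in the Default block as `duration = 1440`. The explanation of `secure` is good; one more sentence saying that deployments served over HTTPS should set it to `true`, since `false` stays the shipped default, would make the intended hardening explicit. There is a typo in the added text, `accidently`.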
diff --git a/public/index.php b/public/index.php
index 36360172..b33c7556 100644
--- a/public/index.php
+++ b/public/index.php
@@ -24,13 +24,14 @@ define("BASEPATH", "./");
 // Our security check
 define("SECURITY", 1);
 
-// Start a session
-session_start();
-$session_id = session_id();
-
 // Include our configuration (holding defines for the requires)
 if (!include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to load site configuration');
 
+// Start a session
+session_set_cookie_params($config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+session_start();
+$session_id = session_id();
+
 // Load Classes, they name defines the $ variable used
 // We include all needed files here, even though our templates could load them themself
 require_once(INCLUDE_DIR . '/autoloader.inc.php');
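Review bot: The new `session_set_cookie_params(...)` call reads five `$config['cookie']` keys, but the dist hunk in this same commit shows the previous config defined only `path`, `name` and `domain`, so a live `global.inc.php` copied from the older dist (presumably how deployments are configured) will lack `duration`, `secure` and `httponly`; those lookups raise undefined-index notices and pass null, which PHP coerces to lifetime 0, `secure` false and, most importantly, `httponly` false — silently dropping the flag this change is meant to introduce. Merging the loaded values over the defaults shipped in `global.inc.dist.php` before the call keeps older configs working and the HttpOnly flag in place. The rest of the `index.php` bootstrap after `require_once` is outside the hunk.
```php
// Start a session
// Fall back to the dist defaults so configs written before these keys existed keep HttpOnly.
$cookie = array_merge(
    array('duration' => 1440, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true),
    isset($config['cookie']) ? $config['cookie'] : array()
);
session_set_cookie_params($cookie['duration'], $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
session_start();
// … unchanged: $session_id = session_id(); …
```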