diff --git a/adm_program/installation/update.php b/adm_program/installation/update.php
index e33d09d45..5a6e6c1f5 100644
--- a/adm_program/installation/update.php
+++ b/adm_program/installation/update.php
@@ -64,19 +64,12 @@
 // TODO
 }
-// determine session id
-if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
- $gSessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
-} else {
- $gSessionId = session_id();
-}
-
 // create session object
 if (array_key_exists('gCurrentSession', $_SESSION)) {
 $gCurrentSession = $_SESSION['gCurrentSession'];
 } else {
 // create new session object and store it in PHP session
- $gCurrentSession = new Session($gDb, $gSessionId, COOKIE_PREFIX);
+ $gCurrentSession = new Session($gDb, COOKIE_PREFIX);
 $_SESSION['gCurrentSession'] = $gCurrentSession;
 }
diff --git a/adm_program/modules/profile/profile_photo_edit.php b/adm_program/modules/profile/profile_photo_edit.php
index caab1b31a..731c3f8b7 100644
--- a/adm_program/modules/profile/profile_photo_edit.php
+++ b/adm_program/modules/profile/profile_photo_edit.php
@@ -120,7 +120,7 @@
 // Foto aus Session entfernen und neues Einlesen des Users veranlassen
 $gCurrentSession->setValue('ses_binary', '');
 $gCurrentSession->save();
- $gCurrentSession->reloadSession($user->getValue('usr_id'));
+ $gCurrentSession->reload($user->getValue('usr_id'));
 $gDb->endTransaction();
 }
 }
@@ -166,7 +166,7 @@
 else {
 $user->setValue('usr_photo', '');
 $user->save();
- $gCurrentSession->reloadSession($user->getValue('usr_id'));
+ $gCurrentSession->reload($user->getValue('usr_id'));
 }
 // Loeschen erfolgreich -> Rueckgabe fuer XMLHttpRequest
diff --git a/adm_program/modules/profile/roles_save.php b/adm_program/modules/profile/roles_save.php
index 29ed1d54e..d61082d80 100644
--- a/adm_program/modules/profile/roles_save.php
+++ b/adm_program/modules/profile/roles_save.php
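Review bot: The `$gSessionId` global removed here (and in the common.php hunk near the end of this diff) may still be read elsewhere — the AutoLogin.php hunk rewrites its docblock examples from `$gSessionId` to a local `$sessionId`, but no AutoLogin call site is updated in this diff, so any remaining `new AutoLogin($gDb, $gSessionId)` would now pass an undefined variable (null) as the session id. Such readers should be pointed at `$gCurrentSession->getValue('ses_session_id')`, which this bootstrap makes available right below. The surrounding bootstrap continues outside the hunk.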
@@ -220,7 +220,7 @@
 }
 // refresh session user object to update the user rights because of the new or removed role
-$gCurrentSession->reloadSession($user->getValue('usr_id'));
+$gCurrentSession->reload($user->getValue('usr_id'));
 // Check if a new user get's at least one role
 if ($getNewUser > 0 && $assignedCount === 0) {
diff --git a/adm_program/system/bootstrap/constants.php b/adm_program/system/bootstrap/constants.php
index 38fcf3811..76ec1e561 100755
--- a/adm_program/system/bootstrap/constants.php
+++ b/adm_program/system/bootstrap/constants.php
@@ -155,7 +155,11 @@
 // create an installation unique cookie prefix and remove special characters
 if (isset($g_adm_db)) {
- $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . DB_NAME . '_' . TABLE_PREFIX;
+ if (isset($gDebug)) {
+ $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . DB_NAME . '_' . TABLE_PREFIX;
+ } else {
+ $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . TABLE_PREFIX;
+ }
 } else {
 $cookiePrefix = 'ADMIDIO_' . TABLE_PREFIX;
 }
diff --git a/adm_program/system/classes/AutoLogin.php b/adm_program/system/classes/AutoLogin.php
index 57212834d..4bc1756ad 100644
--- a/adm_program/system/classes/AutoLogin.php
+++ b/adm_program/system/classes/AutoLogin.php
@@ -18,11 +18,11 @@
 * **Code examples**
 * ```
 * // create a valid user login for a Admidio session from auto login
- * $autoLogin = new AutoLogin($gDb, $gSessionId);
+ * $autoLogin = new AutoLogin($gDb, $sessionId);
 * $autoLogin->setValidLogin($gCurrentSession, $_COOKIE['ADMIDIO_ID']);
 *
 * // delete an auto login
- * $autoLogin = new AutoLogin($gDb, $gSessionId);
+ * $autoLogin = new AutoLogin($gDb, $sessionId);
 * $autoLogin->delete();
 * ```
 */
diff --git a/adm_program/system/classes/Session.php b/adm_program/system/classes/Session.php
index 82cfe2dd5..219f3d9a6 100644
--- a/adm_program/system/classes/Session.php
+++ b/adm_program/system/classes/Session.php
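Review bot: `isset($gDebug)` in the constants.php hunk tests whether the variable is defined rather than whether debugging is on, so a configuration that explicitly sets `$gDebug = false` still gets the longer DB_NAME prefix; if debug mode is the intended switch it should read `if (isset($gDebug) && $gDebug) {`. Because the prefix now depends on that flag, toggling debug mode changes the name of every cookie built from it (`_SESSION_ID`, `_AUTO_LOGIN_ID`), so existing cookies stop matching and users are logged out. Dropping DB_NAME from the non-debug prefix also removes the component that separated two installations on one host sharing organization and TABLE_PREFIX but using different databases; if that isolation is no longer wanted, a comment above the `if` explaining why the prefix differs by mode would help the next reader.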
@@ -53,25 +53,29 @@ class Session extends TableAccess
 * Constructor that will create an object of a recordset of the table adm_sessions.
 * If the id is set than the specific session will be loaded.
 * @param Database $database Object of the class Database. This should be the default global object **$gDb**.
- * @param int|string $session The recordset of the session with this id will be loaded.
- * The session can be the table id or the alphanumeric session id.
- * If id isn't set than an empty object of the table is created.
 * @param string $cookiePrefix The prefix that is used for cookies
 */
- public function __construct(Database $database, $session = 0, $cookiePrefix = '')
+ public function __construct(Database $database, $cookiePrefix = '')
 {
 parent::__construct($database, TBL_SESSIONS, 'ses');
+ // determine session id
+ if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
+ $sessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
+ } else {
+ $sessionId = session_id();
+ }
+
 $this->cookieAutoLoginId = $cookiePrefix . '_AUTO_LOGIN_ID';
- if (is_int($session)) {
- $this->readDataById($session);
+ if (is_int($sessionId)) {
+ $this->readDataById($sessionId);
 } else {
- $this->readDataByColumns(array('ses_session_id' => $session));
+ $this->readDataByColumns(array('ses_session_id' => $sessionId));
 if ($this->newRecord) {
 // if PHP session id was commited then store them in that field
- $this->setValue('ses_session_id', $session);
+ $this->setValue('ses_session_id', $sessionId);
 $this->setValue('ses_timestamp', DATETIME_NOW);
 }
 }
@@ -286,7 +290,7 @@ public function refreshAutoLogin()
 * Reload session data from database table adm_sessions. If IP address check is activated than check if the IP
 * address has changed. Refresh AutoLogin with new auto_login_id.
 */
- public function refreshSession()
+ public function refresh()
 {
 // read session data from database to update the renew flag
 $this->readDataById((int) $this->getValue('ses_id'));
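Review bot: The `is_int($sessionId)` branch in the constructor can no longer be taken — both `$_COOKIE` values and `session_id()` are strings — so the `readDataById()` call there is dead code and the branch should go. The cookie name is also built from the `COOKIE_PREFIX` constant while the method still takes a `$cookiePrefix` parameter (used for `cookieAutoLoginId`); building both names from the parameter keeps the two cookies consistent and lets the class be constructed without the global constant (every caller in this diff passes `COOKIE_PREFIX`). Since `$_COOKIE` is client-controlled and PHP turns a `name[]` cookie into an array, the value should be checked with `is_string()` and for emptiness before it reaches `readDataByColumns()`, with `session_id()` as the fallback. The docblock line `If the id is set than the specific session will be loaded.` now describes a parameter that no longer exists and should say the id is taken from the session cookie or the PHP session; the constructor's closing brace lies outside the hunk.
```php
        parent::__construct($database, TBL_SESSIONS, 'ses');

        // Session id comes from the session cookie or, failing that, the PHP session;
        // the cookie is client-controlled, so accept only a non-empty string.
        $sessionId = $_COOKIE[$cookiePrefix . '_SESSION_ID'] ?? '';
        if (!is_string($sessionId) || $sessionId === '') {
            $sessionId = session_id();
        }

        $this->cookieAutoLoginId = $cookiePrefix . '_AUTO_LOGIN_ID';

        // ids are always strings here, so the former readDataById() branch is gone
        $this->readDataByColumns(array('ses_session_id' => $sessionId));
        // … unchanged: store the new session id and timestamp when newRecord …
```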
@@ -316,6 +320,18 @@ public function refreshSession()
 }
 }
+ /**
+ * This method will replace the current session ID with a new one, and keep the current session information.
+ * The new session id will be stored in the database.
+ */
+ public function regenerateId()
+ {
+ session_regenerate_id();
+
+ $this->setValue('ses_session_id', session_id());
+ $this->save();
+ }
+
 /**
 * This method will reload all stored objects of all active sessions. The session will be
 * reloaded if the user will open a new page.
@@ -331,7 +347,7 @@ public function reloadAllSessions()
 * and reloaded if the user opens a new page.
 * @param int $userId Id of the user whose session should be relaoded.
 */
-public function reloadSession(int $userId)
+public function reload(int $userId)
 {
 $sql = 'UPDATE ' . TBL_SESSIONS . ' SET ses_reload = true WHERE ses_usr_id = ? -- $userId';
diff --git a/adm_program/system/classes/TableMembers.php b/adm_program/system/classes/TableMembers.php
index 4b70d4407..eae604ceb 100644
--- a/adm_program/system/classes/TableMembers.php
+++ b/adm_program/system/classes/TableMembers.php
@@ -159,7 +159,7 @@ public function delete()
 }
 // renew user object of the affected user because of edited role assignment
- $GLOBALS['gCurrentSession']->reloadSession((int) $this->getValue('mem_usr_id'));
+ $GLOBALS['gCurrentSession']->reload($this->getValue('mem_usr_id'));
 return parent::delete();
 }
@@ -182,7 +182,7 @@ public function save($updateFingerPrint = true)
 if ($returnStatus && $gCurrentSession instanceof Session) {
 // renew user object of the affected user because of edited role assignment
- $gCurrentSession->reloadSession((int) $this->getValue('mem_usr_id'));
+ $gCurrentSession->reload($this->getValue('mem_usr_id'));
 }
 if ($newRecord && is_object($gChangeNotification)) {
diff --git a/adm_program/system/classes/User.php b/adm_program/system/classes/User.php
index 07cf42b86..e20c1e70a 100644
--- a/adm_program/system/classes/User.php
+++ b/adm_program/system/classes/User.php
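Review bot: `session_regenerate_id()` in the new `regenerateId()` is called without `delete_old_session`, so the previous PHP session id keeps its data alive in the session store until garbage collection; since the caller in the User.php hunk invokes this right after a successful password check (presumably as the session-fixation mitigation at login), it should be `session_regenerate_id(true);` so the old id is dropped immediately. The return value is also ignored — when no session is active or regeneration fails, the method silently writes the unchanged `session_id()` back to the row, so a check such as `if (!session_regenerate_id(true)) { return; }` (or throwing) would make that visible. The docblock should also state that this must run before `Session::setCookie()` reads `ses_session_id`, which is the ordering the User.php hunk relies on.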
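Review bot: Dropping the `(int)` cast in TableMembers `delete()` (and again in the `save()` hunk right after it) hands `reload(int $userId)` whatever `getValue('mem_usr_id')` returns; if that is the string form a database column typically comes back as, it is coerced only because the file does not declare strict types, and an empty or null value now raises a `TypeError` where the old code passed 0. Keep the cast, `$GLOBALS['gCurrentSession']->reload((int) $this->getValue('mem_usr_id'));`, or make `reload()` accept the column type it is given. `delete()`'s body starts outside the hunk.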
@@ -496,7 +496,7 @@ public function checkRolesRight($right = null)
 */
 public function checkLogin($password, $setAutoLogin = false, $updateSessionCookies = true, $updateHash = true, $isAdministrator = false)
 {
-global $gLogger, $gSettingsManager, $gCurrentSession, $gSessionId, $installedDbVersion, $gL10n;
+global $gLogger, $gSettingsManager, $gCurrentSession, $installedDbVersion, $gL10n;
 if ($this->hasMaxInvalidLogins()) {
 throw new AdmException($gL10n->get('SYS_LOGIN_MAX_INVALID_LOGIN'));
@@ -542,7 +542,8 @@ public function checkLogin($password, $setAutoLogin = false, $updateSessionCooki
 if ($updateSessionCookies) {
 // set cookie for session id
-Session::setCookie(COOKIE_PREFIX . '_SESSION_ID', $gSessionId);
+$gCurrentSession->regenerateId();
+Session::setCookie(COOKIE_PREFIX . '_SESSION_ID', $gCurrentSession->getValue('ses_session_id'));
 // count logins and update login dates
 $this->saveChangesWithoutRights();
@@ -1697,7 +1698,7 @@ public function save($updateFingerPrint = true)
 if ($this->columnsValueChanged && $gCurrentSession instanceof Session) {
 // now set reload the session of the user,
 // because he has new data and maybe new rights
-$gCurrentSession->reloadSession($usrId);
+$gCurrentSession->reload($usrId);
 }
 // The record is a new record, which was just stored to the database
 // for the first time => record it as a user creation now
diff --git a/adm_program/system/common.php b/adm_program/system/common.php
index 611e8ef68..99f2165fa 100644
--- a/adm_program/system/common.php
+++ b/adm_program/system/common.php
@@ -46,13 +46,6 @@
 // TODO
 }
-// determine session id
-if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
- $gSessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
-} else {
- $gSessionId = session_id();
-}
-
 if (array_key_exists('gCurrentSession', $_SESSION)) {
 // read session object from PHP session
 /**
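Review bot: `$gCurrentSession->regenerateId()` in the `$updateSessionCookies` branch of `checkLogin()` is called on the global without checking that it holds a `Session`, while `save()` in the same file (the `@@ -1697` hunk) guards with `$gCurrentSession instanceof Session` before using it; if `checkLogin()` can run in a context without a session object (installation or command line), this line becomes a call on null. Either mirror that guard, `if ($updateSessionCookies && $gCurrentSession instanceof Session) {`, or state in the method docblock that a live `$gCurrentSession` is required. Regenerating the id before the login is persisted with `saveChangesWithoutRights()` is the right ordering; `checkLogin()` starts and ends outside the hunk.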
@@ -60,7 +53,7 @@
 * validates the session against the stored session in the database
 */
 $gCurrentSession = $_SESSION['gCurrentSession'];
- $gCurrentSession->refreshSession();
+ $gCurrentSession->refresh();
 }
 // Session handling
@@ -92,7 +85,7 @@
 $gCurrentSession->initializeObjects();
 } else {
 // create new session object and store it in PHP session
- $gCurrentSession = new Session($gDb, $gSessionId, COOKIE_PREFIX);
+ $gCurrentSession = new Session($gDb, COOKIE_PREFIX);
 $_SESSION['gCurrentSession'] = $gCurrentSession;
 }