Merge pull request #1139 from Admidio/change-new-cookie-value-at-login

set new cookie value after valid login

adm_program/installation/update.php

@@ -64,19 +64,12 @@
     // TODO
 }
 
-// determine session id
-if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
-    $gSessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
-} else {
-    $gSessionId = session_id();
-}
-
 // create session object
 if (array_key_exists('gCurrentSession', $_SESSION)) {
     $gCurrentSession = $_SESSION['gCurrentSession'];
 } else {
     // create new session object and store it in PHP session
-    $gCurrentSession = new Session($gDb, $gSessionId, COOKIE_PREFIX);
+    $gCurrentSession = new Session($gDb, COOKIE_PREFIX);
     $_SESSION['gCurrentSession'] = $gCurrentSession;
 }
 

adm_program/modules/profile/profile_photo_edit.php

@@ -120,7 +120,7 @@
             // Foto aus Session entfernen und neues Einlesen des Users veranlassen
             $gCurrentSession->setValue('ses_binary', '');
             $gCurrentSession->save();
-            $gCurrentSession->reloadSession($user->getValue('usr_id'));
+            $gCurrentSession->reload($user->getValue('usr_id'));
             $gDb->endTransaction();
         }
     }
@@ -166,7 +166,7 @@
     else {
         $user->setValue('usr_photo', '');
         $user->save();
-        $gCurrentSession->reloadSession($user->getValue('usr_id'));
+        $gCurrentSession->reload($user->getValue('usr_id'));
     }
 
     // Loeschen erfolgreich -> Rueckgabe fuer XMLHttpRequest

adm_program/modules/profile/roles_save.php

@@ -220,7 +220,7 @@
 }
 
 // refresh session user object to update the user rights because of the new or removed role
-$gCurrentSession->reloadSession($user->getValue('usr_id'));
+$gCurrentSession->reload($user->getValue('usr_id'));
 
 // Check if a new user get's at least one role
 if ($getNewUser > 0 && $assignedCount === 0) {

adm_program/system/bootstrap/constants.php

@@ -155,7 +155,11 @@
 
 // create an installation unique cookie prefix and remove special characters
 if (isset($g_adm_db)) {
-    $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . DB_NAME . '_' . TABLE_PREFIX;
+    if (isset($gDebug)) {
+        $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . DB_NAME . '_' . TABLE_PREFIX;
+    } else {
+        $cookiePrefix = 'ADMIDIO_' . $g_organization . '_' . TABLE_PREFIX;
+    }
 } else {
     $cookiePrefix = 'ADMIDIO_' . TABLE_PREFIX;
 }

adm_program/system/classes/AutoLogin.php

@@ -18,11 +18,11 @@
  * **Code examples**
  * ```
  * // create a valid user login for a Admidio session from auto login
- * $autoLogin = new AutoLogin($gDb, $gSessionId);
+ * $autoLogin = new AutoLogin($gDb, $sessionId);
  * $autoLogin->setValidLogin($gCurrentSession, $_COOKIE['ADMIDIO_ID']);
  *
  * // delete an auto login
- * $autoLogin = new AutoLogin($gDb, $gSessionId);
+ * $autoLogin = new AutoLogin($gDb, $sessionId);
  * $autoLogin->delete();
  * ```
  */

adm_program/system/classes/Session.php

@@ -53,25 +53,29 @@ class Session extends TableAccess
      * Constructor that will create an object of a recordset of the table adm_sessions.
      * If the id is set than the specific session will be loaded.
      * @param Database   $database     Object of the class Database. This should be the default global object **$gDb**.
-     * @param int|string $session      The recordset of the session with this id will be loaded.
-     *                                 The session can be the table id or the alphanumeric session id.
-     *                                 If id isn't set than an empty object of the table is created.
      * @param string     $cookiePrefix The prefix that is used for cookies
      */
-    public function __construct(Database $database, $session = 0, $cookiePrefix = '')
+    public function __construct(Database $database, $cookiePrefix = '')
     {
         parent::__construct($database, TBL_SESSIONS, 'ses');
 
+        // determine session id
+        if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
+            $sessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
+        } else {
+            $sessionId = session_id();
+        }
+
         $this->cookieAutoLoginId = $cookiePrefix . '_AUTO_LOGIN_ID';
 
-        if (is_int($session)) {
-            $this->readDataById($session);
+        if (is_int($sessionId)) {
+            $this->readDataById($sessionId);
         } else {
-            $this->readDataByColumns(array('ses_session_id' => $session));
+            $this->readDataByColumns(array('ses_session_id' => $sessionId));
 
             if ($this->newRecord) {
                 // if PHP session id was commited then store them in that field
-                $this->setValue('ses_session_id', $session);
+                $this->setValue('ses_session_id', $sessionId);
                 $this->setValue('ses_timestamp', DATETIME_NOW);
             }
         }
@@ -286,7 +290,7 @@ public function refreshAutoLogin()
      * Reload session data from database table adm_sessions. If IP address check is activated than check if the IP
      * address has changed. Refresh AutoLogin with new auto_login_id.
      */
-    public function refreshSession()
+    public function refresh()
     {
         // read session data from database to update the renew flag
         $this->readDataById((int) $this->getValue('ses_id'));
@@ -316,6 +320,18 @@ public function refreshSession()
         }
     }
 
+    /**
+     * This method will replace the current session ID with a new one, and keep the current session information.
+     * The new session id will be stored in the database.
+     */
+    public function regenerateId()
+    {
+        session_regenerate_id();
+
+        $this->setValue('ses_session_id', session_id());
+        $this->save();
+    }
+
     /**
      * This method will reload all stored objects of all active sessions. The session will be
      * reloaded if the user will open a new page.
@@ -331,7 +347,7 @@ public function reloadAllSessions()
      * and reloaded if the user opens a new page.
      * @param int $userId Id of the user whose session should be relaoded.
      */
-    public function reloadSession(int $userId)
+    public function reload(int $userId)
     {
         $sql = 'UPDATE ' . TBL_SESSIONS . ' SET ses_reload = true
                  WHERE ses_usr_id = ?  -- $userId';

adm_program/system/classes/TableMembers.php

@@ -159,7 +159,7 @@ public function delete()
         }
 
         // renew user object of the affected user because of edited role assignment
-        $GLOBALS['gCurrentSession']->reloadSession((int) $this->getValue('mem_usr_id'));
+        $GLOBALS['gCurrentSession']->reload($this->getValue('mem_usr_id'));
 
         return parent::delete();
     }
@@ -182,7 +182,7 @@ public function save($updateFingerPrint = true)
 
         if ($returnStatus && $gCurrentSession instanceof Session) {
             // renew user object of the affected user because of edited role assignment
-            $gCurrentSession->reloadSession((int) $this->getValue('mem_usr_id'));
+            $gCurrentSession->reload($this->getValue('mem_usr_id'));
         }
 
         if ($newRecord && is_object($gChangeNotification)) {

adm_program/system/classes/User.php

@@ -496,7 +496,7 @@ public function checkRolesRight($right = null)
      */
     public function checkLogin($password, $setAutoLogin = false, $updateSessionCookies = true, $updateHash = true, $isAdministrator = false)
     {
-        global $gLogger, $gSettingsManager, $gCurrentSession, $gSessionId, $installedDbVersion, $gL10n;
+        global $gLogger, $gSettingsManager, $gCurrentSession, $installedDbVersion, $gL10n;
 
         if ($this->hasMaxInvalidLogins()) {
             throw new AdmException($gL10n->get('SYS_LOGIN_MAX_INVALID_LOGIN'));
@@ -542,7 +542,8 @@ public function checkLogin($password, $setAutoLogin = false, $updateSessionCooki
 
         if ($updateSessionCookies) {
             // set cookie for session id
-            Session::setCookie(COOKIE_PREFIX . '_SESSION_ID', $gSessionId);
+            $gCurrentSession->regenerateId();
+            Session::setCookie(COOKIE_PREFIX . '_SESSION_ID', $gCurrentSession->getValue('ses_session_id'));
 
             // count logins and update login dates
             $this->saveChangesWithoutRights();
@@ -1697,7 +1698,7 @@ public function save($updateFingerPrint = true)
         if ($this->columnsValueChanged && $gCurrentSession instanceof Session) {
             // now set reload the session of the user,
             // because he has new data and maybe new rights
-            $gCurrentSession->reloadSession($usrId);
+            $gCurrentSession->reload($usrId);
         }
         // The record is a new record, which was just stored to the database
         // for the first time => record it as a user creation now

adm_program/system/common.php

@@ -46,21 +46,14 @@
     // TODO
 }
 
-// determine session id
-if (array_key_exists(COOKIE_PREFIX . '_SESSION_ID', $_COOKIE)) {
-    $gSessionId = $_COOKIE[COOKIE_PREFIX . '_SESSION_ID'];
-} else {
-    $gSessionId = session_id();
-}
-
 if (array_key_exists('gCurrentSession', $_SESSION)) {
     // read session object from PHP session
     /**
      * @var Session $gCurrentSession The global session object that will store the other global objects and
      *                               validates the session against the stored session in the database
      */
     $gCurrentSession = $_SESSION['gCurrentSession'];
-    $gCurrentSession->refreshSession();
+    $gCurrentSession->refresh();
 }
 
 // Session handling
@@ -92,7 +85,7 @@
         $gCurrentSession->initializeObjects();
     } else {
         // create new session object and store it in PHP session
-        $gCurrentSession = new Session($gDb, $gSessionId, COOKIE_PREFIX);
+        $gCurrentSession = new Session($gDb, COOKIE_PREFIX);
         $_SESSION['gCurrentSession'] = $gCurrentSession;
     }