Bug fix in Session handler for multiples Bludit installation in the same root folder

2021-11-25 20:17:38 +01:00 · 2021-11-25 20:17:38 +01:00 · 320f9a2f0c
commit 320f9a2f0c
parent 9718e03590
4 changed files with 227 additions and 211 deletions
--- a/bl-kernel/boot/admin.php
+++ b/bl-kernel/boot/admin.php
@ -2,8 +2,8 @@

 // Start the session
 // If the session is not started the admin area is not available
-Session::start();
-if (Session::started()===false) {
+Session::start($site->urlPath(), $site->isHTTPS());
+if (!Session::started()) {
 	exit('Bludit CMS. Session initialization failed.');
 }

--- a/bl-kernel/helpers/session.class.php
+++ b/bl-kernel/helpers/session.class.php
@ -5,37 +5,33 @@ class Session {
    private static $started = false;
    private static $sessionName = 'BLUDIT-KEY';

-	public static function start()
+    public static function start($path, $secure)
    {
        // Try to set the session timeout on server side, 1 hour of timeout
        ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);

-		// If TRUE cookie will only be sent over secure connections.
-		$secure = false;
-
-		// If set to TRUE then PHP will attempt to send the httponly flag when setting the session cookie.
-		$httponly = true;
-
-		// Gets current cookies params.
+        // Gets current cookies parameters
        $cookieParams = session_get_cookie_params();

-		session_set_cookie_params(
-			SESSION_COOKIE_LIFE_TIME,
-			$cookieParams["path"],
-			$cookieParams["domain"],
-			$secure,
-			$httponly
-		);
+        if (empty($path)) {
+            $path = '/';
+        }

-		// Sets the session name to the one set above.
+        session_set_cookie_params([
+            'lifetime' => $cookieParams["lifetime"],
+            'path' => $path,
+            'domain' => $cookieParams["domain"],
+            'secure' => $secure,
+            'httponly' => true,
+            'samesite' => 'Lax'
+        ]);
+
+        // Sets the session name
        session_name(self::$sessionName);

-		// Start session.
+        // Start session
        self::$started = session_start();

-		// Regenerated the session, delete the old one. There are problems with AJAX.
-		//session_regenerate_id(true);
-
        if (!self::$started) {
            Log::set(__METHOD__.LOG_SEP.'Error occurred when trying to start the session.');
        }
--- a/bl-kernel/login.class.php
+++ b/bl-kernel/login.class.php
@ -3,6 +3,7 @@
 class Login {

    protected $users;
+    protected $site;

    function __construct()
    {
@ -12,9 +13,15 @@ class Login {
            $this->users = new Users();
        }

+        if (isset($GLOBALS['site'])) {
+            $this->site = $GLOBALS['site'];
+        } else {
+            $this->site = new Site();
+        }
+
        // Start the Session
        if (!Session::started()) {
-			Session::start();
+            Session::start($this->site->urlPath(), $this->site->isHTTPS());
        }
    }

--- a/bl-kernel/site.class.php
+++ b/bl-kernel/site.class.php
@ -332,6 +332,19 @@ class Site extends dbJSON
        return $this->getField('url');
    }

+
+    public function urlPath()
+    {
+        $url = $this->getField('url');
+        return parse_url($url, PHP_URL_PATH);
+    }
+
+    public function isHTTPS()
+    {
+        $url = $this->getField('url');
+        return parse_url($url, PHP_URL_SCHEME) === 'https';
+    }
+
    // Returns the protocol and the domain, without the base url
    // For example, http://www.domain.com
    public function domain()