From a3555315b80da1b17d1b3eadb0243755ee4e5d14 Mon Sep 17 00:00:00 2001
From: Diego Najar
Date: Sun, 28 Nov 2021 12:45:31 +0100
Subject: [PATCH] bug fix on session and multiple paths
---
bl-kernel/helpers/session.class.php | 28 +++++++++++++++-------------
bl-kernel/login.class.php | 8 +++++++-
bl-kernel/site.class.php | 12 ++++++++++++
3 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/bl-kernel/helpers/session.class.php b/bl-kernel/helpers/session.class.php
index 993c340e..4946a9cb 100644
--- a/bl-kernel/helpers/session.class.php
+++ b/bl-kernel/helpers/session.class.php
@@ -5,27 +5,29 @@ class Session {
 private static $started = false;
 private static $sessionName = 'BLUDIT-KEY';
- public static function start()
+ public static function start($path, $secure)
 {
 // Try to set the session timeout on server side, 1 hour of timeout
 ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);
- // If TRUE cookie will only be sent over secure connections.
- $secure = false;
-
 // If set to TRUE then PHP will attempt to send the httponly flag when setting the session cookie.
 $httponly = true;
 // Gets current cookies params.
 $cookieParams = session_get_cookie_params();
- session_set_cookie_params(
- SESSION_COOKIE_LIFE_TIME,
- $cookieParams["path"],
- $cookieParams["domain"],
- $secure,
- $httponly
- );
+ if (empty($path)) {
+ $httponly = true;
+ $path = '/';
+ }
+
+ session_set_cookie_params([
+ 'lifetime' => $cookieParams["lifetime"],
+ 'path' => $path,
+ 'domain' => $cookieParams["domain"],
+ 'secure' => $secure,
+ 'httponly' => true
+ ]);
 // Sets the session name to the one set above.
 session_name(self::$sessionName);
@@ -73,11 +75,11 @@ class Session {
 }
 return false;
 }
-
+
 public static function remove($key)
 {
 $key = 's_'.$key;
-
+
 unset($_SESSION[$key]);
 }
 }
diff --git a/bl-kernel/login.class.php b/bl-kernel/login.class.php
index 5b92bada..756307db 100644
--- a/bl-kernel/login.class.php
+++ b/bl-kernel/login.class.php
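Review bot: The new `session_set_cookie_params([...])` call passes `$cookieParams["lifetime"]` where the old call passed `SESSION_COOKIE_LIFE_TIME`, so the lifetime the application configured for the session cookie is silently replaced by the php.ini default; if that is not intended, `'lifetime' => SESSION_COOKIE_LIFE_TIME,` restores it. The `$httponly = true;` inside `if (empty($path))` is redundant with the assignment above it, and `$httponly` is never read now that the array hard-codes `'httponly' => true`, so either drop the local and its comment or pass `'httponly' => $httponly`. Since the array form already requires PHP 7.3+, it is worth adding `'samesite' => 'Lax'` here as well, which the old positional form could not express and which limits cross-site sending of the session cookie. The body of `start()` continues past the end of the hunk.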
@@ -12,9 +12,15 @@ class Login {
 $this->users = new Users();
 }
+ if (isset($GLOBALS['site'])) {
+ $this->site = $GLOBALS['site'];
+ } else {
+ $this->site = new Site();
+ }
+
 // Start the Session
 if (!Session::started()) {
- Session::start();
+ Session::start($this->site->urlPath(), $this->site->isHTTPS());
 }
 }
diff --git a/bl-kernel/site.class.php b/bl-kernel/site.class.php
index 11285f82..f85cf739 100644
--- a/bl-kernel/site.class.php
+++ b/bl-kernel/site.class.php
@@ -340,6 +340,18 @@ class Site extends dbJSON {
 return $this->getField('timezone');
 }
+ public function urlPath()
+ {
+ $url = $this->getField('url');
+ return parse_url($url, PHP_URL_PATH);
+ }
+
+ public function isHTTPS()
+ {
+ $url = $this->getField('url');
+ return parse_url($url, PHP_URL_SCHEME) === 'https';
+ }
+
 // Returns the current build / version of Bludit.
 public function currentBuild()
 {
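Review bot: `Session::start($this->site->urlPath(), $this->site->isHTTPS())` takes the cookie's Secure flag from the site URL stored in configuration rather than from the scheme of the request being served; a site whose stored URL is `https://` but which is reached over plain HTTP (local or behind a TLS-terminating proxy) will have its session cookie rejected by the browser and logins will silently fail, while the opposite mismatch drops the Secure flag on a real HTTPS session. At minimum the call deserves a comment such as `// Cookie path and Secure flag follow the configured site URL, not the current request`, and ideally the flag should also consider the actual request scheme. `$this->site` is assigned here but no declaration appears in the hunk; if the class does not declare it, add `private $site;` beside the existing `$users` property. The constructor begins before the hunk.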
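Review bot: `isHTTPS()` compares the scheme with `=== 'https'`, but URL schemes are case-insensitive, so a configured `HTTPS://...` URL yields `false` and the session cookie loses its Secure flag; `return strtolower((string) parse_url($url, PHP_URL_SCHEME)) === 'https';` handles that and also the `null`/`false` that `parse_url` returns for a missing scheme or malformed URL. `urlPath()` likewise returns `null` when the URL has no path and `false` when it is malformed, which callers must treat as "no path"; the neighbouring methods carry a one-line comment, so these should too, e.g. `// Returns the path component of the configured site URL, or null/false when there is none.` and `// Returns true when the configured site URL uses the https scheme.`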