Commit 630b3a9d authored by Graham Cole's avatar Graham Cole

stop using temporary cookies for logged in users and set a timeout instead....

stop using temporary cookies for logged in users and set a timeout instead. Sessions should now time out after 48 hours of inactivity, or 8 days since authenticating, whichever comes first. Also fix a bug where we tried to delete users' sessions before actually figuring out who they were, which stopped logout from functioning correctly
parent 3f7f511e
......@@ -24,8 +24,9 @@ public $data=''; // Var/array for session persistant data
public $token=''; // session identifier
public $logintime=''; // Time which user last gave us credentials
public $lastseen=''; // Time of last page request
private $timeout = 2880; // Idle timeout limit in minutes (session deleted)
private $timeout = 2880; // Idle timeout limit in minutes (session deleted), 2880 == 48 hours
private $secure_timeout = 30; // Idle timeout limit in minutes (consider session less secure, require reauth for sensitive ops)
private $max_session_length = 11520; // maximum length of a session, 11520 == 8 days
private $table = "session"; // session storage table (const)
private $datahash=''; // hash of data field
......@@ -39,6 +40,7 @@ private $datahash=''; // hash of data field
$token = $this->genSessionID();
$DB->Execute("insert into {$this->table} (hash, lastseen, ip) values (?,NOW(),?)", array($token, $_SERVER['REMOTE_ADDR']));
setcookie("sucssite_session", $token, NULL, "/", $preferred_hostname);
setcookie("sucssite_loggedin", "false");
$this->token = $token;
return;
}
......@@ -49,7 +51,7 @@ private $datahash=''; // hash of data field
// is user coming from the IP address they were when they logged in?
if ($detail['ip'] != $_SERVER['REMOTE_ADDR']) {
return false;
} elseif (time() > ($self->logintime + $secure_timeout)) {
} elseif (time() > ($this->logintime + $this->secure_timeout)) {
// has it been too long since we last asked for credentials?
return false;
}
......@@ -69,7 +71,6 @@ private $datahash=''; // hash of data field
return;
}
// The possible form elements
$submit = @$_POST['Login'];
$logout = @$_POST['Logout'];
......@@ -80,13 +81,11 @@ private $datahash=''; // hash of data field
$this->loggedin = FALSE;
// Time out any old sessions
$DB->Execute("delete from {$this->table} where lastseen < NOW() - '{$this->timeout} minutes'::reltime");
$DB->Execute(
"delete from {$this->table} where lastseen < NOW() - '{$this->timeout} minutes'::reltime".
"or logintime < NOW() - '{$this->max_session_length} minutes'::reltime"
);
// Log them out if they ask
if ($logout=="Logout") {
$this->logout();
return;
}
// the possible token data passed from a form
if (isset($_REQUEST['token']))
......@@ -99,6 +98,12 @@ private $datahash=''; // hash of data field
if (isset($token)) $this->token = $token;
// Log them out if they ask
if ($logout=="Logout") {
$this->logout();
return;
}
// Okay, so we still dont have a session id
// so issue a new one and go back to core
if (!isset($token))
......@@ -308,11 +313,11 @@ private $datahash=''; // hash of data field
// so generate a new one with the secure flag set
$oldtoken = $this->token;
$this->token = $this->genSessionID();
setcookie("sucssite_session", $this->token, NULL, "/", $preferred_hostname, TRUE);
setcookie("sucssite_session", $this->token, time() + $this->max_session_length * 60, "/", $preferred_hostname, TRUE);
// set a cookie as a hint that we're logged in
// this can be checked for to allow redirecting to SSL to get the secure cookie
setcookie("sucssite_loggedin", "true");
setcookie("sucssite_loggedin", "true", time() + $this->max_session_length * 60);
// Update the session, filling in the blanks
$DB->Execute("update {$this->table} set hash=?, username=?, logintime='NOW()', lastseen='NOW()', ip=? where hash=?",
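Review bot: The two string fragments of the new delete statement are concatenated with no separating whitespace, so the SQL sent to the database reads `...'2880 minutes'::reltimeor logintime < ...` and the statement fails instead of expiring anything, which silently disables both the idle timeout and the new maximum-session-length limit this commit introduces. Add a trailing space to the first fragment: `"delete from {$this->table} where lastseen < NOW() - '{$this->timeout} minutes'::reltime ".` followed by `"or logintime < NOW() - '{$this->max_session_length} minutes'::reltime"`. Whether that failure is surfaced depends on how $DB->Execute reports errors, which is outside this hunk, so a regression test that inserts a stale session row and asserts it is gone after the next request would catch this. Separately, the reauth check `time() > ($this->logintime + $this->secure_timeout)` adds a value documented as minutes to a seconds-based epoch; if $logintime holds epoch seconds the secure window is 30 seconds rather than 30 minutes, and it presumably should be `$this->secure_timeout * 60` as the cookie expiry lines already do — confirm what logintime holds.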