From 59da10b649808cd0359068d0447f30fc5560f44e Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Thu, 2 Jun 2022 16:35:40 +0900
Subject: [PATCH] Session class update with session destroy / start wrapper session start wrapper as protected method session destroy wrapper with _SESSION array unset
---
 www/lib/CoreLibs/Create/Session.php | 59 ++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 13 deletions(-)
diff --git a/www/lib/CoreLibs/Create/Session.php b/www/lib/CoreLibs/Create/Session.php
index 448b0e77..f1d20f6e 100644
--- a/www/lib/CoreLibs/Create/Session.php
+++ b/www/lib/CoreLibs/Create/Session.php
@@ -18,6 +18,19 @@ class Session
 /** @var string list for errors */
 private $session_intern_error_str = '';
 
+ /**
+ * Start session
+ * startSession should be called for complete check
+ * If this is called without any name set before the php.ini name is
+ * used.
+ *
+ * @return void
+ */
+ protected function startSessionCall(): void
+ {
+ session_start();
+ }
+
 /**
 * init a session, if array is empty or array does not have session_name set
 * then no auto init is run
@@ -58,19 +71,6 @@ class Session
 return true;
 }
 
- /**
- * Start session
- * startSession should be called for complete check
- * If this is called without any name set before the php.ini name is
- * used.
- *
- * @return void
- */
- public function startSessionCall(): void
- {
- session_start();
- }
-
 /**
 * Return set error string, empty if none set
 * Error strings are only set in the startSession method
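Review bot: The added `startSessionCall()` discards the result of `session_start()`, which returns false when the session cannot be started, so a failed start looks the same as a successful one to whatever calls the wrapper. Consider passing the result through, `protected function startSessionCall(): bool` with `return session_start();`, and letting the caller record the failure; the caller's body is outside this hunk, so how it would report that is not visible here. The docblock could also state that the method is now internal, since narrowing it from public to protected breaks any code that called it from outside the class.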
@@ -206,6 +206,39 @@ class Session
 return session_write_close();
 }
 
+ /**
+ * Proper destroy a session
+ * - unset the _SESSION array
+ * - unset cookie if cookie on and we have not strict mode
+ * - destroy session
+ *
+ * @return bool
+ */
+ public function sessionDestroy(): bool
+ {
+ $_SESSION = [];
+ if (
+ ini_get('session.use_cookies') &&
+ !ini_get('session.use_strict_mode')
+ ) {
+ $session_name = $this->getSessionName();
+ if ($session_name === false) {
+ $session_name = '';
+ }
+ $params = session_get_cookie_params();
+ setcookie(
+ (string)$session_name,
+ '',
+ time() - 42000,
+ $params['path'],
+ $params['domain'],
+ $params['secure'],
+ $params['httponly']
+ );
+ }
+ return session_destroy();
+ }
+
 /**
 * get session status
 * PHP_SESSION_DISABLED if sessions are disabled.
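Review bot: In `sessionDestroy()` the fallback `$session_name = '';` passes an empty name to `setcookie()`, which cannot expire the session cookie and on PHP 8 throws a ValueError before `session_destroy()` runs (on PHP 7 it is a warning). Skip the cookie step instead of substituting a name, for example by wrapping the `setcookie()` call in `if (is_string($session_name) && $session_name !== '' && !headers_sent()) {`; the `headers_sent()` test also covers the case where output has already started and the cookie can no longer be changed. `getSessionName()` is defined outside this hunk, so the conditions under which it returns false are assumed here. A comment explaining why the cookie is left in place when `session.use_strict_mode` is on would also help, because in that configuration the old identifier stays in the browser after the session is destroyed.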