Adds session management

app/includes/session_middleware.php

@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * Session Middleware
+ * 
+ * Validates session status and handles session timeout.
+ * This middleware should be included in all protected pages.
+ */
+
+// Start session if not already started
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
+// Check if user is logged in
+if (!isset($_SESSION['USER_ID'])) {
+    header('Location: ' . $app_root . '?page=login');
+    exit();
+}
+
+// Check session timeout
+$session_timeout = isset($_SESSION['REMEMBER_ME']) ? (30 * 24 * 60 * 60) : 1440; // 30 days or 24 minutes
+if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $session_timeout)) {
+    // Session has expired
+    session_unset();
+    session_destroy();
+    setcookie('username', '', [
+        'expires' => time() - 3600,
+        'path' => $config['folder'],
+        'domain' => $config['domain'],
+        'secure' => isset($_SERVER['HTTPS']),
+        'httponly' => true,
+        'samesite' => 'Strict'
+    ]);
+    header('Location: ' . $app_root . '?page=login&timeout=1');
+    exit();
+}
+
+// Update last activity time
+$_SESSION['LAST_ACTIVITY'] = time();
+
+// Regenerate session ID periodically (every 30 minutes)
+if (!isset($_SESSION['CREATED'])) {
+    $_SESSION['CREATED'] = time();
+} else if (time() - $_SESSION['CREATED'] > 1800) {
+    // Regenerate session ID and update creation time
+    session_regenerate_id(true);
+    $_SESSION['CREATED'] = time();
+}

app/pages/login.php

@@ -82,6 +82,16 @@ try {
                     $gc_maxlifetime = 1440;
                 }
 
+                // Configure secure session settings
+                ini_set('session.cookie_httponly', 1);
+                ini_set('session.use_only_cookies', 1);
+                ini_set('session.cookie_secure', isset($_SERVER['HTTPS']) ? 1 : 0);
+                ini_set('session.cookie_samesite', 'Strict');
+                ini_set('session.gc_maxlifetime', $gc_maxlifetime);
+
+                // Regenerate session ID to prevent session fixation
+                session_regenerate_id(true);
+
                 // set session lifetime and cookies
                 setcookie('username', $username, [
                     'expires'	=> $setcookie_lifetime,
@@ -92,6 +102,14 @@ try {
                     'samesite'	=> 'Strict'
                 ]);
 
+                // Set session variables
+                $_SESSION['USER_ID'] = $userObject->getUserId($username)[0]['id'];
+                $_SESSION['USERNAME'] = $username;
+                $_SESSION['LAST_ACTIVITY'] = time();
+                if (isset($formData['remember_me'])) {
+                    $_SESSION['REMEMBER_ME'] = true;
+                }
+
                 // Log successful login
                 $user_id = $userObject->getUserId($username)[0]['id'];
                 $logObject->insertLog($user_id, "Login: User \"$username\" logged in. IP: $user_IP", 'user');

public_html/index.php

@@ -29,11 +29,9 @@ $security = SecurityHelper::getInstance();
 // Verify CSRF token for POST requests
 verifyCsrfToken();
 
-// Initialize message system
+// Initialize feedback message system
-require_once '../app/classes/messages.php';
+require_once '../app/classes/feedback.php';
-$messages = [];
+$system_messages = [];
-
-//include '../app/includes/messages.php';
 
 require '../app/includes/errors.php';
 
@@ -211,6 +209,14 @@ if ($page == 'logout') {
         }
     }
 
+    // List of pages that don't require authentication
+    $public_pages = ['login', 'register'];
+
+    // Check if the requested page requires authentication
+    if (!in_array($page, $public_pages)) {
+        require_once '../app/includes/session_middleware.php';
+    }
+
     // page building
     include '../app/templates/page-header.php';
     include '../app/templates/page-menu.php';