From f77e15bf444d8fb656b80944743ae3e94a6149a7 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Sun, 13 Apr 2025 19:34:13 +0300
Subject: [PATCH] Implements the new session class

---
 app/classes/session.php | 2 +-
 app/pages/login.php | 57 ++++++++++------------------------------
 public_html/index.php | 55 +++++++++++++++++++++------------------
 3 files changed, 45 insertions(+), 69 deletions(-)

diff --git a/app/classes/session.php b/app/classes/session.php
index 9028350..192ca67 100644
--- a/app/classes/session.php
+++ b/app/classes/session.php
@@ -17,7 +17,7 @@ class Session {
 * Start or resume a session with secure options
 */
 public static function startSession() {
- session_name('totalmeet');
+ session_name('jilo');
 if (session_status() !== PHP_SESSION_ACTIVE && !headers_sent()) {
 session_start(self::$sessionOptions);
 }
diff --git a/app/pages/login.php b/app/pages/login.php
index 4d17b58..655f696 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
@@ -33,21 +33,23 @@ try {
 if ($action === 'verify' && isset($_SESSION['2fa_pending_user_id'])) {
 // Handle 2FA verification
 $code = $_POST['code'] ?? '';
- $userId = $_SESSION['2fa_pending_user_id'];
- $username = $_SESSION['2fa_pending_username'];
- $rememberMe = isset($_SESSION['2fa_pending_remember']);
+ $pending2FA = Session::get2FAPending();
+
+ if (!$pending2FA) {
+ header('Location: ' . htmlspecialchars($app_root) . '?page=login');
+ exit();
+ }
 require_once '../app/classes/twoFactorAuth.php';
 $twoFactorAuth = new TwoFactorAuthentication($db);
- if ($twoFactorAuth->verify($userId, $code)) {
+ if ($twoFactorAuth->verify($pending2FA['user_id'], $code)) {
 // Complete login
- handleSuccessfulLogin($userId, $username, $rememberMe, $config, $logObject, $user_IP);
+ handleSuccessfulLogin($pending2FA['user_id'], $pending2FA['username'],
+ $pending2FA['remember_me'], $config, $logObject, $user_IP);
 // Clean up 2FA session data
- unset($_SESSION['2fa_pending_user_id']);
- unset($_SESSION['2fa_pending_username']);
- unset($_SESSION['2fa_pending_remember']);
+ Session::clear2FAPending();
 exit();
 }
@@ -232,11 +234,8 @@ try {
 switch ($loginResult['status']) {
 case 'requires_2fa':
 // Store pending 2FA info
- $_SESSION['2fa_pending_user_id'] = $loginResult['user_id'];
- $_SESSION['2fa_pending_username'] = $loginResult['username'];
- if (isset($formData['remember_me'])) {
- $_SESSION['2fa_pending_remember'] = true;
- }
+ Session::store2FAPending($loginResult['user_id'], $loginResult['username'],
+ isset($formData['remember_me']));
 // Redirect to 2FA verification
 header('Location: ?page=login&action=verify');
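Review bot: The branch guard still reads the raw `$_SESSION['2fa_pending_user_id']` key while everything after it goes through `Session::get2FAPending()` and `Session::store2FAPending()`; if the new class keeps its pending state under a different key the `verify` action is never entered, and if it keeps the same key the `if (!$pending2FA)` redirect added below is unreachable. Drive the guard from the same abstraction, e.g. `if ($action === 'verify' && ($pending2FA = Session::get2FAPending())) {`, and drop the separate null check. Nothing in the hunk bounds how many codes can be submitted against one pending user id; unless `TwoFactorAuthentication::verify()` counts attempts itself (not visible here), the failure path should increment a counter stored with the pending record and clear the record after a small number of misses, so a six-digit code cannot be enumerated within its validity window. The enclosing try block starts before the hunk and the branch taken when `verify()` fails lies after it.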
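Review bot: The pending-2FA record is written into the same pre-authentication session that served the password step, and nothing in this hunk bounds how long it lives, so a browser parked on the verify page keeps that user id bound to the session indefinitely. If `Session::store2FAPending()` does not already stamp a creation time (its body is not in this commit), record one and have `get2FAPending()` return null once a short window has passed, e.g. `'created' => time()` on store and `if (time() - $p['created'] > 300) { self::clear2FAPending(); return null; }` on read. A comment on the `requires_2fa` case such as `// pending state is short-lived; get2FAPending() rejects stale records` would make the expectation explicit. The switch statement continues past the hunk.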
@@ -282,36 +281,8 @@ include '../app/templates/form-login.php';
 * Handle successful login by setting up session and cookies
 */
 function handleSuccessfulLogin($userId, $username, $rememberMe, $config, $logObject, $userIP) {
- if ($rememberMe) {
- // 30*24*60*60 = 30 days
- $cookie_lifetime = 30 * 24 * 60 * 60;
- $setcookie_lifetime = time() + 30 * 24 * 60 * 60;
- } else {
- // 0 - session end on browser close
- $cookie_lifetime = 0;
- $setcookie_lifetime = 0;
- }
-
- // Regenerate session ID to prevent session fixation
- session_regenerate_id(true);
-
- // set session lifetime and cookies
- setcookie('username', $username, [
- 'expires' => $setcookie_lifetime,
- 'path' => $config['folder'],
- 'domain' => $config['domain'],
- 'secure' => isset($_SERVER['HTTPS']),
- 'httponly' => true,
- 'samesite' => 'Strict'
- ]);
-
- // Set session variables
- $_SESSION['user_id'] = $userId;
- $_SESSION['USERNAME'] = $username;
- $_SESSION['LAST_ACTIVITY'] = time();
- if ($rememberMe) {
- $_SESSION['REMEMBER_ME'] = true;
- }
+ // Create authenticated session
+ Session::createAuthSession($userId, $username, $rememberMe, $config);
 // Log successful login
 $logObject->insertLog($userId, "Login: User \"$username\" logged in. IP: $userIP", 'user');
diff --git a/public_html/index.php b/public_html/index.php
index da170b1..efc3368 100644
--- a/public_html/index.php
+++ b/public_html/index.php
@@ -15,14 +15,18 @@
 // flush it later only when there is no redirect
 ob_start();
+// Start session before any session-dependent code
+require_once '../app/classes/session.php';
+Session::startSession();
+
 // Apply security headers
 require_once '../app/includes/security_headers_middleware.php';
 // sanitize all input vars that may end up in URLs or forms
 require '../app/includes/sanitize.php';
-session_name('jilo');
-session_start();
+// Check session validity
+$validSession = Session::isValidSession();
 // Initialize feedback message system
 require_once '../app/classes/feedback.php';
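Review bot: This function used to call `session_regenerate_id(true)` and write the `username` cookie itself; both now depend on what `Session::createAuthSession()` does, which this commit does not show, while index.php still steers on `$_COOKIE['username']` and the logout path still clears that cookie. If `createAuthSession()` does not regenerate the id before writing `user_id`, the session that carried the pending-2FA state — and any id a fixation attacker planted before login — becomes the authenticated one, so confirm the regeneration, and confirm the cookie is set with the same `httponly`, `samesite=Strict` and `secure` attributes the removed `setcookie()` used. The docblock above the function should also say where the work moved, e.g. `* Session id regeneration, session variables and the username cookie are handled by Session::createAuthSession().` The rest of handleSuccessfulLogin continues past the hunk.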
@@ -64,6 +68,8 @@ $allowed_urls = [
 'login',
 'logout',
 'register',
+
+ 'about',
 ];
 // cnfig file
@@ -92,17 +98,26 @@ if ($config_file) {
 $app_root = $config['folder'];
-// check if logged in
-unset($currentUser);
-if (isset($_COOKIE['username'])) {
- if ( !isset($_SESSION['username']) ) {
- $_SESSION['username'] = $_COOKIE['username'];
- }
- $currentUser = htmlspecialchars($_SESSION['username']);
+// List of pages that don't require authentication
+$public_pages = ['login', 'register', 'help', 'about'];
+
+// Check if the requested page requires authentication
+if (!isset($_COOKIE['username']) && !$validSession && !in_array($page, $public_pages)) {
+ require_once '../app/includes/session_middleware.php';
+ applySessionMiddleware($config, $app_root);
 }
-// redirect to login
-if ( !isset($_COOKIE['username']) && ($page !== 'login' && $page !== 'register') ) {
+// Check session and redirect if needed
+$currentUser = null;
+if ($validSession) {
+ $currentUser = Session::getUsername();
+} else if (isset($_COOKIE['username']) && !in_array($page, $public_pages)) {
+ // Cookie exists but session is invalid - redirect to login
+ Feedback::flash('LOGIN', 'SESSION_TIMEOUT');
+ header('Location: ' . htmlspecialchars($app_root) . '?page=login&timeout=1');
+ exit();
+} else if (!in_array($page, $public_pages)) {
+ // No valid session or cookie, and not a public page
 header('Location: ' . htmlspecialchars($app_root) . '?page=login');
 exit();
 }
@@ -164,11 +179,10 @@ if ($page == 'logout') {
 $user_id = $userObject->getUserId($currentUser)[0]['id'];
 // clean up session
- session_unset();
- session_destroy();
+ Session::destroySession();
 // start new session for the login page
- session_start();
+ Session::startSession();
 setcookie('username', "", time() - 100, $config['folder'], $config['domain'], isset($_SERVER['HTTPS']), true);
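Review bot: `$currentUser` is now assigned the raw result of `Session::getUsername()`, whereas the removed code wrapped `$_SESSION['username']` in `htmlspecialchars()`; unless `getUsername()` escapes (not visible here), every template that echoes `$currentUser` must now escape it at output, and the header/menu templates included later are outside this hunk. Since the same variable feeds `$userObject->getUserId($currentUser)` in the logout hunk, keeping it raw for lookups and escaping in the templates is the right split, so audit the templates rather than re-adding the wrapper here. Separately, the client-controlled `username` cookie still decides control flow: with it present and no valid session `applySessionMiddleware()` is skipped and a SESSION_TIMEOUT flash is shown, with it absent the middleware runs; an unauthenticated cookie should at most select the message, e.g. `if (!$validSession && !in_array($page, $public_pages, true)) { require_once '../app/includes/session_middleware.php'; applySessionMiddleware($config, $app_root); }` with the flash chosen by `isset($_COOKIE['username'])` inside the redirect branch. Pass `true` as the third argument to all three `in_array()` calls as well.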
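Review bot: `Session::destroySession()` followed by `Session::startSession()` reopens a session under the same id the browser still holds, exactly as the old `session_destroy(); session_start();` pair did, because `startSession()` (shown in the session.php hunk) only calls `session_start()` and never regenerates; unless `self::$sessionOptions` enables `use_strict_mode` (not visible here), the logged-out id stays usable for the next login on that browser. Either have `destroySession()` expire the `jilo` cookie or call `session_regenerate_id(true);` right after `Session::startSession();` here. The trailing `setcookie('username', "", ...)` clears the username cookie with positional arguments and no `samesite`, unlike the array form the removed login code used; writing both with the same array form keeps the two cookie writes consistent. The logout branch starts before this hunk.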
@@ -186,8 +200,7 @@ if ($page == 'logout') {
 } else {
 // if user is logged in, we need user details and rights
- if (isset($currentUser)) {
-
+ if ($validSession) {
 // If by error a logged in user requests the login page
 if ($page === 'login') {
 header('Location: ' . htmlspecialchars($app_root));
@@ -211,18 +224,10 @@ if ($page == 'logout') {
 }
 }
- // List of pages that don't require authentication
- $public_pages = ['login', 'register'];
-
- // Check if the requested page requires authentication
- if (!in_array($page, $public_pages)) {
- require_once '../app/includes/session_middleware.php';
- }
-
 // page building
 include '../app/templates/page-header.php';
 include '../app/templates/page-menu.php';
- if (isset($currentUser)) {
+ if ($validSession) {
 include '../app/templates/page-sidebar.php';
 }
 if (in_array($page, $allowed_urls)) {
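Review bot: Dropping the unconditional `session_middleware.php` include for non-public pages means an authenticated request no longer passes through that file at all — the replacement earlier in index.php only loads it when there is neither a cookie nor a valid session — so whatever idle-timeout or last-activity refresh it performed (the removed login code maintained `LAST_ACTIVITY`) now has to live inside `Session::isValidSession()`. If `isValidSession()` does not compare and refresh a last-activity timestamp, sessions never expire on inactivity; confirm it before merging, or keep the middleware applied for valid sessions too. A comment at the `// page building` marker such as `// session validity and idle timeout are enforced by Session::isValidSession() at the top of this file` would record where that responsibility moved. The enclosing else branch begins before this hunk.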