Session validation improvement

like proposed her panique#885
kristuff · Jun 6, 2020 · 0e9ab7b · 0e9ab7b
1 parent 40a4380
commit 0e9ab7b
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/application/core/Auth.php b/application/core/Auth.php
@@ -72,7 +72,7 @@ public static function checkAdminAuthentication()
      */
     public static function checkSessionConcurrency(){
         if(Session::userIsLoggedIn()){
-            if(Session::isConcurrentSessionExists()){
+            if(Session::isSessionBroken()){
                 LoginModel::logout();
                 Redirect::home();
                 exit();

diff --git a/application/core/Session.php b/application/core/Session.php
@@ -84,8 +84,10 @@ public static function updateSessionId($userId, $sessionId = null)
     }
 
     /**
-     * checks for session concurrency
-     *
+     * checks for broken session 
+     * Session could be broken by Session concurrency or when user is deleted / suspended
+     * 
+     * - Session concurrency is done as the following:
      * This is done as the following:
      * UserA logs in with his session id('123') and it will be stored in the database.
      * Then, UserB logs in also using the same email and password of UserA from another PC,
@@ -94,14 +96,17 @@ public static function updateSessionId($userId, $sessionId = null)
      * Now, Whenever UserA performs any action,
      * You then check the session_id() against the last one stored in the database('456'),
      * If they don't match then log both of them out.
+     * 
+     * - Check for deleted / suspended users:
+     * Suspended/deleted users have no userSessionId anymore stored in database
      *
      * @access public
      * @static static method
      * @return bool
      * @see Session::updateSessionId()
      * @see http://stackoverflow.com/questions/6126285/php-stop-concurrent-user-logins
      */
-    public static function isConcurrentSessionExists()
+    public static function isSessionBroken()
     {
         $session_id = session_id();
         $userId     = Session::get('user_id');
@@ -117,7 +122,7 @@ public static function isConcurrentSessionExists()
             $result = $query->fetch();
             $userSessionId = !empty($result)? $result->session_id: null;
 
-            return $session_id !== $userSessionId;
+            return empty($userSessionId) || $session_id !== $userSessionId;
         }
 
         return false;