Fix #9664: PHP session cookies were not destroyed, and session_clean(…

…) was never called. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5593 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Sep 27, 2008 · cbd8c1e · cbd8c1e
1 parent 3a60178
commit cbd8c1e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/core/authentication_api.php b/core/authentication_api.php
@@ -265,6 +265,8 @@ function auth_logout() {
 			auth_http_set_logout_pending( true );
 		}
 
+		session_clean();
+
 		return true;
 	}
 

diff --git a/core/session_api.php b/core/session_api.php
@@ -58,6 +58,8 @@ function __construct() {
 		session_cache_limiter( 'private_no_expire' );
 		if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
 			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
+		} else {
+			session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false, true );
 		}
 		session_start();
 		$this->id = session_id();
@@ -85,6 +87,10 @@ function delete( $p_name ) {
 	}
 
 	function destroy() {
+		if ( isset( $_COOKIE[ session_name() ] ) && !headers_sent() ) {
+			gpc_set_cookie( session_name(), '', time() - 42000 );
+		}
+
 		unset( $_SESSION );
 		session_destroy();
 	}