Only remove the "remember me" cookie at submitting the auth form

author Sandro Santilli <strk@kbt.io>

Mon, 13 Mar 2017 10:57:10 +0000 (11:57 +0100)

committer Sandro Santilli <strk@kbt.io>

Mon, 13 Mar 2017 10:59:05 +0000 (11:59 +0100)
author Sandro Santilli <strk@kbt.io>
Mon, 13 Mar 2017 10:57:10 +0000 (11:57 +0100)
committer Sandro Santilli <strk@kbt.io>
Mon, 13 Mar 2017 10:59:05 +0000 (11:59 +0100)
diff --git a/include/auth.php b/include/auth.php

index 62ca3563a414488820f2d2bf211078dd0dfeaa45..8512abe4866cf7a7a62a8d94100e994711b33795 100644 (file)
--- a/include/auth.php
+++ b/include/auth.php
@@ -179,6 +179,10 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
                         goaway(z_root());
                 }
  
+               if ( ! $_POST['remember']) {
+                       new_cookie(0); // 0 means delete on browser exit
+               }
+
                 // if we haven't failed up this point, log them in.
                 $_SESSION['remember'] = $_POST['remember'];
                 $_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
diff --git a/include/security.php b/include/security.php

index 93df6ff2553266aca0d8f99011d26e6def9d3900..23fc400b3a12f9a34c3d1c8724fb9fea669dd7dd 100644 (file)
--- a/include/security.php
+++ b/include/security.php
@@ -141,9 +141,6 @@ function authenticate_success($user_record, $login_initial = false, $interactive
                         new_cookie(604800, $user_record);
                         unset($_SESSION['remember']);
                 }
-               else {
-                       new_cookie(0); // 0 means delete on browser exit
-               }
         }
author	Sandro Santilli <strk@kbt.io>
	Mon, 13 Mar 2017 10:57:10 +0000 (11:57 +0100)
committer	Sandro Santilli <strk@kbt.io>
	Mon, 13 Mar 2017 10:59:05 +0000 (11:59 +0100)
include/auth.php		patch \| blob \| history
include/security.php		patch \| blob \| history