From 2b3a7171b3a84240d3a82b99c709236fa4adb5af Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 15 Jan 2022 21:26:22 +0000
Subject: [PATCH] Session management

---
 login.php | 5 +++--
 post.php | 7 ++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/login.php b/login.php
index 2a924624..656c356c 100644
--- a/login.php
+++ b/login.php
@@ -24,9 +24,10 @@ if($config_https_only){
 ini_set("session.cookie_secure", True);
 }
-session_start();
-
 if(isset($_POST['login'])){
+
+ // Sessions should start after the user has POSTed data
+ session_start();
 $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
 $password = $_POST['password'];
diff --git a/post.php b/post.php
index 4b57a1a0..6aae84a1 100644
--- a/post.php
+++ b/post.php
@@ -6640,12 +6640,17 @@ if(isset($_GET['export_client_pdf'])){
 if(isset($_GET['logout'])){
 mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Logout', log_action = 'Success', log_description = '$session_name logged out', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id");
+ mysqli_query($mysqli, "UPDATE users SET user_php_session = '' WHERE user_id = '$session_user_id'");
- session_start();
+ setcookie("PHPSESSID", '', time() - 3600, "/");
+ unset($_COOKIE['PHPSESSID']);
 setcookie("user_encryption_session_key", '', time() - 3600, "/");
 unset($_COOKIE['user_encryption_session_key']);
+ setcookie("user_extension_key", '', time() - 3600, "/");
+ unset($_COOKIE['user_extension_key']);
+ session_unset();
 session_destroy();
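Review bot: The `session_start()` added inside the POST branch of login.php should be paired, on the successful-authentication path (which lies outside this hunk), with `session_regenerate_id(true);` so the session id issued to the pre-login request is not kept for the authenticated session; if that call already exists further down, disregard this. The added comment says when the session starts but not why; `// Start the session only on a login attempt so plain GET requests to the form do not create a session` would state the intent. Since the session now starts only on POST, any code in login.php that reads `$_SESSION` during a GET (for example to render a token or redirect an already-signed-in user) would run without an active session; that code is not visible here, so this is worth confirming. The hunk's trailing context continues past what is shown.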