From dc6156d0b8e2208e9bec8da8967fa5ce33109652 Mon Sep 17 00:00:00 2001 From: Greg Roach Date: Sat, 16 Nov 2019 17:36:11 +0000 Subject: Detect and close sessions - e.g. created by ninjafirewall --- app/Http/Middleware/UseSession.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/app/Http/Middleware/UseSession.php b/app/Http/Middleware/UseSession.php index 54f7cb8f9a..3fb28d5cb4 100644 --- a/app/Http/Middleware/UseSession.php +++ b/app/Http/Middleware/UseSession.php @@ -28,6 +28,11 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; +use function session_destroy; +use function session_status; + +use const PHP_SESSION_ACTIVE; + /** * Middleware to activate sessions. */ @@ -41,6 +46,12 @@ class UseSession implements MiddlewareInterface */ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { + // Some sites (e.g. Wordpress/NinjaFirewall) use the PHP auto_prepend_file + // setting to run their own startup code - which may start a session. + if (session_status() === PHP_SESSION_ACTIVE) { + session_destroy(); + } + // Sessions Session::start($request); -- cgit v1.3