hestiacp#1002 Limit session length

INACTIVE_SESSION_TIMEOUT is set 60 min by default need to be modifiable via UI

Author: jaapmarcus

install/hst-install-debian.sh

@@ -1660,6 +1660,11 @@ if [ "$mysql" = 'yes' ]; then
     source $HESTIA_INSTALL_DIR/phpmyadmin/pma.sh > /dev/null 2>&1
 fi
 
+#----------------------------------------------------------#
+#                     Limit PHP SESSIONS                   #
+#----------------------------------------------------------#
+
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 #                   Configure Admin User                   #

install/hst-install-ubuntu.sh

@@ -1683,6 +1683,11 @@ else
     echo "API='no'" >> $HESTIA/conf/hestia.conf
 fi
 
+#----------------------------------------------------------#
+#                     Limit PHP SESSIONS                   #
+#----------------------------------------------------------#
+
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 #                      Fix phpmyadmin                      #

install/upgrade/versions/latest.sh

@@ -56,3 +56,6 @@ if [ -f "$apt/postgresql.list" ]; then
         sed -i "s/http\:\/\/apt.postgresql.org/https\:\/\/apt.postgresql.org/g" $apt/postgresql.list
     fi
 fi
+
+# Limit PHP Session Live time 
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf

web/inc/main.php

@@ -72,6 +72,18 @@
     }
 }
 
+if( NO_AUTH_REQUIRED !== true){
+    if(empty($_SESSION['LAST_ACTIVITY']) || empty($_SESSION['INACTIVE_SESSION_TIMEOUT'])){
+        session_destroy();
+        header("Location: /login/"); 
+    }else if ($_SESSION['INACTIVE_SESSION_TIMEOUT'] * 60 + $_SESSION['LAST_ACTIVITY'] < time()) {
+        session_destroy();
+        header("Location: /login/"); 
+    }else{
+        $_SESSION['LAST_ACTIVITY'] = time();
+    }
+}
+
 if (isset($_SESSION['language'])) {
     switch ($_SESSION['language']) {
         case 'ro':

web/login/index.php

@@ -1,7 +1,6 @@
 <?php
 
 define('NO_AUTH_REQUIRED',true);
-
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
@@ -12,8 +11,6 @@
     session_destroy();
 }
 
-
-
 // Login as someone else
 if (isset($_SESSION['user'])) {
     if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
@@ -116,7 +113,7 @@ function authenticate_user(){
                 // Define session user
                 $_SESSION['user'] = key($data);
                 $v_user = $_SESSION['user'];
-
+                $_SESSION['LAST_ACTIVITY'] = time();
                 // Define language
                 $output = '';
                 exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);