From cee23ce48ea81612eefe30552da1cc286138af0b Mon Sep 17 00:00:00 2001
From: Minteck
Date: Sat, 5 Feb 2022 15:55:51 +0100
Subject: Update
---
 includes/session.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'includes/session.php')
diff --git a/includes/session.php b/includes/session.php
index 9f38ca4..bf642ed 100644
--- a/includes/session.php
+++ b/includes/session.php
@@ -5,11 +5,16 @@ $_CONFIG = json_decode(file_get_contents("/mnt/familine/private/FamilineConfig.j
 if ($_SERVER['REMOTE_ADDR'] !== "127.0.0.1" && $_SERVER['REMOTE_ADDR'] !== "::0") {
 if (isset($_COOKIE['FL_SESSION_TOKEN'])) {
+ if (strpos($_COOKIE['FL_SESSION_TOKEN'], ".") !== false || strpos($_COOKIE['FL_SESSION_TOKEN'], "/") !== false) {
+ header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
+ die();
+ }
+
 if (file_exists("/mnt/familine/private/tokens/" . str_replace(".", "", str_replace("/", "", $_COOKIE['FL_SESSION_TOKEN'])))) {
 $_PROFILE = json_decode(file_get_contents("/mnt/familine/private/tokens/" . str_replace(".", "", str_replace("/", "", $_COOKIE['FL_SESSION_TOKEN']))), true);
 if (isset($_PROFILE['familine'])) {
- header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+ header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
 die();
 }
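Review bot: The new guard still lets an empty cookie through: `isset($_COOKIE['FL_SESSION_TOKEN'])` is true for `FL_SESSION_TOKEN=`, neither `strpos` matches, and `file_exists("/mnt/familine/private/tokens/")` is then true for the directory itself, so `file_get_contents` returns false, `$_PROFILE` decodes to null, and control reaches the `$_SUID = $_PROFILE['login']` assignment in the next hunk with a null identity instead of the redirect. Extend the guard with `$_COOKIE['FL_SESSION_TOKEN'] === '' ||` and change the lookup to `is_file(...)` so only a regular token file passes; better still, replace the `.`/`/` denylist with an allowlist on the token generator's alphabet (for example `!preg_match('/^[A-Za-z0-9]+$/', $_COOKIE['FL_SESSION_TOKEN'])`, adjusted to the real token format), after which the two `str_replace` wrappers on the lookup are dead and can be dropped. Separately, every new redirect builds `r` from `$_SERVER[HTTP_HOST]`, which comes from the request, while `$_CONFIG["Global"]["domain"]` is already the canonical host; using `urlencode("https://" . $_CONFIG["Global"]["domain"] . $_SERVER['REQUEST_URI'])` here and at the three matching lines in the second hunk keeps the post-login destination on the configured host if `/login/` follows `r` as given. The enclosing `if (isset($_COOKIE['FL_SESSION_TOKEN']))` block continues past this hunk.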
@@ -17,11 +22,11 @@ if ($_SERVER['REMOTE_ADDR'] !== "127.0.0.1" && $_SERVER['REMOTE_ADDR'] !== "::0"
 $_SUID = $_PROFILE['login'];
 $_FULLNAME = $_PROFILE['name'];
 } else {
- header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+ header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
 die();
 }
 } else {
- header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+ header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
 die();
 }
--
cgit
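Review bot: The same redirect expression is now pasted verbatim in four places (the two `header(...)` lines here and two more in the first hunk), and this commit already had to edit all four to change `/welcome` into `/login/?r=`; the next change to the login URL or the `r` format will have to find them all again. A small helper defined once in this file and called as `redirectToLogin($_CONFIG);` at each of the four sites would keep them in sync. The outer `if ($_SERVER['REMOTE_ADDR'] ...)` block opens in the first hunk and closes after this one, so the helper should be placed before that block.
```php
function redirectToLogin(array $config): void
{
    header("Location: https://" . $config["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
    die();
}
// … unchanged: cookie and token-file lookup; each header()/die() pair becomes redirectToLogin($_CONFIG); …
```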