1 files changed, 8 insertions, 3 deletions

diff --git a/private/session.php b/private/session.php
index d55d34d..bc30d3e 100644
--- a/private/session.php
+++ b/private/session.php
@@ -4,11 +4,16 @@ global $_CONFIG;
 $_CONFIG = json_decode(file_get_contents("/mnt/familine/private/FamilineConfig.json"), true);
 
 if (isset($_COOKIE['FL_SESSION_TOKEN'])) {
+    if (strpos($_COOKIE['FL_SESSION_TOKEN'], ".") !== false || strpos($_COOKIE['FL_SESSION_TOKEN'], "/") !== false) {
+        header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
+        die();
+    }
+
     if (file_exists("/mnt/familine/private/tokens/" . str_replace(".", "", str_replace("/", "", $_COOKIE['FL_SESSION_TOKEN'])))) {
         $_PROFILE = json_decode(file_get_contents("/mnt/familine/private/tokens/" . str_replace(".", "", str_replace("/", "", $_COOKIE['FL_SESSION_TOKEN']))), true);
 
         if (isset($_PROFILE['familine'])) {
-            header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+            header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
             die();
         }
 
@@ -16,11 +21,11 @@ if (isset($_COOKIE['FL_SESSION_TOKEN'])) {
         $_SUID = $_PROFILE['login'];
         $_FULLNAME = $_PROFILE['name'];
     } else {
-        header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+        header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
         die();
     }
 } else {
-    header("Location: https://" . $_CONFIG["Global"]["domain"] . "/welcome");
+    header("Location: https://" . $_CONFIG["Global"]["domain"] . "/login/?r=" . urlencode("https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"));
     die();
 }