10 files changed, 68 insertions, 22 deletions

diff --git a/app/Auth/RememberMe.php b/app/Auth/RememberMe.php
index 2585e96c..cb8a9b44 100644
--- a/app/Auth/RememberMe.php
+++ b/app/Auth/RememberMe.php
@@ -95,7 +95,7 @@ class RememberMe extends Base
                 // Update the sequence
                 $this->writeCookie(
                     $record['token'],
-                    $this->update($record['token'], $record['sequence']),
+                    $this->update($record['token']),
                     $record['expiration']
                 );
 
@@ -136,7 +136,7 @@ class RememberMe extends Base
                 // Update the sequence
                 $this->writeCookie(
                     $record['token'],
-                    $this->update($record['token'], $record['sequence']),
+                    $this->update($record['token']),
                     $record['expiration']
                 );
             }
@@ -237,17 +237,15 @@ class RememberMe extends Base
      *
      * @access public
      * @param  string   $token        Session token
-     * @param  string   $sequence     Sequence token
      * @return string
      */
-    public function update($token, $sequence)
+    public function update($token)
     {
         $new_sequence = Security::generateToken();
 
         $this->db
              ->table(self::TABLE)
              ->eq('token', $token)
-             ->eq('sequence', $sequence)
              ->update(array('sequence' => $new_sequence));
 
         return $new_sequence;
diff --git a/app/Controller/App.php b/app/Controller/App.php
index 9ac9d012..c88fd928 100644
--- a/app/Controller/App.php
+++ b/app/Controller/App.php
@@ -15,6 +15,16 @@ use Helper;
 class App extends Base
 {
     /**
+     * Check if the user is connected
+     *
+     * @access public
+     */
+    public function status()
+    {
+        $this->response->text('OK');
+    }
+
+    /**
      * Dashboard for the current user
      *
      * @access public
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index c1753c97..92a3d068 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -140,7 +140,7 @@ abstract class Base
     public function beforeAction($controller, $action)
     {
         // Start the session
-        $this->session->open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
+        $this->session->open(BASE_URL_DIRECTORY);
 
         // HTTP secure headers
         $this->response->csp(array('style-src' => "'self' 'unsafe-inline'"));
@@ -161,6 +161,11 @@ abstract class Base
 
         // Authentication
         if (! $this->authentication->isAuthenticated($controller, $action)) {
+
+            if ($this->request->isAjax()) {
+                $this->response->text('Not Authorized', 401);
+            }
+
             $this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString()));
         }
 
diff --git a/app/Controller/Board.php b/app/Controller/Board.php
index f04e847f..7d498f81 100644
--- a/app/Controller/Board.php
+++ b/app/Controller/Board.php
@@ -342,7 +342,7 @@ class Board extends Base
         if ($project_id > 0 && $this->request->isAjax()) {
 
             if (! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
-                $this->response->status(401);
+                $this->response->text('Forbidden', 403);
             }
 
             $values = $this->request->getJson();
@@ -366,7 +366,7 @@ class Board extends Base
             }
         }
         else {
-            $this->response->status(401);
+            $this->response->status(403);
         }
     }
 
@@ -383,7 +383,7 @@ class Board extends Base
             $timestamp = $this->request->getIntegerParam('timestamp');
 
             if ($project_id > 0 && ! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
-                $this->response->text('Not Authorized', 401);
+                $this->response->text('Forbidden', 403);
             }
 
             if ($this->project->isModifiedSince($project_id, $timestamp)) {
@@ -402,7 +402,7 @@ class Board extends Base
             }
         }
         else {
-            $this->response->status(401);
+            $this->response->status(403);
         }
     }
 
diff --git a/app/Core/Session.php b/app/Core/Session.php
index e50c36b3..3305eca3 100644
--- a/app/Core/Session.php
+++ b/app/Core/Session.php
@@ -36,14 +36,9 @@ class Session
      *
      * @access public
      * @param  string   $base_path    Cookie path
-     * @param  string   $save_path    Custom session save path
      */
-    public function open($base_path = '/', $save_path = '')
+    public function open($base_path = '/')
     {
-        if ($save_path !== '') {
-            session_save_path($save_path);
-        }
-
         // HttpOnly and secure flags for session cookie
         session_set_cookie_params(
             self::SESSION_LIFETIME,
@@ -56,12 +51,15 @@ class Session
         // Avoid session id in the URL
         ini_set('session.use_only_cookies', '1');
 
+        // Enable strict mode
+        ini_set('session.use_strict_mode', '1');
+
         // Ensure session ID integrity
         ini_set('session.entropy_file', '/dev/urandom');
         ini_set('session.entropy_length', '32');
         ini_set('session.hash_bits_per_character', 6);
 
-        // If session was autostarted with session.auto_start = 1 in php.ini destroy it, otherwise we cannot login
+        // If session was autostarted with session.auto_start = 1 in php.ini destroy it
         if (isset($_SESSION)) {
             session_destroy();
         }
diff --git a/app/Model/Acl.php b/app/Model/Acl.php
index 4a5032d3..4a07d116 100644
--- a/app/Model/Acl.php
+++ b/app/Model/Acl.php
@@ -31,7 +31,7 @@ class Acl extends Base
      * @var array
      */
     private $user_actions = array(
-        'app' => array('index', 'preview'),
+        'app' => array('index', 'preview', 'status'),
         'project' => array('index', 'show', 'exporttasks', 'exportdaily', 'share', 'edit', 'update', 'users', 'remove', 'duplicate', 'disable', 'enable', 'activity', 'search', 'tasks', 'create', 'save'),
         'board' => array('index', 'show', 'save', 'check', 'changeassignee', 'updateassignee', 'changecategory', 'updatecategory', 'movecolumn', 'edit', 'update', 'add', 'confirm', 'remove', 'subtasks', 'togglesubtask', 'attachments', 'comments', 'description'),
         'user' => array('edit', 'forbidden', 'logout', 'show', 'external', 'unlinkgoogle', 'unlinkgithub', 'sessions', 'removesession', 'last', 'notifications', 'password'),
diff --git a/app/Template/layout.php b/app/Template/layout.php
index 31a4c407..562d26e1 100644
--- a/app/Template/layout.php
+++ b/app/Template/layout.php
@@ -24,7 +24,7 @@
 
         <title><?= isset($title) ? Helper\escape($title) : 'Kanboard' ?></title>
     </head>
-    <body>
+    <body data-status-url="<?= Helper\u('app', 'status') ?>" data-login-url="<?= Helper\u('user', 'login') ?>">
     <?php if (isset($no_layout) && $no_layout): ?>
         <?= $content_for_layout ?>
     <?php else: ?>
diff --git a/app/constants.php b/app/constants.php
index 93075892..aa417d88 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -1,8 +1,5 @@
 <?php
 
-// Custom session save path
-defined('SESSION_SAVE_PATH') or define('SESSION_SAVE_PATH', '');
-
 // Application version
 defined('APP_VERSION') or define('APP_VERSION', 'master');
 
diff --git a/assets/js/app.js b/assets/js/app.js
index 65cc824a..ff584d87 100644
--- a/assets/js/app.js
+++ b/assets/js/app.js
@@ -128,6 +128,22 @@ var Kanboard = (function() {
             $(".preview-area").hide();
         },
 
+        // Check session and redirect to the login page if not logged
+        CheckSession: function() {
+
+            if (Kanboard.IsVisible() && ! $(".form-login").length) {
+                $.ajax({
+                    cache: false,
+                    url: $("body").data("status-url"),
+                    statusCode: {
+                        401: function(data) {
+                            window.location = $("body").data("login-url");
+                        }
+                    }
+                });
+            }
+        },
+
         // Common init
         Init: function() {
 
@@ -151,6 +167,9 @@ var Kanboard = (function() {
             // Markdown Preview for textareas
             $("#markdown-preview").click(Kanboard.MarkdownPreview);
             $("#markdown-write").click(Kanboard.MarkdownWriter);
+
+            // Check the session every 10s
+            window.setInterval(Kanboard.CheckSession, 10000);
         }
     };
 
diff --git a/assets/js/base.js b/assets/js/base.js
index d6c332f4..30463970 100644
--- a/assets/js/base.js
+++ b/assets/js/base.js
@@ -113,6 +113,22 @@ var Kanboard = (function() {
             $(".preview-area").hide();
         },
 
+        // Check session and redirect to the login page if not logged
+        CheckSession: function() {
+
+            if (Kanboard.IsVisible() && ! $(".form-login").length) {
+                $.ajax({
+                    cache: false,
+                    url: $("body").data("status-url"),
+                    statusCode: {
+                        401: function(data) {
+                            window.location = $("body").data("login-url");
+                        }
+                    }
+                });
+            }
+        },
+
         // Common init
         Init: function() {
 
@@ -136,6 +152,9 @@ var Kanboard = (function() {
             // Markdown Preview for textareas
             $("#markdown-preview").click(Kanboard.MarkdownPreview);
             $("#markdown-write").click(Kanboard.MarkdownWriter);
+
+            // Check the session every 10s
+            window.setInterval(Kanboard.CheckSession, 10000);
         }
     };