
Use identifier to prevent login of multiple instances of lychee #344

Tobias Reich 9 years ago
parent
commit
ed3418058e
2 changed files with 13 additions and 7 deletions
  1. 2 1
      php/api.php
  2. 11 6
      php/modules/Session.php

+ 2 - 1
php/api.php

@@ -63,7 +63,8 @@ if (!empty($_POST['function'])||!empty($_GET['function'])) {
 	if (isset($_POST['function']))	$fn = $_POST['function'];
 	else							$fn = $_GET['function'];
 
-	if (isset($_SESSION['login'])&&$_SESSION['login']==true) {
+	if ((isset($_SESSION['login'])&&$_SESSION['login']===true)&&
+		(isset($_SESSION['identifier'])&&$_SESSION['identifier']===$settings['identifier'])) {
 
 		###
 		# Admin Access
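Review bot: The added identifier comparison still passes when both values are the empty string, since `isset()` is true for `''` and `''===''` holds, so two instances whose `identifier` setting is blank would accept each other's sessions. Whether an identifier is always generated at install or upgrade is not visible in this diff; if it can be empty, the guard should fail closed, e.g. by adding `&&$settings['identifier']!==''` to the second condition. A comment such as `# Session must belong to this instance, not another Lychee on the same host` would also record why the check exists. The enclosing `if` block continues past the end of the hunk.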

+ 11 - 6
php/modules/Session.php

@@ -44,6 +44,9 @@ class Session extends Module {
 		unset($return['config']['username']);
 		unset($return['config']['password']);
 
+		# Remove identifier from response
+		unset($return['config']['identifier']);
+
 		# Path to Lychee for the server-import dialog
 		$return['config']['location'] = LYCHEE;
 
@@ -99,15 +102,13 @@ class Session extends Module {
 		# Check login with crypted hash
 		if ($this->settings['username']===$username&&
 			$this->settings['password']===$password) {
-				$_SESSION['login'] = true;
+				$_SESSION['login']		= true;
+				$_SESSION['identifier']	= $this->settings['identifier'];
 				return true;
 		}
 
 		# No login
-		if ($this->noLogin()===true) {
-			$_SESSION['login'] = true;
-			return true;
-		}
+		if ($this->noLogin()===true) return true;
 
 		# Call plugins
 		$this->plugins(__METHOD__, 1, func_get_args());
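Review bot: The session ID is not regenerated where `$_SESSION['login']` and `$_SESSION['identifier']` are set, so a session ID known before authentication stays valid after it (session fixation). No `session_regenerate_id()` call is visible in this hunk, though it may exist elsewhere. Calling `session_regenerate_id(true);` immediately before the two assignments would close that. The same pair of assignments is repeated in the hunk at -124 (presumably `noLogin()`), so a small private helper that regenerates the ID and sets both keys would keep the two paths consistent. The enclosing method starts and ends outside this hunk.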
@@ -124,7 +125,8 @@ class Session extends Module {
 		# Check if login credentials exist and login if they don't
 		if ($this->settings['username']===''&&
 			$this->settings['password']==='') {
-				$_SESSION['login'] = true;
+				$_SESSION['login']		= true;
+				$_SESSION['identifier']	= $this->settings['identifier'];
 				return true;
 		}
 
@@ -137,6 +139,9 @@ class Session extends Module {
 		# Call plugins
 		$this->plugins(__METHOD__, 0, func_get_args());
 
+		$_SESSION['login']		= null;
+		$_SESSION['identifier']	= null;
+
 		session_destroy();
 
 		# Call plugins
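Review bot: Only the `login` and `identifier` keys are nulled before `session_destroy()`, and `session_destroy()` neither clears the `$_SESSION` array nor removes the session cookie, so any other session keys stay readable by the plugins called afterwards in this request. Replacing the two assignments with `$_SESSION = array();` clears everything, including keys added later. Expiring the session cookie at the same point would be a further hardening; whether that is handled elsewhere is not visible here. The enclosing method starts and ends outside this hunk.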