From 9ff74420bdd74835c0a115a4f1f1a6bbe81372be Mon Sep 17 00:00:00 2001
From: Flatlogic Bot <support@flatlogic.com>
Date: Sun, 15 Feb 2026 18:07:08 +0000
Subject: [PATCH] login update

---
 includes/auth_helper.php | 65 +++++++++++++++++++++++++++++-----------
 test_session.php         | 19 ++++++++++++
 2 files changed, 67 insertions(+), 17 deletions(-)
 create mode 100644 test_session.php

diff --git a/includes/auth_helper.php b/includes/auth_helper.php
index 539eee1..704e17f 100644
--- a/includes/auth_helper.php
+++ b/includes/auth_helper.php
@@ -1,14 +1,41 @@
 <?php
 declare(strict_types=1);
 
-session_start();
+/**
+ * Configure session for iframed environments (like Flatlogic preview)
+ */
+function start_secure_session() {
+    if (session_status() === PHP_SESSION_NONE) {
+        $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') 
+            || ($_SERVER['SERVER_PORT'] == 443) 
+            || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
+        
+        // Use SameSite=None only if secure, otherwise use Lax
+        $samesite = $secure ? 'None' : 'Lax';
+        
+        session_set_cookie_params([
+            'lifetime' => 0,
+            'path' => '/',
+            'domain' => '',
+            'secure' => $secure,
+            'httponly' => true,
+            'samesite' => $samesite
+        ]);
+        
+        if (!session_start()) {
+            error_log("Failed to start session");
+        }
+    }
+}
+
+start_secure_session();
 
 /**
  * Authentication Helper
  */
 class Auth {
     public static function isLoggedIn(): bool {
-        return isset($_SESSION['user_id']);
+        return isset($_SESSION['user_id']) && !empty($_SESSION['user_id']);
     }
 
     public static function requireLogin(): void {
@@ -19,42 +46,46 @@ class Auth {
     }
 
     public static function login(int $userId, int $tenantId, string $role): void {
+        if (session_status() === PHP_SESSION_NONE) {
+            start_secure_session();
+        }
+        
         $_SESSION['user_id'] = $userId;
         $_SESSION['tenant_id'] = $tenantId;
         $_SESSION['role'] = $role;
         
-        // Ensure session is saved before any potential issues or redirects
+        // Important: Save session before geolocation which might be slow
         session_write_close();
-        // Re-open session if we need to write more later (unlikely here but good practice if we were to)
-        session_start();
-
+        
+        // Tracking
         $ip = self::getIpAddress();
         $country = self::getCountryFromIp($ip);
         $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? null;
 
         try {
-            // Record session
+            // Re-open to update tracking info in DB if we want, 
+            // but we can just use a fresh DB connection
             $stmt = db()->prepare("INSERT INTO user_sessions (user_id, ip_address, country, user_agent) VALUES (?, ?, ?, ?)");
             $stmt->execute([$userId, $ip, $country, $userAgent]);
 
-            // Update user
             $stmt = db()->prepare("UPDATE users SET last_login_at = NOW(), last_login_ip = ? WHERE id = ?");
             $stmt->execute([$ip, $userId]);
         } catch (\Throwable $e) {
-            // Log error but don't prevent login
             error_log("Auth::login tracking error: " . $e->getMessage());
         }
     }
 
     public static function logout(): void {
         if (session_status() === PHP_SESSION_NONE) {
-            session_start();
+            start_secure_session();
         }
         $_SESSION = [];
+        $params = session_get_cookie_params();
+        setcookie(session_name(), '', time() - 42000, 
+            $params["path"], $params["domain"], 
+            $params["secure"], $params["httponly"]
+        );
         session_destroy();
-        if (isset($_COOKIE[session_name()])) {
-            setcookie(session_name(), '', time() - 42000, '/');
-        }
         header('Location: login.php', true, 302);
         exit;
     }
@@ -80,14 +111,14 @@ class Auth {
                 return $data['country'] ?? 'Unknown';
             }
         } catch (\Throwable $e) {
-            // Ignore errors for geolocation
         }
         return 'Unknown';
     }
 
     public static function recordResetAttempt(string $email, string $ip): void {
-        // We could log this to a separate table or activity_log
-        $stmt = db()->prepare("INSERT INTO activity_log (tenant_id, action, details) VALUES (?, ?, ?)");
-        $stmt->execute([0, 'Password Reset Attempt', "Email: $email, IP: $ip"]);
+        try {
+            $stmt = db()->prepare("INSERT INTO activity_log (tenant_id, action, details) VALUES (?, ?, ?)");
+            $stmt->execute([0, 'Password Reset Attempt', "Email: $email, IP: $ip"]);
+        } catch (\Throwable $e) {}
     }
 }
diff --git a/test_session.php b/test_session.php
new file mode 100644
index 0000000..1dacd6e
--- /dev/null
+++ b/test_session.php
@@ -0,0 +1,19 @@
+<?php
+require_once __DIR__ . '/includes/auth_helper.php';
+
+if (!isset($_SESSION['test_counter'])) {
+    $_SESSION['test_counter'] = 0;
+}
+$_SESSION['test_counter']++;
+
+echo "<h1>Session Diagnostic</h1>";
+echo "<b>Counter:</b> " . $_SESSION['test_counter'] . " (Refresh to see if it increases)<br>";
+echo "<b>Session ID:</b> " . session_id() . "<br>";
+echo "<b>HTTPS:</b> " . (isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : 'off') . "<br>";
+echo "<b>SameSite:</b> " . (session_get_cookie_params()['samesite'] ?? 'Not set') . "<br>";
+echo "<hr>";
+echo "<h3>If the counter doesn't increase on refresh:</h3>";
+echo "Your browser is likely blocking the session cookie because the preview is in an iframe. ";
+echo "I have set <code>SameSite=None; Secure</code> which should fix this, but some browsers require extra permissions or have strict privacy settings.";
+echo "<br><br><a href='test_session.php'>Click here to Refresh</a>";
+echo "<br><br><a href='login.php'>Go to Login</a>";