1 files changed, 7 insertions, 5 deletions

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 563987b..676283c 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -26,6 +26,7 @@
  * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php
  * file courtesy of Michael Retterklieber.
  */
+include_once('phpsessionmanager.inc');
 if (!$do_not_include_config_gui_inc) {
 	require_once("config.gui.inc");
 }
@@ -1747,12 +1748,11 @@ function session_auth() {
 		true
 	);
 
-	if (!session_id()) {
-		session_start();
-	}
+	phpsession_begin();
 
 	// Detect protocol change
 	if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) {
+		phpsession_end();
 		return false;
 	}
 
@@ -1770,6 +1770,7 @@ function session_auth() {
 			$_SESSION['user_radius_attributes'] = $attributes;
 			$_SESSION['last_access'] = time();
 			$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
+			phpsession_end(true);
 			if (!isset($config['system']['webgui']['quietlogin'])) {
 				log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
 			}
@@ -1795,6 +1796,7 @@ function session_auth() {
 
 	/* Show login page if they aren't logged in */
 	if (empty($_SESSION['Logged_In'])) {
+		phpsession_end(true);
 		return false;
 	}
 
@@ -1842,7 +1844,7 @@ function session_auth() {
 		}
 
 		/* and destroy it */
-		session_destroy();
+		phpsession_destroy();
 
 		$scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
 		$scriptElms = count($scriptName);
@@ -1873,7 +1875,7 @@ function session_auth() {
 	if ($_REQUEST['enable_ajax']) {
 		unset($_SESSION['NO_AJAX']);
 	}
-
+	phpsession_end(true);
 	return true;
 }