Merge branch 'saas-sessionoptimizations' into saas-3.x-sessionoptimizations

Conflicts:
	airtime_mvc/application/Bootstrap.php
	airtime_mvc/application/configs/constants.php
	airtime_mvc/application/controllers/LoginController.php
	airtime_mvc/application/controllers/UserController.php
	airtime_mvc/public/js/airtime/preferences/preferences.js

airtime_mvc/application/common/SecurityHelper.php

@@ -12,4 +12,12 @@ class SecurityHelper {
         }
         return $arr;
     }
+
+    public static function verifyCSRFToken($observedToken) {
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $observedToken;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        return ($observed_csrf_token == $expected_csrf_token);
+    }
 }

airtime_mvc/application/common/SessionHelper.php

@@ -0,0 +1,13 @@
+<?php
+
+class SessionHelper
+{
+    public static function reopenSessionForWriting() {
+        //PHP will send double Set-Cookie headers if we reopen the
+        //session for writing, and this breaks IE8 and some other browsers.
+        //This hacky workaround prevents double headers. Background here:
+        // https://bugs.php.net/bug.php?id=38104
+        ini_set('session.cache_limiter', null);
+        session_start(); // Reopen the session for writing (without resending the Set-Cookie header)
+    }
+}

airtime_mvc/application/common/TaskManager.php

@@ -114,6 +114,9 @@ final class TaskManager {
      *              otherwise false
      */
     private function _isUserSessionRequest() {
+        if (!Zend_Session::isStarted()) {
+            return false;
+        }
         $auth = Zend_Auth::getInstance();
         $data = $auth->getStorage()->read();
         return !empty($data);