
Recover missing session variables from cookie #6

Open: wants to merge 1 commit into base: multiuser

Conversation

@lbdroid lbdroid commented Jan 13, 2016

When the server clears out the session, we lose the data stored in it.
This takes that data and stores it in a cookie, and when the data is
lost, recovers it from the cookie.

This fixes #5

Aidenir (Owner) commented Jan 13, 2016

This will not work, since it allows a user to login as a regular user, then edit the cookie and change the role to 'admin', then refresh and get all albums. I'm not sure of all privileges this user gets access to this way, but after a quick investigation I could get all albums and view the images in them, even though the user I was logged in as didn't have access to them.

Another way this could be implemented would be to store what this commit stores in the cookie in the session table instead. Since the lycheesession cookie is nothing but an ID, it can't be manipulated by the client.
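The server-side alternative described above, as an added example that is not code from Lychee or from this PR: the cookie carries only an opaque random id, and the user's role is resolved from a session table on the server, shown beside the cookie-trusting pattern the PR used. The in-memory table, the TTL and the field names are assumptions.

```python
import secrets
import time

# Constructed stand-in for the server-side "session table"; in a real
# deployment this is a database table keyed by session id (assumed layout).
SESSION_TABLE = {}
SESSION_TTL = 3600  # seconds, assumed value


def create_session(username, role):
    """Login on the server: persist user data, hand the client only an opaque id."""
    # Random id, not derived from username/password, so it cannot be guessed
    # from known credentials and carries no user data of its own.
    session_id = secrets.token_hex(32)
    SESSION_TABLE[session_id] = {
        "user": username,
        "role": role,
        "expires": time.time() + SESSION_TTL,
    }
    return session_id  # the only value that goes into the session cookie


def resolve_session(cookie_value):
    """Look the role up server-side; the cookie itself makes no claims.

    Editing the cookie can only produce an unknown id, never a different role.
    Returns None for unknown, tampered or expired sessions.
    """
    row = SESSION_TABLE.get(cookie_value)
    if row is None or row["expires"] < time.time():
        SESSION_TABLE.pop(cookie_value, None)  # drop expired rows eagerly
        return None
    return {"user": row["user"], "role": row["role"]}


def vulnerable_resolve(cookie_value):
    """The pattern the PR introduced: user data lives in the cookie and is trusted as-is.

    Constructed 'user=...;role=...' format for illustration; whatever the
    client writes into the cookie becomes the server's view of the user.
    """
    parts = dict(kv.split("=", 1) for kv in cookie_value.split(";") if "=" in kv)
    return {"user": parts.get("user"), "role": parts.get("role", "user")}
```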

lbdroid (Author) commented Jan 13, 2016

Doesn't really make it any worse than depending on the integrity of the session id for maintaining security. All a baddie would have to do is catch or guess a legitimately logged in admin user's session id, and they can take over the whole system. The reality is that security on lychee is... incredibly superficial.

Aidenir (Owner) commented Jan 13, 2016

Intercepting a valid session id is much more difficult to do (assuming https is configured). I personally can't think of any way of doing this except a traditional MITM, which can theoretically be done on every site.
Guessing the custom lychee session is not really feasible either, since it's a sha1 hash of the username and password (and identifier and expire time), and if this info is known you could just login as the user.
I have no idea how the php session id is generated and whether or not that would be possible to brute force.

I would actually claim that the authentication system used is pretty solid. The authorization parts in the api calls however are a different issue, which I haven't thought too much about.

mvanrompuy pushed a commit to mvanrompuy/Lychee that referenced this pull request Oct 31, 2016