-rw-r--r-- | controllers/base.php | 2 | ||||
-rw-r--r-- | index.php | 3 | ||||
-rw-r--r-- | lib/session.php | 22 | ||||
-rw-r--r-- | models/user.php | 2 |
4 files changed, 25 insertions, 4 deletions
diff --git a/controllers/base.php b/controllers/base.php
index a59220d3..da4ee8ae 100644
--- a/controllers/base.php
+++ b/controllers/base.php
@@ -57,7 +57,7 @@ abstract class Base
 public function beforeAction($controller, $action)
 {
- $this->session->open(dirname($_SERVER['PHP_SELF']));
+ $this->session->open(dirname($_SERVER['PHP_SELF']), SESSION_SAVE_PATH);
 if (! isset($_SESSION['user']) && ! $this->noAuthAllowed($controller, $action)) {
 $this->response->redirect('?controller=user&action=login');
@@ -9,5 +9,8 @@ if (file_exists('config.php')) require 'config.php';
 // Auto-refresh frequency in seconds for the public board view
 defined('AUTO_REFRESH_DURATION') or define('AUTO_REFRESH_DURATION', 60);
+// Custom session save path
+defined('SESSION_SAVE_PATH') or define('SESSION_SAVE_PATH', '');
+
 $router = new Router;
 $router->execute();
diff --git a/lib/session.php b/lib/session.php
index 5ea6ceb0..688004b3 100644
--- a/lib/session.php
+++ b/lib/session.php
@@ -2,21 +2,39 @@
 class Session
 {
- const SESSION_LIFETIME = 2678400;
+ const SESSION_LIFETIME = 2678400; // 31 days
 public function open($base_path = '/', $save_path = '')
 {
 if ($save_path !== '') session_save_path($save_path);
+ // HttpOnly and secure flags for session cookie
 session_set_cookie_params(
 self::SESSION_LIFETIME,
- $base_path,
+ $base_path ?: '/',
 null,
 isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
 true
 );
+ // Avoid session id in the URL
+ ini_set('session.use_only_cookies', true);
+
+ // Ensure session ID integrity
+ ini_set('session.entropy_file', '/dev/urandom');
+ ini_set('session.entropy_length', '32');
+ ini_set('session.hash_bits_per_character', 6);
+
+ // Custom session name
+ session_name('__S');
+
 session_start();
+
+ // Regenerate the session id to avoid session fixation issue
+ if (empty($_SESSION['__validated'])) {
+ session_regenerate_id(true);
+ $_SESSION['__validated'] = 1;
+ }
 }
 public function close()
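Review bot: The cookie path passed on the changed `open()` line is still taken from `$_SERVER['PHP_SELF']`, which carries any path info the client appended to the script URL, so a request such as `/index.php/x` would set a session cookie scoped to `/index.php` instead of the application directory and the session would then not be sent on ordinary requests. `$_SERVER['SCRIPT_NAME']` holds the script path alone; the call would read `$this->session->open(dirname($_SERVER['SCRIPT_NAME']), SESSION_SAVE_PATH);`. Whether this deployment ever accepts path info is not visible from the hunk, and beforeAction continues past the hunk's last line.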
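Review bot: The comment above the new `SESSION_SAVE_PATH` define does not say what the empty default means; lib/session.php in the same commit only calls `session_save_path()` when the value is non-empty, so `''` keeps PHP's configured `session.save_path`. A fuller comment would be `// Custom session save path; leave empty to keep PHP's session.save_path. A custom directory must exist, be writable by the web server user and sit outside the document root.`. Nothing in the hunk validates the directory, so a wrong path only shows up as a failed session_start() later.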
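Review bot: The `__validated` check added after `session_start()` regenerates the id only for a session that has never been initialised, which is not enough against fixation: an id that was first initialised by someone else already carries `__validated`, so a user who later logs in under that id keeps it. Regeneration belongs at the privilege change (the login action, which is not in this file), and PHP's own defence against accepting ids it did not issue is `ini_set('session.use_strict_mode', '1');`, which fits next to the other `ini_set` calls. Two smaller points on the same block: `ini_set()` coerces its value to a string, so `ini_set('session.use_only_cookies', '1');` is the explicit form, and the `session.entropy_file`, `session.entropy_length` and `session.hash_bits_per_character` directives no longer exist as of PHP 7.1, so on a newer runtime those three calls only emit warnings. The return value of `session_start()` is also ignored, so an unusable `$save_path` fails silently.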
diff --git a/models/user.php b/models/user.php
index 50e02fef..f80d5edf 100644
--- a/models/user.php
+++ b/models/user.php
@@ -88,7 +88,7 @@ class User extends Base
 new Validators\MinLength('password', t('The minimum length is %d characters', 6), 6),
 new Validators\Required('confirmation', t('The confirmation is required')),
 new Validators\Equals('password', 'confirmation', t('Passwords doesn\'t matches')),
- new Validators\Integer('default_project_id', t('The value must be an integer')),
+ new Validators\Integer('default_project_id', t('This value must be an integer')),
 new Validators\Integer('is_admin', t('This value must be an integer')),
 )); |