Diffstat (limited to 'app/Core/Session/SessionManager.php')
-rw-r--r-- | app/Core/Session/SessionManager.php | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/app/Core/Session/SessionManager.php b/app/Core/Session/SessionManager.php
new file mode 100644
index 00000000..6153efeb
--- /dev/null
+++ b/app/Core/Session/SessionManager.php
@@ -0,0 +1,102 @@
+<?php
+
+namespace Kanboard\Core\Session;
+
+use Kanboard\Core\Base;
+use Kanboard\Core\Http\Request;
+
+/**
+ * Session Manager
+ *
+ * @package session
+ * @author Frederic Guillot
+ */
+class SessionManager extends Base
+{
+ /**
+ * Return true if the session is open
+ *
+ * @static
+ * @access public
+ * @return boolean
+ */
+ public static function isOpen()
+ {
+ return session_id() !== '';
+ }
+
+ /**
+ * Create a new session
+ *
+ * @access public
+ */
+ public function open()
+ {
+ $this->configure();
+
+ if (ini_get('session.auto_start') == 1) {
+ session_destroy();
+ }
+
+ session_name('KB_SID');
+ session_start();
+
+ $this->container['sessionStorage']->setStorage($_SESSION);
+ }
+
+ /**
+ * Destroy the session
+ *
+ * @access public
+ */
+ public function close()
+ {
+ // Destroy the session cookie
+ $params = session_get_cookie_params();
+
+ setcookie(
+ session_name(),
+ '',
+ time() - 42000,
+ $params['path'],
+ $params['domain'],
+ $params['secure'],
+ $params['httponly']
+ );
+
+ session_unset();
+ session_destroy();
+ }
+
+ /**
+ * Define session settings
+ *
+ * @access private
+ */
+ private function configure()
+ {
+ // Session cookie: HttpOnly and secure flags
+ session_set_cookie_params(
+ SESSION_DURATION,
+ $this->helper->url->dir() ?: '/',
+ null,
+ Request::isHTTPS(),
+ true
+ );
+
+ // Avoid session id in the URL
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.use_trans_sid', '0');
+
+ // Enable strict mode
+ ini_set('session.use_strict_mode', '1');
+
+ // Better session hash
+ ini_set('session.hash_function', 'sha512');
+ ini_set('session.hash_bits_per_character', 6);
+
+ // Set an additional entropy
+ ini_set('session.entropy_file', '/dev/urandom');
+ ini_set('session.entropy_length', '256');
+ }
+}
|
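Review bot: configure() sets the cookie lifetime from SESSION_DURATION but leaves session.gc_maxlifetime at its default, so the server-side expiry of the session data is decoupled from the cookie's expiry and the two can drift apart in either direction; if SESSION_DURATION is a positive number of seconds, consider aligning them with `ini_set('session.gc_maxlifetime', (string) SESSION_DURATION);` next to the other ini_set calls. close() calls session_destroy() unconditionally, which emits a warning when no session is active; wrapping the unset/destroy pair in `if (self::isOpen()) {` avoids that and keeps the cookie-expiry step unconditional. As a point of style, `ini_set('session.hash_bits_per_character', 6)` passes an int where the neighbouring calls pass strings, and `ini_get('session.auto_start') == 1` in open() relies on loose comparison; ini_get returns the directive as a string, so a strict comparison against `'1'` (or `filter_var(..., FILTER_VALIDATE_BOOLEAN)` if "On"/"true" spellings must be honoured) states the intent more clearly. The Secure flag correctly follows Request::isHTTPS() and use_strict_mode is enabled before session_start(), which is the right ordering for fixation protection.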