diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/session.php | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/lib/session.php b/lib/session.php index 5ea6ceb0..688004b3 100644 --- a/lib/session.php +++ b/lib/session.php @@ -2,21 +2,39 @@ class Session { - const SESSION_LIFETIME = 2678400; + const SESSION_LIFETIME = 2678400; // 31 days public function open($base_path = '/', $save_path = '') { if ($save_path !== '') session_save_path($save_path); + // HttpOnly and secure flags for session cookie session_set_cookie_params( self::SESSION_LIFETIME, - $base_path, + $base_path ?: '/', null, isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on', true ); + // Avoid session id in the URL + ini_set('session.use_only_cookies', true); + + // Ensure session ID integrity + ini_set('session.entropy_file', '/dev/urandom'); + ini_set('session.entropy_length', '32'); + ini_set('session.hash_bits_per_character', 6); + + // Custom session name + session_name('__S'); + session_start(); + + // Regenerate the session id to avoid session fixation issue + if (empty($_SESSION['__validated'])) { + session_regenerate_id(true); + $_SESSION['__validated'] = 1; + } } public function close() |