<?php

namespace Core;

/**
 * Session class
 *
 * @package  core
 * @author   Frederic Guillot
 */
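class Session
{
    /**
     * Session cookie lifetime in seconds
     *
     * http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
     *
     * @var integer
     */
    const SESSION_LIFETIME = 0; // 0 = cookie lives until the browser is closed

    /**
     * Return true if the session is open
     *
     * Relies on session_id() returning an empty string while no session
     * has been started.
     *
     * @static
     * @access public
     * @return boolean
     */
    public static function isOpen()
    {
        return session_id() !== '';
    }

    /**
     * Open a session
     *
     * Configures the session cookie and the session ini directives before
     * calling session_start(), then regenerates the session id once for a
     * freshly created session.
     *
     * @access public
     * @param  string   $base_path    Cookie path (falls back to '/' when empty)
     */
    public function open($base_path = '/')
    {
        // Cookie flags: HttpOnly (not readable from JavaScript) and Secure
        // (only sent over TLS), the latter only when the request is HTTPS.
        // NOTE(review): the Secure flag depends on Request::isHTTPS(); behind a
        // TLS-terminating proxy that detection has to be right, otherwise the
        // cookie is issued without Secure — confirm against Request.
        session_set_cookie_params(
            self::SESSION_LIFETIME,
            $base_path ?: '/',
            null,
            Request::isHTTPS(),
            true
        );

        // Avoid session id in the URL
        ini_set('session.use_only_cookies', '1');

        // Strict mode: reject session ids sent by the client that the server
        // never issued (session fixation mitigation)
        ini_set('session.use_strict_mode', '1');

        // Ensure session ID integrity.
        // ini_set() takes string values, so every directive value is passed
        // as a string (a bare int only works through type coercion and would
        // fail under strict_types). These three directives were removed in
        // PHP 7.1; there ini_set() returns false and the call has no effect.
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32');
        ini_set('session.hash_bits_per_character', '6');

        // If session was autostarted with session.auto_start = 1 in php.ini destroy it
        if (isset($_SESSION)) {
            session_destroy();
        }

        // Custom session name
        session_name('__S');

        // Start the session
        session_start();

        // Regenerate the session id to avoid session fixation issue: a fresh
        // session gets a new id and the old session data is deleted
        // (session_regenerate_id(true)); the marker stops this from happening
        // on every request.
        if (empty($_SESSION['__validated'])) {
            session_regenerate_id(true);
            $_SESSION['__validated'] = 1;
        }
    }

    /**
     * Destroy the session
     *
     * Clears $_SESSION, expires the session cookie in the browser (when
     * cookies are in use) and destroys the server-side session data.
     * Meant to be called on an open session: session_destroy() emits a
     * warning when no session is active.
     *
     * @access public
     */
    public function close()
    {
        // Flush all sessions variables
        $_SESSION = [];

        // Destroy the session cookie: re-issue it empty with an expiry in the
        // past, keeping the same path/domain/flags so the browser matches it
        if (ini_get('session.use_cookies')) {
            $params = session_get_cookie_params();

            setcookie(
                session_name(),
                '',
                time() - 42000,
                $params['path'],
                $params['domain'],
                $params['secure'],
                $params['httponly']
            );
        }

        // Destroy session data
        session_destroy();
    }

    /**
     * Register a flash message (success notification)
     *
     * The message is stored as given; output escaping is the renderer's job.
     *
     * @access public
     * @param  string   $message   Message
     */
    public function flash($message)
    {
        $_SESSION['flash_message'] = $message;
    }

    /**
     * Register a flash error message (error notification)
     *
     * The message is stored as given; output escaping is the renderer's job.
     *
     * @access public
     * @param  string   $message   Message
     */
    public function flashError($message)
    {
        $_SESSION['flash_error_message'] = $message;
    }
}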