app/Core/Session.php


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

<?php

namespace Core;

use ArrayAccess;

/**
 * Session class
 *
 * @package  core
 * @author   Frederic Guillot
 */
class Session implements ArrayAccess
{
    /**
     * Return true if the session is open
     *
     * @static
     * @access public
     * @return boolean
     */
    public static function isOpen()
    {
        return session_id() !== '';
    }

    /**
     * Open a session
     *
     * @access public
     * @param  string   $base_path    Cookie path
     */
    public function open($base_path = '/')
    {
        // HttpOnly and secure flags for session cookie
        session_set_cookie_params(
            SESSION_DURATION,
            $base_path ?: '/',
            null,
            Request::isHTTPS(),
            true
        );

        // Avoid session id in the URL
        ini_set('session.use_only_cookies', '1');

        // Enable strict mode
        ini_set('session.use_strict_mode', '1');

        // Ensure session ID integrity
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32');
        ini_set('session.hash_bits_per_character', 6);

        // If the session was autostarted with session.auto_start = 1 in php.ini destroy it
        if (isset($_SESSION)) {
            session_destroy();
        }

        // Custom session name
        session_name('__S');

        // Start the session
        session_start();

        // Regenerate the session id to avoid session fixation issue
        if (empty($_SESSION['__validated'])) {
            session_regenerate_id(true);
            $_SESSION['__validated'] = 1;
        }
    }

    /**
     * Destroy the session
     *
     * @access public
     */
    public function close()
    {
        // Flush all sessions variables
        $_SESSION = array();

        // Destroy the session cookie
        $params = session_get_cookie_params();

        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );

        // Destroy session data
        session_destroy();
    }

    /**
     * Register a flash message (success notification)
     *
     * @access public
     * @param  string   $message   Message
     */
    public function flash($message)
    {
        $_SESSION['flash_message'] = $message;
    }

    /**
     * Register a flash error message (error notification)
     *
     * @access public
     * @param  string   $message   Message
     */
    public function flashError($message)
    {
        $_SESSION['flash_error_message'] = $message;
    }

    public function offsetSet($offset, $value)
    {
        $_SESSION[$offset] = $value;
    }

    public function offsetExists($offset)
    {
        return isset($_SESSION[$offset]);
    }

    public function offsetUnset($offset)
    {
        unset($_SESSION[$offset]);
    }

    public function offsetGet($offset)
    {
        return isset($_SESSION[$offset]) ? $_SESSION[$offset] : null;
    }
}