summaryrefslogtreecommitdiff
path: root/app/Core/Session/SessionManager.php
blob: 4f9f2c0ad654f1fb15cf4c72b06f67b8d00e299a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
<?php

namespace Kanboard\Core\Session;

use Kanboard\Core\Base;

/**
 * Session Manager
 *
 * @package  session
 * @author   Frederic Guillot
 */
class SessionManager extends Base
{
    /**
     * Event names
     *
     * @var string
     */
    const EVENT_DESTROY = 'session.destroy';

    /**
     * Return true if the session is open
     *
     * @static
     * @access public
     * @return boolean
     */
    public static function isOpen()
    {
        return session_id() !== '';
    }

    /**
     * Create a new session
     *
     * @access public
     */
    public function open()
    {
        $this->configure();

        if (ini_get('session.auto_start') == 1) {
            session_destroy();
        }

        session_name('KB_SID');
        session_start();

        $this->sessionStorage->setStorage($_SESSION);
    }

    /**
     * Destroy the session
     *
     * @access public
     */
    public function close()
    {
        $this->dispatcher->dispatch(self::EVENT_DESTROY);

        // Destroy the session cookie
        $params = session_get_cookie_params();

        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );

        session_unset();
        session_destroy();
    }

    /**
     * Define session settings
     *
     * @access private
     */
    private function configure()
    {
        // Session cookie: HttpOnly and secure flags
        session_set_cookie_params(
            SESSION_DURATION,
            $this->helper->url->dir() ?: '/',
            null,
            $this->request->isHTTPS(),
            true
        );

        // Avoid session id in the URL
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');

        // Enable strict mode
        ini_set('session.use_strict_mode', '1');

        // Better session hash
        ini_set('session.hash_function', '1'); // 'sha512' is not compatible with FreeBSD, only MD5 '0' and SHA-1 '1' seems to work
        ini_set('session.hash_bits_per_character', 6);

        // Set an additional entropy
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '256');
    }
}