Redone session params
No longer using session_start_safe() function because it caused more usage problems than it solved. Setting a load of new params now to give a much better setup.
@@ -15,35 +15,25 @@ $context = stream_context_create(array('http'=>
|
||||
)
|
||||
));
|
||||
|
||||
// Sets up a session, either with the default dir or local tmp dir
|
||||
function session_start_safe() {
|
||||
// Trying with the default
|
||||
session_save_path('');
|
||||
@session_start();
|
||||
if(!$_SESSION['working']) $_SESSION['working'] = true;
|
||||
session_write_close();
|
||||
session_unset();
|
||||
session_destroy();
|
||||
// Let's see if that worked
|
||||
@session_start();
|
||||
if($_SESSION['working']) {
|
||||
unset($_SESSION['working']);
|
||||
return; // we've got a working session
|
||||
} else {
|
||||
// Create a new session in the local tmp dir instead
|
||||
session_unset();
|
||||
session_destroy();
|
||||
session_save_path(dirname(__FILE__).'/../tmp');
|
||||
session_regenerate_id(true);
|
||||
@session_start();
|
||||
}
|
||||
}
|
||||
|
||||
// Start a session if we haven't already
|
||||
if(!isset($_SESSION)) {
|
||||
// Make the session cookie HTTP only
|
||||
session_set_cookie_params(0, '/', '', false, true);
|
||||
session_start_safe();
|
||||
ini_set('session.use_cookies','1'); // Use cookies not URL parameters
|
||||
ini_set('session.use_only_cookies','1'); // Force use of cookies and nothing else
|
||||
ini_set('session.name','ICEcoder_Cookie'); // Set a seperate cookie session name
|
||||
ini_set('session.cookie_lifetime','0'); // Until the browser restarts by default
|
||||
ini_set('session.cookie_domain',''); // This domain only
|
||||
ini_set('session.cookie_path',dirname(__FILE__).'../'); // ICEcoder path only
|
||||
ini_set('session.use_trans_sid','0'); // Ensure this insecure feature is disabled
|
||||
ini_set('session.hash_function','sha512'); // Use Sha512 for session
|
||||
ini_set('session.hash_bits_per_character','6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
|
||||
ini_set('session.use_strict_mode','1'); // Reject any session ID that was user provided and not generated by the session
|
||||
ini_set('session.httponly','1'); // Only allow http protocol (ie, not JS) access to the cookie
|
||||
ini_set('session.save_path',dirname(__FILE__).'/../tmp'); // Localise the session files to /tmp
|
||||
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
|
||||
ini_set('session.cookie_secure','1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
|
||||
}
|
||||
session_regenerate_id(true); // Create a new ID to help prevent fixation
|
||||
@session_start(); // Finally, start the session!
|
||||
}
|
||||
|
||||
// Set the language file, if now possible
|
||||
@@ -186,4 +176,4 @@ if (!function_exists('array_replace_recursive')) {
|
||||
return $base;
|
||||
}
|
||||
}
|
||||
?>
|
||||
?>
|
||||
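Review bot: The `ini_set('session.cookie_path', dirname(__FILE__).'../')` line sets the cookie path to a filesystem path (with no separator before `../`, unlike the `'/../tmp'` used for `session.save_path`), whereas the directive expects the URL path under which the browser should return the cookie; as written it also overrides the `'/'` that `session_set_cookie_params()` already set a few lines earlier, so the session cookie is unlikely to ever be sent back. The directive name `session.httponly` does not exist (the real one is `session.cookie_httponly`), so that `ini_set` is a silent no-op and the HttpOnly flag only survives because of the earlier `session_set_cookie_params(..., true)`. `session_regenerate_id(true)` needs an active session; called before `@session_start()` it returns false, so the fixation guard comment does not describe what happens — move it after the start (and keep `session.use_strict_mode`, which does reject attacker-supplied IDs). The `@` on `session_start()` also hides a non-writable `tmp` save path, which would otherwise be the first thing to surface. Suggested lines: `ini_set('session.cookie_path', '/'); // URL path ICEcoder is served from, not a filesystem path` and `ini_set('session.cookie_httponly', '1');`, with `session_regenerate_id(true);` placed directly after `session_start();`.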