Mirrors/ICEcoder
2
0
Fork 0
mirror of https://github.com/icecoder/ICEcoder.git synced 2026-03-03 07:13:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

Session improvements

Browse Source
This commit is contained in:
mattpass
2021-07-24 14:33:05 +01:00
parent e8ba59fe46
commit a5678eba26
1 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/settings-common.php
View File

@@ -14,23 +14,29 @@ $context = $systemClass->setStreamContext();
if(false === isset($_SESSION)) {
ini_set('session.use_cookies', '1'); // Use cookies not URL parameters
ini_set('session.use_only_cookies', '1'); // Force use of cookies and nothing else
ini_set('session.name', 'ICEcoder_Cookie'); // Set a seperate cookie session name
ini_set('session.name', 'ICEcoder'); // Set a seperate cookie name
ini_set('session.cookie_lifetime', '0'); // Until the browser restarts by default
ini_set('session.cookie_domain', ''); // This domain only
// ini_set('session.cookie_path', str_replace($_SERVER['DOCUMENT_ROOT'], '', dirname(dirname(__FILE__)))); // ICEcoder path only, fails ON IE
ini_set('session.use_trans_sid', '0'); // Ensure this insecure feature is disabled
ini_set('session.hash_function', 'sha512'); // Use Sha512 for session
ini_set('session.hash_bits_per_character', '6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
// ini_set('session.use_strict_mode', '1'); // Reject any session ID that was user provided and not generated by the session (since PHP 5.5.2)
ini_set('session.httponly', '1'); // Only allow http protocol (ie, not JS) access to the cookie (since PHP 5.2.0)
ini_set('session.use_strict_mode', true); // Reject any session ID that was user provided and not generated by the session
ini_set('session.httponly', true); // Only allow http protocol (ie, not JS) access to the cookie
ini_set('session.cookie_httponly', true); // Only allow cookie via http protocol (ie, not JS) access to the cookie
// ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp
if(false === isset($_COOKIE['ICEcoder'])) {
$_COOKIE['ICEcoder'] = session_create_id();
}
session_id($_COOKIE['ICEcoder']);
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
ini_set('session.cookie_secure', '1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
}
session_start(); // Finally, start the session!
if (false === isset($_SESSION['csrf'])){
session_regenerate_id(true); // Create a new ID to help prevent fixation
session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking
$_COOKIE['ICEcoder'] = session_id();
}
}