From a5678eba26d403b522c3206b025a718b81eebcf4 Mon Sep 17 00:00:00 2001
From: mattpass
Date: Sat, 24 Jul 2021 14:33:05 +0100
Subject: [PATCH] Session improvements

---
 lib/settings-common.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/settings-common.php b/lib/settings-common.php
index 6d0cf1d..e3ede92 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -14,23 +14,29 @@ $context = $systemClass->setStreamContext();
 if(false === isset($_SESSION)) {
     ini_set('session.use_cookies', '1'); // Use cookies not URL parameters
     ini_set('session.use_only_cookies', '1'); // Force use of cookies and nothing else
-    ini_set('session.name', 'ICEcoder_Cookie'); // Set a seperate cookie session name
+    ini_set('session.name', 'ICEcoder'); // Set a seperate cookie name
     ini_set('session.cookie_lifetime', '0'); // Until the browser restarts by default
     ini_set('session.cookie_domain', ''); // This domain only
 //    ini_set('session.cookie_path', str_replace($_SERVER['DOCUMENT_ROOT'], '', dirname(dirname(__FILE__)))); // ICEcoder path only, fails ON IE
     ini_set('session.use_trans_sid', '0'); // Ensure this insecure feature is disabled
     ini_set('session.hash_function', 'sha512'); // Use Sha512 for session
     ini_set('session.hash_bits_per_character', '6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
-//    ini_set('session.use_strict_mode', '1'); // Reject any session ID that was user provided and not generated by the session (since PHP 5.5.2)
-    ini_set('session.httponly', '1'); // Only allow http protocol (ie, not JS) access to the cookie (since PHP 5.2.0)
+    ini_set('session.use_strict_mode', true); // Reject any session ID that was user provided and not generated by the session
+    ini_set('session.httponly', true); // Only allow http protocol (ie, not JS) access to the cookie
+    ini_set('session.cookie_httponly', true); // Only allow cookie via http protocol (ie, not JS) access to the cookie
 //    ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp
+    if(false === isset($_COOKIE['ICEcoder'])) {
+        $_COOKIE['ICEcoder'] = session_create_id();
+    }
+    session_id($_COOKIE['ICEcoder']);
     if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
         ini_set('session.cookie_secure', '1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
     }
     session_start(); // Finally, start the session!
     if (false === isset($_SESSION['csrf'])){
-        session_regenerate_id(true); // Create a new ID to help prevent fixation
+        session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking
+        $_COOKIE['ICEcoder'] = session_id();
     }
 }
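Review bot: The added `session_id($_COOKIE['ICEcoder']);` forwards a client-controlled cookie value into the session layer before `session_start()` without checking that it is a well-formed session ID, and `session_start()` with `session.use_cookies` already reads the cookie named by `session.name` (now `'ICEcoder'`), so the whole `isset($_COOKIE['ICEcoder'])` / `session_create_id()` / `session_id()` block looks redundant. Under `session.use_strict_mode` an ID the save handler does not know is discarded at `session_start()` as far as I can tell, which makes the `session_create_id()` fallback a no-op and leaves fixation protection resting on strict mode alone — either drop the block, or if it must stay, validate the cookie value against the expected ID format before passing it to `session_id()`. Separately, `session.httponly` is not a PHP ini directive (the real one, `session.cookie_httponly`, is set on the very next added line), so `ini_set('session.httponly', true);` is a silent no-op and should be deleted rather than carried forward. While the cookie flags are being touched, `ini_set('session.cookie_samesite', 'Lax');` next to the `cookie_secure` setting would add CSRF hardening on PHP 7.3+.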