
Commit a5678eb

author
mattpass
committed
Session improvements
1 parent e8ba59f commit a5678eb


1 file changed

+10
-4
lines changed


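--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -14,23 +14,29 @@
 if(false === isset($_SESSION)) {
 ini_set('session.use_cookies', '1'); // Use cookies not URL parameters
 ini_set('session.use_only_cookies', '1'); // Force use of cookies and nothing else
-ini_set('session.name', 'ICEcoder_Cookie'); // Set a seperate cookie session name
+ini_set('session.name', 'ICEcoder'); // Set a seperate cookie name
 ini_set('session.cookie_lifetime', '0'); // Until the browser restarts by default
 ini_set('session.cookie_domain', ''); // This domain only
 // ini_set('session.cookie_path', str_replace($_SERVER['DOCUMENT_ROOT'], '', dirname(dirname(__FILE__)))); // ICEcoder path only, fails ON IE
 ini_set('session.use_trans_sid', '0'); // Ensure this insecure feature is disabled
 ini_set('session.hash_function', 'sha512'); // Use Sha512 for session
 ini_set('session.hash_bits_per_character', '6'); // Specify hash scheme of 0-9,a-v,A-Z,-,,
-// ini_set('session.use_strict_mode', '1'); // Reject any session ID that was user provided and not generated by the session (since PHP 5.5.2)
-ini_set('session.httponly', '1'); // Only allow http protocol (ie, not JS) access to the cookie (since PHP 5.2.0)
+ini_set('session.use_strict_mode', true); // Reject any session ID that was user provided and not generated by the session
+ini_set('session.httponly', true); // Only allow http protocol (ie, not JS) access to the cookie
+ini_set('session.cookie_httponly', true); // Only allow cookie via http protocol (ie, not JS) access to the cookie
 // ini_set('session.save_path', dirname(__FILE__) . '/../tmp'); // Localise the session files to /tmp
+if(false === isset($_COOKIE['ICEcoder'])) {
+$_COOKIE['ICEcoder'] = session_create_id();
+}
+session_id($_COOKIE['ICEcoder']);
 
 if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
 ini_set('session.cookie_secure', '1'); // Only allows access to session ID when protocol is HTTPS, switched on under 'if https' condition
 }
 session_start(); // Finally, start the session!
 if (false === isset($_SESSION['csrf'])){
-session_regenerate_id(true); // Create a new ID to help prevent fixation
+session_regenerate_id(true); // Create a new ID to help prevent fixation & hijacking
+$_COOKIE['ICEcoder'] = session_id();
 }
 }
 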
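Review bot: The added `session_id($_COOKIE['ICEcoder']);` hands the raw client cookie value to the session module with no format check, so a malformed value reaches the save handler and, unless `session.use_strict_mode` is confirmed to also validate IDs set explicitly via `session_id()` rather than only those read from the cookie, an unknown attacker-chosen ID could be adopted as-is; the earlier `$_COOKIE['ICEcoder'] = session_create_id();` only covers the case where no cookie was sent. A cheap guard that matches the configured `hash_bits_per_character` of 6 alphabet would be to widen the new `if` to `if (false === isset($_COOKIE['ICEcoder']) || 1 !== preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $_COOKIE['ICEcoder'])) {` so an invalid value is replaced by a freshly generated one. Note also that `session_create_id()` only exists from PHP 7.1, the same release that removed `session.hash_function` and `session.hash_bits_per_character` still set a few lines above, so on the PHP versions this commit now requires those two `ini_set` calls will emit warnings. Finally, `session.httponly` is not a recognised ini directive (the effective one is `session.cookie_httponly`, which the commit adds on the next line); keeping the bogus line alongside it is harmless but misleading and could be dropped.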