Commit 46ad1553 authored by Son Nguyen's avatar Son Nguyen Committed by Robert Lyon

Make session more secure. Bug 1508721

See more at http://php.net/manual/en/session.security.php

behatnotneeded

Change-Id: I70b427daa1ee29c233339ba245f56a02c1a8b3a5
(cherry picked from commit 38bfb5cf)
parent 254f4409
......@@ -15,22 +15,35 @@ defined('INTERNAL') || die();
// Set session settings
//
session_name(get_config('cookieprefix') . 'mahara');
$sessionpath = get_config('sessionpath');
ini_set('session.save_path', '3;' . $sessionpath);
ini_set('session.gc_divisor', 1000);
ini_set('session.gc_maxlifetime', get_config('session_timeout'));
// Secure session settings
// See more at http://php.net/manual/en/session.security.php
ini_set('session.use_cookies', true);
ini_set('session.use_only_cookies', true);
ini_set('session.cookie_lifetime', 0);
ini_set('session.cookie_httponly', true);
if (is_https()) {
ini_set('session.cookie_secure', true);
}
if ($domain = get_config('cookiedomain')) {
ini_set('session.cookie_domain', $domain);
}
ini_set('session.cookie_path', get_mahara_install_subdirectory());
ini_set('session.cookie_httponly', 1);
ini_set('session.hash_bits_per_character', 4);
ini_set('session.hash_function', 0);
if (is_https()) {
ini_set('session.cookie_secure', true);
ini_set('session.gc_divisor', 1000);
// session timeout must not exceed 30 days
if (get_config('session_timeout')) {
ini_set('session.gc_maxlifetime', min(get_config('session_timeout'), 60 * 60 * 24 * 30));
}
ini_set('session.use_trans_sid', false);
ini_set('session.referer_check', get_config('wwwroot'));
ini_set('session.hash_function', 'sha256'); // stronger hash functions are sha384 and sha512
if (version_compare(PHP_VERSION, '5.5.2') > 0) {
ini_set('session.use_strict_mode', true);
}
$sessionpath = get_config('sessionpath');
ini_set('session.save_path', '3;' . $sessionpath);
// Attempt to create session directories
if (!is_dir("$sessionpath/0")) {
// Create three levels of directories, named 0-9, a-f