Commit 46ad1553 authored by Son Nguyen's avatar Son Nguyen Committed by Robert Lyon

Make session more secure. Bug 1508721

See the PHP session security guidance at http://php.net/manual/en/session.security.php

behatnotneeded

Change-Id: I70b427daa1ee29c233339ba245f56a02c1a8b3a5
(cherry picked from commit 38bfb5cf)
parent 254f4409
...@@ -15,22 +15,35 @@ defined('INTERNAL') || die(); ...@@ -15,22 +15,35 @@ defined('INTERNAL') || die();
// Set session settings // Set session settings
// //
session_name(get_config('cookieprefix') . 'mahara'); session_name(get_config('cookieprefix') . 'mahara');
$sessionpath = get_config('sessionpath'); // Secure session settings
ini_set('session.save_path', '3;' . $sessionpath); // See more at http://php.net/manual/en/session.security.php
ini_set('session.gc_divisor', 1000); ini_set('session.use_cookies', true);
ini_set('session.gc_maxlifetime', get_config('session_timeout'));
ini_set('session.use_only_cookies', true); ini_set('session.use_only_cookies', true);
ini_set('session.cookie_lifetime', 0);
ini_set('session.cookie_httponly', true);
if (is_https()) {
ini_set('session.cookie_secure', true);
}
if ($domain = get_config('cookiedomain')) { if ($domain = get_config('cookiedomain')) {
ini_set('session.cookie_domain', $domain); ini_set('session.cookie_domain', $domain);
} }
ini_set('session.cookie_path', get_mahara_install_subdirectory()); ini_set('session.cookie_path', get_mahara_install_subdirectory());
ini_set('session.cookie_httponly', 1);
ini_set('session.hash_bits_per_character', 4); ini_set('session.hash_bits_per_character', 4);
ini_set('session.hash_function', 0); ini_set('session.gc_divisor', 1000);
if (is_https()) { // session timeout must not exceed 30 days
ini_set('session.cookie_secure', true); if (get_config('session_timeout')) {
ini_set('session.gc_maxlifetime', min(get_config('session_timeout'), 60 * 60 * 24 * 30));
}
ini_set('session.use_trans_sid', false);
ini_set('session.referer_check', get_config('wwwroot'));
ini_set('session.hash_function', 'sha256'); // stronger hash functions are sha384 and sha512
if (version_compare(PHP_VERSION, '5.5.2') > 0) {
ini_set('session.use_strict_mode', true);
} }
$sessionpath = get_config('sessionpath');
ini_set('session.save_path', '3;' . $sessionpath);
// Attempt to create session directories // Attempt to create session directories
if (!is_dir("$sessionpath/0")) { if (!is_dir("$sessionpath/0")) {
// Create three levels of directories, named 0-9, a-f // Create three levels of directories, named 0-9, a-f
......
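Review bot: `ini_set('session.referer_check', get_config('wwwroot'))` adds little protection and can silently log out legitimate users: PHP only enforces referer_check when a Referer header is present, and then as a plain substring match, so an attacker simply omits the header, while a browser sending an origin-only referer (which would not contain a wwwroot that has a sub-path) or a request arriving from an external site — presumably including a POST-back from an external identity provider — gets its session id marked invalid and a fresh, empty session. I would drop that line, or guard it behind a config option that defaults to off, with a comment stating the trade-off. Separately, `session.use_strict_mode` was introduced in PHP 5.5.2, so the guard should read `if (version_compare(PHP_VERSION, '5.5.2', '>=')) {` rather than `> 0`, which skips exactly that release. Note too that `session.hash_function` and `session.hash_bits_per_character` were removed in PHP 7.1 (replaced by session.sid_length / session.sid_bits_per_character), so the sha256 line is a no-op there; a comment such as `// Removed in PHP 7.1; session ids use session.sid_* there` would save the next reader from assuming it is in effect.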