author | Philip Häusler <msquare@notrademark.de> | 2014-09-20 18:31:59 +0200 |
---|---|---|
committer | Philip Häusler <msquare@notrademark.de> | 2014-09-20 18:31:59 +0200 |
commit | 50fea6d371492741f442067199d7c32c3432d6e0 (patch) | |
tree | 3374588e9a27b3819c608da29fbbb504ff3debe9 | |
parent | dd3de2d47d7632d12b11cc9b5beb1a373e78a2c8 (diff) |
fix session security issue (same session on multiple instances)
-rw-r--r-- | includes/helper/session_helper.php | 30 | ||||
-rw-r--r-- | public/index.php | 2 |
2 files changed, 32 insertions, 0 deletions
diff --git a/includes/helper/session_helper.php b/includes/helper/session_helper.php
new file mode 100644
index 00000000..4063ff69
--- /dev/null
+++ b/includes/helper/session_helper.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * Set lifetime of php session.
+ *
+ * @param int $lifetime
+ * Lifetime in minutes
+ * @param string $application_name
+ * Name of the application
+ */
+function session_lifetime($lifetime, $application_name) {
+ // Set session save path and name
+ $session_save_path = rtrim(session_save_path(), '/') . '/' . $application_name;
+ if (! file_exists($session_save_path))
+ mkdir($session_save_path);
+ if (file_exists($session_save_path))
+ session_save_path($session_save_path);
+ session_name($application_name);
+
+ // Set session lifetime
+ ini_set('session.gc_maxlifetime', $lifetime * 60);
+ ini_set('session.gc_probability', 1);
+ ini_set('session.gc_divisor', 100);
+
+ // Cookie settings (lifetime)
+ ini_set('session.cookie_secure', ! (preg_match("/^localhost/", $_SERVER["HTTP_HOST"]) || isset($_GET['debug'])));
+ ini_set('session.use_only_cookies', true);
+ ini_set('session.cookie_lifetime', $lifetime * 60);
+}
+
+?>
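Review bot: The `session.cookie_secure` value is computed from request data, so any URL carrying `?debug` (and, through the `HTTP_HOST` prefix match, any request whose Host header starts with `localhost`) makes the session cookie issued in that response lack the Secure flag; a visitor who reaches the site through such a link before they have a session gets a cookie that a plain-HTTP observer can later read. Derive the flag from the connection or a deployment setting instead, e.g. `ini_set('session.cookie_secure', !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');`, and add `ini_set('session.cookie_httponly', true);` next to it, which the hunk omits. Separately, `mkdir($session_save_path)` creates the per-application directory with the default mode (0777 less umask) inside the shared save path, and when that mkdir fails the second `file_exists` check silently keeps the shared path this commit is trying to leave; `mkdir($session_save_path, 0700)` together with treating a still-missing directory as a fatal error would close both gaps. Dropping the trailing `?>` (the file has no newline after it) also removes the usual risk of stray output being sent before the session headers.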
\ No newline at end of file
diff --git a/public/index.php b/public/index.php
index 9c9cd53f..0d1184bc 100644
--- a/public/index.php
+++ b/public/index.php
@@ -35,6 +35,7 @@ require_once realpath(__DIR__ . '/../includes/helper/internationalization_helper
 require_once realpath(__DIR__ . '/../includes/helper/message_helper.php');
 require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
 require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
+require_once realpath(__DIR__ . '/../includes/helper/session_helper.php');
 require_once realpath(__DIR__ . '/../config/config.default.php');
 if (file_exists(realpath(__DIR__ . '/../config/config.php')))
@@ -60,6 +61,7 @@ require_once realpath(__DIR__ . '/../includes/pages/user_shifts.php');
 require_once realpath(__DIR__ . '/../vendor/parsedown/Parsedown.php');
+session_lifetime(24*60, preg_replace("/[^a-z0-9-]/", '', $_SERVER['REQUEST_URI']));
 session_start();
 gettext_init(); |
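Review bot: The application name handed to `session_lifetime` is built from `$_SERVER['REQUEST_URI']`, which is client-supplied and includes the query string, so the session cookie name and the session directory under the save path vary with the URL rather than with the application: requests such as `/?p=login` and `/?p=news` would get different session names (if the app routes that way), a bare `/` reduces to an empty name so the directory collapses back to the shared save path and `session_name` receives an empty string, and any client can create an unbounded number of directories under the save path just by varying the URI, since the helper calls `mkdir` for every new name. Use a value fixed at deployment time instead, e.g. a constant defined in config.php, `session_lifetime(24*60, SESSION_NAME);`, or at minimum something not taken from the request line. This call sits in the top-level script flow of index.php before `session_start()`, and that flow continues past the end of the hunk.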