authorPhilip Häusler <msquare@notrademark.de>2014-09-20 18:31:59 +0200
committerPhilip Häusler <msquare@notrademark.de>2014-09-20 18:31:59 +0200
commit50fea6d371492741f442067199d7c32c3432d6e0 (patch)
tree3374588e9a27b3819c608da29fbbb504ff3debe9
parentdd3de2d47d7632d12b11cc9b5beb1a373e78a2c8 (diff)
fix session security issue (same session on multiple instances)
-rw-r--r--includes/helper/session_helper.php30
-rw-r--r--public/index.php2
2 files changed, 32 insertions, 0 deletions
diff --git a/includes/helper/session_helper.php b/includes/helper/session_helper.php
new file mode 100644
index 00000000..4063ff69
--- /dev/null
+++ b/includes/helper/session_helper.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * Set lifetime of php session.
+ *
+ * @param int $lifetime
+ * Lifetime in minutes
+ * @param string $application_name
+ * Name of the application
+ */
+function session_lifetime($lifetime, $application_name) {
+ // Set session save path and name
+ $session_save_path = rtrim(session_save_path(), '/') . '/' . $application_name;
+ if (! file_exists($session_save_path))
+ mkdir($session_save_path);
+ if (file_exists($session_save_path))
+ session_save_path($session_save_path);
+ session_name($application_name);
+
+ // Set session lifetime
+ ini_set('session.gc_maxlifetime', $lifetime * 60);
+ ini_set('session.gc_probability', 1);
+ ini_set('session.gc_divisor', 100);
+
+ // Cookie settings (lifetime)
+ ini_set('session.cookie_secure', ! (preg_match("/^localhost/", $_SERVER["HTTP_HOST"]) || isset($_GET['debug'])));
+ ini_set('session.use_only_cookies', true);
+ ini_set('session.cookie_lifetime', $lifetime * 60);
+}
+
+?> \ No newline at end of file
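Review bot: `mkdir($session_save_path)` in the body of session_lifetime creates the per-instance session directory with the default mode and discards the return value, so on a host with a permissive umask the session files of every instance land in a directory other local users can read; pass an explicit mode, `mkdir($session_save_path, 0700)`. The base path is also unchecked: if session.save_path is unset (it is commented out in the stock php.ini), `session_save_path()` returns an empty string, the code then tries to create `'/' . $application_name` at the filesystem root, that fails, and the `file_exists` guard silently leaves the shared default directory in place — the very situation this commit is meant to fix; `$base = session_save_path() ?: sys_get_temp_dir();` before the `rtrim` avoids it. On the cookie side, `isset($_GET['debug'])` lets any client switch off `session.cookie_secure` for its own request by appending a query parameter, which should be driven by a server-side config flag instead, and the block never sets `session.cookie_httponly`; adding `ini_set('session.cookie_httponly', true);` next to `use_only_cookies` keeps the cookie out of reach of page scripts. The function also does not validate `$application_name`; the caller in public/index.php derives it from `$_SERVER['REQUEST_URI']` after stripping characters, which presumably can reduce to an empty string for the root URL and would then yield a save path equal to the base directory plus `session_name('')` — worth rejecting an empty or non-alphanumeric name here rather than relying on the caller.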
diff --git a/public/index.php b/public/index.php
index 9c9cd53f..0d1184bc 100644
--- a/public/index.php
+++ b/public/index.php
@@ -35,6 +35,7 @@ require_once realpath(__DIR__ . '/../includes/helper/internationalization_helper
require_once realpath(__DIR__ . '/../includes/helper/message_helper.php');
require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
+require_once realpath(__DIR__ . '/../includes/helper/session_helper.php');
require_once realpath(__DIR__ . '/../config/config.default.php');
if (file_exists(realpath(__DIR__ . '/../config/config.php')))
@@ -60,6 +61,7 @@ require_once realpath(__DIR__ . '/../includes/pages/user_shifts.php');
require_once realpath(__DIR__ . '/../vendor/parsedown/Parsedown.php');
+session_lifetime(24*60, preg_replace("/[^a-z0-9-]/", '', $_SERVER['REQUEST_URI']));
session_start();
gettext_init();