From 50fea6d371492741f442067199d7c32c3432d6e0 Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Sat, 20 Sep 2014 18:31:59 +0200
Subject: fix session security issue (same session on multiple instances)

---
 includes/helper/session_helper.php | 30 ++++++++++++++++++++++++++++++
 public/index.php                   |  2 ++
 2 files changed, 32 insertions(+)
 create mode 100644 includes/helper/session_helper.php

diff --git a/includes/helper/session_helper.php b/includes/helper/session_helper.php
new file mode 100644
index 00000000..4063ff69
--- /dev/null
+++ b/includes/helper/session_helper.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * Set lifetime of php session.
+ *
+ * @param int $lifetime
+ *          Lifetime in minutes
+ * @param string $application_name
+ *          Name of the application
+ */
+function session_lifetime($lifetime, $application_name) {
+  // Set session save path and name
+  $session_save_path = rtrim(session_save_path(), '/') . '/' . $application_name;
+  if (! file_exists($session_save_path))
+    mkdir($session_save_path);
+  if (file_exists($session_save_path))
+    session_save_path($session_save_path);
+  session_name($application_name);
+  
+  // Set session lifetime
+  ini_set('session.gc_maxlifetime', $lifetime * 60);
+  ini_set('session.gc_probability', 1);
+  ini_set('session.gc_divisor', 100);
+  
+  // Cookie settings (lifetime)
+  ini_set('session.cookie_secure', ! (preg_match("/^localhost/", $_SERVER["HTTP_HOST"]) || isset($_GET['debug'])));
+  ini_set('session.use_only_cookies', true);
+  ini_set('session.cookie_lifetime', $lifetime * 60);
+}
+
+?>
\ No newline at end of file
diff --git a/public/index.php b/public/index.php
index 9c9cd53f..0d1184bc 100644
--- a/public/index.php
+++ b/public/index.php
@@ -35,6 +35,7 @@ require_once realpath(__DIR__ . '/../includes/helper/internationalization_helper
 require_once realpath(__DIR__ . '/../includes/helper/message_helper.php');
 require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
 require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
+require_once realpath(__DIR__ . '/../includes/helper/session_helper.php');
 
 require_once realpath(__DIR__ . '/../config/config.default.php');
 if (file_exists(realpath(__DIR__ . '/../config/config.php')))
@@ -60,6 +61,7 @@ require_once realpath(__DIR__ . '/../includes/pages/user_shifts.php');
 
 require_once realpath(__DIR__ . '/../vendor/parsedown/Parsedown.php');
 
+session_lifetime(24*60, preg_replace("/[^a-z0-9-]/", '', $_SERVER['REQUEST_URI']));
 session_start();
 
 gettext_init();
-- 
cgit v1.2.3-54-g00ecf