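/**
 * Start the PHP session (unless GO_NO_SESSION is defined) and bind
 * $this->values to $_SESSION['GO_SESSION'].
 *
 * When the request carries a GOSID parameter, that value is used as the
 * session id and the request must also carry a security_token equal to the
 * one stored in that session. A security_token is generated if the session
 * does not have one yet.
 *
 * @throws \Exception\SecurityTokenMismatch when GOSID is supplied and the
 *         request's security_token is missing, not a string, or does not
 *         match a token already stored in the session.
 */
public function start() {
    // In some cases it doesn't make sense to use the session because the
    // client is not capable (WebDAV for example).
    if (!defined("GO_NO_SESSION")) {
        if (!isset($_SESSION)) {
            // Without cookie_httponly the cookie can be read by scripts
            // injected into the site, and anything tied to the session
            // could then be used to impersonate the user.
            ini_set("session.cookie_httponly", 1);

            // Keep the session id out of URLs to prevent session hijacking.
            ini_set('session.use_only_cookies', 1);

            if (Util\Http::isHttps()) {
                ini_set('session.cookie_secure', 1);
            }

            // A caller-supplied session id is only accepted together with a
            // matching security_token; that check runs after session_start().
            $sessionIdFromRequest = isset($_REQUEST['GOSID']);
            if ($sessionIdFromRequest) {
                session_id($_REQUEST['GOSID']);
            }

            session_name('groupoffice');
            session_start();

            if ($sessionIdFromRequest) {
                $expected = isset($_SESSION['GO_SESSION']['security_token'])
                    ? $_SESSION['GO_SESSION']['security_token']
                    : null;
                $supplied = isset($_REQUEST['security_token'])
                    ? $_REQUEST['security_token']
                    : null;

                // Both sides must be non-empty strings. The previous loose
                // `!=` treated an empty or non-string request value as equal
                // to a token that was not set in the session, so a
                // caller-chosen id for a session with no token was accepted.
                $tokensMatch = is_string($expected) && $expected !== ''
                    && is_string($supplied)
                    // hash_equals() exists from PHP 5.6; fall back to a
                    // strict comparison on older runtimes.
                    && (function_exists('hash_equals')
                        ? hash_equals($expected, $supplied)
                        : $expected === $supplied);

                if (!$tokensMatch) {
                    throw new \Exception\SecurityTokenMismatch();
                }
            }
        }
        // Do not call \GO::debug here: it causes an endless loop.
    }

    $this->values =& $_SESSION['GO_SESSION'];

    if (!isset($this->values['security_token'])) {
        // Do not log here either: it causes an endless loop and segfaults.
        // NOTE(review): this token guards the GOSID check above; confirm that
        // Util\String::randomPassword draws from a cryptographically secure
        // random source.
        $this->values['security_token'] = Util\String::randomPassword(20, 'a-z,A-Z,1-9');
    }
}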