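 /**
  * Open a session
  *
  * Configures the session cookie and the session ini settings, then starts
  * the session and regenerates its id on first use.
  *
  * @access public
  * @param  string   $base_path    Cookie path (empty value falls back to '/')
  */
 public function open($base_path = '/')
 {
     // Session cookie: HttpOnly flag always, Secure flag only when served over HTTPS
     session_set_cookie_params(SESSION_DURATION, $base_path ?: '/', null, Request::isHTTPS(), true);

     // Never accept or propagate the session id through the URL
     ini_set('session.use_only_cookies', '1');

     // Strict mode makes PHP reject uninitialized session ids supplied by the
     // client, which is the protection against session fixation before
     // session_regenerate_id() runs below. It is available since PHP 5.5.2 and
     // off by default on every version, so it must be set unconditionally
     // (the previous version only enabled it on PHP < 7, leaving 7+ without it).
     ini_set('session.use_strict_mode', '1');

     // Session id entropy tuning: these ini keys were removed in PHP 7.1,
     // where ini_set() on them just returns false, so only apply them earlier
     if (version_compare(PHP_VERSION, '7.1.0') < 0) {
         ini_set('session.entropy_file', '/dev/urandom');
         ini_set('session.entropy_length', '32');
         ini_set('session.hash_bits_per_character', '6');
     }

     // If the session was autostarted with session.auto_start = 1 in php.ini destroy it
     if (isset($_SESSION)) {
         session_destroy();
     }

     // Custom session name
     session_name('__S');

     // Start the session
     session_start();

     // Regenerate the session id once per session so an id that existed
     // before authentication is never kept (session fixation)
     if (empty($_SESSION['__validated'])) {
         session_regenerate_id(true);
         $_SESSION['__validated'] = 1;
     }
 }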
 /**
  * Define session settings
  *
  * Applies the cookie parameters and the session-related ini values; has to
  * run before the session is started for them to take effect.
  *
  * @access private
  */
 private function configure()
 {
     // Cookie path falls back to '/' when the application lives at the document root
     $cookiePath = $this->helper->url->dir() ?: '/';

     // Session cookie: HttpOnly always, Secure only over HTTPS, domain left to PHP
     session_set_cookie_params(SESSION_DURATION, $cookiePath, null, Request::isHTTPS(), true);

     // ini values, applied in this order:
     //  - cookies only, no transparent session id in URLs
     //  - strict mode: reject client-supplied, uninitialized session ids
     //  - hash/entropy tuning (NOTE(review): the last four keys were removed
     //    in PHP 7.1, where ini_set() simply returns false for them)
     $iniValues = array(
         'session.use_only_cookies'        => '1',
         'session.use_trans_sid'           => '0',
         'session.use_strict_mode'         => '1',
         'session.hash_function'           => 'sha512',
         'session.hash_bits_per_character' => 6,
         'session.entropy_file'            => '/dev/urandom',
         'session.entropy_length'          => '256',
     );

     foreach ($iniValues as $name => $value) {
         ini_set($name, $value);
     }
 }
 /**
  * Remove the cookie
  *
  * Overwrites the cookie named by COOKIE_NAME with an empty value and an
  * expiry one hour in the past so the browser discards it.
  *
  * @access public
  */
 public function deleteCookie()
 {
     $expiredAt = time() - 3600;

     // NOTE(review): no '/' fallback here, unlike the session cookie path;
     // the deletion only takes effect if this path matches the one the
     // cookie was written with — confirm against the write side
     $cookiePath = $this->helper->url->dir();

     setcookie(self::COOKIE_NAME, '', $expiredAt, $cookiePath, null, Request::isHTTPS(), true);
 }
 /**
  * Send the security header: Strict-Transport-Security (only if we use HTTPS)
  *
  * max-age=31536000 is one year (365 * 86400 seconds); no includeSubDomains
  * or preload directive is sent.
  *
  * @access public
  */
 public function hsts()
 {
     // Browsers only honour HSTS received over a secure connection,
     // so there is nothing to send on plain HTTP
     if (!Request::isHTTPS()) {
         return;
     }

     header('Strict-Transport-Security: max-age=31536000');
 }
 /**
  * Record the last login of the user who just authenticated
  *
  * @param AuthEvent $event  Event carrying the auth type and the user id
  */
 public function onSuccess(AuthEvent $event)
 {
     $authType = $event->getAuthType();
     $userId = $event->getUserId();

     // NOTE(review): the stored address is whatever Request::getIpAddress()
     // derives from the request (it honours X-Forwarded-For), so treat it as
     // informational rather than as a trusted client identity
     $ipAddress = Request::getIpAddress();
     $userAgent = Request::getUserAgent();

     $this->lastLogin->create($authType, $userId, $ipAddress, $userAgent);
 }
 /**
  * getIpAddress() returns the first entry of X-Forwarded-For when present,
  * otherwise REMOTE_ADDR, and 'Unknown' when neither carries a value.
  *
  * NOTE(review): the second case shows X-Forwarded-For is honoured without a
  * trusted-proxy check, so the returned address is client-controllable unless
  * a proxy in front of the application overwrites that header.
  */
 public function testGetIpAddress()
 {
     $cases = array(
         array(array(), 'Unknown'),
         array(array('HTTP_X_FORWARDED_FOR' => '192.168.0.1,127.0.0.1'), '192.168.0.1'),
         array(array('REMOTE_ADDR' => '192.168.0.1'), '192.168.0.1'),
         array(array('REMOTE_ADDR' => ''), 'Unknown'),
     );

     foreach ($cases as $case) {
         list($server, $expected) = $case;
         $request = new Request($this->container, $server, array(), array(), array(), array());
         $this->assertEquals($expected, $request->getIpAddress());
     }
 }
 /**
  * Create remember me session if necessary
  *
  * Nothing happens unless the feature is enabled (REMEMBER_ME_AUTH) and the
  * submitted form contains a non-empty remember_me value.
  *
  * @access private
  * @param  array   $values           Form values
  */
 private function createRememberMeSession(array $values)
 {
     if (!REMEMBER_ME_AUTH || empty($values['remember_me'])) {
         return;
     }

     // The ip address and user agent bound to the token come straight from the request
     $credentials = $this->backend('rememberMe')->create(
         $this->userSession->getId(),
         Request::getIpAddress(),
         Request::getUserAgent()
     );

     $this->backend('rememberMe')->writeCookie(
         $credentials['token'],
         $credentials['sequence'],
         $credentials['expiration']
     );
 }
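 /**
  * Get current server base url
  *
  * Builds scheme + SERVER_NAME + optional port + application directory.
  * The port is omitted when it is 80 or 443 (regardless of scheme, as
  * before) and now also when SERVER_PORT is absent: previously a missing
  * SERVER_PORT raised a notice and produced a trailing "host:" fragment.
  *
  * NOTE(review): depending on web-server configuration SERVER_NAME can be
  * taken from the client's Host header; confirm the deployment pins it if
  * this URL is embedded in emailed links.
  *
  * @access public
  * @return string
  */
 public function server()
 {
     if (empty($_SERVER['SERVER_NAME'])) {
         return 'http://localhost/';
     }

     $scheme = Request::isHTTPS() ? 'https://' : 'http://';

     // Explicit int cast instead of loose == so '80' and 80 compare the same way as before
     $port = isset($_SERVER['SERVER_PORT']) ? (int) $_SERVER['SERVER_PORT'] : 0;
     $portSuffix = ($port === 0 || $port === 80 || $port === 443) ? '' : ':' . $port;

     return $scheme . $_SERVER['SERVER_NAME'] . $portSuffix . ($this->dir() ?: '/');
 }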