public function __bootstrap()
{
// Session name
$sessionName = config('app.id') . '_session';
session_name($sessionName);
// Session lifetime
$lifetime = config('session.lifetime');
// Security garbage collector
ini_set('session.gc_maxlifetime', $lifetime == 0 ? 180 * 60 : $lifetime * 60);
// PHP session garbage collection timeout in minutes
ini_set('session.gc_divisor', 100);
// Set divisor and probability for cronjob Ubuntu/Debian
// ini_set('session.gc_probability', 1); // @see http://www.php.net/manual/en/function.session-save-path.php#98106
// Set session save path
if (config('session.savepath')) {
ini_set('session.save_path', str_replace('~', LOCAL_ROOT, config('session.savepath')));
}
// Set sessions to use cookies
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
// @see http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
// Session cookie parameter
$path = config('app.path');
$domain = config('security.cookie.domain');
$secure = config('security.cookie.secure');
$httponly = config('security.cookie.httponly');
// Set cookie lifetime
session_set_cookie_params($lifetime * 60, $path, $domain, $secure, $httponly);
session_cache_limiter('private_no_expire');
// Start the session!
session_start();
// Strengthen session security with REMOTE_ADDR and HTTP_USER_AGENT
// @see http://shiflett.org/articles/session-hijacking
// Removed REMOTE_ADDR, use HTTP_X_FORWARDED_FOR if available
$remoteIp = Ajde_Http_Request::getClientIP();
// Ignore Google Chrome frame as it has a split personality
// @todo TODO: security issue!!
// @see http://www.chromium.org/developers/how-tos/chrome-frame-getting-started/understanding-chrome-frame-user-agent
if (isset($_SERVER['HTTP_USER_AGENT']) && substr_count($_SERVER['HTTP_USER_AGENT'], 'chromeframe/') === 0 && isset($_SESSION['client']) && $_SESSION['client'] !== md5($remoteIp . $_SERVER['HTTP_USER_AGENT'] . config('security.secret'))) {
// TODO: overhead to call session_regenerate_id? is it not required??
//session_regenerate_id();
// thoroughly destroy the current session
session_destroy();
unset($_SESSION);
setcookie(session_name(), session_id(), time() - 3600, $path, $domain, $secure, $httponly);
// TODO:
$exception = new Ajde_Core_Exception_Security('Possible session hijacking detected. Bailing out.');
if (config('app.debug') === true) {
throw $exception;
} else {
// don't redirect/log for resource items, as they should have no side effect
// this makes it possible for i.e. web crawlers/error pages to view resources
$request = Ajde_Http_Request::fromGlobal();
$route = $request->initRoute();
Ajde::app()->setRequest($request);
if (!in_array($route->getFormat(), ['css', 'js'])) {
Ajde_Exception_Log::logException($exception);
Ajde_Cache::getInstance()->disable();
// Just destroying the session should be enough
// Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
}
}
} else {
$_SESSION['client'] = md5($remoteIp . issetor($_SERVER['HTTP_USER_AGENT']) . config('security.secret'));
if ($lifetime > 0) {
// Force send new cookie with updated lifetime (forcing keep-alive)
// @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100672
//session_regenerate_id();
// Set cookie manually if session_start didn't just sent a cookie
// @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100657
if (isset($_COOKIE[$sessionName])) {
setcookie(session_name(), session_id(), time() + $lifetime * 60, $path, $domain, $secure, $httponly);
}
}
}
// remove cache headers invoked by session_start();
if (version_compare(PHP_VERSION, '5.3.0') >= 0) {
header_remove('X-Powered-By');
}
return true;
}
