ファイル: Legacy.php プロジェクト: projectesIF/Sirius
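 /**
  * {@inheritdoc}
  *
  * Configures the PHP session (cookie name, lifetime, path, garbage
  * collection and the custom save handler) from the System/SessionUtil
  * settings, starts the session, and then applies the expiry and
  * IP-fingerprint policy selected by the 'seclevel' setting.
  *
  * Every ini_set() has to run before session_start(); the order of the
  * calls is the same as in the previous implementation.
  *
  * @return bool false when the session was destroyed because the stored IP
  *              fingerprint did not match the current client, true otherwise
  */
 public function start()
 {
     // Cookie path: always absolute and always ending in '/'.
     $path = System::getBaseUri();
     if (empty($path)) {
         $path = '/';
     } elseif (substr($path, -1) !== '/') {
         $path .= '/';
     }

     // Host used for the referer check, without an explicit ":port".
     // The last ':' is taken, and a ']' after it means the colon belongs to a
     // bracketed IPv6 literal ("[::1]:8080" -> "[::1]", "[::1]" untouched);
     // cutting at the first ':' would truncate such a host to "[".
     $host = (string) System::serverGetVar('HTTP_HOST');
     $colon = strrpos($host, ':');
     if ($colon !== false && strpos($host, ']', $colon) === false) {
         $host = substr($host, 0, $colon);
     }

     // --- PHP session configuration (must precede session_start()) ---
     // Never add the session id to URLs and never accept it from anything but
     // the cookie: an id in a URL leaks through Referer headers and is the
     // classic session-fixation vector.
     ini_set('session.use_trans_sid', 0);
     ini_set('session.use_only_cookies', 1);
     // Some environments do not allow this value to be set and raise an error
     // that prevents installation, hence the suppression.
     @ini_set('url_rewriter.tags', '');
     // How session data is serialised
     ini_set('session.serialize_handler', 'php');
     // Carry the session id in a cookie
     ini_set('session.use_cookies', 1);
     // Keep the session cookie out of reach of script (limits cookie theft
     // through XSS).
     ini_set('session.cookie_httponly', 1);
     // Auto-start session
     ini_set('session.auto_start', 1);
     // Name of our cookie
     ini_set('session.name', SessionUtil::getCookieName());

     // Lifetime of the session cookie depends on the configured security level
     $seclevel = System::getVar('seclevel');
     switch ($seclevel) {
         case 'High':
             // Session lasts for the duration of the browser session
             $lifetime = 0;
             // Referer check against the bare host (a $host . $path variant
             // existed as commented-out code and was never enabled)
             ini_set('session.referer_check', $host);
             break;
         case 'Medium':
             // Session lasts a configured number of days
             $lifetime = System::getVar('secmeddays') * 86400;
             break;
         case 'Low':
         default:
             // Session lasts (practically) forever: 25 years in seconds
             $lifetime = 788940000;
             break;
     }
     ini_set('session.cookie_lifetime', $lifetime);
     // Cookie path (the cookie domain is left at the PHP default)
     ini_set('session.cookie_path', $path);
     // Garbage collection of stale sessions
     ini_set('session.gc_probability', System::getVar('gc_probability'));
     ini_set('session.gc_divisor', 10000);
     // Inactivity timeout for user sessions
     ini_set('session.gc_maxlifetime', System::getVar('secinactivemins') * 60);
     // 1 = SHA-1 session ids. The setting no longer exists on PHP 7.1+, where
     // this call has no effect and the engine generates the ids itself.
     ini_set('session.hash_function', 1);
     // Custom session handlers implemented by this object
     ini_set('session.save_handler', 'user');
     if (System::getVar('sessionstoretofile')) {
         ini_set('session.save_path', System::getVar('sessionsavepath'));
     }
     session_set_save_handler(
         array($this, 'open'),
         array($this, 'close'),
         array($this, 'read'),
         array($this, 'write'),
         array($this, 'destroy'),
         array($this, 'gc')
     );

     // IP fingerprint of the current client: remote address plus whatever
     // X-Forwarded-For header arrived with the request. Both are request
     // data, so the fingerprint is only as reliable as the proxy chain.
     $remoteAddr = System::serverGetVar('REMOTE_ADDR');
     $forwardedFor = System::serverGetVar('HTTP_X_FORWARDED_FOR');
     $currentIpAddr = md5($remoteAddr . $forwardedFor);

     // Start the session. $GLOBALS['_ZSession']['obj'] holds the stored
     // session record when one exists (presumably filled in by the read
     // handler); without it this is a brand-new session.
     if (session_start() && !empty($GLOBALS['_ZSession']['obj'])) {
         $session = $GLOBALS['_ZSession']['obj'];
         // A session last used before one of these thresholds is stale
         $now = time();
         $inactive = $now - (int) (System::getVar('secinactivemins') * 60);
         $daysold = $now - (int) (System::getVar('secmeddays') * 86400);
         $lastused = strtotime($session['lastused']);
         $rememberme = SessionUtil::getVar('rememberme');
         $uid = $session['uid'];
         $ipaddr = $session['ipaddr'];

         // IP check: a fingerprint mismatch ends the session instead of
         // continuing it for a different client
         if (System::getVar('sessionipcheck', false) && $ipaddr !== $currentIpAddr) {
             session_destroy();
             return false;
         }

         switch ($seclevel) {
             case 'Low':
                 // Low security - users stay logged in permanently,
                 //                no special check necessary
                 break;
             case 'Medium':
                 // Medium security - expire when the user did not ask to be
                 // remembered and has been inactive, when the maximum number of
                 // days has elapsed regardless, or when an anonymous session
                 // (uid 0) has been inactive. The parentheses spell out the
                 // && / || grouping the unparenthesised form already had.
                 if ((!$rememberme && $lastused < $inactive)
                     || $lastused < $daysold
                     || ($uid == '0' && $lastused < $inactive)
                 ) {
                     $this->expire();
                 }
                 break;
             case 'High':
             default:
                 // High security - expire as soon as the user has been inactive
                 // (the former rememberme exemption was dropped, see #427)
                 if ($lastused < $inactive) {
                     $this->expire();
                 }
                 break;
         }
     } else {
         // No stored session: the id *must* be regenerated, otherwise the
         // default session id would be whatever session cookie the client
         // submitted (session fixation).
         $this->regenerate(true);
         SessionUtil::_createNew(session_id(), $currentIpAddr);
     }

     // The stored record is not kept inside $_SESSION itself
     if (isset($_SESSION['_ZSession']['obj'])) {
         unset($_SESSION['_ZSession']['obj']);
     }

     return true;
 }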