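/**
 * {@inheritdoc}
 *
 * Configures PHP's session ini settings from the site configuration, installs
 * this object as the session save handler, starts the session and then applies
 * the expiry / IP-fingerprint policy selected by the 'seclevel' setting.
 *
 * Order matters here: every ini_set() and session_set_save_handler() call has
 * to happen before session_start().
 *
 * @return bool false when the IP fingerprint check fails (the session is
 *              destroyed first), true otherwise.
 */
public function start()
{
    // Cookie path: the base URI with a guaranteed trailing slash.
    $path = System::getBaseUri();
    if (empty($path)) {
        $path = '/';
    } elseif (substr($path, -1, 1) != '/') {
        $path .= '/';
    }

    // Host name without any ':port' suffix; used for the referer check below.
    // NOTE(review): HTTP_HOST is client-supplied; this relies on the web server
    // only routing requests for configured host names to this application.
    $host = System::serverGetVar('HTTP_HOST');
    if (($pos = strpos($host, ':')) !== false) {
        $host = substr($host, 0, $pos);
    }

    // PHP configuration variables
    ini_set('session.use_trans_sid', 0); // Stop adding SID to URLs
    @ini_set('url_rewriter.tags', ''); // some environments dont allow this value to be set causing an error that prevents installation
    ini_set('session.serialize_handler', 'php'); // How to store data
    ini_set('session.use_cookies', 1); // Use cookie to store the session ID
    // Only ever accept the session ID from the cookie, never from the URL or
    // request body; consistent with use_trans_sid=0 above and closes the
    // remaining session-fixation path of a caller-supplied ID.
    ini_set('session.use_only_cookies', 1);
    // Keep the session cookie out of reach of client-side script.
    ini_set('session.cookie_httponly', 1);
    ini_set('session.auto_start', 1); // Auto-start session (PHP_INI_PERDIR directive; may have no effect when set at runtime)
    ini_set('session.name', SessionUtil::getCookieName()); // Name of our cookie

    // Set lifetime of session cookie (seconds; 0 = until the browser closes)
    $seclevel = System::getVar('seclevel');
    switch ($seclevel) {
        case 'High':
            // Session lasts duration of browser
            $lifetime = 0;
            // Referer check: PHP rejects the session when the Referer header
            // does not contain this host name
            // ini_set('session.referer_check', $host.$path);
            ini_set('session.referer_check', $host);
            break;
        case 'Medium':
            // Session lasts set number of days
            $lifetime = System::getVar('secmeddays') * 86400;
            break;
        case 'Low':
        default:
            // Session lasts unlimited number of days (well, lots, anyway)
            // (Currently set to 25 years)
            $lifetime = 788940000;
            break;
    }
    ini_set('session.cookie_lifetime', $lifetime);

    // domain and path settings for session cookie
    // if (System::getVar('intranet') == false) {
    // Cookie path
    ini_set('session.cookie_path', $path);

    // Garbage collection
    ini_set('session.gc_probability', System::getVar('gc_probability'));
    ini_set('session.gc_divisor', 10000);
    ini_set('session.gc_maxlifetime', System::getVar('secinactivemins') * 60); // Inactivity timeout for user sessions
    // 1 = SHA-1 session IDs on PHP < 7.1; the directive was removed in PHP 7.1,
    // where this call simply returns false.
    ini_set('session.hash_function', 1);

    // Set custom session handlers
    ini_set('session.save_handler', 'user');
    if (System::getVar('sessionstoretofile')) {
        ini_set('session.save_path', System::getVar('sessionsavepath'));
    }
    session_set_save_handler(
        array($this, 'open'),
        array($this, 'close'),
        array($this, 'read'),
        array($this, 'write'),
        array($this, 'destroy'),
        array($this, 'gc')
    );

    // create IP finger print
    $current_ipaddr = '';
    $_REMOTE_ADDR = System::serverGetVar('REMOTE_ADDR');
    $_HTTP_X_FORWARDED_FOR = System::serverGetVar('HTTP_X_FORWARDED_FOR');
    if (System::getVar('sessionipcheck')) {
        // feature for future release
    }
    // create the ip fingerprint
    // NOTE(review): X-Forwarded-For comes from the client/proxy chain, so the
    // fingerprint can legitimately change between requests behind rotating
    // proxies; with 'sessionipcheck' enabled that expires the user's own
    // session (a usability cost, not an authentication bypass).
    $current_ipaddr = md5($_REMOTE_ADDR . $_HTTP_X_FORWARDED_FOR);

    // start session check expiry and ip fingerprint if required
    // $GLOBALS['_ZSession']['obj'] is presumably populated by the read()
    // save handler installed above when the cookie names a stored session.
    if (session_start() && isset($GLOBALS['_ZSession']['obj']) && $GLOBALS['_ZSession']['obj']) {
        // check if session has expired or not
        $now = time();
        $inactive = $now - (int) (System::getVar('secinactivemins') * 60);
        $daysold = $now - (int) (System::getVar('secmeddays') * 86400);
        $lastused = strtotime($GLOBALS['_ZSession']['obj']['lastused']);
        $rememberme = SessionUtil::getVar('rememberme');
        $uid = $GLOBALS['_ZSession']['obj']['uid'];
        $ipaddr = $GLOBALS['_ZSession']['obj']['ipaddr'];

        // IP check: a stored fingerprint that differs from the current one
        // ends the session outright.
        if (System::getVar('sessionipcheck', false)) {
            if ($ipaddr !== $current_ipaddr) {
                session_destroy();
                return false;
            }
        }

        switch ($seclevel) {
            case 'Low':
                // Low security - users stay logged in permanently
                // no special check necessary
                break;
            case 'Medium':
                // Medium security - delete session info if session cookie has
                // expired or user decided not to remember themself and inactivity timeout
                // OR max number of days have elapsed without logging back in
                // (parentheses make the && / || grouping explicit)
                if ((!$rememberme && $lastused < $inactive) || $lastused < $daysold || ($uid == '0' && $lastused < $inactive)) {
                    $this->expire();
                }
                break;
            case 'High':
            default:
                // High security - delete session info if user is inactive
                //if ($rememberme && ($lastused < $inactive)) { // see #427
                if ($lastused < $inactive) {
                    $this->expire();
                }
                break;
        }
    } else {
        // *must* regenerate new session otherwise the default sessid will be
        // taken from any session cookie that was submitted (bad bad bad)
        $this->regenerate(true);
        SessionUtil::_createNew(session_id(), $current_ipaddr);
    }

    // Drop the raw store row so it is not written back into $_SESSION.
    if (isset($_SESSION['_ZSession']['obj'])) {
        unset($_SESSION['_ZSession']['obj']);
    }

    return true;
}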