Exemplo n.º 1
0
 /**
  * Open a session
  *
  * @access public
  * @param  string   $base_path    Cookie path
  */
 public function open($base_path = '/')
 {
     // HttpOnly and secure flags for session cookie
     session_set_cookie_params(SESSION_DURATION, $base_path ?: '/', null, Request::isHTTPS(), true);
     // Avoid session id in the URL
     ini_set('session.use_only_cookies', '1');
     // Enable strict mode
     if (version_compare(PHP_VERSION, '7.0.0') < 0) {
         ini_set('session.use_strict_mode', '1');
     }
     // Ensure session ID integrity
     ini_set('session.entropy_file', '/dev/urandom');
     ini_set('session.entropy_length', '32');
     ini_set('session.hash_bits_per_character', 6);
     // If the session was autostarted with session.auto_start = 1 in php.ini destroy it
     if (isset($_SESSION)) {
         session_destroy();
     }
     // Custom session name
     session_name('__S');
     // Start the session
     session_start();
     // Regenerate the session id to avoid session fixation issue
     if (empty($_SESSION['__validated'])) {
         session_regenerate_id(true);
         $_SESSION['__validated'] = 1;
     }
 }
 public function testIsHTTPS()
 {
     $request = new Request($this->container, array(), array(), array(), array());
     $this->assertFalse($request->isHTTPS());
     $request = new Request($this->container, array('HTTPS' => ''), array(), array(), array(), array());
     $this->assertFalse($request->isHTTPS());
     $request = new Request($this->container, array('HTTPS' => 'off'), array(), array(), array(), array());
     $this->assertFalse($request->isHTTPS());
     $request = new Request($this->container, array('HTTPS' => 'on'), array(), array(), array(), array());
     $this->assertTrue($request->isHTTPS());
     $request = new Request($this->container, array('HTTPS' => '1'), array(), array(), array(), array());
     $this->assertTrue($request->isHTTPS());
 }
Exemplo n.º 3
0
 /**
  * Define session settings
  *
  * @access private
  */
 private function configure()
 {
     // Session cookie: HttpOnly and secure flags
     session_set_cookie_params(SESSION_DURATION, $this->helper->url->dir() ?: '/', null, Request::isHTTPS(), true);
     // Avoid session id in the URL
     ini_set('session.use_only_cookies', '1');
     ini_set('session.use_trans_sid', '0');
     // Enable strict mode
     ini_set('session.use_strict_mode', '1');
     // Better session hash
     ini_set('session.hash_function', 'sha512');
     ini_set('session.hash_bits_per_character', 6);
     // Set an additional entropy
     ini_set('session.entropy_file', '/dev/urandom');
     ini_set('session.entropy_length', '256');
 }
Exemplo n.º 4
0
 /**
  * Remove the cookie
  *
  * @access public
  */
 public function deleteCookie()
 {
     setcookie(self::COOKIE_NAME, '', time() - 3600, $this->helper->url->dir(), null, Request::isHTTPS(), true);
 }
Exemplo n.º 5
0
 /**
  * Send the security header: Strict-Transport-Security (only if we use HTTPS)
  *
  * @access public
  */
 public function hsts()
 {
     if (Request::isHTTPS()) {
         header('Strict-Transport-Security: max-age=31536000');
     }
 }
Exemplo n.º 6
0
 /**
  * Get current server base url
  *
  * @access public
  * @return string
  */
 public function server()
 {
     if (empty($_SERVER['SERVER_NAME'])) {
         return 'http://localhost/';
     }
     $url = Request::isHTTPS() ? 'https://' : 'http://';
     $url .= $_SERVER['SERVER_NAME'];
     $url .= $_SERVER['SERVER_PORT'] == 80 || $_SERVER['SERVER_PORT'] == 443 ? '' : ':' . $_SERVER['SERVER_PORT'];
     $url .= $this->dir() ?: '/';
     return $url;
 }