public function store($key, $value)
{
if (\Idno\Core\Idno::site()->config()->debug) {
Idno\Core\Idno::site()->logging->debug("Caching {$key}");
}
$this->cache[$key] = $value;
return true;
}
function init()
{
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 7);
// Persistent cookies
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 7);
// Garbage collection to match
if (Idno::site()->config()->session_cookies) {
header('P3P: CP="CAO PSA OUR"');
ini_set('session.cookie_httponly', true);
// Restrict cookies to HTTP only (help reduce XSS attack profile)
ini_set('session.use_strict_mode', true);
// Help mitigate session fixation
if (Idno::site()->isSecure()) {
ini_set('session.cookie_secure', true);
// Set secure cookies when site is secure
}
} else {
ini_set('session.use_only_cookies', 0);
ini_set("session.use_cookies", 0);
ini_set("sessi:on.use_trans_sid", 1);
}
// Using a more secure hashing algorithm for session IDs, if available
if (($hash = Idno::site()->config()->session_hash_function) && in_array($hash, hash_algos())) {
ini_set('session.hash_function', $hash);
}
if (Idno::site()->config()->sessions_database) {
Idno::site()->db()->handleSession();
} else {
session_save_path(Idno::site()->config()->session_path);
}
session_name(Idno::site()->config->sessionname);
session_start();
session_cache_limiter('public');
// Flag insecure sessions (so we can check state changes etc)
if (!isset($_SESSION['secure'])) {
$_SESSION['secure'] = Idno::site()->isSecure();
}
// Validate session
try {
$this->validate();
} catch (\Exception $ex) {
// Session didn't validate, log & destroy
Idno\Core\Idno::site()->logging->log($ex->getMessage(), LOGLEVEL_ERROR);
session_destroy();
}
// Session login / logout
Idno::site()->addPageHandler('/session/login', '\\Idno\\Pages\\Session\\Login', true);
Idno::site()->addPageHandler('/session/logout', '\\Idno\\Pages\\Session\\Logout');
Idno::site()->addPageHandler('/currentUser/?', '\\Idno\\Pages\\Session\\CurrentUser');
// Update the session on save, this is a shim until #46 is fixed properly with #49
\Idno\Core\Idno::site()->addEventHook('save', function (\Idno\Core\Event $event) {
$eventdata = $event->data();
$object = $eventdata['object'];
if (!empty($this->user) && $this->user instanceof User) {
$user_uuid = $object->getUUID() == $this->user->getUUID();
} else {
$user_uuid = false;
}
if ($object instanceof Entity) {
$object_uuid = $object->getUUID();
} else {
$object_uuid = false;
}
if (!empty($object) && $object instanceof \Idno\Entities\User && (!empty($_SESSION['user_uuid']) && ($object_uuid != $user_uuid && $object_uuid !== false))) {
$this->user = $this->refreshSessionUser($object);
}
});
// If this is an API request, we need to destroy the session afterwards. See #1028
register_shutdown_function(function () {
$session = Idno::site()->session();
if ($session && $session->isAPIRequest()) {
$session->logUserOff();
}
});
}
