/** * Open a session * * @access public * @param string $base_path Cookie path * @param string $save_path Custom session save path */ public function open($base_path = '/', $save_path = '') { if ($save_path !== '') { session_save_path($save_path); } // HttpOnly and secure flags for session cookie session_set_cookie_params(self::SESSION_LIFETIME, $base_path ?: '/', null, Tool::isHTTPS(), true); // Avoid session id in the URL ini_set('session.use_only_cookies', '1'); // Ensure session ID integrity ini_set('session.entropy_file', '/dev/urandom'); ini_set('session.entropy_length', '32'); ini_set('session.hash_bits_per_character', 6); // If session was autostarted with session.auto_start = 1 in php.ini destroy it, otherwise we cannot login if (isset($_SESSION)) { session_destroy(); } // Custom session name session_name('__S'); session_start(); // Regenerate the session id to avoid session fixation issue if (empty($_SESSION['__validated'])) { session_regenerate_id(true); $_SESSION['__validated'] = 1; } }
/** * Send the security header: Strict-Transport-Security (only if we use HTTPS) * * @access public */ public function hsts() { if (Tool::isHTTPS()) { header('Strict-Transport-Security: max-age=31536000'); } }