Пример #1
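 /**
  * Open a session
  *
  * Configures the session cookie (HttpOnly, Secure when served over HTTPS,
  * SameSite=Lax where the runtime supports it), restricts session id
  * transport to cookies, enables strict mode so ids supplied by the client
  * that the server never issued are rejected, then starts the session under
  * a custom name and regenerates the id on first use (session fixation).
  *
  * @access public
  * @param  string   $base_path    Cookie path
  * @param  string   $save_path    Custom session save path
  */
 public function open($base_path = '/', $save_path = '')
 {
     if ($save_path !== '') {
         session_save_path($save_path);
     }
     $cookie_path = $base_path ?: '/';
     $secure      = Tool::isHTTPS();
     if (PHP_VERSION_ID >= 70300) {
         // The array form (PHP 7.3+) is the only way to set SameSite; Lax keeps the
         // cookie off cross-site POST requests without breaking top-level navigation
         session_set_cookie_params([
             'lifetime' => self::SESSION_LIFETIME,
             'path'     => $cookie_path,
             'secure'   => $secure,
             'httponly' => true,
             'samesite' => 'Lax',
         ]);
     } else {
         // HttpOnly and secure flags for session cookie
         session_set_cookie_params(self::SESSION_LIFETIME, $cookie_path, null, $secure, true);
     }
     // Avoid session id in the URL
     ini_set('session.use_only_cookies', '1');
     // Reject uninitialised session ids presented by the client (must be set before session_start)
     ini_set('session.use_strict_mode', '1');
     // Ensure session ID integrity. The entropy_* and hash_bits_per_character
     // options were removed in PHP 7.1; sid_length / sid_bits_per_character replace them.
     if (PHP_VERSION_ID >= 70100) {
         ini_set('session.sid_length', '48');
         ini_set('session.sid_bits_per_character', '6');
     } else {
         ini_set('session.entropy_file', '/dev/urandom');
         ini_set('session.entropy_length', '32');
         ini_set('session.hash_bits_per_character', '6');
     }
     // If session was autostarted with session.auto_start = 1 in php.ini destroy it, otherwise we cannot login.
     // session_status() is used rather than isset($_SESSION) so session_destroy() is never
     // called without an active session (which would emit a warning).
     if (session_status() === PHP_SESSION_ACTIVE) {
         session_destroy();
     }
     // Custom session name
     session_name('__S');
     session_start();
     // Regenerate the session id to avoid session fixation issue
     if (empty($_SESSION['__validated'])) {
         session_regenerate_id(true);
         $_SESSION['__validated'] = 1;
     }
 }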
Пример #2
 /**
  * Send the security header: Strict-Transport-Security (only if we use HTTPS)
  *
  * Emits nothing on plain HTTP, since browsers ignore HSTS received over an
  * insecure connection.
  *
  * @access public
  */
 public function hsts()
 {
     if (!Tool::isHTTPS()) {
         return;
     }
     header('Strict-Transport-Security: max-age=31536000');
 }