/**
 * Open a session
 *
 * Applies the cookie parameters and the session-related ini settings, drops a
 * session that php.ini may have auto-started, starts ours under a custom name
 * and regenerates the id the first time a fresh session is seen.
 *
 * @access public
 * @param  string  $base_path  Cookie path; an empty value falls back to '/'
 */
public function open($base_path = '/')
{
    // Session cookie: HttpOnly always, Secure only when the request came over HTTPS
    // NOTE(review): no SameSite attribute is sent — that needs the PHP 7.3+ array
    // form of session_set_cookie_params(); confirm the minimum supported PHP version
    session_set_cookie_params(SESSION_DURATION, $base_path ?: '/', null, Request::isHTTPS(), true);

    // Ini settings are collected in call order and applied in one pass below
    $settings = array(
        // Never accept (or emit) the session id in the URL
        'session.use_only_cookies' => '1',
    );

    // Strict mode (reject client-supplied ids that do not exist server-side) is
    // only enabled below PHP 7.0 here; on newer versions the session_regenerate_id()
    // at the end of this method is what defeats an id fixed before the first request
    if (version_compare(PHP_VERSION, '7.0.0') < 0) {
        $settings['session.use_strict_mode'] = '1';
    }

    // Session id entropy and encoding. The entropy_* options no longer exist on
    // PHP 7.1+, where ini_set() just returns false for them.
    $settings['session.entropy_file'] = '/dev/urandom';
    $settings['session.entropy_length'] = '32';
    $settings['session.hash_bits_per_character'] = 6;

    foreach ($settings as $option => $value) {
        ini_set($option, $value);
    }

    // A session auto-started via session.auto_start = 1 would ignore the cookie
    // parameters and name configured here, so destroy it first
    if (isset($_SESSION)) {
        session_destroy();
    }

    session_name('__S');
    session_start();

    // First request of a fresh session: replace the id so that an id chosen
    // before this point (session fixation) is never kept
    if (empty($_SESSION['__validated'])) {
        session_regenerate_id(true);
        $_SESSION['__validated'] = 1;
    }
}
/**
 * Request::isHTTPS() must report true only for the values a web server uses
 * for an enabled TLS connection ('on', '1') and false when the HTTPS server
 * variable is absent, empty or 'off'.
 */
public function testIsHTTPS()
{
    // No HTTPS server variable at all
    // NOTE(review): this call passes one argument fewer than the cases below —
    // presumably the last constructor parameter has a default; confirm
    $request = new Request($this->container, array(), array(), array(), array());
    $this->assertFalse($request->isHTTPS());

    // HTTPS value => expected result (the '1' key is stored as int by PHP,
    // hence the cast back to string when building the server array)
    $cases = array(
        ''    => false,
        'off' => false,
        'on'  => true,
        '1'   => true,
    );

    foreach ($cases as $value => $expected) {
        $server = array('HTTPS' => (string) $value);
        $request = new Request($this->container, $server, array(), array(), array(), array());
        $this->assertSame($expected, $request->isHTTPS(), 'HTTPS=' . var_export((string) $value, true));
    }
}
/**
 * Define session settings
 *
 * Sets the session cookie parameters and the ini options that harden the
 * session id handling. On PHP 7.1+ the hash_function and entropy_* options
 * no longer exist (ini_set() returns false for them), so the effective
 * hardening there is use_only_cookies, use_trans_sid and use_strict_mode.
 *
 * @access private
 */
private function configure()
{
    // Session cookie: HttpOnly always, Secure only over HTTPS; path falls back to '/'
    $cookiePath = $this->helper->url->dir() ?: '/';
    session_set_cookie_params(SESSION_DURATION, $cookiePath, null, Request::isHTTPS(), true);

    // Applied in this order
    $settings = array(
        // Never carry the session id in the URL
        'session.use_only_cookies'        => '1',
        'session.use_trans_sid'           => '0',
        // Reject client-supplied ids that were not created by the server
        'session.use_strict_mode'         => '1',
        // Session id hashing / encoding
        'session.hash_function'           => 'sha512',
        'session.hash_bits_per_character' => 6,
        // Extra entropy source for id generation
        'session.entropy_file'            => '/dev/urandom',
        'session.entropy_length'          => '256',
    );

    foreach ($settings as $option => $value) {
        ini_set($option, $value);
    }
}
/**
 * Remove the cookie
 *
 * Re-sends the cookie with an empty value and an expiry one hour in the past
 * so that the browser discards it.
 *
 * @access public
 */
public function deleteCookie()
{
    $expiredAt = time() - 3600;

    // The path (and domain) must match the ones the cookie was created with,
    // otherwise the browser keeps the original cookie.
    // NOTE(review): the setter is not visible here — confirm it also passes
    // url->dir() without a '/' fallback, unlike the session cookie setup
    $path = $this->helper->url->dir();

    setcookie(self::COOKIE_NAME, '', $expiredAt, $path, null, Request::isHTTPS(), true);
}
/**
 * Send the security header: Strict-Transport-Security (only if we use HTTPS)
 *
 * max-age is one year; subdomains are not covered (no includeSubDomains) and
 * the header is not sent at all on plain HTTP, where browsers must ignore it.
 *
 * @access public
 */
public function hsts()
{
    if (! Request::isHTTPS()) {
        return;
    }

    header('Strict-Transport-Security: max-age=31536000');
}
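/**
 * Get current server base url
 *
 * The host comes from SERVER_NAME rather than the Host header, the scheme from
 * Request::isHTTPS(), and the port is appended unless it is 80 or 443. Either
 * default port is dropped regardless of scheme on purpose: behind a
 * TLS-terminating proxy the application may see port 80 on an HTTPS request.
 *
 * NOTE(review): depending on web server configuration (e.g. Apache with
 * UseCanonicalName Off) SERVER_NAME can still mirror the client-supplied Host
 * header — confirm the deployment if this url is used in emails or redirects.
 *
 * @access public
 * @return string  Absolute base url ending with the application directory or '/'
 */
public function server()
{
    // No server name (CLI, unit tests): fall back to a local default
    if (empty($_SERVER['SERVER_NAME'])) {
        return 'http://localhost/';
    }

    $scheme = Request::isHTTPS() ? 'https://' : 'http://';
    $host = $_SERVER['SERVER_NAME'];

    // A missing or empty SERVER_PORT used to raise a notice and yield "host:/";
    // treat it as "no explicit port" instead
    $port = isset($_SERVER['SERVER_PORT']) ? (string) $_SERVER['SERVER_PORT'] : '';
    $portSuffix = ($port === '' || $port === '80' || $port === '443') ? '' : ':' . $port;

    return $scheme . $host . $portSuffix . ($this->dir() ?: '/');
}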