diff options
| author | Michael Göhler <somebody.here@gmx.de> | 2012-10-14 22:47:31 +0400 |
|---|---|---|
| committer | Michael Göhler <somebody.here@gmx.de> | 2012-10-15 00:36:26 +0400 |
| commit | ae1f33db5453052a1b267b00b0c6fd7b6b70ff82 (patch) | |
| tree | da80fae767d146af1b32ebc8b9caebcc81d41ea1 /lib | |
| parent | b92fd984aa7f9281144b410ff703ca1796c10d41 (diff) | |
implement fixed php session timeout and session id regeneration
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/base.php | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/lib/base.php b/lib/base.php index ebeec22088a..0ba028a68d2 100644 --- a/lib/base.php +++ b/lib/base.php @@ -264,8 +264,30 @@ class OC{ } public static function initSession() { + // prevents javascript from accessing php session cookies ini_set('session.cookie_httponly', '1;'); + + // (re)-initialize session session_start(); + + // regenerate session id periodically to avoid session fixation + if (!isset($_SESSION['SID_CREATED'])) { + $_SESSION['SID_CREATED'] = time(); + } else if (time() - $_SESSION['SID_CREATED'] > 900) { + session_regenerate_id(true); + $_SESSION['SID_CREATED'] = time(); + } + + // session timeout + if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 3600)) { + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time() - 42000, '/'); + } + session_unset(); + session_destroy(); + session_start(); + } + $_SESSION['LAST_ACTIVITY'] = time(); } public static function init() { |