Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /**
- * Our custom way of starting a secure session
- *
- * Preventing session ID passing as a GET parameter, only send (session)cookie over HTTPS,
- * protection against XSS attacks (HTTP Only), session fixation and session hijacking.
- */
- function sec_session_start() {
- // Forces sessions to only use cookies (disallow session ID passing as a GET parameter).
- if (ini_set('session.use_only_cookies', 1) === FALSE) {
- echo "Could not initiate a safe session (ini_set)";
- exit();
- }
- $session_name = "xIhFr7bkA5d1y6"; // Set your custom session name.
- $domain = ".mydomain.com"; // The dot makes the (session)cookie available for subdomains too. Change to your domain.
- $secure = TRUE; // If TRUE, (session)cookie will only be sent over secure (HTTPS) connections.
- $http_only = TRUE; // If TRUE, prevents JavaScript being able to access the session id.
- // Gets current cookies params.
- $cookieParams = session_get_cookie_params();
- session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $domain, $secure, $http_only);
- // Sets the session name to the one set in config
- session_name($session_name);
- // Start the PHP session
- session_start();
- // Protection against session fixation and hijacking attacks.
- if (!isset($_SESSION['canary'])) {
- session_regenerate_id(true);
- $_SESSION['canary'] = [
- 'birth' => time(),
- 'browser' => hash('md5', $_SERVER['HTTP_USER_AGENT'])
- ];
- }
- if ($_SESSION['canary']['browser'] !== hash('md5', $_SERVER['HTTP_USER_AGENT'])) {
- session_regenerate_id(true);
- // Delete everything:
- foreach (array_keys($_SESSION) as $key) {
- unset($_SESSION[$key]);
- }
- $_SESSION['canary'] = [
- 'birth' => time(),
- 'browser' => hash('md5', $_SERVER['HTTP_USER_AGENT'])
- ];
- }
- // Regenerate session ID every five minutes:
- if ($_SESSION['canary']['birth'] < time() - 300) {
- session_regenerate_id(true);
- $_SESSION['canary']['birth'] = time();
- }
- }
Add Comment
Please, Sign In to add comment
