diff --git a/vendor/PicoFarad/Session.php b/vendor/PicoFarad/Session.php index bac3e52..ee7b415 100644 --- a/vendor/PicoFarad/Session.php +++ b/vendor/PicoFarad/Session.php @@ -9,15 +9,33 @@ function open($base_path = '/', $save_path = '') { if ($save_path !== '') session_save_path($save_path); + // HttpOnly and secure flags for session cookie session_set_cookie_params( SESSION_LIFETIME, - $base_path, + $base_path ?: '/', null, isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on', true ); + // Avoid session id in the URL + ini_set('session.use_only_cookies', true); + + // Ensure session ID integrity + ini_set('session.entropy_file', '/dev/urandom'); + ini_set('session.entropy_length', '32'); + ini_set('session.hash_bits_per_character', 6); + + // Custom session name + session_name('__$'); + session_start(); + + // Regenerate the session id to avoid session fixation issue + if (empty($_SESSION['__validated'])) { + session_regenerate_id(true); + $_SESSION['__validated'] = 1; + } }