From 9b80a375f57e8caec25bb8327ae85cee5b779084 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Thu, 27 Feb 2014 21:02:35 -0500
Subject: [PATCH] Update PicoFarad (session creation improvements)
---
 vendor/PicoFarad/Session.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/vendor/PicoFarad/Session.php b/vendor/PicoFarad/Session.php
index bac3e52..ee7b415 100644
--- a/vendor/PicoFarad/Session.php
+++ b/vendor/PicoFarad/Session.php
@@ -9,15 +9,33 @@ function open($base_path = '/', $save_path = '')
 {
 if ($save_path !== '') session_save_path($save_path);
+ // HttpOnly and secure flags for session cookie
 session_set_cookie_params(
 SESSION_LIFETIME,
- $base_path,
+ $base_path ?: '/',
 null,
 isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
 true
 );
+ // Avoid session id in the URL
+ ini_set('session.use_only_cookies', true);
+ // Ensure session ID integrity
+ ini_set('session.entropy_file', '/dev/urandom');
+ ini_set('session.entropy_length', '32');
+ ini_set('session.hash_bits_per_character', 6);
+ // Custom session name
+ session_name('__$');
 session_start();
+ // Regenerate the session id to avoid session fixation issue
+ if (empty($_SESSION['__validated'])) {
+ session_regenerate_id(true);
+ $_SESSION['__validated'] = 1;
+ }
 }
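Review bot: The regeneration guarded by `$_SESSION['__validated']` runs once per session lifetime rather than at authentication, so it does not cover the fixation case the comment names: a session id that has already passed this check keeps its id when the user later logs in, and the usual mitigation is a second `session_regenerate_id(true)` at login (the login flow is outside this file, so whether it does that is inferred). Separately, `ini_set()` returns `false` without a warning for a directive the runtime does not know, so the "Ensure session ID integrity" block silently becomes a no-op on PHP 7.1 and later, where `session.entropy_file`, `session.entropy_length` and `session.hash_bits_per_character` were removed in favour of `session.sid_length` / `session.sid_bits_per_character`; checking the return values or stating the supported PHP range in a comment would make that visible. Minor: `ini_set('session.use_only_cookies', true)` passes a bool to a string-valued directive while the neighbouring calls pass strings; `ini_set('session.use_only_cookies', '1');` is consistent. open()'s signature is in the hunk header, outside the hunk.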