Commit b329a14

Better php.ini overrides for insecure setups
This change is to protect our users against a poorly set-up server. PHP can allow pretty scary things security-wise, so it's best to make sure things that can only have one valid setting should be enforced. Thanks to @hyp3rlinx for this.
1 parent 6c73f63 commit b329a14

1 file changed

+3
-0
lines changed

Diff for: symphony/lib/core/class.session.php

@@ -58,6 +58,9 @@ public static function start($lifetime = 0, $path = '/', $domain = null, $httpOn
5858

5959
if (session_id() == '') {
6060
ini_set('session.save_handler', 'user');
61+
ini_set('session.use_trans_sid', '0');
62+
ini_set('session.use_strict_mode', '1');
63+
ini_set('session.use_only_cookies', '1');
6164
ini_set('session.gc_maxlifetime', $lifetime);
6265
ini_set('session.gc_probability', '1');
6366
ini_set('session.gc_divisor', Symphony::Configuration()->get('session_gc_divisor', 'symphony'));
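Review bot: the three new ini_set() calls (lines 61-63) have their return values discarded, so on a host that pins these directives with php_admin_value (or disables ini_set) they silently fail and the hardening the commit message promises is never applied; consider checking the result, e.g. `if (ini_set('session.use_strict_mode', '1') === false) { /* log or throw */ }`, so a misconfigured server is reported rather than quietly left insecure. Also note that with `session.save_handler` set to 'user' on line 60, `session.use_strict_mode` only rejects unknown session ids if the custom handler implements the validateId callback; a short comment on why each directive is forced, and that caveat, would help the next maintainer.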
