Better php.ini overrides for insecure setups

This change is to protect our users against a poorly setup server. PHP can allow pretty scary things security-wise, so it's best to make sure things that can only have one valid setting should be enforced. Thanks to @hyp3rlinx for this.
symphonycms · May 23, 2016 · b329a14 · b329a14 · nitriques · May 23, 2016
1 parent 6c73f63
commit b329a14
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/symphony/lib/core/class.session.php b/symphony/lib/core/class.session.php
@@ -58,6 +58,9 @@ public static function start($lifetime = 0, $path = '/', $domain = null, $httpOn
 
             if (session_id() == '') {
                 ini_set('session.save_handler', 'user');
+                ini_set('session.use_trans_sid', '0');
+                ini_set('session.use_strict_mode', '1');
+                ini_set('session.use_only_cookies', '1');
                 ini_set('session.gc_maxlifetime', $lifetime);
                 ini_set('session.gc_probability', '1');
                 ini_set('session.gc_divisor', Symphony::Configuration()->get('session_gc_divisor', 'symphony'));