From ae1f33db5453052a1b267b00b0c6fd7b6b70ff82 Mon Sep 17 00:00:00 2001
From: Michael Göhler
Date: Sun, 14 Oct 2012 20:47:31 +0200
Subject: implement fixed php session timeout and session id regeneration
---
 lib/base.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/lib/base.php b/lib/base.php
index ebeec22088a..0ba028a68d2 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -264,8 +264,30 @@ class OC{
 }
 public static function initSession() {
+ // prevents javascript from accessing php session cookies
 ini_set('session.cookie_httponly', '1;');
+
+ // (re)-initialize session
 session_start();
+
+ // regenerate session id periodically to avoid session fixation
+ if (!isset($_SESSION['SID_CREATED'])) {
+ $_SESSION['SID_CREATED'] = time();
+ } else if (time() - $_SESSION['SID_CREATED'] > 900) {
+ session_regenerate_id(true);
+ $_SESSION['SID_CREATED'] = time();
+ }
+
+ // session timeout
+ if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 3600)) {
+ if (isset($_COOKIE[session_name()])) {
+ setcookie(session_name(), '', time() - 42000, '/');
+ }
+ session_unset();
+ session_destroy();
+ session_start();
+ }
+ $_SESSION['LAST_ACTIVITY'] = time();
 }
 public static function init() {
--
cgit v1.2.3
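Review bot: Rotating the id once it is 900 seconds old, as the `SID_CREATED` block does, shortens the useful life of a leaked id but does not by itself prevent session fixation: an id planted before login stays valid across the login unless `session_regenerate_id(true)` is also called where the user authenticates, which is outside this hunk and should be confirmed. In the timeout branch, the `session_start()` that follows `session_destroy()` will most likely pick the old id up again from the request cookie, so the emptied session continues under the same identifier; adding `session_regenerate_id(true);` and `$_SESSION['SID_CREATED'] = time();` right after that `session_start()` would give the restarted session a fresh id. The cookie deletion hard-codes the path `'/'`, so it only matches if the session cookie was issued with that path, and `session_get_cookie_params()` would supply the configured path and domain instead. I would also reword the comment to `// regenerate session id periodically to limit the lifetime of a leaked id`.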