Enforce defaults to improve security baseline (#216)

* feature: type safe getters closes #81 * loosen type (can be array access) * feature: enforce defaults for new sessions closes #200 * feature: remove unused hash function * feature: enhance default id length * tweak: suppress ini errors
PhpGt · Jan 18, 2023 · d720a13 · d720a13
1 parent bfe0776
commit d720a13
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/Session.php b/src/Session.php
@@ -4,7 +4,6 @@
 use Gt\TypeSafeGetter\NullableTypeSafeGetter;
 use Gt\TypeSafeGetter\TypeSafeGetter;
 use SessionHandlerInterface;
-
 class Session implements SessionContainer, TypeSafeGetter {
 	use NullableTypeSafeGetter;
 
@@ -15,6 +14,10 @@ class Session implements SessionContainer, TypeSafeGetter {
 	const DEFAULT_SESSION_SECURE = true;
 	const DEFAULT_SESSION_HTTPONLY = true;
 	const DEFAULT_COOKIE_PATH = "/";
+	const DEFAULT_COOKIE_SAMESITE = "Strict";
+	const DEFAULT_STRICT_MODE = true;
+	const DEFAULT_SESSION_ID_LENGTH = 64;
+	const DEFAULT_SESSION_ID_BITS_PER_CHARACTER = 5;
 
 	protected string $id;
 	protected SessionHandlerInterface $sessionHandler;
@@ -28,6 +31,9 @@ public function __construct(
 	) {
 		$this->sessionHandler = $sessionHandler;
 
+		@ini_set("session.sid_length", $config["sid_length"] ?? self::DEFAULT_SESSION_ID_LENGTH);
+		@ini_set("session.sid_bits_per_character", $config["sid_bits_per_character"] ?? (string)self::DEFAULT_SESSION_ID_BITS_PER_CHARACTER);
+
 		if(is_null($id)) {
 			$id = $this->getId();
 		}
@@ -49,6 +55,8 @@ public function __construct(
 				"cookie_domain" => $config["cookie_domain"] ?? self::DEFAULT_SESSION_DOMAIN,
 				"cookie_secure" => $config["cookie_secure"] ?? self::DEFAULT_SESSION_SECURE,
 				"cookie_httponly" => $config["cookie_httponly"] ?? self::DEFAULT_SESSION_HTTPONLY,
+				"cookie_samesite" => $config["cookie_samesite"] ?? self::DEFAULT_COOKIE_SAMESITE,
+				"use_strict_mode" => $config["use_strict_mode"] ?? self::DEFAULT_STRICT_MODE,
 			]);
 
 			if(!$success) {