opensmtpdadmin/session.inc.php

50 lines
1.1 KiB
PHP

<?php
/**
* OpenSMTPD Admin Session Hardening
* by Jeroen Janssen <jeroen at laylo dot io>
* Copyright (c) 2022 LAYLO
*/
/* Compress the output */
if (version_compare(PHP_VERSION, 8.0, '<')) {
ini_set('zlib.output_compression', 'On');
}
/* Limit the cookies to the session lifetime */
ini_set('session.cookie_lifetime', 0);
/* Use only cookies */
ini_set('session.use_cookie', 1);
ini_set('session.use_only_cookies', 1);
/* Use strict session mode */
ini_set('session.use_strict_mode', 1);
/* Limit session cookie to HTTP */
ini_set('session.cookie_httponly', 1);
if (version_compare(PHP_VERSION, 7.3, '>=')) {
ini_set('session.cookie_samesite', 'Strict');
}
/* Only set cookies on HTTPS */
ini_set('session.cookie_secure', 1);
/* GC max lifetime */
ini_set('session.gc_maxlifetime', 1440);
/* Disable trans sid */
ini_set('session.use_trans_sid', 0);
/* Do not allow session cache */
ini_set('session.cache_limiter', 'nocache');
/* Set the cookie hash to SHA256 */
ini_set('session.hash_function', 'sha256');
// Set the session name
ini_set('session.name', 'osmtpda_session');
// Disallow remote includes
ini_set('allow_url_include', 0);
?>