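<?php

/**
 * Tweak ini settings
 *
 * Hardens the runtime for session handling, error display and filesystem
 * access. Expects $config (an object exposing get($name, $default)) to be in
 * scope from the including file; it is not defined here.
 *
 * Values are passed to ini_set() as strings so the calls behave the same
 * under PHP 5.6 (string $value) and PHP 8 (string|int|float|bool|null).
 *
 * @package framework
 * @subpackage setup
 */

/* compress output if possible.
 * NOTE(review): compressing responses that mix a secret with attacker-influenced
 * content enables compression side channels (BREACH); confirm this is acceptable
 * for authenticated pages. */
ini_set('zlib.output_compression', 'On');

/* limit cookie life to the session */
ini_set('session.cookie_lifetime', '0');

/* force cookies only (the directive is "session.use_cookies", plural; the
 * singular form is not a PHP directive and ini_set() silently rejects it) */
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');

/* strict session mode: refuse to adopt an uninitialized session id presented
 * by the client (session fixation mitigation) */
ini_set('session.use_strict_mode', '1');

/* limit session cookie to HTTP only */
ini_set('session.cookie_httponly', '1');

/* SameSite is only understood by the session extension from PHP 7.3 on.
 * PHP_VERSION_ID avoids the float-cast version comparison, which breaks on
 * two-digit version components. */
if (PHP_VERSION_ID >= 70300) {
    ini_set('session.cookie_samesite', 'Strict');
}

/* HTTPS required for session cookie unless the deployment opts out */
if (!$config->get('disable_tls', false)) {
    ini_set('session.cookie_secure', '1');
}

/* gc max lifetime (seconds) */
ini_set('session.gc_maxlifetime', '1440');

/* disable trans sid: never put the session id in URLs */
ini_set('session.use_trans_sid', '0');

/* don't allow dynamic page caching */
ini_set('session.cache_limiter', 'nocache');

/* session hash mechanism. The directive was removed in PHP 7.1 (session ids
 * are governed by session.sid_length / session.sid_bits_per_character from
 * then on), so it is only set where it still exists. */
if (PHP_VERSION_ID < 70100) {
    if (PHP_MAJOR_VERSION === 5 && PHP_MINOR_VERSION === 6) {
        /* on 5.6 the numeric value 1 selects SHA-1 */
        ini_set('session.hash_function', '1');
    }
    else {
        ini_set('session.hash_function', 'sha256');
    }
}

/* session name */
ini_set('session.name', 'hm_session');

/* disable remote includes.
 * NOTE(review): allow_url_include is a PHP_INI_SYSTEM directive, so this call
 * has no effect at runtime; it documents intent, but the setting must be
 * enforced in php.ini (or the SAPI configuration) to actually apply. */
ini_set('allow_url_include', '0');

/* when display_errors is on PHP returns a 200 when it should be a 500.
 * The startup directive is spelled display_startup_errors. */
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');

/* restrict filesystem access (open_basedir) to the application root, the
 * upload temp dir, the kernel randomness source and any configured data
 * directories that are readable. The variables below stay defined even when
 * the restriction is disabled, for including code that may read them. */
$tmp_dir = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
$disabled = $config->get('disable_open_basedir', false);
/* /dev/urandom is presumably listed so randomness reads keep working under
 * open_basedir — TODO confirm it is still needed on supported PHP versions */
$base_dirs = [dirname(__DIR__), $tmp_dir, '/dev/urandom'];
foreach (['app_data_dir', 'user_settings_dir', 'attachment_dir'] as $dir) {
    /* read each setting once instead of three times */
    $path = $config->get($dir, false);
    if ($path && is_readable($path)) {
        $base_dirs[] = $path;
    }
}
$base = implode(PATH_SEPARATOR, $base_dirs);
if (!$disabled) {
    ini_set('open_basedir', $base);
}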