From 0a41b069fcabd8ffcd1d31e509e3327add88dbc5 Mon Sep 17 00:00:00 2001
From: markjcrane
Date: Fri, 21 Aug 2015 11:21:08 -0600
Subject: [PATCH] Add a new default settings -> security -> session_rotate.

---
 core/default_settings/app_defaults.php | 7 +++++++
 resources/php.php | 22 +++++++++-------------
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/core/default_settings/app_defaults.php b/core/default_settings/app_defaults.php
index ad4c065803..84b87b077a 100644
--- a/core/default_settings/app_defaults.php
+++ b/core/default_settings/app_defaults.php
@@ -50,6 +50,13 @@ if ($domains_processed == 1) {
 $array[$x]['default_setting_enabled'] = 'true';
 $array[$x]['default_setting_description'] = 'Set the default strength for system generated passwords. Valid Options: 1 - Numeric Only, 2 - Include Lower Apha, 3 - Include Upper Alpha, 4 - Include Special Characters.';
 $x++;
+ $array[$x]['default_setting_category'] = 'security';
+ $array[$x]['default_setting_subcategory'] = 'session_rotate';
+ $array[$x]['default_setting_name'] = 'text';
+ $array[$x]['default_setting_value'] = '4';
+ $array[$x]['default_setting_enabled'] = 'true';
+ $array[$x]['default_setting_description'] = 'Whether to regenerate the session ID.';
+ $x++;
 $array[$x]['default_setting_category'] = 'email';
 $array[$x]['default_setting_subcategory'] = 'smtp_auth';
 $array[$x]['default_setting_name'] = 'var';
diff --git a/resources/php.php b/resources/php.php
index a994c652a6..7ab3bf6a96 100644
--- a/resources/php.php
+++ b/resources/php.php
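Review bot: The new default is declared with `default_setting_name = 'text'` and `default_setting_value = '4'`, but the consumer added to resources/php.php in this same commit reads `$_SESSION['security']['session_rotate']['boolean']` and compares it with "true", so the setting as written can never select the rotate branch and session ID regeneration, which the old code ran unconditionally, ends up off by default. The name and value look copied from the preceding password-strength entry rather than chosen for a yes/no switch, which the description "Whether to regenerate the session ID." also implies. Assuming default settings are loaded into the session keyed by category/subcategory/name as the consumer's lookup suggests, the two lines should read `$array[$x]['default_setting_name'] = 'boolean';` and `$array[$x]['default_setting_value'] = 'true';`.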
@@ -30,20 +30,16 @@
 //session handling
 //start the session
 session_start();
- //set the last activity time stamp
- $_SESSION['session']['last_activity'] = time();
- //check whether to timout the session
- //if (isset($_SESSION['session']['last_activity']) && (time() - $_SESSION['session']['last_activity'] > 14400)) {
- // session_destroy(); // destroy session data in storage
- // session_unset(); // unset $_SESSION variable for the runtime
- //}
 //regenerate sessions to avoid session id attacks such as session fixation
- if (!isset($_SESSION['session']['created'])) {
- $_SESSION['session']['created'] = time();
- } else if (time() - $_SESSION['session']['created'] > 28800) {
- // session started more than 8 hours ago
- session_regenerate_id(true); // rotate the session id
- $_SESSION['session']['created'] = time(); // update creation time
+ if ($_SESSION['security']['session_rotate']['boolean'] == "true") {
+ $_SESSION['session']['last_activity'] = time();
+ if (!isset($_SESSION['session']['created'])) {
+ $_SESSION['session']['created'] = time();
+ } else if (time() - $_SESSION['session']['created'] > 28800) {
+ // session started more than 8 hours ago
+ session_regenerate_id(true); // rotate the session id
+ $_SESSION['session']['created'] = time(); // update creation time
+ }
 }
 //get the document_root parent directory
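Review bot: The first added line dereferences `$_SESSION['security']['session_rotate']['boolean']` with no isset() guard, so whenever the setting is absent (a deployment without the new default, or a request where the settings have not yet been loaded into the session after session_start()) it emits an undefined-index notice and evaluates false, silently skipping the regeneration that the removed lines performed unconditionally; a missing setting should fail safe by still rotating. Suggest `if (!isset($_SESSION['security']['session_rotate']['boolean']) || $_SESSION['security']['session_rotate']['boolean'] === "true") {`, which also replaces the loose `==` with a strict comparison. Separately, `$_SESSION['session']['last_activity'] = time();` was previously written on every request and is now only written when rotation is enabled; unless nothing reads it (not visible here), move that line back above the if so the timestamp does not depend on the rotate setting.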