From 4441d6e66614ddf9fb6644338ee09549b42b6fd2 Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Sat, 18 Apr 2020 14:05:16 -0500
Subject: [PATCH 1/2] Guard e_session::setDefaultSystemConfig() to dedent function
---
 e107_handlers/session_handler.php | 87 +++++++++++++++----------------
 1 file changed, 43 insertions(+), 44 deletions(-)
diff --git a/e107_handlers/session_handler.php b/e107_handlers/session_handler.php
index 16f8e3143..6b03a45a7 100644
--- a/e107_handlers/session_handler.php
+++ b/e107_handlers/session_handler.php
@@ -194,59 +194,58 @@ class e_session
 */
 public function setDefaultSystemConfig()
 {
- if(!$this->getSessionId())
- {
- $config = array(
- 'ValidateRemoteAddr' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED),
- 'ValidateHttpVia' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_HIGH),
- 'ValidateHttpXForwardedFor' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED),
- 'ValidateHttpUserAgent' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_HIGH),
- );
-
- $options = array(
- // 'httponly' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_PARANOID),
- 'httponly' => true,
- );
-
- if(!defined('E107_INSTALL'))
- {
- $systemSaveMethod = ini_get('session.save_handler');
+ if ($this->getSessionId()) return $this;
 
- // e107::getDebug()->log("Save Method:".$systemSaveMethod);
+ $config = array(
+ 'ValidateRemoteAddr' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED),
+ 'ValidateHttpVia' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_HIGH),
+ 'ValidateHttpXForwardedFor' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED),
+ 'ValidateHttpUserAgent' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_HIGH),
+ );
 
- $saveMethod = (!empty($systemSaveMethod)) ? $systemSaveMethod : 'files';
+ $options = array(
+ // 'httponly' => (e_SECURITY_LEVEL >= self::SECURITY_LEVEL_PARANOID),
+ 'httponly' => true,
+ );
 
- $config['SavePath'] = e107::getPref('session_save_path', false); // FIXME - new pref
- $config['SaveMethod'] = e107::getPref('session_save_method', $saveMethod); // FIXME - new pref
- $options['lifetime'] = (integer) e107::getPref('session_lifetime', 86400); //
- $options['path'] = e107::getPref('session_cookie_path', ''); // FIXME - new pref
- $options['secure'] = e107::getPref('ssl_enabled', false); //
+ if (!defined('E107_INSTALL'))
+ {
+ $systemSaveMethod = ini_get('session.save_handler');
 
- if(!empty($options['secure']))
- {
- ini_set('session.cookie_secure', 1);
- }
- }
+ // e107::getDebug()->log("Save Method:".$systemSaveMethod);
 
- if(defined('SESSION_SAVE_PATH')) // safer than a pref.
- {
- $config['SavePath'] = e_BASE. SESSION_SAVE_PATH;
- }
+ $saveMethod = (!empty($systemSaveMethod)) ? $systemSaveMethod : 'files';
 
- $hashes = hash_algos();
+ $config['SavePath'] = e107::getPref('session_save_path', false); // FIXME - new pref
+ $config['SaveMethod'] = e107::getPref('session_save_method', $saveMethod); // FIXME - new pref
+ $options['lifetime'] = (integer)e107::getPref('session_lifetime', 86400); //
+ $options['path'] = e107::getPref('session_cookie_path', ''); // FIXME - new pref
+ $options['secure'] = e107::getPref('ssl_enabled', false); //
 
- if((e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED) && in_array('sha512',$hashes))
- {
- ini_set('session.hash_function', 'sha512');
- ini_set('session.hash_bits_per_character', 5);
- }
+ if (!empty($options['secure']))
+ {
+ ini_set('session.cookie_secure', 1);
+ }
+ }
 
-
- $this->setConfig($config)
- ->setOptions($options);
- }
+ if (defined('SESSION_SAVE_PATH')) // safer than a pref.
+ {
+ $config['SavePath'] = e_BASE . SESSION_SAVE_PATH;
+ }
 
- return $this;
+ $hashes = hash_algos();
+
+ if ((e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED) && in_array('sha512', $hashes))
+ {
+ ini_set('session.hash_function', 'sha512');
+ ini_set('session.hash_bits_per_character', 5);
+ }
+
+
+ $this->setConfig($config)
+ ->setOptions($options);
+
+ return $this;
 }
 
 /**
From 5d982561c3bb49e38fff5aa7f793ccceecdc6ed0 Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Sat, 18 Apr 2020 14:10:02 -0500
Subject: [PATCH 2/2] Fixes #4113 - Enable session file garbage collection
---
 e107_handlers/session_handler.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/e107_handlers/session_handler.php b/e107_handlers/session_handler.php
index 6b03a45a7..3cbc3b732 100644
--- a/e107_handlers/session_handler.php
+++ b/e107_handlers/session_handler.php
@@ -241,12 +241,30 @@ class e_session
 ini_set('session.hash_bits_per_character', 5);
 }
 
 
+ $this->fixSessionFileGarbageCollection();
 $this->setConfig($config)
 ->setOptions($options);
 
 return $this;
 }
+
+ /**
+ * Modify PHP ini at runtime to enable session file garbage collection
+ *
+ * Takes no action if the garbage collector is already enabled.
+ *
+ * @see https://github.com/e107inc/e107/issues/4113
+ * @return void
+ */
+ private function fixSessionFileGarbageCollection()
+ {
+ $gc_probability = ini_get('session.gc_probability');
+ if ($gc_probability > 0) return;
+
+ ini_set('session.gc_probability', 1);
+ ini_set('session.gc_divisor', 100);
+ }
 
 /**
 * Retrieve value from current session namespace
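Review bot: The session-id hardening block carried over on the new side, `ini_set('session.hash_function', 'sha512')` and `ini_set('session.hash_bits_per_character', 5)` under `e_SECURITY_LEVEL >= self::SECURITY_LEVEL_BALANCED`, targets directives that PHP 7.1 removed, so on current PHP both `ini_set()` calls return false and the intended stronger session id silently never applies; the PHP 7.1+ equivalents are `session.sid_length` and `session.sid_bits_per_character`, and the branch should select on `PHP_VERSION_ID` or at least check the `ini_set()` return value rather than assume success. The membership test `in_array('sha512', $hashes)` should also pass `true` as its third argument. As a style point, the new early return `if ($this->getSessionId()) return $this;` is the only brace-less conditional in a method whose every other `if` puts `{` on its own line; `if ($this->getSessionId()) { return $this; }` keeps the method consistent.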
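Review bot: `fixSessionFileGarbageCollection()` turns garbage collection on for whatever save handler and save path happen to be in effect, but a zero `session.gc_probability` is often deliberate: distribution packages (Debian-derived systems, for instance) ship it as 0 and clean the system session directory from cron, and that directory is typically not readable by the web user, so PHP's own collection pass then fails with a permission-denied notice whenever it fires. It would be safer to enable collection only when the handler is `files` and the path is one e107 controls (for example when `SESSION_SAVE_PATH` is defined or `$config['SavePath']` is set by the caller), or at least to check `is_readable(session_save_path())` before overriding the two directives. The guard `if ($gc_probability > 0) return;` compares the string `ini_get()` returns; `if ((int) ini_get('session.gc_probability') > 0) { return; }` makes the intent explicit and matches the file's brace style. The enclosing `setDefaultSystemConfig()` starts outside this hunk.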