add session cleanup

Author: simonLeary42

defaults/config.ini.default

@@ -18,6 +18,7 @@ enable_verbose_error_log = true ; internal use only
 enable_redirect_message = true ; internal use only
 enable_exception_handler = true ; internal use only
 enable_error_handler = true ; internal use only
+session_cleanup_age_seconds = 1800 ; how old a session must be before messages and CSRF tokens are cleared
 
 [ldap]
 uri = "ldap://identity"  ; URI of remote LDAP server

resources/init.php

@@ -42,6 +42,13 @@
     $_SESSION["csrf_tokens"] = [];
 }
 
+// https://stackoverflow.com/a/1270960/18696276
+if (time() - ($_SESSION["LAST_ACTIVITY"] ?? 0) > CONFIG["site"]["session_cleanup_age_seconds"]) {
+    $_SESSION["csrf_tokens"] = [];
+    $_SESSION["messages"] = [];
+}
+$_SESSION["LAST_ACTIVITY"] = time();
+
 if (isset($_SERVER["REMOTE_USER"])) {
     // Check if SSO is enabled on this page
     $SSO = UnitySSO::getSSO();