Add MISP recommendations about PHP sessions settings

[egypcio]

Description

Add MISP recommendations about PHP sessions settings

Motivation and Context

Once we wave a new deployment of MISP and check the /servers/serverSettings/diagnostics route, there are quite a few tweaks one can plan to change in the system to improve a better experience while using (and maintaining) a MISP instance.

Here we are motivated to address the following:

• Apply values recommended to setup (and harden) PHP sessions;
• Ensure we have use_strict_mode set to true;
• Ensure sid-length has at least 32 chars/bits (recommended by the PHP Project itself too).

How Has This Been Tested?

• Applied this role, against fresh deployed machines using the particular versions affected by this change request;
• Logged as admin user and executed the MISP server's diagnostic checks;
• Verified if the template itself added the changes to /etc/php/7.4/apache2/conf.d/99-misp.ini;
  • that is a symlink to /etc/php/7.4/mods-available/misp-php.ini;
  • it was tested on Debian/Ubuntu servers, that explains this path here.

Types of changes

• [ ] Bug fix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• [x] My code follows the code style of this project.
• [ ] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [ ] I have added tests to cover my changes.
• [ ] All new and existing tests passed including pre-commit and github actions.
• [x] Used in production.

[juju4]

Like gpg, this is more something that I would leave to an apache role, aka harden-apache added the sid length a while ago - https://github.com/juju4/ansible-harden-apache/commit/23bc9a1055e601f72160e0c9c6fba9b03c6ae38b strict already included before

I need to review how this file is used as likely old work and duplicated.

[egypcio]

IMHO it wouldn't hurt to add/leave those into this role's php.ini (misp-php.ini.j2), but I understand your point.

all fine for you to close this one. much appreciated for the time of writing back!

[juju4]

Closing as leaving those to external role.