search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Advisor: don't run 'MyISAM concurrent inserts' on Drizzle
[phpmyadmin.git] / libraries / session.inc.php
bloba829172c919ade9d3dcf00b2cb39d156ebe09729
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * session handling
5 *
6 * @todo add failover or warn if sessions are not configured properly
7 * @todo add an option to use mm-module for session handler
8 * @see http://www.php.net/session
9 * @package phpMyAdmin
10 */
11 if (! defined('PHPMYADMIN')) {
12 exit;
13 }
14
15 // verify if PHP supports session, die if it does not
16
17 if (!@function_exists('session_name')) {
18 PMA_warnMissingExtension('session', true);
19 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
20 // Do not delete the existing session, it might be used by other
21 // applications; instead just close it.
22 session_write_close();
23 }
24
25 // disable starting of sessions before all settings are done
26 // does not work, besides how it is written in php manual
27 //ini_set('session.auto_start', 0);
28
29 // session cookie settings
30 session_set_cookie_params(0, $GLOBALS['PMA_Config']->getCookiePath(),
31 '', $GLOBALS['PMA_Config']->isHttps(), true);
32
33 // cookies are safer (use @ini_set() in case this function is disabled)
34 @ini_set('session.use_cookies', true);
35
36 // optionally set session_save_path
37 $path = $GLOBALS['PMA_Config']->get('SessionSavePath');
38 if (!empty($path)) {
39 session_save_path($path);
40 }
41
42 // but not all user allow cookies
43 @ini_set('session.use_only_cookies', false);
44 @ini_set('session.use_trans_sid', true);
45 @ini_set('url_rewriter.tags',
46 'a=href,frame=src,input=src,form=fakeentry,fieldset=');
47 //ini_set('arg_separator.output', '&amp;');
48
49 // delete session/cookies when browser is closed
50 @ini_set('session.cookie_lifetime', 0);
51
52 // warn but dont work with bug
53 @ini_set('session.bug_compat_42', false);
54 @ini_set('session.bug_compat_warn', true);
55
56 // use more secure session ids
57 @ini_set('session.hash_function', 1);
58
59 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
60 // proxy servers
61 session_cache_limiter('private');
62
63 // start the session
64 // on some servers (for example, sourceforge.net), we get a permission error
65 // on the session data directory, so I add some "@"
66
67 // See bug #1538132. This would block normal behavior on a cluster
68 //ini_set('session.save_handler', 'files');
69
70 $session_name = 'phpMyAdmin';
71 @session_name($session_name);
72
73 if (! isset($_COOKIE[$session_name])) {
74 // on first start of session we check for errors
75 // f.e. session dir cannot be accessed - session file not created
76 $orig_error_count = $GLOBALS['error_handler']->countErrors();
77 $r = session_start();
78 if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
79 setcookie($session_name, '', 1);
80 /*
81 * Session initialization is done before selecting language, so we
82 * can not use translations here.
83 */
84 PMA_fatalError('Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.');
85 }
86 unset($orig_error_count);
87 } else {
88 session_start();
89 }
90
91 /**
92 * Token which is used for authenticating access queries.
93 * (we use "space PMA_token space" to prevent overwriting)
94 */
95 if (! isset($_SESSION[' PMA_token '])) {
96 $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
97 }
98
99 /**
100 * tries to secure session from hijacking and fixation
101 * should be called before login and after successfull login
102 * (only required if sensitive information stored in session)
103 *
104 */
105 function PMA_secureSession()
106 {
107 // prevent session fixation and XSS
108 session_regenerate_id(true);
109 $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
110 }
111 ?>
phpMyAdmin