libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @todo    add an option to use mm-module for session handler
   7  *
   8  * @package PhpMyAdmin
   9  * @see     https://secure.php.net/session
  10  */
  11 if (! defined('PHPMYADMIN')) {
  12     exit;
  13 }
  14
  15 require_once 'libraries/session.lib.php';
  16
  17 // verify if PHP supports session, die if it does not
  18
  19 if (!@function_exists('session_name')) {
  20     PMA_warnMissingExtension('session', true);
  21 } elseif (ini_get('session.auto_start') !== '' && session_name() != 'phpMyAdmin') {
  22     // Do not delete the existing session, it might be used by other
  23     // applications; instead just close it.
  24     session_write_close();
  25 }
  26
  27 // disable starting of sessions before all settings are done
  28 // does not work, besides how it is written in php manual
  29 //ini_set('session.auto_start', '0');
  30
  31 // session cookie settings
  32 session_set_cookie_params(
  33     0, $GLOBALS['PMA_Config']->getRootPath(),
  34     '', $GLOBALS['PMA_Config']->isHttps(), true
  35 );
  36
  37 // cookies are safer (use @ini_set() in case this function is disabled)
  38 @ini_set('session.use_cookies', 'true');
  39
  40 // optionally set session_save_path
  41 $path = $GLOBALS['PMA_Config']->get('SessionSavePath');
  42 if (!empty($path)) {
  43     session_save_path($path);
  44 }
  45
  46 // use cookies only
  47 @ini_set('session.use_only_cookies', '1');
  48 // strict session mode (do not accept random string as session ID)
  49 @ini_set('session.use_strict_mode', '1');
  50 // make the session cookie HttpOnly
  51 @ini_set('session.cookie_httponly', '1');
  52 // do not force transparent session ids
  53 @ini_set('session.use_trans_sid', '0');
  54
  55 // delete session/cookies when browser is closed
  56 @ini_set('session.cookie_lifetime', '0');
  57
  58 // warn but don't work with bug
  59 @ini_set('session.bug_compat_42', 'false');
  60 @ini_set('session.bug_compat_warn', 'true');
  61
  62 // use more secure session ids
  63 @ini_set('session.hash_function', '1');
  64
  65 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  66 // proxy servers
  67 session_cache_limiter('private');
  68
  69 // start the session
  70 // on some servers (for example, sourceforge.net), we get a permission error
  71 // on the session data directory, so I add some "@"
  72
  73
  74 function PMA_sessionFailed($errors)
  75 {
  76     $messages = array();
  77     foreach ($errors as $error) {
  78         /*
  79          * Remove path from open() in error message to avoid path disclossure
  80          *
  81          * This can happen with PHP 5 when nonexisting session ID is provided,
  82          * since PHP 7, session existence is checked first.
  83          *
  84          * This error can also happen in case of session backed error (eg.
  85          * read only filesystem) on any PHP version.
  86          *
  87          * The message string is currently hardcoded in PHP, so hopefully it
  88          * will not change in future.
  89          */
  90         $messages[] = preg_replace(
  91             '/open\(.*, O_RDWR\)/',
  92             'open(SESSION_FILE, O_RDWR)',
  93             htmlspecialchars($error->getMessage())
  94         );
  95     }
  96
  97     /*
  98      * Session initialization is done before selecting language, so we
  99      * can not use translations here.
 100      */
 101     PMA_fatalError(
 102         'Error during session start; please check your PHP and/or '
 103         . 'webserver log file and configure your PHP '
 104         . 'installation properly. Also ensure that cookies are enabled '
 105         . 'in your browser.'
 106         . '<br /><br />'
 107         . implode('<br /><br />', $messages)
 108     );
 109 }
 110
 111 // See bug #1538132. This would block normal behavior on a cluster
 112 //ini_set('session.save_handler', 'files');
 113
 114 $session_name = 'phpMyAdmin';
 115 @session_name($session_name);
 116
 117 // on first start of session we check for errors
 118 // f.e. session dir cannot be accessed - session file not created
 119 $orig_error_count = $GLOBALS['error_handler']->countErrors(false);
 120
 121 $session_result = session_start();
 122
 123 if ($session_result !== true
 124     || $orig_error_count != $GLOBALS['error_handler']->countErrors(false)
 125 ) {
 126     setcookie($session_name, '', 1);
 127     $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
 128     PMA_sessionFailed($errors);
 129 }
 130 unset($orig_error_count, $session_result);
 131
 132 /**
 133  * Disable setting of session cookies for further session_start() calls.
 134  */
 135 @ini_set('session.use_cookies', 'true');
 136
 137 /**
 138  * Token which is used for authenticating access queries.
 139  * (we use "space PMA_token space" to prevent overwriting)
 140  */
 141 if (! isset($_SESSION[' PMA_token '])) {
 142     PMA_generateToken();
 143
 144     /**
 145      * Check for disk space on session storage by trying to write it.
 146      *
 147      * This seems to be most reliable approach to test if sessions are working,
 148      * otherwise the check would fail with custom session backends.
 149      */
 150     $orig_error_count = $GLOBALS['error_handler']->countErrors();
 151     session_write_close();
 152     if ($GLOBALS['error_handler']->countErrors() > $orig_error_count) {
 153         $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
 154         PMA_sessionFailed($errors);
 155     }
 156     session_start();
 157 }