libraries/session.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session library
   5  *
   6  * @package PhpMyAdmin
   7  */
   8
   9 /**
  10  * tries to secure session from hijacking and fixation
  11  * should be called before login and after successful login
  12  * (only required if sensitive information stored in session)
  13  *
  14  * @return void
  15  */
  16 function PMA_secureSession()
  17 {
  18     // prevent session fixation and XSS
  19     if (session_status() === PHP_SESSION_ACTIVE && ! defined('TESTSUITE')) {
  20         session_regenerate_id(true);
  21     }
  22     PMA_generateToken();
  23 }
  24
  25
  26 /**
  27  * Generates PMA_token session variable.
  28  *
  29  * @return void
  30  */
  31 function PMA_generateToken()
  32 {
  33     if (class_exists('phpseclib\Crypt\Random')) {
  34         $_SESSION[' PMA_token '] = bin2hex(phpseclib\Crypt\Random::string(16));
  35     } else {
  36         $_SESSION[' PMA_token '] = bin2hex(openssl_random_pseudo_bytes(16));
  37     }
  38
  39     /**
  40      * Check if token is properly generated (the genration can fail, for example
  41      * due to missing /dev/random for openssl).
  42      */
  43     if (empty($_SESSION[' PMA_token '])) {
  44         PMA_fatalError(
  45             'Failed to generate random CSRF token!'
  46         );
  47     }
  48 }