libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  * @uses    version_compare()
  14  * @uses    PHP_VERSION
  15  */
  16
  17 // verify if PHP supports session, die if it does not
  18
  19 if (!@function_exists('session_name')) {
  20     PMA_fatalError('strCantLoad', 'session');
  21 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  22     // Do not delete the existing session, it might be used by other
  23     // applications; instead just close it.
  24     session_write_close();
  25 }
  26
  27 // disable starting of sessions before all settings are done
  28 // does not work, besides how it is written in php manual
  29 //ini_set('session.auto_start', 0);
  30
  31 // session cookie settings
  32 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
  33     '', PMA_Config::isHttps());
  34
  35 // cookies are safer
  36 ini_set('session.use_cookies', true);
  37
  38 // but not all user allow cookies
  39 ini_set('session.use_only_cookies', false);
  40 ini_set('session.use_trans_sid', true);
  41 ini_set('url_rewriter.tags',
  42     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  43 //ini_set('arg_separator.output', '&amp;');
  44
  45 // delete session/cookies when browser is closed
  46 ini_set('session.cookie_lifetime', 0);
  47
  48 // warn but dont work with bug
  49 ini_set('session.bug_compat_42', false);
  50 ini_set('session.bug_compat_warn', true);
  51
  52 // use more secure session ids (with PHP 5)
  53 if (version_compare(PHP_VERSION, '5.0.0', 'ge')) {
  54     ini_set('session.hash_function', 1);
  55 }
  56
  57 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  58 // proxy servers
  59 session_cache_limiter('private');
  60
  61 // start the session
  62 // on some servers (for example, sourceforge.net), we get a permission error
  63 // on the session data directory, so I add some "@"
  64
  65 // See bug #1538132. This would block normal behavior on a cluster
  66 //ini_set('session.save_handler', 'files');
  67
  68 $session_name = 'phpMyAdmin';
  69 @session_name($session_name);
  70 // strictly, PHP 4 since 4.4.2 would not need a verification
  71 if (version_compare(PHP_VERSION, '5.1.2', 'lt')
  72  && isset($_COOKIE[$session_name])
  73  && eregi("\r|\n", $_COOKIE[$session_name])) {
  74     die('attacked');
  75 }
  76
  77 if (! isset($_COOKIE[$session_name])) {
  78     // on first start of session we will check for errors
  79     // f.e. session dir cannot be accessed - session file not created
  80     ob_start();
  81     $old_display_errors = ini_get('display_errors');
  82     $old_error_reporting = error_reporting(E_ALL);
  83     ini_set('display_errors', 1);
  84     $r = session_start();
  85     ini_set('display_errors', $old_display_errors);
  86     error_reporting($old_error_reporting);
  87     unset($old_display_errors, $old_error_reporting);
  88     $session_error = ob_get_contents();
  89     ob_end_clean();
  90     if ($r !== true || ! empty($session_error)) {
  91         setcookie($session_name, '', 1);
  92         PMA_fatalError('strSessionStartupErrorGeneral');
  93     }
  94 } else {
  95     @session_start();
  96 }
  97
  98 /**
  99  * Token which is used for authenticating access queries.
 100  * (we use "space PMA_token space" to prevent overwriting)
 101  */
 102 if (!isset($_SESSION[' PMA_token '])) {
 103     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
 104 }
 105
 106 /**
 107  * tries to secure session from hijacking and fixation
 108  * should be called before login and after successfull login
 109  * (only required if sensitive information stored in session)
 110  *
 111  * @uses    session_regenerate_id() to secure session from fixation
 112  * @uses    session_id()            to set new session id
 113  * @uses    strip_tags()            to prevent XSS attacks in SID
 114  * @uses    function_exists()       for session_regenerate_id()
 115  */
 116 function PMA_secureSession()
 117 {
 118     // prevent session fixation and XSS
 119     if (function_exists('session_regenerate_id')) {
 120         session_regenerate_id(true);
 121     } else {
 122         session_id(strip_tags(session_id()));
 123     }
 124 }
 125 ?>