libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  */
  14 if (! defined('PHPMYADMIN')) {
  15     exit;
  16 }
  17
  18 // verify if PHP supports session, die if it does not
  19
  20 if (!@function_exists('session_name')) {
  21     PMA_fatalError('strCantLoad', 'session');
  22 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  23     // Do not delete the existing session, it might be used by other
  24     // applications; instead just close it.
  25     session_write_close();
  26 }
  27
  28 // disable starting of sessions before all settings are done
  29 // does not work, besides how it is written in php manual
  30 //ini_set('session.auto_start', 0);
  31
  32 // session cookie settings
  33 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
  34     '', PMA_Config::isHttps());
  35
  36 // cookies are safer (use @ini_set() in case this function is disabled)
  37 @ini_set('session.use_cookies', true);
  38
  39 // but not all user allow cookies
  40 @ini_set('session.use_only_cookies', false);
  41 @ini_set('session.use_trans_sid', true);
  42 @ini_set('url_rewriter.tags',
  43     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  44 //ini_set('arg_separator.output', '&amp;');
  45
  46 // delete session/cookies when browser is closed
  47 @ini_set('session.cookie_lifetime', 0);
  48
  49 // warn but dont work with bug
  50 @ini_set('session.bug_compat_42', false);
  51 @ini_set('session.bug_compat_warn', true);
  52
  53 // use more secure session ids
  54 @ini_set('session.hash_function', 1);
  55
  56 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  57 // proxy servers
  58 session_cache_limiter('private');
  59
  60 // start the session
  61 // on some servers (for example, sourceforge.net), we get a permission error
  62 // on the session data directory, so I add some "@"
  63
  64 // See bug #1538132. This would block normal behavior on a cluster
  65 //ini_set('session.save_handler', 'files');
  66
  67 $session_name = 'phpMyAdmin';
  68 @session_name($session_name);
  69
  70 if (! isset($_COOKIE[$session_name])) {
  71     // on first start of session we will check for errors
  72     // f.e. session dir cannot be accessed - session file not created
  73     ob_start();
  74     $old_display_errors = ini_get('display_errors');
  75     $old_error_reporting = error_reporting(E_ALL);
  76     @ini_set('display_errors', 1);
  77     $r = session_start();
  78     @ini_set('display_errors', $old_display_errors);
  79     error_reporting($old_error_reporting);
  80     unset($old_display_errors, $old_error_reporting);
  81     $session_error = ob_get_contents();
  82     ob_end_clean();
  83     if ($r !== true || ! empty($session_error)) {
  84         setcookie($session_name, '', 1);
  85         PMA_fatalError('strSessionStartupErrorGeneral');
  86     }
  87 } else {
  88     @session_start();
  89 }
  90
  91 /**
  92  * Token which is used for authenticating access queries.
  93  * (we use "space PMA_token space" to prevent overwriting)
  94  */
  95 if (!isset($_SESSION[' PMA_token '])) {
  96     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
  97 }
  98
  99 /**
 100  * tries to secure session from hijacking and fixation
 101  * should be called before login and after successfull login
 102  * (only required if sensitive information stored in session)
 103  *
 104  * @uses    session_regenerate_id() to secure session from fixation
 105  */
 106 function PMA_secureSession()
 107 {
 108     // prevent session fixation and XSS
 109     session_regenerate_id(true);
 110 }
 111 ?>