Clarify FAQ 5.18; put the vim modeline higher in the file so that it works
[phpmyadmin/crack.git] / libraries / session.inc.php
blobd2557c64b2e570bf571ec7653a83db4296049231
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * session handling
6 * @version $Id$
7 * @todo add failover or warn if sessions are not configured properly
8 * @todo add an option to use mm-module for session handler
9 * @see http://www.php.net/session
10 * @uses session_name()
11 * @uses session_start()
12 * @uses ini_set()
13 * @package phpMyAdmin
15 if (! defined('PHPMYADMIN')) {
16 exit;
19 // verify if PHP supports session, die if it does not
21 if (!@function_exists('session_name')) {
22 PMA_fatalError('strCantLoad', 'session');
23 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
24 // Do not delete the existing session, it might be used by other
25 // applications; instead just close it.
26 session_write_close();
29 // disable starting of sessions before all settings are done
30 // does not work, besides how it is written in php manual
31 //ini_set('session.auto_start', 0);
33 // session cookie settings
34 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
35 '', PMA_Config::isHttps());
37 // cookies are safer (use @ini_set() in case this function is disabled)
38 @ini_set('session.use_cookies', true);
40 // but not all user allow cookies
41 @ini_set('session.use_only_cookies', false);
42 @ini_set('session.use_trans_sid', true);
43 @ini_set('url_rewriter.tags',
44 'a=href,frame=src,input=src,form=fakeentry,fieldset=');
45 //ini_set('arg_separator.output', '&amp;');
47 // delete session/cookies when browser is closed
48 @ini_set('session.cookie_lifetime', 0);
50 // warn but dont work with bug
51 @ini_set('session.bug_compat_42', false);
52 @ini_set('session.bug_compat_warn', true);
54 // use more secure session ids
55 @ini_set('session.hash_function', 1);
57 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
58 // proxy servers
59 session_cache_limiter('private');
61 // start the session
62 // on some servers (for example, sourceforge.net), we get a permission error
63 // on the session data directory, so I add some "@"
65 // See bug #1538132. This would block normal behavior on a cluster
66 //ini_set('session.save_handler', 'files');
68 $session_name = 'phpMyAdmin';
69 @session_name($session_name);
71 if (! isset($_COOKIE[$session_name])) {
72 // on first start of session we check for errors
73 // f.e. session dir cannot be accessed - session file not created
74 $orig_error_count = $GLOBALS['error_handler']->countErrors();
75 $r = session_start();
76 if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
77 setcookie($session_name, '', 1);
78 PMA_fatalError('strSessionStartupErrorGeneral');
80 unset($orig_error_count);
81 } else {
82 @session_start();
85 /**
86 * Token which is used for authenticating access queries.
87 * (we use "space PMA_token space" to prevent overwriting)
89 if (!isset($_SESSION[' PMA_token '])) {
90 $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
93 /**
94 * tries to secure session from hijacking and fixation
95 * should be called before login and after successfull login
96 * (only required if sensitive information stored in session)
98 * @uses session_regenerate_id() to secure session from fixation
100 function PMA_secureSession()
102 // prevent session fixation and XSS
103 session_regenerate_id(true);