libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  */
  14
  15 // verify if PHP supports session, die if it does not
  16
  17 if (!@function_exists('session_name')) {
  18     PMA_fatalError('strCantLoad', 'session');
  19 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  20     // Do not delete the existing session, it might be used by other
  21     // applications; instead just close it.
  22     session_write_close();
  23 }
  24
  25 // disable starting of sessions before all settings are done
  26 // does not work, besides how it is written in php manual
  27 //ini_set('session.auto_start', 0);
  28
  29 // session cookie settings
  30 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
  31     '', PMA_Config::isHttps());
  32
  33 // cookies are safer
  34 ini_set('session.use_cookies', true);
  35
  36 // but not all user allow cookies
  37 ini_set('session.use_only_cookies', false);
  38 ini_set('session.use_trans_sid', true);
  39 ini_set('url_rewriter.tags',
  40     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  41 //ini_set('arg_separator.output', '&amp;');
  42
  43 // delete session/cookies when browser is closed
  44 ini_set('session.cookie_lifetime', 0);
  45
  46 // warn but dont work with bug
  47 ini_set('session.bug_compat_42', false);
  48 ini_set('session.bug_compat_warn', true);
  49
  50 // use more secure session ids (with PHP 5)
  51 if (substr(PHP_OS, 0, 3) != 'WIN') {
  52     ini_set('session.hash_function', 1);
  53     ini_set('session.hash_bits_per_character', 6);
  54 }
  55
  56 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  57 // proxy servers
  58 session_cache_limiter('private');
  59
  60 // start the session
  61 // on some servers (for example, sourceforge.net), we get a permission error
  62 // on the session data directory, so I add some "@"
  63
  64 // See bug #1538132. This would block normal behavior on a cluster
  65 //ini_set('session.save_handler', 'files');
  66
  67 $session_name = 'phpMyAdmin';
  68 @session_name($session_name);
  69
  70 if (! isset($_COOKIE[$session_name])) {
  71     // on first start of session we will check for errors
  72     // f.e. session dir cannot be accessed - session file not created
  73     ob_start();
  74     $old_display_errors = ini_get('display_errors');
  75     $old_error_reporting = error_reporting(E_ALL);
  76     ini_set('display_errors', 1);
  77     $r = session_start();
  78     ini_set('display_errors', $old_display_errors);
  79     error_reporting($old_error_reporting);
  80     unset($old_display_errors, $old_error_reporting);
  81     $session_error = ob_get_contents();
  82     ob_end_clean();
  83     if ($r !== true || ! empty($session_error)) {
  84         setcookie($session_name, '', 1);
  85         PMA_fatalError('strSessionStartupErrorGeneral');
  86     }
  87 } else {
  88     @session_start();
  89 }
  90
  91 /**
  92  * Token which is used for authenticating access queries.
  93  * (we use "space PMA_token space" to prevent overwriting)
  94  */
  95 if (!isset($_SESSION[' PMA_token '])) {
  96     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
  97 }
  98
  99 /**
 100  * tries to secure session from hijacking and fixation
 101  * should be called before login and after successfull login
 102  * (only required if sensitive information stored in session)
 103  *
 104  * @uses    session_regenerate_id() to secure session from fixation
 105  */
 106 function PMA_secureSession()
 107 {
 108     // prevent session fixation and XSS
 109     session_regenerate_id(true);
 110 }
 111 ?>