libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  * @uses    version_compare()
  14  * @uses    PHP_VERSION
  15  */
  16
  17 // verify if PHP supports session, die if it does not
  18
  19 if (!@function_exists('session_name')) {
  20     PMA_fatalError('strCantLoad', 'session');
  21 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  22     $_SESSION = array();
  23     if (isset($_COOKIE[session_name()])) {
  24         PMA_removeCookie(session_name());
  25     }
  26     session_unset();
  27     @session_destroy();
  28 }
  29
  30 // disable starting of sessions before all settings are done
  31 // does not work, besides how it is written in php manual
  32 //ini_set('session.auto_start', 0);
  33
  34 // session cookie settings
  35 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
  36     '', PMA_Config::isHttps());
  37
  38 // cookies are safer
  39 ini_set('session.use_cookies', true);
  40
  41 // but not all user allow cookies
  42 ini_set('session.use_only_cookies', false);
  43 ini_set('session.use_trans_sid', true);
  44 ini_set('url_rewriter.tags',
  45     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  46 //ini_set('arg_separator.output', '&amp;');
  47
  48 // delete session/cookies when browser is closed
  49 ini_set('session.cookie_lifetime', 0);
  50
  51 // warn but dont work with bug
  52 ini_set('session.bug_compat_42', false);
  53 ini_set('session.bug_compat_warn', true);
  54
  55 // use more secure session ids (with PHP 5)
  56 if (version_compare(PHP_VERSION, '5.0.0', 'ge')
  57   && substr(PHP_OS, 0, 3) != 'WIN') {
  58     ini_set('session.hash_function', 1);
  59     ini_set('session.hash_bits_per_character', 6);
  60 }
  61
  62 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  63 // proxy servers
  64 session_cache_limiter('private');
  65
  66 // start the session
  67 // on some servers (for example, sourceforge.net), we get a permission error
  68 // on the session data directory, so I add some "@"
  69
  70 // See bug #1538132. This would block normal behavior on a cluster
  71 //ini_set('session.save_handler', 'files');
  72
  73 $session_name = 'phpMyAdmin';
  74 @session_name($session_name);
  75 // strictly, PHP 4 since 4.4.2 would not need a verification
  76 if (version_compare(PHP_VERSION, '5.1.2', 'lt')
  77  && isset($_COOKIE[$session_name])
  78  && eregi("\r|\n", $_COOKIE[$session_name])) {
  79     die('attacked');
  80 }
  81
  82 if (! isset($_COOKIE[$session_name])) {
  83     // on first start of session we will check for errors
  84     // f.e. session dir cannot be accessed - session file not created
  85     ob_start();
  86     $old_display_errors = ini_get('display_errors');
  87     $old_error_reporting = error_reporting(E_ALL);
  88     ini_set('display_errors', 1);
  89     $r = session_start();
  90     ini_set('display_errors', $old_display_errors);
  91     error_reporting($old_error_reporting);
  92     unset($old_display_errors, $old_error_reporting);
  93     $session_error = ob_get_contents();
  94     ob_end_clean();
  95     if ($r !== true || ! empty($session_error)) {
  96         PMA_fatalError('strSessionStartupErrorGeneral');
  97     }
  98 } else {
  99     @session_start();
 100 }
 101
 102 /**
 103  * Token which is used for authenticating access queries.
 104  * (we use "space PMA_token space" to prevent overwriting)
 105  */
 106 if (!isset($_SESSION[' PMA_token '])) {
 107     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
 108 }
 109
 110 /**
 111  * tries to secure session from hijacking and fixation
 112  * should be called before login and after successfull login
 113  * (only required if sensitive information stored in session)
 114  *
 115  * @uses    session_regenerate_id() to secure session from fixation
 116  * @uses    session_id()            to set new session id
 117  * @uses    strip_tags()            to prevent XSS attacks in SID
 118  * @uses    function_exists()       for session_regenerate_id()
 119  */
 120 function PMA_secureSession()
 121 {
 122     // prevent session fixation and XSS
 123     if (function_exists('session_regenerate_id')) {
 124         session_regenerate_id(true);
 125     } else {
 126         session_id(strip_tags(session_id()));
 127     }
 128 }
 129 ?>