libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  * @package phpMyAdmin
  14  */
  15 if (! defined('PHPMYADMIN')) {
  16     exit;
  17 }
  18
  19 // verify if PHP supports session, die if it does not
  20
  21 if (!@function_exists('session_name')) {
  22     PMA_fatalError('strCantLoad', 'session');
  23 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  24     // Do not delete the existing session, it might be used by other
  25     // applications; instead just close it.
  26     session_write_close();
  27 }
  28
  29 // disable starting of sessions before all settings are done
  30 // does not work, besides how it is written in php manual
  31 //ini_set('session.auto_start', 0);
  32
  33 // session cookie settings
  34 session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
  35     '', PMA_Config::isHttps());
  36
  37 // cookies are safer (use @ini_set() in case this function is disabled)
  38 @ini_set('session.use_cookies', true);
  39
  40 // but not all user allow cookies
  41 @ini_set('session.use_only_cookies', false);
  42 @ini_set('session.use_trans_sid', true);
  43 @ini_set('url_rewriter.tags',
  44     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  45 //ini_set('arg_separator.output', '&amp;');
  46
  47 // delete session/cookies when browser is closed
  48 @ini_set('session.cookie_lifetime', 0);
  49
  50 // warn but dont work with bug
  51 @ini_set('session.bug_compat_42', false);
  52 @ini_set('session.bug_compat_warn', true);
  53
  54 // use more secure session ids
  55 @ini_set('session.hash_function', 1);
  56
  57 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  58 // proxy servers
  59 session_cache_limiter('private');
  60
  61 // start the session
  62 // on some servers (for example, sourceforge.net), we get a permission error
  63 // on the session data directory, so I add some "@"
  64
  65 // See bug #1538132. This would block normal behavior on a cluster
  66 //ini_set('session.save_handler', 'files');
  67
  68 $session_name = 'phpMyAdmin';
  69 @session_name($session_name);
  70
  71 if (! isset($_COOKIE[$session_name])) {
  72     // on first start of session we check for errors
  73     // f.e. session dir cannot be accessed - session file not created
  74     $orig_error_count = $GLOBALS['error_handler']->countErrors();
  75     $r = session_start();
  76     if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
  77         setcookie($session_name, '', 1);
  78         PMA_fatalError('strSessionStartupErrorGeneral');
  79     }
  80     unset($orig_error_count);
  81 } else {
  82     @session_start();
  83 }
  84
  85 /**
  86  * Token which is used for authenticating access queries.
  87  * (we use "space PMA_token space" to prevent overwriting)
  88  */
  89 if (!isset($_SESSION[' PMA_token '])) {
  90     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
  91 }
  92
  93 /**
  94  * tries to secure session from hijacking and fixation
  95  * should be called before login and after successfull login
  96  * (only required if sensitive information stored in session)
  97  *
  98  * @uses    session_regenerate_id() to secure session from fixation
  99  */
 100 function PMA_secureSession()
 101 {
 102     // prevent session fixation and XSS
 103     session_regenerate_id(true);
 104 }
 105 ?>