libraries/session.inc.php

   1 <?php
   2 /* $Id$ */
   3 // vim: expandtab sw=4 ts=4 sts=4:
   4 /**
   5  * session handling
   6  *
   7  * @TODO    add failover or warn if sessions are not configured properly
   8  * @TODO    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  * @uses    version_compare()
  14  * @uses    PHP_VERSION
  15  */
  16
  17 // verify if PHP supports session, die if it does not
  18
  19 if (!@function_exists('session_name')) {
  20
  21     $cfg = array('DefaultLang'           => 'en-iso-8859-1',
  22                     'AllowAnywhereRecoding' => FALSE);
  23     // Loads the language file
  24     require_once('./libraries/select_lang.lib.php');
  25     // Displays the error message
  26     // (do not use &amp; for parameters sent by header)
  27     header( 'Location: error.php'
  28             . '?lang='  . urlencode( $available_languages[$lang][2] )
  29             . '&char='  . urlencode( $charset )
  30             . '&dir='   . urlencode( $text_dir )
  31             . '&type='  . urlencode( $strError )
  32             . '&error=' . urlencode(
  33                 sprintf($strCantLoad, 'session'))
  34              );
  35     exit();
  36 }
  37
  38 // disable starting of sessions before all settings are done
  39 ini_set( 'session.auto_start', false );
  40
  41 // cookies are safer
  42 ini_set( 'session.use_cookies', true );
  43
  44 // but not all user allow cookies
  45 ini_set( 'session.use_only_cookies', false );
  46 ini_set( 'session.use_trans_sid', true );
  47 ini_set( 'url_rewriter.tags',
  48     'a=href,frame=src,input=src,form=fakeentry,fieldset=' );
  49 ini_set( 'arg_separator.output' , '&amp;' );
  50
  51 // delete session/cookies when browser is closed
  52 ini_set( 'session.cookie_lifetime', 0 );
  53
  54 // warn but dont work with bug
  55 ini_set( 'session.bug_compat_42', false );
  56 ini_set( 'session.bug_compat_warn', true );
  57
  58 // use more secure session ids (with PHP 5)
  59 if ( version_compare( PHP_VERSION, '5.0.0', 'ge' )
  60   && substr( PHP_OS, 0 ,3 ) != 'WIN' ) {
  61     ini_set( 'session.hash_function', 1 );
  62     ini_set( 'session.hash_bits_per_character', 6 );
  63 }
  64
  65 // start the session
  66 // on some servers (for example, sourceforge.net), we get a permission error
  67 // on the session data directory, so I add some "@"
  68 @session_name( 'phpMyAdmin' );
  69 @session_start();
  70
  71 /**
  72  * trys to secure session from hijacking and fixation
  73  * should be called before login and after successfull login
  74  * (only required if sensitive information stored in session)
  75  *
  76  * @uses    session_regenerate_id() to secure session from fixation
  77  * @uses    session_id()            to set new session id
  78  * @uses    strip_tags()            to prevent XSS attacks in SID
  79  * @uses    function_exists()       for session_regenerate_id()
  80  */
  81 function PMA_secureSession() {
  82     // prevent session fixation and XSS
  83     if ( function_exists( 'session_regenerate_id' ) ) {
  84         session_regenerate_id( true );
  85     } else {
  86         session_id( strip_tags( session_id() ) );
  87     }
  88 }
  89 ?>