libraries/session.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * session handling
   5  *
   6  * @version $Id$
   7  * @todo    add failover or warn if sessions are not configured properly
   8  * @todo    add an option to use mm-module for session handler
   9  * @see     http://www.php.net/session
  10  * @uses    session_name()
  11  * @uses    session_start()
  12  * @uses    ini_set()
  13  * @package phpMyAdmin
  14  */
  15 if (! defined('PHPMYADMIN')) {
  16     exit;
  17 }
  18
  19 // verify if PHP supports session, die if it does not
  20
  21 if (!@function_exists('session_name')) {
  22     PMA_warnMissingExtension('session', true);
  23 } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
  24     // Do not delete the existing session, it might be used by other
  25     // applications; instead just close it.
  26     session_write_close();
  27 }
  28
  29 // disable starting of sessions before all settings are done
  30 // does not work, besides how it is written in php manual
  31 //ini_set('session.auto_start', 0);
  32
  33 // session cookie settings
  34 session_set_cookie_params(0, $GLOBALS['PMA_Config']->getCookiePath(),
  35     '', $GLOBALS['PMA_Config']->isHttps(), true);
  36
  37 // cookies are safer (use @ini_set() in case this function is disabled)
  38 @ini_set('session.use_cookies', true);
  39
  40 // optionally set session_save_path
  41 $path = $GLOBALS['PMA_Config']->get('SessionSavePath');
  42 if (!empty($path)) {
  43     session_save_path($path);
  44 }
  45
  46 // but not all user allow cookies
  47 @ini_set('session.use_only_cookies', false);
  48 @ini_set('session.use_trans_sid', true);
  49 @ini_set('url_rewriter.tags',
  50     'a=href,frame=src,input=src,form=fakeentry,fieldset=');
  51 //ini_set('arg_separator.output', '&amp;');
  52
  53 // delete session/cookies when browser is closed
  54 @ini_set('session.cookie_lifetime', 0);
  55
  56 // warn but dont work with bug
  57 @ini_set('session.bug_compat_42', false);
  58 @ini_set('session.bug_compat_warn', true);
  59
  60 // use more secure session ids
  61 @ini_set('session.hash_function', 1);
  62
  63 // some pages (e.g. stylesheet) may be cached on clients, but not in shared
  64 // proxy servers
  65 session_cache_limiter('private');
  66
  67 // start the session
  68 // on some servers (for example, sourceforge.net), we get a permission error
  69 // on the session data directory, so I add some "@"
  70
  71 // See bug #1538132. This would block normal behavior on a cluster
  72 //ini_set('session.save_handler', 'files');
  73
  74 $session_name = 'phpMyAdmin';
  75 @session_name($session_name);
  76
  77 if (! isset($_COOKIE[$session_name])) {
  78     // on first start of session we check for errors
  79     // f.e. session dir cannot be accessed - session file not created
  80     $orig_error_count = $GLOBALS['error_handler']->countErrors();
  81     $r = session_start();
  82     if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
  83         setcookie($session_name, '', 1);
  84         PMA_fatalError('strSessionStartupErrorGeneral');
  85     }
  86     unset($orig_error_count);
  87 } else {
  88     session_start();
  89 }
  90
  91 /**
  92  * Token which is used for authenticating access queries.
  93  * (we use "space PMA_token space" to prevent overwriting)
  94  */
  95 if (!isset($_SESSION[' PMA_token '])) {
  96     $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
  97 }
  98
  99 /**
 100  * tries to secure session from hijacking and fixation
 101  * should be called before login and after successfull login
 102  * (only required if sensitive information stored in session)
 103  *
 104  * @uses    session_regenerate_id() to secure session from fixation
 105  */
 106 function PMA_secureSession()
 107 {
 108     // prevent session fixation and XSS
 109     session_regenerate_id(true);
 110 }
 111 ?>