1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* session handling
*
* @todo add failover or warn if sessions are not configured properly
* @todo add an option to use mm-module for session handler
*
* @package PhpMyAdmin
* @see http://www.php.net/session
*/
if (! defined('PHPMYADMIN')) {
exit;
}
// verify if PHP supports session, die if it does not
if (!@function_exists('session_name')) {
PMA_warnMissingExtension('session', true);
} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
// Do not delete the existing session, it might be used by other
// applications; instead just close it.
session_write_close();
}
// disable starting of sessions before all settings are done
// does not work, besides how it is written in php manual
//ini_set('session.auto_start', '0');
// session cookie settings
session_set_cookie_params(
0, $GLOBALS['PMA_Config']->getCookiePath(),
'', $GLOBALS['PMA_Config']->isHttps(), true
);
// cookies are safer (use @ini_set() in case this function is disabled)
@ini_set('session.use_cookies', 'true');
// optionally set session_save_path
$path = $GLOBALS['PMA_Config']->get('SessionSavePath');
if (!empty($path)) {
session_save_path($path);
}
// but not all user allow cookies
@ini_set('session.use_only_cookies', 'false');
// do not force transparent session ids, see bug #3398788
//@ini_set('session.use_trans_sid', 'true');
@ini_set(
'url_rewriter.tags',
'a=href,frame=src,input=src,form=fakeentry,fieldset='
);
//ini_set('arg_separator.output', '&');
// delete session/cookies when browser is closed
@ini_set('session.cookie_lifetime', '0');
// warn but dont work with bug
@ini_set('session.bug_compat_42', 'false');
@ini_set('session.bug_compat_warn', 'true');
// use more secure session ids
@ini_set('session.hash_function', '1');
// some pages (e.g. stylesheet) may be cached on clients, but not in shared
// proxy servers
session_cache_limiter('private');
// start the session
// on some servers (for example, sourceforge.net), we get a permission error
// on the session data directory, so I add some "@"
// See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files');
$session_name = 'phpMyAdmin';
@session_name($session_name);
if (! isset($_COOKIE[$session_name])) {
// on first start of session we check for errors
// f.e. session dir cannot be accessed - session file not created
$orig_error_count = $GLOBALS['error_handler']->countErrors();
$session_result = session_start();
if ($session_result !== true
|| $orig_error_count != $GLOBALS['error_handler']->countErrors()
) {
setcookie($session_name, '', 1);
/*
* Session initialization is done before selecting language, so we
* can not use translations here.
*/
PMA_fatalError(
'Error during session start; please check your PHP and/or '
. 'webserver log file and configure your PHP '
. 'installation properly. Also ensure that cookies are enabled '
. 'in your browser.'
);
}
unset($orig_error_count, $session_result);
} else {
session_start();
}
/**
* Token which is used for authenticating access queries.
* (we use "space PMA_token space" to prevent overwriting)
*/
if (! isset($_SESSION[' PMA_token '])) {
$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
}
/**
* tries to secure session from hijacking and fixation
* should be called before login and after successful login
* (only required if sensitive information stored in session)
*
* @return void
*/
function PMA_secureSession()
{
// prevent session fixation and XSS
session_regenerate_id(true);
$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
}
?>
|