/phpMyAdmin/libraries/session.inc.php
PHP | 112 lines | 46 code | 17 blank | 49 comment | 12 complexity | 5b5af7d62312b2510e94d86b75117606 MD5 | raw file
Possible License(s): LGPL-3.0, LGPL-2.0, JSON, GPL-2.0, BSD-3-Clause, LGPL-2.1, MIT
- <?php
- /* vim: set expandtab sw=4 ts=4 sts=4: */
- /**
- * session handling
- *
- * @todo add failover or warn if sessions are not configured properly
- * @todo add an option to use mm-module for session handler
- * @see http://www.php.net/session
- * @package PhpMyAdmin
- */
- if (! defined('PHPMYADMIN')) {
- exit;
- }
- // verify if PHP supports session, die if it does not
- if (!@function_exists('session_name')) {
- PMA_warnMissingExtension('session', true);
- } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
- // Do not delete the existing session, it might be used by other
- // applications; instead just close it.
- session_write_close();
- }
- // disable starting of sessions before all settings are done
- // does not work, besides how it is written in php manual
- //ini_set('session.auto_start', 0);
- // session cookie settings
- session_set_cookie_params(0, $GLOBALS['PMA_Config']->getCookiePath(),
- '', $GLOBALS['PMA_Config']->isHttps(), true);
- // cookies are safer (use @ini_set() in case this function is disabled)
- @ini_set('session.use_cookies', true);
- // optionally set session_save_path
- $path = $GLOBALS['PMA_Config']->get('SessionSavePath');
- if (!empty($path)) {
- session_save_path($path);
- }
- // but not all user allow cookies
- @ini_set('session.use_only_cookies', false);
- // do not force transparent session ids, see bug #3398788
- //@ini_set('session.use_trans_sid', true);
- @ini_set('url_rewriter.tags',
- 'a=href,frame=src,input=src,form=fakeentry,fieldset=');
- //ini_set('arg_separator.output', '&');
- // delete session/cookies when browser is closed
- @ini_set('session.cookie_lifetime', 0);
- // warn but dont work with bug
- @ini_set('session.bug_compat_42', false);
- @ini_set('session.bug_compat_warn', true);
- // use more secure session ids
- @ini_set('session.hash_function', 1);
- // some pages (e.g. stylesheet) may be cached on clients, but not in shared
- // proxy servers
- session_cache_limiter('private');
- // start the session
- // on some servers (for example, sourceforge.net), we get a permission error
- // on the session data directory, so I add some "@"
- // See bug #1538132. This would block normal behavior on a cluster
- //ini_set('session.save_handler', 'files');
- $session_name = 'phpMyAdmin';
- @session_name($session_name);
- if (! isset($_COOKIE[$session_name])) {
- // on first start of session we check for errors
- // f.e. session dir cannot be accessed - session file not created
- $orig_error_count = $GLOBALS['error_handler']->countErrors();
- $r = session_start();
- if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
- setcookie($session_name, '', 1);
- /*
- * Session initialization is done before selecting language, so we
- * can not use translations here.
- */
- PMA_fatalError('Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.');
- }
- unset($orig_error_count);
- } else {
- session_start();
- }
- /**
- * Token which is used for authenticating access queries.
- * (we use "space PMA_token space" to prevent overwriting)
- */
- if (! isset($_SESSION[' PMA_token '])) {
- $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
- }
- /**
- * tries to secure session from hijacking and fixation
- * should be called before login and after successfull login
- * (only required if sensitive information stored in session)
- *
- */
- function PMA_secureSession()
- {
- // prevent session fixation and XSS
- session_regenerate_id(true);
- $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
- }
- ?>