PageRenderTime 36ms CodeModel.GetById 20ms app.highlight 3ms RepoModel.GetById 8ms app.codeStats 1ms

/phpmyadmin/libraries/session.inc.php

https://bitbucket.org/adarshj/convenient_website
PHP | 112 lines | 46 code | 17 blank | 49 comment | 12 complexity | 5b5af7d62312b2510e94d86b75117606 MD5 | raw file
  1<?php
  2/* vim: set expandtab sw=4 ts=4 sts=4: */
  3/**
  4 * session handling
  5 *
  6 * @todo    add failover or warn if sessions are not configured properly
  7 * @todo    add an option to use mm-module for session handler
  8 * @see     http://www.php.net/session
  9 * @package PhpMyAdmin
 10 */
 11if (! defined('PHPMYADMIN')) {
 12    exit;
 13}
 14
 15// verify if PHP supports session, die if it does not
 16
 17if (!@function_exists('session_name')) {
 18    PMA_warnMissingExtension('session', true);
 19} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
 20    // Do not delete the existing session, it might be used by other
 21    // applications; instead just close it.
 22    session_write_close();
 23}
 24
 25// disable starting of sessions before all settings are done
 26// does not work, besides how it is written in php manual
 27//ini_set('session.auto_start', 0);
 28
 29// session cookie settings
 30session_set_cookie_params(0, $GLOBALS['PMA_Config']->getCookiePath(),
 31    '', $GLOBALS['PMA_Config']->isHttps(), true);
 32
 33// cookies are safer (use @ini_set() in case this function is disabled)
 34@ini_set('session.use_cookies', true);
 35
 36// optionally set session_save_path
 37$path = $GLOBALS['PMA_Config']->get('SessionSavePath');
 38if (!empty($path)) {
 39    session_save_path($path);
 40}
 41
 42// but not all user allow cookies
 43@ini_set('session.use_only_cookies', false);
 44// do not force transparent session ids, see bug #3398788
 45//@ini_set('session.use_trans_sid', true);
 46@ini_set('url_rewriter.tags',
 47    'a=href,frame=src,input=src,form=fakeentry,fieldset=');
 48//ini_set('arg_separator.output', '&amp;');
 49
 50// delete session/cookies when browser is closed
 51@ini_set('session.cookie_lifetime', 0);
 52
 53// warn but dont work with bug
 54@ini_set('session.bug_compat_42', false);
 55@ini_set('session.bug_compat_warn', true);
 56
 57// use more secure session ids
 58@ini_set('session.hash_function', 1);
 59
 60// some pages (e.g. stylesheet) may be cached on clients, but not in shared
 61// proxy servers
 62session_cache_limiter('private');
 63
 64// start the session
 65// on some servers (for example, sourceforge.net), we get a permission error
 66// on the session data directory, so I add some "@"
 67
 68// See bug #1538132. This would block normal behavior on a cluster
 69//ini_set('session.save_handler', 'files');
 70
 71$session_name = 'phpMyAdmin';
 72@session_name($session_name);
 73
 74if (! isset($_COOKIE[$session_name])) {
 75    // on first start of session we check for errors
 76    // f.e. session dir cannot be accessed - session file not created
 77    $orig_error_count = $GLOBALS['error_handler']->countErrors();
 78    $r = session_start();
 79    if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
 80        setcookie($session_name, '', 1);
 81        /*
 82         * Session initialization is done before selecting language, so we
 83         * can not use translations here.
 84         */
 85        PMA_fatalError('Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.');
 86    }
 87    unset($orig_error_count);
 88} else {
 89    session_start();
 90}
 91
 92/**
 93 * Token which is used for authenticating access queries.
 94 * (we use "space PMA_token space" to prevent overwriting)
 95 */
 96if (! isset($_SESSION[' PMA_token '])) {
 97    $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
 98}
 99
100/**
101 * tries to secure session from hijacking and fixation
102 * should be called before login and after successfull login
103 * (only required if sensitive information stored in session)
104 *
105 */
106function PMA_secureSession()
107{
108    // prevent session fixation and XSS
109    session_regenerate_id(true);
110    $_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
111}
112?>