| 250 |
kaklik |
1 |
<?php |
|
|
2 |
/* $Id: session.inc.php,v 2.8.2.4 2006/05/12 15:26:16 nijel Exp $ */ |
|
|
3 |
// vim: expandtab sw=4 ts=4 sts=4: |
|
|
4 |
/** |
|
|
5 |
* session handling |
|
|
6 |
* |
|
|
7 |
* @TODO add failover or warn if sessions are not configured properly |
|
|
8 |
* @TODO add an option to use mm-module for session handler |
|
|
9 |
* @see http://www.php.net/session |
|
|
10 |
* @uses session_name() |
|
|
11 |
* @uses session_start() |
|
|
12 |
* @uses ini_set() |
|
|
13 |
* @uses version_compare() |
|
|
14 |
* @uses PHP_VERSION |
|
|
15 |
*/ |
|
|
16 |
|
|
|
17 |
// verify if PHP supports session, die if it does not |
|
|
18 |
|
|
|
19 |
if (!@function_exists('session_name')) { |
|
|
20 |
$cfg = array('DefaultLang' => 'en-iso-8859-1', |
|
|
21 |
'AllowAnywhereRecoding' => false); |
|
|
22 |
// Loads the language file |
|
|
23 |
require_once('./libraries/select_lang.lib.php'); |
|
|
24 |
// Displays the error message |
|
|
25 |
// (do not use & for parameters sent by header) |
|
|
26 |
header('Location: error.php' |
|
|
27 |
. '?lang=' . urlencode($available_languages[$lang][2]) |
|
|
28 |
. '&char=' . urlencode($charset) |
|
|
29 |
. '&dir=' . urlencode($text_dir) |
|
|
30 |
. '&type=' . urlencode($strError) |
|
|
31 |
. '&error=' . urlencode(sprintf($strCantLoad, 'session'))); |
|
|
32 |
exit(); |
|
|
33 |
} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') { |
|
|
34 |
/* $cfg = array('DefaultLang' => 'en-iso-8859-1', |
|
|
35 |
'AllowAnywhereRecoding' => false); |
|
|
36 |
// Loads the language file |
|
|
37 |
require_once('./libraries/select_lang.lib.php'); |
|
|
38 |
// Displays the error message |
|
|
39 |
// (do not use & for parameters sent by header) |
|
|
40 |
// TODO FIXME replace with locale string |
|
|
41 |
$strSessionAutostartError = 'phpMyAdmin cannot run with' |
|
|
42 |
. ' [a@http://php.net/session#ini.session.auto-start@php]session.auto_start[/a]' |
|
|
43 |
. ' enabled. Check your php configuration.'; |
|
|
44 |
header('Location: error.php' |
|
|
45 |
. '?lang=' . urlencode('en') //($available_languages[$lang][2]) |
|
|
46 |
. '&char=' . urlencode($charset) |
|
|
47 |
. '&dir=' . urlencode('ltr') //($text_dir) |
|
|
48 |
. '&type=' . urlencode('Error') //($strError) |
|
|
49 |
. '&error=' . urlencode($strSessionAutostartError)); |
|
|
50 |
exit(); |
|
|
51 |
*/ |
|
|
52 |
$_SESSION = array(); |
|
|
53 |
if (isset($_COOKIE[session_name()])) { |
|
|
54 |
setcookie(session_name(), '', time()-42000, '/'); |
|
|
55 |
} |
|
|
56 |
session_unset(); |
|
|
57 |
@session_destroy(); |
|
|
58 |
} |
|
|
59 |
|
|
|
60 |
// disable starting of sessions before all settings are done |
|
|
61 |
// does not work, besides how it is written in php manual |
|
|
62 |
//ini_set('session.auto_start', 0); |
|
|
63 |
|
|
|
64 |
// session cookie settings |
|
|
65 |
session_set_cookie_params(0, PMA_Config::getCookiePath(), |
|
|
66 |
'', PMA_Config::isHttps()); |
|
|
67 |
|
|
|
68 |
// cookies are safer |
|
|
69 |
ini_set('session.use_cookies', true); |
|
|
70 |
|
|
|
71 |
// but not all user allow cookies |
|
|
72 |
ini_set('session.use_only_cookies', false); |
|
|
73 |
ini_set('session.use_trans_sid', true); |
|
|
74 |
ini_set('url_rewriter.tags', |
|
|
75 |
'a=href,frame=src,input=src,form=fakeentry,fieldset='); |
|
|
76 |
//ini_set('arg_separator.output', '&'); |
|
|
77 |
|
|
|
78 |
// delete session/cookies when browser is closed |
|
|
79 |
ini_set('session.cookie_lifetime', 0); |
|
|
80 |
|
|
|
81 |
// warn but dont work with bug |
|
|
82 |
ini_set('session.bug_compat_42', false); |
|
|
83 |
ini_set('session.bug_compat_warn', true); |
|
|
84 |
|
|
|
85 |
// use more secure session ids (with PHP 5) |
|
|
86 |
if (version_compare(PHP_VERSION, '5.0.0', 'ge') |
|
|
87 |
&& substr(PHP_OS, 0, 3) != 'WIN') { |
|
|
88 |
ini_set('session.hash_function', 1); |
|
|
89 |
ini_set('session.hash_bits_per_character', 6); |
|
|
90 |
} |
|
|
91 |
|
|
|
92 |
// start the session |
|
|
93 |
// on some servers (for example, sourceforge.net), we get a permission error |
|
|
94 |
// on the session data directory, so I add some "@" |
|
|
95 |
|
|
|
96 |
// [2006-01-25] Nicola Asuni - www.tecnick.com: maybe the PHP directive |
|
|
97 |
// session.save_handler is set to another value like "user" |
|
|
98 |
ini_set('session.save_handler', 'files'); |
|
|
99 |
|
|
|
100 |
@session_name('phpMyAdmin'); |
|
|
101 |
@session_start(); |
|
|
102 |
|
|
|
103 |
/** |
|
|
104 |
* Token which is used for authenticating access queries. |
|
|
105 |
*/ |
|
|
106 |
if (!isset($_SESSION['PMA_token'])) { |
|
|
107 |
$_SESSION['PMA_token'] = md5(uniqid(rand(), true)); |
|
|
108 |
} |
|
|
109 |
|
|
|
110 |
/** |
|
|
111 |
* trys to secure session from hijacking and fixation |
|
|
112 |
* should be called before login and after successfull login |
|
|
113 |
* (only required if sensitive information stored in session) |
|
|
114 |
* |
|
|
115 |
* @uses session_regenerate_id() to secure session from fixation |
|
|
116 |
* @uses session_id() to set new session id |
|
|
117 |
* @uses strip_tags() to prevent XSS attacks in SID |
|
|
118 |
* @uses function_exists() for session_regenerate_id() |
|
|
119 |
*/ |
|
|
120 |
function PMA_secureSession() |
|
|
121 |
{ |
|
|
122 |
// prevent session fixation and XSS |
|
|
123 |
if (function_exists('session_regenerate_id')) { |
|
|
124 |
session_regenerate_id(true); |
|
|
125 |
} else { |
|
|
126 |
session_id(strip_tags(session_id())); |
|
|
127 |
} |
|
|
128 |
} |
|
|
129 |
?> |