<?php/* $Id: session.inc.php,v 2.8.2.4 2006/05/12 15:26:16 nijel Exp $ */// vim: expandtab sw=4 ts=4 sts=4:/*** session handling** @TODO add failover or warn if sessions are not configured properly* @TODO add an option to use mm-module for session handler* @see http://www.php.net/session* @uses session_name()* @uses session_start()* @uses ini_set()* @uses version_compare()* @uses PHP_VERSION*/// verify if PHP supports session, die if it does notif (!@function_exists('session_name')) {$cfg = array('DefaultLang' => 'en-iso-8859-1','AllowAnywhereRecoding' => false);// Loads the language filerequire_once('./libraries/select_lang.lib.php');// Displays the error message// (do not use & for parameters sent by header)header('Location: error.php'. '?lang=' . urlencode($available_languages[$lang][2]). '&char=' . urlencode($charset). '&dir=' . urlencode($text_dir). '&type=' . urlencode($strError). '&error=' . urlencode(sprintf($strCantLoad, 'session')));exit();} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {/* $cfg = array('DefaultLang' => 'en-iso-8859-1','AllowAnywhereRecoding' => false);// Loads the language filerequire_once('./libraries/select_lang.lib.php');// Displays the error message// (do not use & for parameters sent by header)// TODO FIXME replace with locale string$strSessionAutostartError = 'phpMyAdmin cannot run with'. ' [a@http://php.net/session#ini.session.auto-start@php]session.auto_start[/a]'. ' enabled. Check your php configuration.';header('Location: error.php'. '?lang=' . urlencode('en') //($available_languages[$lang][2]). '&char=' . urlencode($charset). '&dir=' . urlencode('ltr') //($text_dir). '&type=' . urlencode('Error') //($strError). '&error=' . urlencode($strSessionAutostartError));exit();*/$_SESSION = array();if (isset($_COOKIE[session_name()])) {setcookie(session_name(), '', time()-42000, '/');}session_unset();@session_destroy();}// disable starting of sessions before all settings are done// does not work, besides how it is written in php manual//ini_set('session.auto_start', 0);// session cookie settingssession_set_cookie_params(0, PMA_Config::getCookiePath(),'', PMA_Config::isHttps());// cookies are saferini_set('session.use_cookies', true);// but not all user allow cookiesini_set('session.use_only_cookies', false);ini_set('session.use_trans_sid', true);ini_set('url_rewriter.tags','a=href,frame=src,input=src,form=fakeentry,fieldset=');//ini_set('arg_separator.output', '&');// delete session/cookies when browser is closedini_set('session.cookie_lifetime', 0);// warn but dont work with bugini_set('session.bug_compat_42', false);ini_set('session.bug_compat_warn', true);// use more secure session ids (with PHP 5)if (version_compare(PHP_VERSION, '5.0.0', 'ge')&& substr(PHP_OS, 0, 3) != 'WIN') {ini_set('session.hash_function', 1);ini_set('session.hash_bits_per_character', 6);}// start the session// on some servers (for example, sourceforge.net), we get a permission error// on the session data directory, so I add some "@"// [2006-01-25] Nicola Asuni - www.tecnick.com: maybe the PHP directive// session.save_handler is set to another value like "user"ini_set('session.save_handler', 'files');@session_name('phpMyAdmin');@session_start();/*** Token which is used for authenticating access queries.*/if (!isset($_SESSION['PMA_token'])) {$_SESSION['PMA_token'] = md5(uniqid(rand(), true));}/*** trys to secure session from hijacking and fixation* should be called before login and after successfull login* (only required if sensitive information stored in session)** @uses session_regenerate_id() to secure session from fixation* @uses session_id() to set new session id* @uses strip_tags() to prevent XSS attacks in SID* @uses function_exists() for session_regenerate_id()*/function PMA_secureSession(){// prevent session fixation and XSSif (function_exists('session_regenerate_id')) {session_regenerate_id(true);} else {session_id(strip_tags(session_id()));}}?>