From 6dbd2398c689e78d508ab856cfc44c942de4f09b Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Wed, 28 Sep 2005 11:57:04 +0000
Subject: [PATCH] introduced PMA_secureSession()
---
 ChangeLog | 3 ++-
 libraries/session.inc.php | 29 ++++++++++++++++++++---------
 2 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 168d03a09..936c4c078 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,9 +9,10 @@ $Source$
 * tbl_alter.php, libraries/common.lib.php, /relation.lib.php: bug #1262250, cannot change ENUM default value to empty
-2005-09-27 Sebastian Mendel
+2005-09-28 Sebastian Mendel
 * libraries/sql_query_form.lib.php: removed unneeded variable, dont display bookmark selection fieldset if no bookmark exists
+ * libraries/session.inc.php: introduced PMA_secureSession()
 2005-09-27 Sebastian Mendel
 * libraries/sql_query_form.lib.php, db_details.php, server_sql.php
diff --git a/libraries/session.inc.php b/libraries/session.inc.php
index 2ad8cbeb7..7f52a0897 100644
--- a/libraries/session.inc.php
+++ b/libraries/session.inc.php
@@ -4,18 +4,17 @@
 /**
 * session handling
 *
+ * @TODO add failover or warn if sessions are not configured properly
+ * @TODO add an option to use mm-module for session handler
 * @see http://www.php.net/session
 * @uses session_name()
 * @uses session_start()
- * @uses session_regenerate_id()
- * @uses session_id()
- * @uses strip_tags()
 * @uses ini_set()
 * @uses version_compare()
 * @uses PHP_VERSION
 */
-// disable starting of sessions before all setings are done
+// disable starting of sessions before all settings are done
 ini_set( 'session.auto_start', false );
 // cookies are safer
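Review bot: The rewritten comment `// disable starting of sessions before all settings are done` documents an effect the line below it cannot have: session.auto_start is a PHP_INI_PERDIR setting that is read before the script runs, so `ini_set( 'session.auto_start', false )` returns false and changes nothing at runtime (whether a session was already auto-started is decided by php.ini or .htaccess). If a pre-started session is the concern, detect it instead, e.g. `if ( ini_get( 'session.auto_start' ) ) { /* warn or fall back */ }`, which would also discharge the first @TODO this hunk adds. Otherwise reword the comment to say the call is best-effort and is silently rejected on most setups, so the next reader does not rely on it. The file-level docblock still lists `@uses ini_set()`, so I assume the line is kept on purpose rather than by oversight.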
@@ -45,10 +44,22 @@ if ( version_compare( PHP_VERSION, '5.0.0', 'ge' ) ) {
 session_name( 'phpMyAdmin' );
 session_start();
-// prevent session fixation and XSS
-if ( function_exists( 'session_regenerate_id' ) ) {
- session_regenerate_id( true );
-} else {
- session_id( strip_tags( session_id() ) );
+/**
+ * trys to secure session from hijacking and fixation
+ * should be called before login and after successfull login
+ * (only required if sensitive information stored in session)
+ *
+ * @uses session_regenerate_id() to secure session from fixation
+ * @uses session_id() to set new session id
+ * @uses strip_tags() to prevent XSS attacks in SID
+ * @uses function_exists() for session_regenerate_id()
+ */
+function PMA_secureSession() {
+ // prevent session fixation and XSS
+ if ( function_exists( 'session_regenerate_id' ) ) {
+ session_regenerate_id( true );
+ } else {
+ session_id( strip_tags( session_id() ) );
+ }
 }
 ?>
\ No newline at end of file
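Review bot: Nothing in this hunk calls `PMA_secureSession()`, so the `session_regenerate_id( true )` that previously ran unconditionally right after `session_start()` now runs only if a caller exists somewhere outside this diff; unless one is added in the same change, fixation protection is silently dropped for every request. At minimum preserve the old behaviour by adding `PMA_secureSession();` directly after the function definition, and only remove it once the login path is known to call it itself. The fallback branch `session_id( strip_tags( session_id() ) )` is also ineffective here: session_id() has to be called before session_start() to take effect, so after the start on the context line above it neither changes the active session nor rejects a fixated ID, and strip_tags is not a session-ID validator — the usual check is a whitelist such as `preg_match( '/^[a-zA-Z0-9,-]+$/', $id )` applied to the incoming cookie value before session_start(). The `true` argument (delete the old session file) was, as far as I recall, only introduced in PHP 5.1, so on the older releases this file still branches on via PHP_VERSION the previous ID stays valid until garbage collection and the call may even warn about the extra parameter; the docblock should say so, and fix its spelling while there (`tries`, `successful`).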