introduced PMA_secureSession()

This commit is contained in:
Sebastian Mendel
2005-09-28 11:57:04 +00:00
parent 171613c0d0
commit 6dbd2398c6
2 changed files with 22 additions and 10 deletions


@@ -9,9 +9,10 @@ $Source$
* tbl_alter.php, libraries/common.lib.php, /relation.lib.php: * tbl_alter.php, libraries/common.lib.php, /relation.lib.php:
bug #1262250, cannot change ENUM default value to empty bug #1262250, cannot change ENUM default value to empty
2005-09-27 Sebastian Mendel <cybot_tm@users.sourceforge.net> 2005-09-28 Sebastian Mendel <cybot_tm@users.sourceforge.net>
* libraries/sql_query_form.lib.php: removed unneeded variable, * libraries/sql_query_form.lib.php: removed unneeded variable,
dont display bookmark selection fieldset if no bookmark exists dont display bookmark selection fieldset if no bookmark exists
* libraries/session.inc.php: introduced PMA_secureSession()
2005-09-27 Sebastian Mendel <cybot_tm@users.sourceforge.net> 2005-09-27 Sebastian Mendel <cybot_tm@users.sourceforge.net>
* libraries/sql_query_form.lib.php, db_details.php, server_sql.php * libraries/sql_query_form.lib.php, db_details.php, server_sql.php


@@ -4,18 +4,17 @@
/** /**
* session handling * session handling
* *
* @TODO add failover or warn if sessions are not configured properly
* @TODO add an option to use mm-module for session handler
* @see http://www.php.net/session * @see http://www.php.net/session
* @uses session_name() * @uses session_name()
* @uses session_start() * @uses session_start()
* @uses session_regenerate_id()
* @uses session_id()
* @uses strip_tags()
* @uses ini_set() * @uses ini_set()
* @uses version_compare() * @uses version_compare()
* @uses PHP_VERSION * @uses PHP_VERSION
*/ */
// disable starting of sessions before all setings are done // disable starting of sessions before all settings are done
ini_set( 'session.auto_start', false ); ini_set( 'session.auto_start', false );
// cookies are safer // cookies are safer
@@ -45,10 +44,22 @@ if ( version_compare( PHP_VERSION, '5.0.0', 'ge' ) ) {
session_name( 'phpMyAdmin' ); session_name( 'phpMyAdmin' );
session_start(); session_start();
// prevent session fixation and XSS /**
if ( function_exists( 'session_regenerate_id' ) ) { * trys to secure session from hijacking and fixation
session_regenerate_id( true ); * should be called before login and after successfull login
} else { * (only required if sensitive information stored in session)
session_id( strip_tags( session_id() ) ); *
* @uses session_regenerate_id() to secure session from fixation
* @uses session_id() to set new session id
* @uses strip_tags() to prevent XSS attacks in SID
* @uses function_exists() for session_regenerate_id()
*/
function PMA_secureSession() {
// prevent session fixation and XSS
if ( function_exists( 'session_regenerate_id' ) ) {
session_regenerate_id( true );
} else {
session_id( strip_tags( session_id() ) );
}
} }
?> ?>
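Review bot: The `else` fallback in PMA_secureSession() is ineffective as written: session_id() only changes the id when called before session_start(), and session_start() has already run earlier in this file (the `session_start();` line right above the new docblock), so `session_id( strip_tags( session_id() ) );` leaves the running session untouched. strip_tags() is also not a validator for an identifier; the usual defensive check is a positive match such as `if ( ! preg_match( '/^[a-zA-Z0-9,-]+$/', session_id() ) )` applied before the session is started, with the session refused or restarted on a malformed id. Since the commit touches only the ChangeLog and this file, the regeneration that previously ran inline on every request now only lives inside the function and is not executed until a caller is added; a comment at the call site of session_start() saying `// PMA_secureSession() must be called by the login code, see its docblock` would make that dependency visible. The docblock should read `tries to secure the session from hijacking and fixation` and `after successful login`.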