116 lines
4.0 KiB
PHP
116 lines
4.0 KiB
PHP
<?php
|
|
/* $Id$ */
|
|
// vim: expandtab sw=4 ts=4 sts=4:
|
|
/**
|
|
* session handling
|
|
*
|
|
* @TODO add failover or warn if sessions are not configured properly
|
|
* @TODO add an option to use mm-module for session handler
|
|
* @see http://www.php.net/session
|
|
* @uses session_name()
|
|
* @uses session_start()
|
|
* @uses ini_set()
|
|
* @uses version_compare()
|
|
* @uses PHP_VERSION
|
|
*/
|
|
|
|
// verify if PHP supports session, die if it does not
|
|
|
|
if (!@function_exists('session_name')) {
|
|
$cfg = array('DefaultLang' => 'en-iso-8859-1',
|
|
'AllowAnywhereRecoding' => false);
|
|
// Loads the language file
|
|
require_once('./libraries/select_lang.lib.php');
|
|
// Displays the error message
|
|
// (do not use & for parameters sent by header)
|
|
header('Location: error.php'
|
|
. '?lang=' . urlencode($available_languages[$lang][2])
|
|
. '&char=' . urlencode($charset)
|
|
. '&dir=' . urlencode($text_dir)
|
|
. '&type=' . urlencode($strError)
|
|
. '&error=' . urlencode(sprintf($strCantLoad, 'session')));
|
|
exit();
|
|
} elseif (ini_get('session.auto_start') == true) {
|
|
$cfg = array('DefaultLang' => 'en-iso-8859-1',
|
|
'AllowAnywhereRecoding' => false);
|
|
// Loads the language file
|
|
require_once('./libraries/select_lang.lib.php');
|
|
// Displays the error message
|
|
// (do not use & for parameters sent by header)
|
|
// TODO FIXME replace with locale string
|
|
$strSessionAutostartError = 'phpMyAdmin cannot run with'
|
|
. ' [a@http://php.net/session#ini.session.auto-start@php]session.auto_start[/a]'
|
|
. ' enabled. Check your php configuration.';
|
|
header('Location: error.php'
|
|
. '?lang=' . urlencode('en') //($available_languages[$lang][2])
|
|
. '&char=' . urlencode($charset)
|
|
. '&dir=' . urlencode('ltr') //($text_dir)
|
|
. '&type=' . urlencode('Error') //($strError)
|
|
. '&error=' . urlencode($strSessionAutostartError));
|
|
exit();
|
|
}
|
|
|
|
// disable starting of sessions before all settings are done
|
|
// does not work, besides how it is written in php manual
|
|
//ini_set('session.auto_start', 0);
|
|
|
|
// session cookie settings
|
|
session_set_cookie_params(0, PMA_Config::getCookiePath(),
|
|
'', PMA_Config::isHttps());
|
|
|
|
// cookies are safer
|
|
ini_set('session.use_cookies', true);
|
|
|
|
// but not all user allow cookies
|
|
ini_set('session.use_only_cookies', false);
|
|
ini_set('session.use_trans_sid', true);
|
|
ini_set('url_rewriter.tags',
|
|
'a=href,frame=src,input=src,form=fakeentry,fieldset=');
|
|
//ini_set('arg_separator.output', '&');
|
|
|
|
// delete session/cookies when browser is closed
|
|
ini_set('session.cookie_lifetime', 0);
|
|
|
|
// warn but dont work with bug
|
|
ini_set('session.bug_compat_42', false);
|
|
ini_set('session.bug_compat_warn', true);
|
|
|
|
// use more secure session ids (with PHP 5)
|
|
if (version_compare(PHP_VERSION, '5.0.0', 'ge')
|
|
&& substr(PHP_OS, 0, 3) != 'WIN') {
|
|
ini_set('session.hash_function', 1);
|
|
ini_set('session.hash_bits_per_character', 6);
|
|
}
|
|
|
|
// start the session
|
|
// on some servers (for example, sourceforge.net), we get a permission error
|
|
// on the session data directory, so I add some "@"
|
|
|
|
// [2006-01-25] Nicola Asuni - www.tecnick.com: maybe the PHP directive
|
|
// session.save_handler is set to another value like "user"
|
|
ini_set('session.save_handler', 'files');
|
|
|
|
@session_name('phpMyAdmin');
|
|
@session_start();
|
|
|
|
/**
|
|
* trys to secure session from hijacking and fixation
|
|
* should be called before login and after successfull login
|
|
* (only required if sensitive information stored in session)
|
|
*
|
|
* @uses session_regenerate_id() to secure session from fixation
|
|
* @uses session_id() to set new session id
|
|
* @uses strip_tags() to prevent XSS attacks in SID
|
|
* @uses function_exists() for session_regenerate_id()
|
|
*/
|
|
function PMA_secureSession()
|
|
{
|
|
// prevent session fixation and XSS
|
|
if (function_exists('session_regenerate_id')) {
|
|
session_regenerate_id(true);
|
|
} else {
|
|
session_id(strip_tags(session_id()));
|
|
}
|
|
}
|
|
?>
|