1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
<?php
/* $Id: session.inc.php 9619 2006-10-26 15:25:28Z lem9 $ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
* session handling
*
* @TODO add failover or warn if sessions are not configured properly
* @TODO add an option to use mm-module for session handler
* @see http://www.php.net/session
* @uses session_name()
* @uses session_start()
* @uses ini_set()
* @uses version_compare()
* @uses PHP_VERSION
*/
// verify if PHP supports session, die if it does not
if (!@function_exists('session_name')) {
$cfg = array('DefaultLang' => 'en-iso-8859-1',
'AllowAnywhereRecoding' => false);
// Loads the language file
require_once('./libraries/select_lang.lib.php');
// Displays the error message
// (do not use & for parameters sent by header)
header('Location: error.php'
. '?lang=' . urlencode($available_languages[$lang][2])
. '&dir=' . urlencode($text_dir)
. '&type=' . urlencode($strError)
. '&error=' . urlencode(sprintf($strCantLoad, 'session')));
exit();
} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
session_unset();
@session_destroy();
}
// disable starting of sessions before all settings are done
// does not work, besides how it is written in php manual
//ini_set('session.auto_start', 0);
// session cookie settings
session_set_cookie_params(0, PMA_Config::getCookiePath(),
'', PMA_Config::isHttps());
// cookies are safer
ini_set('session.use_cookies', true);
// but not all user allow cookies
ini_set('session.use_only_cookies', false);
ini_set('session.use_trans_sid', true);
ini_set('url_rewriter.tags',
'a=href,frame=src,input=src,form=fakeentry,fieldset=');
//ini_set('arg_separator.output', '&');
// delete session/cookies when browser is closed
ini_set('session.cookie_lifetime', 0);
// warn but dont work with bug
ini_set('session.bug_compat_42', false);
ini_set('session.bug_compat_warn', true);
// use more secure session ids (with PHP 5)
if (version_compare(PHP_VERSION, '5.0.0', 'ge')
&& substr(PHP_OS, 0, 3) != 'WIN') {
ini_set('session.hash_function', 1);
ini_set('session.hash_bits_per_character', 6);
}
// start the session
// on some servers (for example, sourceforge.net), we get a permission error
// on the session data directory, so I add some "@"
// [2006-01-25] Nicola Asuni - www.tecnick.com: maybe the PHP directive
// session.save_handler is set to another value like "user"
ini_set('session.save_handler', 'files');
@session_name('phpMyAdmin');
@session_start();
/**
* Token which is used for authenticating access queries.
* (we use "space PMA_token space" to prevent overwriting)
*/
if (!isset($_SESSION[' PMA_token '])) {
$_SESSION[' PMA_token '] = md5(uniqid(rand(), true));
}
/**
* trys to secure session from hijacking and fixation
* should be called before login and after successfull login
* (only required if sensitive information stored in session)
*
* @uses session_regenerate_id() to secure session from fixation
* @uses session_id() to set new session id
* @uses strip_tags() to prevent XSS attacks in SID
* @uses function_exists() for session_regenerate_id()
*/
function PMA_secureSession()
{
// prevent session fixation and XSS
if (function_exists('session_regenerate_id')) {
session_regenerate_id(true);
} else {
session_id(strip_tags(session_id()));
}
}
?>
|
