<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* session handling
*
* @todo add an option to use mm-module for session handler
*
* @package PhpMyAdmin
* @see https://www.php.net/session
*/
// Refuse to run unless the PHPMYADMIN constant has been defined by an
// including script; a direct request for this file exits immediately.
if (! defined('PHPMYADMIN')) {
    exit;
}
// verify if PHP supports session, die if it does not
if (!@function_exists('session_name')) {
    PMA_warnMissingExtension('session', true);
} elseif (ini_get('session.auto_start') !== '' && session_name() != 'phpMyAdmin') {
    // Do not delete the existing session, it might be used by other
    // applications; instead just close it.
    // NOTE(review): the name check uses loose comparison (!=), and the
    // auto_start test only excludes the empty string - confirm that is the
    // intended condition.
    session_write_close();
}
// disable starting of sessions before all settings are done
// does not work, besides how it is written in php manual
//ini_set('session.auto_start', '0');
// session cookie settings, in positional order: lifetime 0 (cookie lasts
// until the browser closes), path limited to the phpMyAdmin root path,
// empty domain, Secure flag taken from isHttps(), HttpOnly enabled.
// NOTE(review): the Secure flag is only as reliable as isHttps(); verify its
// result on deployments that terminate TLS in front of PHP. This positional
// form also sets no SameSite attribute on the cookie.
session_set_cookie_params(
    0, $GLOBALS['PMA_Config']->getRootPath(),
    '', $GLOBALS['PMA_Config']->isHttps(), true
);
// cookies are safer (use @ini_set() in case this function is disabled)
// Every @ini_set() below discards both the warning and the return value, so
// a setting the runtime rejects fails silently and the hardening it was
// meant to provide is simply absent.
@ini_set('session.use_cookies', 'true');
// optionally set session_save_path
// The directory comes from the 'SessionSavePath' configuration value and is
// applied only when that value is non-empty.
$path = $GLOBALS['PMA_Config']->get('SessionSavePath');
if (!empty($path)) {
    session_save_path($path);
}
// use cookies only, so a session ID supplied in the URL is not accepted
@ini_set('session.use_only_cookies', '1');
// strict session mode (do not accept random string as session ID); this is
// the setting that stops a client from choosing its own session ID
@ini_set('session.use_strict_mode', '1');
// make the session cookie HttpOnly (not readable from page scripts)
@ini_set('session.cookie_httponly', '1');
// do not force transparent session ids (keeps the ID out of generated links)
@ini_set('session.use_trans_sid', '0');
// delete session/cookies when browser is closed
@ini_set('session.cookie_lifetime', '0');
// Legacy compatibility switches: turn the old behaviour off, keep its
// warning on. Runtimes that no longer know these settings ignore them
// because of the @ suppression.
@ini_set('session.bug_compat_42', 'false');
@ini_set('session.bug_compat_warn', 'true');
// use more secure session ids
// NOTE(review): value '1' is understood to select SHA-1 on PHP versions
// that still have this setting; newer versions dropped it - confirm the
// session ID settings that apply to the deployed PHP version.
@ini_set('session.hash_function', '1');
// some pages (e.g. stylesheet) may be cached on clients, but not in shared
// proxy servers
session_cache_limiter('private');
// start the session
// on some servers (for example, sourceforge.net), we get a permission error
// on the session data directory, so I add some "@"
/**
 * Aborts the request with a fatal error describing why the session could
 * not be started or written.
 *
 * Each error message is HTML-escaped first, then the argument of any
 * "open(..., O_RDWR)" fragment is replaced with a fixed placeholder so the
 * session file path is not shown to the client. Only that one message shape
 * is masked; every other error text is passed through (escaped) as is.
 *
 * @param array $errors error objects exposing getMessage()
 *
 * @return void
 */
function PMA_sessionFailed($errors)
{
    $break = '<br /><br />';
    $sanitized = array();

    foreach ($errors as $entry) {
        /*
         * Remove the path from open() in the error message to avoid path
         * disclosure.
         *
         * This can happen with PHP 5 when a nonexistent session ID is
         * provided; since PHP 7, session existence is checked first.
         *
         * The same error can also come from a session backend failure
         * (e.g. read-only filesystem) on any PHP version.
         *
         * The message string is currently hardcoded in PHP, so the pattern
         * depends on that wording not changing.
         */
        $escaped = htmlspecialchars($entry->getMessage());
        $sanitized[] = preg_replace(
            '/open\(.*, O_RDWR\)/',
            'open(SESSION_FILE, O_RDWR)',
            $escaped
        );
    }

    /*
     * Session initialization is done before selecting language, so
     * translations can not be used here.
     */
    $report = 'Error during session start; please check your PHP and/or '
        . 'webserver log file and configure your PHP '
        . 'installation properly. Also ensure that cookies are enabled '
        . 'in your browser.'
        . $break
        . implode($break, $sanitized);

    PMA_fatalError($report);
}
// See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files');
// Use a fixed, application-specific session name; it is also the name of
// the session cookie cleared below on failure.
$session_name = 'phpMyAdmin';
@session_name($session_name);
// on first start of session we check for errors
// f.e. session dir cannot be accessed - session file not created
// The error handler's count is sampled before session_start() so that any
// error raised by the call itself can be detected afterwards, even when
// session_start() still returns true.
// NOTE(review): the meaning of the false argument to countErrors() is not
// visible here - confirm against the error handler.
$orig_error_count = $GLOBALS['error_handler']->countErrors(false);
$session_result = session_start();
if ($session_result !== true
    || $orig_error_count != $GLOBALS['error_handler']->countErrors(false)
) {
    // Expire the session cookie (timestamp 1 lies in the past) so the client
    // stops presenting the session ID that failed.
    // NOTE(review): no path argument is passed here, while the session cookie
    // is created with the phpMyAdmin root path - confirm the browser treats
    // both as the same cookie.
    setcookie($session_name, '', 1);
    // Report only the errors recorded since the count was sampled.
    $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
    PMA_sessionFailed($errors);
}
// Drop the temporaries so they do not linger in the global scope.
unset($orig_error_count, $session_result);
/**
 * Re-apply the session.use_cookies setting after the session has started.
 *
 * NOTE(review): this block was originally described as disabling the setting
 * of session cookies for further session_start() calls, but the value
 * written is 'true', the same value applied before the session was started.
 * Confirm which behaviour is intended. The @ also hides any warning raised
 * if the runtime refuses the change at this point.
 */
@ini_set('session.use_cookies', 'true');
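/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 *
 * The token is the anti-CSRF secret for this session, so it must come from a
 * cryptographically strong source. OpenSSL reports through its second
 * (by-reference) argument whether the returned bytes are strong; output that
 * is not flagged strong, or a false return value, is discarded and the
 * phpseclib generator is used instead. If no usable bytes are obtained the
 * token is stored as an empty string, which the emptiness check that follows
 * session setup treats as a fatal error.
 */
if (! isset($_SESSION[' PMA_token '])) {
    $token_bytes = false;
    if (function_exists('openssl_random_pseudo_bytes')) {
        $crypto_strong = false;
        $token_bytes = openssl_random_pseudo_bytes(16, $crypto_strong);
        if ($crypto_strong !== true) {
            // Never build a security token from bytes OpenSSL itself does
            // not vouch for.
            $token_bytes = false;
        }
    }
    if ($token_bytes === false) {
        $token_bytes = phpseclib\Crypt\Random::string(16);
    }
    $_SESSION[' PMA_token '] = is_string($token_bytes) ? bin2hex($token_bytes) : '';
    // Do not leave the raw token material in the global scope.
    unset($token_bytes, $crypto_strong);
    /**
     * Check for disk space on session storage by trying to write it.
     *
     * This seems to be most reliable approach to test if sessions are working,
     * otherwise the check would fail with custom session backends.
     */
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    session_write_close();
    if ($GLOBALS['error_handler']->countErrors() > $orig_error_count) {
        // Only the errors raised by the write attempt are reported.
        $errors = $GLOBALS['error_handler']->sliceErrors($orig_error_count);
        PMA_sessionFailed($errors);
    }
    // Reopen the session that was closed for the write test.
    session_start();
}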
/**
 * Check if token is properly generated (both above functions can return false).
 *
 * An empty token would leave the session without a usable anti-CSRF secret,
 * so the request is aborted instead of continuing. The message is a plain
 * English literal, not a translated string.
 */
if (empty($_SESSION[' PMA_token '])) {
    PMA_fatalError(
        'Failed to generate random CSRF token!'
    );
}
// Load the session helper library, and only once the session and its token
// are in place.
// NOTE(review): the path is relative, so which file is loaded depends on the
// include path / working directory of the including script - confirm.
require_once 'libraries/session.lib.php';