Viewing file: session.inc.php (4.43 KB) -rw-r--r-- Select action/file-type: (+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
<?php /* $Id: session.inc.php,v 2.8.2.4 2006/05/12 15:26:16 nijel Exp $ */ // vim: expandtab sw=4 ts=4 sts=4: /** * session handling * * @TODO add failover or warn if sessions are not configured properly * @TODO add an option to use mm-module for session handler * @see http://www.php.net/session * @uses session_name() * @uses session_start() * @uses ini_set() * @uses version_compare() * @uses PHP_VERSION */
// verify if PHP supports session, die if it does not
if (!@function_exists('session_name')) { $cfg = array('DefaultLang' => 'en-iso-8859-1', 'AllowAnywhereRecoding' => false); // Loads the language file require_once('./libraries/select_lang.lib.php'); // Displays the error message // (do not use & for parameters sent by header) header('Location: error.php' . '?lang=' . urlencode($available_languages[$lang][2]) . '&char=' . urlencode($charset) . '&dir=' . urlencode($text_dir) . '&type=' . urlencode($strError) . '&error=' . urlencode(sprintf($strCantLoad, 'session'))); exit(); } elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') { /* $cfg = array('DefaultLang' => 'en-iso-8859-1', 'AllowAnywhereRecoding' => false); // Loads the language file require_once('./libraries/select_lang.lib.php'); // Displays the error message // (do not use & for parameters sent by header) // TODO FIXME replace with locale string $strSessionAutostartError = 'phpMyAdmin cannot run with' . ' [a@http://php.net/session#ini.session.auto-start@php]session.auto_start[/a]' . ' enabled. Check your php configuration.'; header('Location: error.php' . '?lang=' . urlencode('en') //($available_languages[$lang][2]) . '&char=' . urlencode($charset) . '&dir=' . urlencode('ltr') //($text_dir) . '&type=' . urlencode('Error') //($strError) . '&error=' . urlencode($strSessionAutostartError)); exit(); */ $_SESSION = array(); if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000, '/'); } session_unset(); @session_destroy(); }
// disable starting of sessions before all settings are done // does not work, besides how it is written in php manual //ini_set('session.auto_start', 0);
// session cookie settings session_set_cookie_params(0, PMA_Config::getCookiePath(), '', PMA_Config::isHttps());
// cookies are safer ini_set('session.use_cookies', true);
// but not all user allow cookies ini_set('session.use_only_cookies', false); ini_set('session.use_trans_sid', true); ini_set('url_rewriter.tags', 'a=href,frame=src,input=src,form=fakeentry,fieldset='); //ini_set('arg_separator.output', '&');
// delete session/cookies when browser is closed ini_set('session.cookie_lifetime', 0);
// warn but dont work with bug ini_set('session.bug_compat_42', false); ini_set('session.bug_compat_warn', true);
// use more secure session ids (with PHP 5) if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN') { ini_set('session.hash_function', 1); ini_set('session.hash_bits_per_character', 6); }
// start the session // on some servers (for example, sourceforge.net), we get a permission error // on the session data directory, so I add some "@"
// [2006-01-25] Nicola Asuni - www.tecnick.com: maybe the PHP directive // session.save_handler is set to another value like "user" ini_set('session.save_handler', 'files');
@session_name('phpMyAdmin'); @session_start();
/** * Token which is used for authenticating access queries. */ if (!isset($_SESSION['PMA_token'])) { $_SESSION['PMA_token'] = md5(uniqid(rand(), true)); }
/** * trys to secure session from hijacking and fixation * should be called before login and after successfull login * (only required if sensitive information stored in session) * * @uses session_regenerate_id() to secure session from fixation * @uses session_id() to set new session id * @uses strip_tags() to prevent XSS attacks in SID * @uses function_exists() for session_regenerate_id() */ function PMA_secureSession() { // prevent session fixation and XSS if (function_exists('session_regenerate_id')) { session_regenerate_id(true); } else { session_id(strip_tags(session_id())); } } ?>
|