Source code of phpMyAdmin 2.10.3 — libraries/session.inc.php
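<?php
/* $Id: session.inc.php 10422 2007-06-05 16:32:49Z lem9 $ */
// vim: expandtab sw=4 ts=4 sts=4:
/**
 * session handling
 *
 * Bootstraps the PHP session used by phpMyAdmin: verifies the session
 * extension is present, hardens the session cookie and id generation, starts
 * the session (reporting startup failures through error.php) and seeds the
 * anti-CSRF token stored in $_SESSION[' PMA_token '].
 *
 * Relies on symbols defined elsewhere (PMA_Config, PMA_removeCookie(),
 * $available_languages, $lang, $text_dir and the $str* message strings).
 *
 * @todo add failover or warn if sessions are not configured properly
 * @todo add an option to use mm-module for session handler
 * @see http://www.php.net/session
 * @uses session_name()
 * @uses session_start()
 * @uses ini_set()
 * @uses version_compare()
 * @uses PHP_VERSION
 */

// verify if PHP supports session, die if it does not

if (!@function_exists('session_name')) {
    $cfg = array('DefaultLang' => 'en-iso-8859-1',
        'AllowAnywhereRecoding' => false);
    // Loads the language file
    require_once('./libraries/select_lang.lib.php');
    // Displays the error message
    // (do not use & for parameters sent by header)
    header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
        . '?lang=' . urlencode($available_languages[$lang][2])
        . '&dir=' . urlencode($text_dir)
        . '&type=' . urlencode($strError)
        . '&error=' . urlencode(sprintf($strCantLoad, 'session')));
    exit();
} elseif (ini_get('session.auto_start') == true && session_name() != 'phpMyAdmin') {
    // A session was auto-started under a foreign name before our settings
    // below could take effect; discard it (and its cookie) so that the
    // session we open further down is configured and named by us.
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        PMA_removeCookie(session_name());
    }
    session_unset();
    @session_destroy();
}

// disable starting of sessions before all settings are done
// does not work, besides how it is written in php manual
//ini_set('session.auto_start', 0);

// session cookie settings
// The cookie lifetime is 0 (session cookie), the path comes from the
// configuration and the "secure" flag follows the detected scheme.
if (version_compare(PHP_VERSION, '5.2.0', 'ge')) {
    // PHP 5.2 added a dedicated $httponly parameter; use it.
    session_set_cookie_params(0, PMA_Config::getCookiePath(),
        '', PMA_Config::isHttps(), true);
} else {
    // Older PHP has no HttpOnly parameter: smuggle the attribute in through
    // the path, which PHP copies verbatim into the Set-Cookie header.
    session_set_cookie_params(0, PMA_Config::getCookiePath() . '; HttpOnly',
        '', PMA_Config::isHttps());
}

// cookies are safer
ini_set('session.use_cookies', true);

// but not all user allow cookies
// SECURITY NOTE: allowing the session id in the URL (trans_sid) means it can
// leak via Referer headers, logs and bookmarks and makes session fixation
// easier; PMA_secureSession() below is the mitigation and must be called
// around login.
ini_set('session.use_only_cookies', false);
ini_set('session.use_trans_sid', true);
ini_set('url_rewriter.tags',
    'a=href,frame=src,input=src,form=fakeentry,fieldset=');
//ini_set('arg_separator.output', '&');

// delete session/cookies when browser is closed
ini_set('session.cookie_lifetime', 0);

// warn but dont work with bug
ini_set('session.bug_compat_42', false);
ini_set('session.bug_compat_warn', true);

// use more secure session ids (with PHP 5)
// hash_function 1 selects SHA-1 (160 bits) over the MD5 default; 6 bits per
// character keeps the id shorter.  Skipped on Windows (the original authors
// excluded it there; reason not recorded).
if (version_compare(PHP_VERSION, '5.0.0', 'ge')
    && substr(PHP_OS, 0, 3) != 'WIN') {
    ini_set('session.hash_function', 1);
    ini_set('session.hash_bits_per_character', 6);
}

// some pages (e.g. stylesheet) may be cached on clients, but not in shared
// proxy servers
session_cache_limiter('private');

// start the session
// on some servers (for example, sourceforge.net), we get a permission error
// on the session data directory, so I add some "@"

// See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files');

$session_name = 'phpMyAdmin';
@session_name($session_name);
// strictly, PHP 4 since 4.4.2 would not need a verification
// PHP before 4.4.2 / 5.1.2 echoed the cookie value back into the Set-Cookie
// header unchecked, so a CR/LF in it allowed HTTP response splitting; refuse
// such a session id outright on those versions.
if (version_compare(PHP_VERSION, '5.1.2', 'lt')
    && isset($_COOKIE[$session_name])
    && eregi("\r|\n", $_COOKIE[$session_name])) {
    die('attacked');
}

if (! isset($_COOKIE[$session_name])) {
    // on first start of session we will check for errors
    // f.e. session dir cannot be accessed - session file not created
    // Temporarily force full error display into an output buffer so that a
    // failing session_start() can be detected even when the server hides
    // warnings; the previous settings are restored right afterwards.
    ob_start();
    $old_display_errors = ini_get('display_errors');
    $old_error_reporting = error_reporting(E_ALL);
    ini_set('display_errors', 1);
    $r = session_start();
    ini_set('display_errors', $old_display_errors);
    error_reporting($old_error_reporting);
    unset($old_display_errors, $old_error_reporting);
    $session_error = ob_get_contents();
    ob_end_clean();
    if ($r !== true || ! empty($session_error)) {
        // Expire the (possibly half-set) cookie, then redirect to error.php.
        setcookie($session_name, '', 1);
        $cfg = array('DefaultLang' => 'en-iso-8859-1',
            'AllowAnywhereRecoding' => false);
        // Loads the language file
        require_once './libraries/select_lang.lib.php';
        // Displays the error message
        // (do not use & for parameters sent by header)
        header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
            . '?lang=' . urlencode($available_languages[$lang][2])
            . '&dir=' . urlencode($text_dir)
            . '&type=' . urlencode($strError)
            . '&error=' . urlencode($strSessionStartupErrorGeneral));
        exit();
    }
} else {
    @session_start();
}

/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 *
 * The token is a 32-character hex string kept for the lifetime of the
 * session.  uniqid()/rand() alone are time-seeded and guessable, which would
 * weaken the token's anti-CSRF value, so a CSPRNG is mixed in whenever the
 * runtime provides one (openssl_random_pseudo_bytes(), PHP 5.3+); the
 * fallback keeps the original construction with mt_rand() in place of rand().
 */
if (!isset($_SESSION[' PMA_token '])) {
    if (function_exists('openssl_random_pseudo_bytes')) {
        $_SESSION[' PMA_token '] = md5(openssl_random_pseudo_bytes(16)
            . uniqid(mt_rand(), true));
    } else {
        $_SESSION[' PMA_token '] = md5(uniqid(mt_rand(), true));
    }
}

/**
 * tries to secure session from hijacking and fixation
 * should be called before login and after successfull login
 * (only required if sensitive information stored in session)
 *
 * With session_regenerate_id() available a fresh id is issued and the old
 * session data deleted, so an id an attacker planted (via URL or cookie)
 * stops being valid.  The fallback only strips tags from the current id to
 * blunt XSS through URL rewriting; it does NOT change the id and therefore
 * gives no fixation protection.
 *
 * @uses session_regenerate_id() to secure session from fixation
 * @uses session_id() to set new session id
 * @uses strip_tags() to prevent XSS attacks in SID
 * @uses function_exists() for session_regenerate_id()
 */
function PMA_secureSession()
{
    // prevent session fixation and XSS
    if (function_exists('session_regenerate_id')) {
        session_regenerate_id(true);
    } else {
        session_id(strip_tags(session_id()));
    }
}
?>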