[med-svn] [openemr] 03/04: Integration of Debian provided phpMyAdmin for use with OpenEMR. Uses an additional session OpenEMRphpMyAdmin to store the PMA credentials.
Ian Wallace
iankarlwallace-guest at moszumanska.debian.org
Tue Sep 9 04:40:38 UTC 2014
This is an automated email from the git hooks/post-receive script.
iankarlwallace-guest pushed a commit to branch master
in repository openemr.
commit 250611a4b0eae932eae97ec61a65c8f84725a358
Author: Ian Wallace <iankarlwallace at gmail.com>
Date: Mon Sep 8 21:38:04 2014 -0700
Integration of Debian provided phpMyAdmin for use with OpenEMR. Uses an additional session OpenEMRphpMyAdmin to store the PMA credentials.
---
debian/openemr.conf | 25 +---
debian/openemr.config.inc.php | 40 +----
debian/patches/phpmyadmin_integration_session_fix | 170 +++++++++++++++++++---
3 files changed, 160 insertions(+), 75 deletions(-)
diff --git a/debian/openemr.conf b/debian/openemr.conf
index 8d9a582..ae4d3e9 100644
--- a/debian/openemr.conf
+++ b/debian/openemr.conf
@@ -1,25 +1,14 @@
# OpenEMR default Apache configuration
+# PhpMyAdmin settings have defaults that are picked up by Apache
+# from the main phpMyAdmin configuration so we don't need to set
+# them here
Alias /openemr/phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
-
<IfModule mod_php5.c>
- <IfModule mod_mime.c>
- AddType application/x-httpd-php .php
- </IfModule>
- <FilesMatch ".+\.php$">
- SetHandler application/x-httpd-php
- </FilesMatch>
-
- php_flag magic_quotes_gpc Off
- php_flag track_vars On
- php_flag register_globals Off
- php_admin_flag allow_url_fopen Off
- php_value include_path .
- php_admin_value upload_tmp_dir /var/lib/openemr/tmp
- php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/
+ php_flag display_errors Off
</IfModule>
</Directory>
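Review bot: The `/openemr/phpmyadmin` alias now carries no `open_basedir` or `allow_url_fopen` restriction of its own, and the added comment relies on the main phpMyAdmin Apache configuration supplying them. That appears to hold only on hosts where the Debian phpMyAdmin Apache snippet is actually enabled; where it is not, this `<Directory /usr/share/phpmyadmin>` block serves phpMyAdmin with just `display_errors Off`. Either keep `php_admin_flag allow_url_fopen Off` and the `php_admin_value open_basedir ...` line here, or extend the comment to state the dependency, e.g. `# Requires the phpmyadmin Apache configuration to be enabled; it provides open_basedir and allow_url_fopen for this directory.`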
@@ -46,7 +35,7 @@ Alias /openemr /usr/share/openemr
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag short_open_tag On
- php_flag display_errors Off
+ php_flag display_errors On
php_flag register_globals Off
php_flag file_uploads On
php_value max_execution_time 60
@@ -54,10 +43,10 @@ Alias /openemr /usr/share/openemr
php_value post_max_size 30M
php_value memory_limit 128M
php_value post_max_size 32M
- php_value include_path ".:/usr/share/openemr:/usr/share/php5:/usr/share/php"
+ php_value include_path .:/usr/share/openemr:/usr/share/php5:/usr/share/php
php_admin_value upload_max_filesize 16M
php_admin_value upload_tmp_dir /var/lib/openemr/tmp
- php_admin_value open_basedir /usr/share/openemr/:/etc/openemr/:/var/lib/openemr/
+ php_admin_value open_basedir /usr/share/openemr/:/etc/openemr/:/var/lib/openemr/:/usr/share/php5/:/usr/share/php/
</IfModule>
</Directory>
diff --git a/debian/openemr.config.inc.php b/debian/openemr.config.inc.php
index 3a13543..c6e74ce 100644
--- a/debian/openemr.config.inc.php
+++ b/debian/openemr.config.inc.php
@@ -1,41 +1,16 @@
<?php
// OpenEMR Integartion
-// If request is coming from OpenEMR URI declare that it's signle signon
-$pattern="/^\/openemr\/phpmyadmin\/*/";
-if ( preg_match("$pattern",$_SERVER['REQUEST_URI']) === 1 ) {
- error_log("oer: URI [".$_SERVER['REQUEST_URI']."] matched.");
-
- $old_session = session_name();
- $old_id = session_id();
- session_write_close();
- error_log("oer: Closed session [".$old_session."-".$old_id."]");
-
- foreach($_COOKIE as $key => $value) {
- error_log("oer: Cookied detected [".$key."] as [".$value."]");
- if( preg_match("/^phpMyAdmin$/",$key) === 1 ) {
- error_log("oer: phpMyAdmin COOKIE detected.");
- session_name($key);
- session_id($value);
- session_start();
- error_log("oer:Switched to session [".$key."-".$value."]");
- error_log("oer:_SESSION is [".print_r($_SESSION,TRUE)."]");
- session_write_close();
- } else {
- error_log("oer: Cookie [".$key."] doesn't appear to be a phpMyAdmin session.");
- }
- }
-
- session_name($old_session);
- session_id($old_id);
- session_start();
- error_log("oer: Resumed old session [".$old_session."-".$old_id."]");
-
+// If OpenEMRphMyAdmin cookie we provide the basic configuration
+// All crednetials are handled by interface/main/left_nav.php
+if ( isset($_COOKIE['OpenEMRphpMyAdmin']) ) {
$i=$i++;
// Single signon server configuration for using phpMyAdmin inside of OpenEMR
+ // We use a bridge session defined in globals.php for path /openemr/phpmyadmin that has
+ // the required information in it for login
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'signon';
- $cfg['Servers'][$i]['SignonSession'] = 'OpenEMR';
+ $cfg['Servers'][$i]['SignonSession'] = 'OpenEMRphpMyAdmin';
$cfg['Servers'][$i]['SignonURL'] = '/openemr';
$cfg['Servers'][$i]['only_db'] = 'openemr';
$cfg['ServerDefault'] = $i;
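Review bot: The `isset($_COOKIE['OpenEMRphpMyAdmin'])` gate tests only that a cookie with that name was sent, which any client can do, so it selects the signon server entry without establishing anything about the user; access still rests entirely on what the signon session contains. A comment saying so would keep later edits from treating the branch as an authorization check, e.g. `// Cookie presence only selects this server entry; authentication is enforced by the signon session contents.` The context line `$i=$i++;` also leaves `$i` unchanged in PHP, so the entry is written at whatever index the main configuration last used rather than at a new one; `$i++;` looks like the intent. The `if` block is closed in the next hunk.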
@@ -44,9 +19,8 @@ if ( preg_match("$pattern",$_SERVER['REQUEST_URI']) === 1 ) {
$cfg['ShowPhpInfo'] = TRUE;
$cfg['Confirm'] = TRUE;
$cfg['Error_Handler']['display'] = TRUE;
- error_log("oer: Default settings for server [".$i."] provided.");
} else {
- error_log("oer: Skipping openemr integration as URI doesn't match.");
+ error_log("oer: ");
}
?>
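Review bot: The new `error_log("oer: ");` in the `else` branch writes a message with no content for every phpMyAdmin request that arrives without the cookie, which adds log noise and tells an operator nothing. Drop the branch or say what happened, e.g. `error_log("oer: OpenEMRphpMyAdmin cookie absent, skipping OpenEMR signon configuration.");`. The context lines `$cfg['ShowPhpInfo'] = TRUE;` and `$cfg['Error_Handler']['display'] = TRUE;` stay enabled inside the cookie-gated block; both expose PHP environment details and error text through phpMyAdmin and would be safer as `FALSE` in a packaged default. The `if` that this `else` belongs to opens in the previous hunk.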
diff --git a/debian/patches/phpmyadmin_integration_session_fix b/debian/patches/phpmyadmin_integration_session_fix
index 068c706..849c4e3 100644
--- a/debian/patches/phpmyadmin_integration_session_fix
+++ b/debian/patches/phpmyadmin_integration_session_fix
@@ -1,42 +1,164 @@
--- a/interface/main/left_nav.php
+++ b/interface/main/left_nav.php
-@@ -1113,7 +1113,18 @@ if ($GLOBALS['athletic_team']) {
+@@ -301,6 +301,22 @@ function genFindBlock() {
+ <?php
+ } // End function genFindBlock()
+
++// Set PMA_single_signon variables, default is to set all the null - turns off access to PMA
++function session_set_PMA_single_signon_credentials($user = null, $password = null, $host = null, $port = null) {
++ // The OER to PMA bridge session should be referenced in Session OpenEMR oer_pma_id, if it's not there skip
++ if ( isset($_SESSION['oer_pma_id']) ) {
++ $oer_pma_id = $_SESSION['oer_pma_id'];
++ session_reopen_no_headers("OpenEMRphpMyAdmin",$oer_pma_id);
++ $_SESSION['PMA_single_signon_user'] = $user;
++ $_SESSION['PMA_single_signon_password'] = $password;
++ $_SESSION['PMA_single_signon_host'] = $host;
++ $_SESSION['PMA_single_signon_port'] = $port;
++ } else {
++ error_log("oer+phpmyadmin: ERROR NO PMA session found SKIPPING set_PMA_signle_signon_credentials.");
++ }
++}
++
++
+ ?>
+ <html>
+ <head>
+@@ -1113,7 +1129,13 @@ if ($GLOBALS['athletic_team']) {
<?php if (acl_check('admin', 'forms' )) genMiscLink('RTop','adm','0',xl('Forms'),'forms_admin/forms_admin.php'); ?>
<?php if (acl_check('admin', 'calendar') && !$GLOBALS['disable_calendar']) genMiscLink('RTop','adm','0',xl('Calendar'),'main/calendar/index.php?module=PostCalendar&type=admin&func=modifyconfig'); ?>
<?php if (acl_check('admin', 'users' )) genMiscLink('RTop','adm','0',xl('Logs'),'logview/logview.php'); ?>
- <?php if ( (!$GLOBALS['disable_phpmyadmin_link']) && (acl_check('admin', 'database')) ) genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php'); ?>
+ <?php if ( (!$GLOBALS['disable_phpmyadmin_link']) && (acl_check('admin', 'database')) ) {
-+ genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php');
-+ $_SESSION['PMA_single_signon_user'] = $sqlconf['login'];
-+ $_SESSION['PMA_single_signon_password'] = $sqlconf['pass'];
-+ $_SESSION['PMA_single_signon_host'] = $sqlconf['host'];
-+ $_SESSION['PMA_single_signon_port'] = $sqlconf['port'];
-+ } else {
-+ $_SESSION['PMA_single_signon_user'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_password'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_host'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_port'] = 'FALSE';
-+ } ?>
++ genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php');
++ session_set_PMA_single_signon_credentials($sqlconf['login'], $sqlconf['pass'], $sqlconf['host'], $sqlconf['port']);
++ } else {
++ session_set_PMA_single_signon_credentials();
++ }
++ ?>
<?php if (acl_check('admin', 'super' )) genMiscLink('RTop','adm','0',xl('Files'),'super/manage_site_files.php'); ?>
<?php if (acl_check('admin', 'super' )) genMiscLink('RTop','adm','0',xl('Backup'),'main/backup.php'); ?>
<?php if (acl_check('admin', 'users' )) genMiscLink('RTop','adm','0',xl('Certificates'),'usergroup/ssl_certificates_admin.php'); ?>
-@@ -1284,7 +1295,18 @@ if (!empty($reg)) {
+@@ -1284,7 +1306,13 @@ if (!empty($reg)) {
if (acl_check('admin', 'users' )) genMiscLink('RTop','adm','0',xl('eRx Logs'),'logview/erx_logview.php');
}
?>
- <?php if ( (!$GLOBALS['disable_phpmyadmin_link']) && (acl_check('admin', 'database')) ) genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php'); ?>
+ <?php if ( (!$GLOBALS['disable_phpmyadmin_link']) && (acl_check('admin', 'database')) ) {
-+ genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php');
-+ $_SESSION['PMA_single_signon_user'] = $sqlconf['login'];
-+ $_SESSION['PMA_single_signon_password'] = $sqlconf['pass'];
-+ $_SESSION['PMA_single_signon_host'] = $sqlconf['host'];
-+ $_SESSION['PMA_single_signon_port'] = $sqlconf['port'];
-+ } else {
-+ $_SESSION['PMA_single_signon_user'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_password'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_host'] = 'FALSE';
-+ $_SESSION['PMA_single_signon_port'] = 'FALSE';
-+ } ?>
++ genMiscLink('RTop','adm','0',xl('Database'),'../phpmyadmin/index.php');
++ session_set_PMA_single_signon_credentials($sqlconf['login'], $sqlconf['pass'], $sqlconf['host'], $sqlconf['port']);
++ } else {
++ session_set_PMA_single_signon_credentials();
++ }
++ ?>
<?php if (acl_check('admin', 'users' )) genMiscLink('RTop','adm','0',xl('Certificates'),'usergroup/ssl_certificates_admin.php'); ?>
<?php if (acl_check('admin', 'super' )) genMiscLink('RTop','adm','0',xl('External Data Loads'),'../interface/code_systems/dataloads_ajax.php'); ?>
<?php if (acl_check('admin', 'super' )) genMiscLink('RTop','adm','0',xl('Merge Patients'),'patient_file/merge_patients.php'); ?>
+--- a/interface/globals.php
++++ b/interface/globals.php
+@@ -88,17 +88,97 @@ if (preg_match("/^[^\/]/",$web_root)) {
+ // only if you have some reason to.
+ $GLOBALS['OE_SITES_BASE'] = "$webserver_root/sites";
+
+-// The session name names a cookie stored in the browser.
+-// If you modify session_name, then need to place the identical name in
+-// the phpmyadmin file here: openemr/phpmyadmin/libraries/session.inc.php
+-// at line 71. This was required after embedded new phpmyadmin version on
+-// 05-12-2009 by Brady. Hopefully will figure out a more appropriate fix.
+-// Now that restore_session() is implemented in javaScript, session IDs are
+-// effectively saved in the top level browser window and there is no longer
+-// any need to change the session name for different OpenEMR instances.
+-session_name("OpenEMR");
++/**
++* Session mgmt helper functions
++*
++* These function(s) started from the need to manage
++* multiple sessions/cookies for integration with phpmyadmin.
++* PHP will generate a header each time session_write_close()
++* is called, which can cause problems if called from any
++* place *other* than the top level dir. The browser starts
++* to accumulate multiple cookies with the same name and
++* sometimes different id's.
++*
++* 09/06/2014 - Ian Wallace - iankarlwallace at gmail.com
++* Taken from information found on StackOverlow for questions:
++* http://stackoverflow.com/questions/12315225/reopening-a-session-in-php
++* http://stackoverflow.com/questions/10046570/php-save-session-when-using-session-write-close
++*/
+
++// Save the parameters that we might overwrite later.
++$GLOBALS['oer_pma.use_only_cookies'] = ini_get('session.use_only_cookies');
++$GLOBALS['oer_pma.use_cookies'] = ini_get('session.use_cookies');
++$GLOBALS['oer_pma.use_trans_sid'] = ini_get('session.use_trans_sid');
++$GLOBALS['oer_pma.cache_limiter'] = ini_get('session.cache_limiter');
++
++// Reopen session suppressing the headers that are normally sent
++function session_reopen_no_headers( $sess_name = "OpenEMR", $sess_id = null ) {
++ session_write_close();
++ ini_set('session.use_only_cookies', false);
++ ini_set('session.use_cookies', false);
++ ini_set('session.use_trans_sid', false);
++ ini_set('session.cache_limiter', null);
++ if (isset($sess_id) && $sess_id !== null) {
++ session_id($sess_id);
++ }
++ session_name($sess_name);
++ session_start();
++}
++
++// Reopen session with whatever ini values were set
++function session_reopen( $sess_name = "OpenEMR", $sess_id = null ){
++ session_write_close();
++ ini_set('session.use_only_cookies', $GLOBALS['oer_pma.use_only_cookies']);
++ ini_set('session.use_cookies', $GLOBALS['oer_pma.use_cookies']);
++ ini_set('session.use_trans_sid', $GLOBALS['oer_pma.use_trans_sid']);
++ ini_set('session.cache_limiter', $GLOBALS['oer_pma.cache_limiter']);
++ if (isset($sess_id) && $sess_id !== null) {
++ session_id($sess_id);
++ }
++ session_name($sess_name);
++ session_start();
++}
++
++// The session name names a cookie stored in the browser for the OpenEMR session.
++// With prior versions there needed to be synchrony between OpenEMR sessions and
++// phpMyAdmin sessions or they would not work together. That is no longer needed
++// with the use of signon authentication with phpMyAdmin. Unfortunately there
++// is a second bug where the named session that holds the PMA credentials will be
++// duplicated but at a different cookie path (the real OpenEMR session is always
++// path = / but with the way that phpMyAdmin looks for the credentials it creates
++// a second cookie at path = /openemr/phpmyadmin/. This essentially will HIDE
++// the true session the second time the user tries to access phpMyAdmin. The
++// first access works OK. To work around this a bridge session is being used
++// accessed via OpenEMRphpMyAdmin that only has the PMA credentials and is set to
++// path = /openemr/phpmyadmin/ so that it can not be erroneously hidden by the
++// PMA signon auth code. The true solution is to submit a patch upstream for
++// phpmyadmin.
++
++// Start the session and make sure the OER to PMA id is updated or created
++session_set_cookie_params(0,'/',ini_get('session.cookie_domain'),FALSE,FALSE);
++session_name('OpenEMR');
++session_start();
++$oer_id = session_id();
++$oer_pma_id = ( isset($_SESSION['oer_pma_id']) ? $_SESSION['oer_pma_id'] : sha1(mt_rand()) );
++$_SESSION['oer_pma_id'] = $oer_pma_id;
++session_write_close();
++
++// Make sure the OER to PMA bridge session is created correctly and contains a reference to the parent session
++// Correct it if it's incorrect, it will be incorrect the second time a user attempts to use phpMyAdmin
++session_set_cookie_params(0,"/openemr/phpmyadmin/",ini_get('session.cookie_domain'),FALSE,TRUE);
++session_name("OpenEMRphpMyAdmin");
++session_id($oer_pma_id);
++session_start();
++if ( !isset($_SESSION['oer_id']) || ($_SESSION['oer_id'] != $oer_id) ) {
++ $_SESSION['oer_id'] = $oer_id;
++}
++session_write_close();
++
++session_set_cookie_params(0,'/',ini_get('session.cookie_domain'),FALSE,FALSE);
++session_name('OpenEMR');
++session_id($oer_id);
+ session_start();
++error_log("oer+phpmyadmin: OER Session[".$oer_id."] phpMyAdmin Session[".$oer_pma_id."]");
+
+ // Set the site ID if required. This must be done before any database
+ // access is attempted.
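Review bot: The bridge session id in the `interface/globals.php` part is generated with `sha1(mt_rand())`, and `mt_rand()` yields at most 2^31 distinct values from a non-cryptographic generator, so the id of the session that holds `PMA_single_signon_password` is far easier to guess than a normal PHP session id. On the PHP 5 this package targets, `bin2hex(openssl_random_pseudo_bytes(20))` would be a drop-in replacement, assuming the openssl extension is available. The final `error_log("oer+phpmyadmin: OER Session[...")` line also writes both session ids to the error log on every request, where anyone who can read the log could reuse them; log the event without the ids. Both `session_set_cookie_params(...)` calls pass `FALSE` for the secure flag, and the `OpenEMR` cookie also gets `FALSE` for httponly, which is worth revisiting for sites served over HTTPS.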
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-med/openemr.git