Fixing #5107 - session.auto_start and minor QA

* Block Cacti install is session.auto_start is enabled * Move the session.php include to it's original location * Place the session_start() before the first header output
Cacti · Dec 18, 2022 · 8636f38 · 8636f38
1 parent cdc5db3
commit 8636f38
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -63,6 +63,7 @@ Cacti CHANGELOG
 -issue#5101: Remote Data Collector Recovery Fails
 -issue#5102: When in Recovery Mode plugins that are designed to work remotely stop working
 -issue#5103: When Remote Data Collector changes status a full page refresh or logout should occur
+-issue#5107: Block Cacti install is session.auto_start is enabled
 -feature#1100: Structured path not created when using remote poller and Update On-Demand
 -feature#1392: AJAX handled errors do not notify Admins that page errors exist
 -feature#2239: Allow Import and Export to be more controlled

diff --git a/include/global.php b/include/global.php
@@ -272,6 +272,11 @@
 	$config['is_web'] = false;
 }
 
+if ($config['is_web'] && ini_get('session.auto_start') == 1) {
+	print 'FATAL: PHP settings session.auto_start NOT supported.  Disable in your php.ini file and then restart your Web Service' . PHP_EOL;
+	exit;
+}
+
 /* set poller mode */
 global $local_db_cnn_id, $remote_db_cnn_id, $conn_mode;
 
@@ -380,6 +385,12 @@
 	}
 }
 
+if (isset($cacti_db_session) && $cacti_db_session && db_table_exists('sessions') && $config['connection'] == 'online') {
+	include(dirname(__FILE__) . '/session.php');
+} else {
+	$cacti_db_session = false;
+}
+
 if (!defined('IN_CACTI_INSTALL')) {
 	set_error_handler('CactiErrorHandler');
 	register_shutdown_function('CactiShutdownHandler');
@@ -429,6 +440,9 @@
 	$config['cookie_options']     = $options;
 	$config['cacti_session_name'] = $cacti_session_name;
 
+	/* start the session before sending headers */
+	cacti_session_start();
+
 	/* we don't want these pages cached */
 	header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 	header('X-Frame-Options: SAMEORIGIN');
@@ -449,14 +463,6 @@
 	header('Cache-Control: no-store, no-cache, must-revalidate');
 	header('Cache-Control: max-age=31536000');
 
-	if (isset($cacti_db_session) && $cacti_db_session && db_table_exists('sessions') && $config['connection'] == 'online') {
-		include(dirname(__FILE__) . '/session.php');
-	} else {
-		$cacti_db_session = false;
-	}
-
-	cacti_session_start();
-
 	/* we never run with magic quotes on */
 	if (version_compare(PHP_VERSION, '5.4', '<=')) {
 		if (get_magic_quotes_gpc()) {