Page 1 of 2

  #1

    $_SESSION vars not saved on header() redirect


    Hi all,

    I'm converting a login process from $_COOKIES to $_SESSION.

    There is a signin.html page that has input for user id and password and action to a dosignin.html page. Both are on https.

    The dosignin.html page has this code, after successful authentication:

    PHP Code:
    session_start(); // <-- very first thing on page

    ... // other code to verify user

    // checking if there is a user id already present
    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }

    ...

    session_write_close();
    header("Location: http://somesite.com/somepage.html?" . SID);
    //echo "<META http-equiv=\"refresh\" content=\"0;URL=http://somesite.com/somepage.html\">";
    exit;
    However, with session_start() at the top of somepage.html, when I try to echo out $_SESSION['UserID'] it's empty. Apparently it's not being set.

    How do I:

    1) Set the $_SESSION vars that I want
    and
    2) Have those $_SESSION vars available on the page that is "redirected" to?

    If I use the META refresh instead, same thing, the $_SESSION['UserID'] is empty.

    How do I transfer/access those session vars I set on subsequent pages after the header() redirect?

    Thanks.
  #2
    1. make sure that PHP can work with pages ending with .html (I am assuming they can hence you get empty variable result)

    2. on the second page (somepage.html) make sure you ALSO have session_start(); at the top

    3. on the first page echo out $userid variable to make sure it actually has a value.

    4. I have not normally used session_write_close(); in my pages, is this necessary? does it affect the sessions in any way? maybe remove it and see.
  #3
    Hi,

    do not pass the session ID via the URL. This is a big security hole:
    • Sharing a link automatically exposes the session ID -- unless the user explicitly removes it. So there's a great risk of people unintentionally passing their session ID around.
    • An attacker can start a new session and then give the link to a victim. The victim might not realize that he/she is currently logged in as somebody else and might enter critical information that the attacker has then access to (since it's his/her own session). See "session fixation".
    • The session ID will show up in each and every server log, which is obviously a nightmare.


    So don't do it. Instead, have PHP store the session ID in a cookie:
    Code:
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.use_trans_sid = 0
    This might also solve your session issue.

    As I already said in your previous thread: I strongly recommend reading up on security basics and best practices before you write the actual code. There's a lot of mistakes you can make, so it's probably better to know them before somebody else finds them on your website.



    Originally Posted by paulh1983
    4. I have not normally used session_write_close(); in my pages, is this necessary? does it affect the sessions in any way? maybe remove it and see.
    It's not necessary, but it doesn't hurt either.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  #4
    Originally Posted by Jacques1
    Hi,

    do not pass the session ID via the URL. This is a big security hole:
    • Sharing a link automatically exposes the session ID -- unless the user explicitly removes it. So there's a great risk of people unintentionally passing their session ID around.
    • An attacker can start a new session and then give the link to a victim. The victim might not realize that he/she is currently logged in as somebody else and might enter critical information that the attacker has then access to (since it's his/her own session). See "session fixation".
    • The session ID will show up in each and every server log, which is obviously a nightmare.


    So don't do it. Instead, have PHP store the session ID in a cookie:
    Code:
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.use_trans_sid = 0
    This might also solve your session issue.
    Thanks for the reply. I agree, sending this type of information via the URL is a huge problem and why I'm doing this unit testing (development work) on an isolated dev box. Just trying to wrap my head around how I can get my $_SESSION vars to be available after a header() redirect.

    Looking at the php manual for header(), I'm quite surprised they mention nothing about a potential for a security issue with SID in the URL.


    Reading about the Runtime Configurations, the options set above are defaults already. So I'm not sure why I would need to set those anyway?
    If it's simply a matter of being redundant to be sure, I can understand that. So, I put those lines in my "custom" php.ini file.

    I now have in the dosignin.html page:
    PHP Code:
    session_start(); // first line

    // code to verify user, if verified...

    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }

    session_write_close();
    header("Location: http://somesite.com/somepage.html"); // without SID
    //echo "<META http-equiv=\"refresh\" content=\"0;URL=http://somesite.com/somepage.html\">";

    exit;
    When I echo out $_SESSION['UserID'] on the redirected to somepage.html...it's still not there. Note: session_start(); is also on the first line of somepage.html

    When I put this as the first lines in somepage.html:
    PHP Code:
    session_start();
    foreach ($_SESSION as $key => $val) {
        echo "key: " . $key . " val: " . $val;
    }
    exit;
    I get nothing. Not even the literal "key" and "val."

    If I try this in somepage.html:
    PHP Code:
    session_start();
    print_r($_SESSION);
    exit; 
    I get this:
    Array ( )
    When I try this in somepage.html:
    PHP Code:
    session_start();
    var_dump($_SESSION);
    exit; 
    I get this:
    array(0) { }
    Any other ideas?

    [Edit: added last exit (after var_dump) in the post. it's there in the testing code though]
    Last edited by we5inelgr; April 19th, 2013 at 12:48 PM.
  #5
    Looking at the php manual for header(), I'm quite surprised they mention nothing about a potential for a security issue with SID in the URL.
    Why should they? That's not what headers are exclusively used for. You can use header() to manually set a cookie file containing the user's social security number. That's not safe either.

    PHP Code:
    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }
    This code gets $userid from nowhere, and the unset() is unnecessary.

    Sessions work by setting a cookie on the client (your browser) which points to a temporary file on the server. That file contains a proprietary-serialized version of the session. When a request comes in, the cookie is checked for a cookie called PHPSESSID (unless you've changed it). That cookie value is then used to look up the session filename. The file is loaded, unserialized, and $_SESSION is populated.

    So:

    1) Check the cookie. Look to see if you have it.

    2) If so, check the file. Find the session storage location from phpinfo(). Go there, look for the file.

    If both of those things exist and are correct, we can move on from there.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  #6
    Originally Posted by ManiacDan
    This code gets $userid from nowhere, and the unset() is unnecessary.


    1) Check the cookie. Look to see if you have it.
    Thanks for the reply.

    $userid is coming from further up, where the user is authenticated. It's there, I can see it when I echo $userid; exit; prior to the $_SESSION code.

    By 'Check the cookie' do you mean like this?

    echo "UserID Cookie: ".$_COOKIE['UserID'];

    If so, there is nothing there aside from the literal string.

    I tried this too:
    PHP Code:
    session_start();
    var_dump($_COOKIE);
    And this is the output:
    array(1) { ["PHPSESSID"]=> string(32) "[32 var chars]" }
  #7
    Additionally,

    phpinfo() on the resulting somepage.html page:
    session
    Session Support enabled
    [snip]

    Directive Local Value Master Value
    [snip]
    session.use_cookies On On
    session.use_only_cookies Off Off
    session.use_trans_sid 0 0
    I can't find anywhere in the phpinfo where my $_SESSION['UserID'] = $userid; is. There is nothing there with "UserID" nor is there anything there that would be equal to what $userid is coming out of the authentication.
  #8
    Code:
    array(1) { ["PHPSESSID"]=> string(32) "[32 var chars]" }
    That means the cookie is being set properly for PHP sessions.


    I can't find anywhere in the phpinfo where my $_SESSION['UserID'] = $userid; is.
    Nor would you, there's nothing in phpinfo that says how your code individually uses session values. You need to look for session.save_path, which determines where the temporary session files are located. Go to that place, look at the files, and see if there's one that matches your cookie value (which you removed from your post for some reason).
  #9
    from phpinfo()
    session.save_path /tmp /tmp

    There are no files in the /tmp directory. Only directories that deal with web site traffic analysis.
  #10
    Originally Posted by we5inelgr
    from phpinfo()
    session.save_path /tmp /tmp

    There are no files in the /tmp directory. Only directories that deal with web site traffic analysis.
    okay, I think there is some progress here.

    Turns out, the /tmp directory was a directory I didn't have access to (on a shared server).

    So I added a session.save_path in my copy of php.ini to a place I did have access to.

    Now, when I try this log in process, I'm still not seeing the session vars that I'm setting, but I do now see files being written to my new session.save_path location.

    For my one test so far, I see two files created:

    1. sess_[followed by 32 varchars] has data
    2. sess_[followed by a different 32 varchars] is empty

    In the first file, I can see all of my session vars that I created.

    In my example, I can see in this format.

    UserID|s:[the length of the user id]:"[the user id]";

    So from this, it looks like the session vars I'm setting in the dosignin.html page are in fact being set on the server.

    If I do a:
    PHP Code:
    session_start();
    var_dump($_SESSION); 
    I'm still getting:
    array(0) { }
    I wonder why I can't get access to them?
    Last edited by we5inelgr; April 19th, 2013 at 03:43 PM.
  #11
    Perhaps it's a permissions issue with the /tmp directory that I now have access to?

    It was originally 700. I changed it to 744, thinking perhaps Group or World needed to have "read" capability on that folder. Still doesn't work. Can't get any of my session vars data from doing any of these:
    PHP Code:
    session_start();
    echo "userid:" . $_SESSION['UserID'] . "<br>";
    print_r($_SESSION);
    var_dump($_SESSION);
    exit;
    Need some other permissions perhaps?
  #12
    In case it makes a difference, wanted to say again that the signin page and the dosignin page are on https, and the somepage.html is not on https.

    Essentially:

    1. https://somesite.com/signin.html (443)
    has action to:
    2. https://somesite.com/dosignin.html (443)
    upon successful authentication, does header() redirect to:
    3. http://somesite.com/somepage.html (80)

    $_SESSION vars set while on https, can be accessed on http pages....right?
  #13
    can you post ALL of your code and I can run it here to see if it works as expected?
  #14
    Thanks again for all the suggestions.

    At this point, what I'm wanting to do is stay away from keeping session vars in the URL.

    I know this is pretty convoluted, but due to the nature of setting the session vars while on HTTPS (after doing authentication) and then going back to HTTP and needing access to those set session vars, I'm doing this:

    https://somesite.com/signin.html [user enters credentials. has action to dosignin.html]
    https://somesite.com/dosignin.html [with successful authentication, sets session vars and does header() redirect to midpoint.html?a=$session_id]
    http://somesite.com/midpoint.html (note: not on https anymore).

    midpoint.html code:
    PHP Code:
    if (!empty($_GET['a'])) {
        $temp_sid = $_GET['a'];
        // the id must be exactly 32 lowercase alphanumerics, anything else is an error
        if (strlen($temp_sid) != 32 || !preg_match('/^[a-z0-9]+$/', $temp_sid)) {
            //**** ERROR ****//
        } else {
            $temp_file = "/path/to/session_vars/sess_" . $temp_sid;
            $contents_temp_file = file_get_contents($temp_file);
            $session_vars = explode(";", $contents_temp_file);
            $count = (count($session_vars) - 1); // the element after the final ";" is empty
            $piece3 = array();
            for ($i = 0; $i < $count; $i++) {
                $piece1 = explode(":", $session_vars[$i], 2); // "UserID|s" and '6:"value"'
                $piece2 = explode(":", $piece1[1]);            // "6" and '"value"'
                $parts  = explode("\"", $piece2[1]);           // "", "value", ""
                $piece3[] = $parts[1];
                echo "piece3: " . $parts[1] . "<br>";
            }
        }
    } else {
        //**** ERROR ****//
    }

    //session_start();
    //session_regenerate_id();
    //$_SESSION["Var1"] = $piece3[0];
    //$_SESSION["Var2"] = $piece3[1];
    //etc

    // header(...); redirect to final page on http that it and all other http pages will now have access to newly set session vars
    Clearly, this is not ideal, but given this situation...how could the part about parsing the data out of the initial session file be done more efficiently?
    PHP Code:
    $temp_file = "/path/to/session_vars/sess_" . $temp_sid;
    $contents_temp_file = file_get_contents($temp_file);
    $session_vars = explode(";", $contents_temp_file);
    $count = (count($session_vars) - 1); //**** Need to subtract one ****//
    $piece3 = array();

    for ($i = 0; $i < $count; $i++) {
        $piece1 = explode(":", $session_vars[$i], 2);
        $piece2 = explode(":", $piece1[1]);
        $parts  = explode("\"", $piece2[1]);
        $piece3[] = $parts[1];
    }
    //**** $piece3 is the final data in an array to be used for setting the new session vars.

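    The following is an added example, not code from the thread or from any of its participants. It performs the two checks ManiacDan describes in #5 and #8 (is the session cookie present, and does its sess_<id> file exist in session.save_path?) and decodes the file's "php" serialize-handler format, which is what the explode() loop in #14 parses by hand. The session ID is taken from the cookie only; the save path and the regex bounds are assumptions.

```php
<?php
// Added example, not code from the thread. Runs ManiacDan's two checks
// (cookie present? sess_<id> file present in session.save_path?) and decodes
// the "php" serialize-handler format seen in post #10. The ID comes from the
// cookie only, never from the URL. Save path and regex bounds are assumptions.
declare(strict_types=1);

// Each record is key|<serialized value>, records concatenated back to back,
// e.g. UserID|s:6:"abc123";. serialize() is canonical for strings, ints,
// bools and arrays, so re-serializing the decoded value gives its byte
// length and therefore the start of the next key (floats/objects may not).
function decode_php_session(string $raw): array
{
    $out = [];
    $pos = 0;
    while ($pos < strlen($raw)) {
        $bar = strpos($raw, '|', $pos);
        if ($bar === false) {
            throw new RuntimeException('truncated session record');
        }
        $key   = substr($raw, $pos, $bar - $pos);
        $rest  = substr($raw, $bar + 1);
        $value = @unserialize($rest);   // data after the first value is ignored
        if ($value === false && strncmp($rest, 'b:0;', 4) !== 0) {
            throw new RuntimeException("cannot decode value of '$key'");
        }
        $out[$key] = $value;
        $pos = $bar + 1 + strlen(serialize($value));
    }
    return $out;
}

// Check 1: the cookie. Accept only the characters PHP uses for IDs (32 hex
// chars in this thread's PHP 5 setup) before the value goes near a path.
function session_id_from_cookie(array $cookies): ?string
{
    $id = $cookies[session_name()] ?? null;
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? $id : null;
}

// Check 2: the file. Reports path, existence, readability by the PHP user
// (the /tmp permission problem of posts #9-#11) and the decoded contents.
function inspect_session_file(string $id, string $savePath): array
{
    $path = rtrim($savePath, '/') . '/sess_' . $id;
    $info = ['path' => $path, 'exists' => is_file($path),
             'readable' => is_readable($path), 'data' => null];
    if ($info['readable']) {
        $info['data'] = decode_php_session((string) file_get_contents($path));
    }
    return $info;
}

// Run on the page that should see the session (somepage.html in the thread).
$id = session_id_from_cookie($_COOKIE);
if ($id === null) {
    exit('no valid ' . session_name() . ' cookie reached this page');
}
var_dump(inspect_session_file($id, session_save_path() ?: sys_get_temp_dir()));
```

    If the cookie is missing here while the login page does set it, the cookie's Secure flag or domain (the point ManiacDan makes in #15) is what to look at next.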
  #15
    use session_set_cookie_params() to set the cookie to a zero lifetime, the root path, your entire domain, NON secure, and not http only. Before session_start on each page in question, put:

    PHP Code:
    session_set_cookie_params(0, '/', 'www.yourdomainhere.com', false, false);
    See if that helps. You're saying you see TWO files with data, one filled, the other not. I bet your two pages are acting like two separate sites, either due to the "Secure" flag (which makes your one cookie only work on ssl-encrypted sites) or the "domain" directive (which could create one cookie for yoursite.com and another for www.yoursite.com).
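    As an added example (not code from the thread or its participants), here is a dosignin.html-style handler that keeps the session ID in a cookie only with the ini settings Jacques1 listed in #3, sets the cookie parameters explicitly before session_start() as ManiacDan suggests in #15, but leaves Secure on and sends the user to an https page instead of an http one. The hostname, save path and the already verified $userid are assumptions.

```php
<?php
// Added example, not code from the thread. Cookie-only session (Jacques1's
// settings), explicit cookie params before session_start() (ManiacDan's
// advice), Secure kept on, and an https destination so the cookie arrives.
// Hostname, save path and the verified $userid are assumptions.
declare(strict_types=1);

function configure_session(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');   // never read ?PHPSESSID= from the URL
    ini_set('session.use_trans_sid', '0');      // never append it to links either
    ini_set('session.use_strict_mode', '1');    // refuse IDs this server never issued
    // lifetime 0: browser-session cookie. domain '': host-only, so use one
    // hostname everywhere or somesite.com and www.somesite.com get separate
    // cookies (ManiacDan's "two sites" symptom). secure: sent over https only,
    // which is why an http://somesite.com page sees array(0) { }.
    // httponly: not readable by script.
    session_set_cookie_params(0, '/', '', true, true);
    // Assumed: a directory outside the web root, owned by the PHP user, mode 0700.
    session_save_path('/path/to/session_vars');
}

// Called by dosignin.html once the credentials have been verified.
function login(string $userId): void
{
    configure_session();
    session_start();
    session_regenerate_id(true);   // drop any ID the client arrived with (fixation)
    $_SESSION['UserID'] = $userId;
    session_write_close();         // sess_<id> is on disk before the redirect
    // Same scheme as the cookie: an http:// target would never receive it.
    header('Location: https://somesite.com/somepage.html', true, 303);
    exit;
}

// Called by somepage.html: identical cookie parameters, then read.
function current_user(): ?string
{
    configure_session();
    session_start();
    return isset($_SESSION['UserID']) ? (string) $_SESSION['UserID'] : null;
}
```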