session variable changing when it shouldn't - php

When i receive a request from site:
public function getSiteToken() {
session_start();
if (strpos($_SERVER['REQUEST_URI'], '/api/v3/') !== 0) {
$_SESSION['siteToken'] = md5(CURRENT_URL.time());
}
return $_SESSION['siteToken'];
}
And when i receive from site to the API:
if ($_SERVER['REQUEST_METHOD'] == 'GET' && isset($_SERVER['HTTP_X_SITE_TOKEN']) && isset($_SESSION['siteToken'])) {
if($_SERVER['HTTP_X_SITE_TOKEN'] == $_SESSION['siteToken']) return true;
}
This works perfectly when i test in POSTMAN. But in the chrome, the second code returns FALSE. Why???

Related

Detect if the php script is called from schell_execute or is being run manually

We have a case where our handler is being called from an shell_execute. Our Debugger then thinks he is being called from the user from the cmd directly and outputs true. we need to handle on it. any idea how?
public static function canDebug($enviroment = 'any')
{
if ($enviroment == "sql" && self::$disableSqlDebug) {
return false;
}
if (php_sapi_name() == 'cli') {
if (isset($_SERVER['TERM'])) {
//The script was run from a manual invocation on a shell
return (($enviroment == 'any' || $enviroment == 'console') && !self::$disableCliDebug);
} else {
//The script was run from the crontab entry
return (($enviroment == 'any' || $enviroment == 'cron') && !self::$disableCliDebug);
}
} else {
if (!isset(self::$mergedConfig['debug']['allowedIPRanges']))
return false;
return (self::isIPAllowedToDebug(self::getClientIPAddress()) && ($enviroment == 'any' || $enviroment == 'webOnly'));
}
}
The promlem si that the server TERM var is set in shell_exec runs. and it returns true on that part. we need to recognise if it is manual.

Redirect user after return false

I have some validation fields like this :
if (empty($_POST['finalidade_imob']) || $finalidade_imob == "Escolha 1" ||
!in_array($_POST['finalidade_imob'], $fi_options)) {
$finalidade_imob = "Escolha 1";
$error++;
} else {
$finalidade_imob = $_POST['finalidade_imob'];
}
//on the end
if ($error !== 0) {
return false;
}
But the location of my form is on bottom of my page, so when return false is called the page is reloaded on the top.
If i put this:
if ($error !== 0) {
header('location:perfil.php#content_cadastro_completo');
return false;
}
This page is reloaded for exactly to the place i need, but return false dont work... I know why return dont work, i put that for explain what i need...
So what i need do to goal this target?
Sorry my bad english...
Edit Without js... Only PHP.

My question no clear for this solution, but in my all context this work.
The solution that I found is put placeholder in my action.
action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>#content_cadastro_c‌​ompleto"
and
if($error !== 0)
{ return false;//no need header() to go to the placeholder...
}

PHP isset $_session equal to string

So guys I'm new to PHP OOP
I make Login with Roles, and make function(checkrole) for knowing what role it is.
This is how my function looks like
public static function hasadmin()
{
if(session_id() == '') {
session_start();
}
if(isset($_SESSION['role']) == 'A') {
return true;
}
}
and call it into navbar partial :
<?php if (helper::login() == true && helper::hasadmin() == true) { ?>
<li style="float:\right">Logout</li>
<li>Petugas</li>
<li>Laporan</li>
Function helper::login works perfectly.
Every time I login with another role the partial (petugas, laporan)
still comes out.

isset returns a boolean. Run the isset and check the actual value.
if(isset($_SESSION['role']) && $_SESSION['role'] == 'A') {

jquery & php + if session is dead an error is returned

I've noticed if the session is dead (on an Jquery AJAX PHP Request) the data returned is preceeded with an error message if the session is needed in the request.
How do other sites deal with this?
Similar code is shown below - eg: its using a SESSION variable in the code which doesn't exist as the session is dead.
public function internal($variable) {
if($_SESSION['data'] == $variable) {
echo TRUE;
}else{
echo FALSE;
}
}
Should I use isset to check if the variable exists?
Should I be coding for dead sessions?
thx

You need to add the isset also:
public function internal($variable) {
if(isset($_SESSION['data']) && $_SESSION['data'] == $variable) { //add here
echo TRUE;
}else{
echo FALSE;
}
}

Try this
public function internal($variable) {
if($_SESSION['data']!="" && $_SESSION['data'] == $variable) { //add here
echo TRUE;
}else{
echo FALSE;
}
}

You can also do like this,
public function internal($variable) {
if(!empty($_SESSION['data']) && $_SESSION['data'] == $variable) { // modify here
echo TRUE;
}else{
echo FALSE;
}
}

Check if another function is declared, otherwise change location

I've got a "make-do" page authenticator which defines what usergroups are allowed to access that page, however, some of my scripts allow the user to pass if that page is, say, his user edit page but not touch any other users edit page. For that, I disabled access to the usergroups except if you're an admin or the user edit page you are currently on is your own.
I tried to create a function to do this, but the allowOnly usergroups function deals out the punishment without checking to see if the other function is defined elsewhere on the page.
Here's the "make-do" functions and an example of how I'd like them to work:
public function allowOnly($officer, $administrator, $superuser)
{
$authority = 0;
if ($officer == true && $this->session->isOfficer()) {
$authority++;
}
elseif ($administrator == true & $this->session->isAdmin()) {
$authority++;
}
elseif ($superuser == true & $this->session->isSuperuser()) {
$authority++;
}
if ($authority != 0) {
return true;
}
else {
header("Location: ../incorrectRights.php");
exit;
}
}
function allowCurrentUser()
{
global $authority;
$authority++;
}
This changes the users location if they're not any of the allowed usergroups, but since that code is executed before "allowCurrentUser", it changes the location before the function gets the chance to allow the user through.
I'd like it to work like this:
<?php
include("functions.php");
$functions->allowOnly(false, false, true);
if($session->username == $allowedUserName) {
$functions->allowCurrentUser();
}
I'm sorry if I'm not descriptive enough, or my code lacks efficiency, heck, even if I've missed a built-in php function which does this for me!

you should check out PHP's function_exists(), this will tell you wether or not the function already exist.
you have some error in your code too.
$administrator == true & $this->session->isAdmin()
should be
$administrator == true && $this->session->isAdmin()
as you have used only single & whereas it should be &&
and also change
$superuser == true & $this->session->isSuperuser()
to
$superuser == true && $this->session->isSuperuser()
after reading your code, i realized you are using $authority variable to hold the value and to check wether to authorize user or not. and plus you are using global. i would never have done that way, instead i would declare $authority as class property below is the example of how you could do it.
class functions
{
//declare class propert and set default value to 0
protected $_authority = 0;
public function allowOnly($officer, $administrator, $superuser)
{
if ($officer == true && $this->session->isOfficer()) {
$this->_authority++;
}
elseif ($administrator == true && $this->session->isAdmin()) {
$this->_authority++;
}
elseif ($superuser == true && $this->session->isSuperuser()) {
$this->_authority++;
}
if ($this->_authority != 0) {
return true;
}
else {
header("Location: ../incorrectRights.php");
exit;
}
}
public function allowCurrentUser()
{
$this->_authority++;
return $this->_authority;
}
}
UPDATE:
instead of redirecting the page why not return false and redirect during function call, you can do it this way.
class functions
{
//declare class propert and set default value to 0
protected $_authority = 0;
public function allowOnly($officer, $administrator, $superuser)
{
if ($officer == true && $this->session->isOfficer()) {
$this->_authority++;
}
elseif ($administrator == true && $this->session->isAdmin()) {
$this->_authority++;
}
elseif ($superuser == true && $this->session->isSuperuser()) {
$this->_authority++;
}
return ($this->_authority != 0) ? true : false;
}
public function allowCurrentUser()
{
$this->_authority++;
return $this->_authority;
}
}
and while in function call.
include("functions.php");
if($functions->allowOnly(false, false, true)) {
//person is allowed access
}
//else allow current user
elseif($session->username == $allowedUserName) {
$functions->allowCurrentUser();
}
else {
//redirect here
header("Location: ../incorrectRights.php");
exit;
}

I'm not completely certain if this is the answer you are looking for based on the title but this is what I get the impression you are asking for.
Assuming what happens is that your check against allowOnly() takes the user to the "../incorrectRights.php"-page before you've checked if the user logged in is the same as the page looked at, what you need to do is put the check inside the allowOnly function or at least before you do the check for $authority != 0.
Here's a quick example of how you could solve this:
public function allowOnly($officer, $administrator, $superuser)
{
$authority = 0;
if ($officer == true && $this->session->isOfficer()) {
$authority++;
}
elseif ($administrator == true && $this->session->isAdmin()) {
$authority++;
}
elseif ($superuser == true && $this->session->isSuperuser()) {
$authority++;
}
if(function_exists('allowCurrentUser')){
if (allowCurrentUser()) {
return true;
}
}
if ($authority != 0) {
return true;
}
else {
header("Location: ../incorrectRights.php");
exit;
}
}
function allowCurrentUser()
{
if($session->username == $allowedUserName){
return true;
}
else {
return false;
}
}
Then your useage would result in something more like
<?php
include("functions.php");
$functions->allowOnly(false, false, true);
?>
As you can see I also threw in the function_exists('functionnamehere') call that seems to be requested in the question title, since we actually declare the function and therefore know it exists you could also just do this:
if ($authority != 0 || allowCurrentUser()) {
return true;
}

Categories