I have tried passing sensitive information from 1 page to the next using Cookies and PHP Sessions but still no luck. This works fine in all browsers I have tested except Opera Mini. I also found this: http://caniuse.com/#search=cookie
This is how I have it currently setup.
page1.php:
<?php
session_start();
$time = time();
$key = '';
$hash = md5($key . $time);
$_SESSION['inno'] = '';
header("Location: page2.php". $hash);
exit;
?>
page2.php:
<?php
session_start();
if (isset( $_SESSION['inno'])) {
include("../global/header.php");
include("../global/content.php");
}
session_destroy();
?>
The content of the page is the sensitive information, So that is why it goes from page1.php to page2.php.
Is there some kind of workaround for this if passing information this way isn't supported in Opera Mini?
Use classes for reusable resources, they are less messy.
Looks like you forgot to assign data, so
Here is the promising structure:
index.php
<?php
include_once 'session.php';
$my_session = new session_helper;
//SET YOUR SESSION VARIABLES
if($my_session->get_session_data('username') == null){
$sessionData = array(
'username'=>'me',
'logged'=>true,
'password'=>md5('password')
);
$my_session->set_session_data($sessionData);
}
?>
View my session
view_session.php
<?php
include_once 'session.php';
$my_session = new session_helper;
?>
<!--GET YOUR SESSION VARIABLES-->
<p>Username: <?php echo $my_session->get_session_data('username'); ?></p>
<p>Logged: <?php echo $my_session->get_session_data('logged'); ?></p>
<p>Password: <?php echo $my_session->get_session_data('password'); ?></p>
<p> </p>
<?php $my_session->debug_session(); ?>
session.php to get rid of headaches
<?php
//MANAGE YOUR SESSION
class session_helper
{
//Start session when class instance created
function __construct()
{
session_start();
}
//Session data set using an array to easily add multiple values e.g. on login page
function set_session_data($sessionData)
{
forEach($sessionData as $key => $value){//Go through each key
$_SESSION[$key] = $value;//And assign it to session
}
}
function get_session_data($session_data_key)
{
return $_SESSION[$session_data_key];//Call this to get your values
}
function debug_session()
{
print_r($_SESSION); //Check what session contains if something is wrong
}
function close_session()
{
session_destroy(); //Good to use for fresh start/logout.
}
}
?>
session.php manages sessions. Accessing directly will output an empty page.
index.php uses a condition to set the variables. You don't need to rework data everytime when you have it.
view_session.php has all the info regarding the session.
Best practice of retrieving info is storing secure/encrypted primary keys of the database, then use them to retrieve everything else from the database, e.g. by user ID get the e-mail, profile creation time, name, surname etc.
Related
I have been developing the following php script (+ sqlite database) to create a login for my web.
Up to now I had used just one PHP file, but now I want to use different files for login and protected contents, I mean, I used to have all my web in one file php (contents and password script were together) but now I want to detach it in different php files (one for the login, login.php, and other phps protected: index.php, calendar.php...)
I used this code to password-protect php content:
<?php require_once "Login.php"; ?>
but it doesn't seem to work: it displays the form to login next to the content I wanted to protect.
This is the php script I'm using as login.php:
<?php
$db = new PDO('sqlite:data.db');
session_start();
if (isset($_GET['logout'])) {
unset($_SESSION['pass']);
header('location: index.php');
exit();
}
if (isset($_SESSION['timeout'])) {
if ($_SESSION['timeout'] + 4 < time()) {
session_destroy();
}
}
if (!empty($_POST['pass'])) {
$result = $db->query("SELECT user,password FROM users");
foreach ($result as $row) {
if (password_verify($_POST['pass'], $row['password'])) {
echo "Welcome! You're logged in " . $row['user'] . "! <a href='index.php?logout=true'>logout</a>";
$_SESSION['pass'] = $_POST['pass'];
$_SESSION['timeout'] = time();
}
}
}
if (empty($_SESSION['pass'])) {
echo '<form method="POST" action=""><input type="password" name="pass"><form>';
}
?>
MY QUESTION IS: How can I use my php script to protect different files?Is there any way to embed a logout link too?
One way is to store a token in session variables when a user logs in. Confirm the token is there on each page, if it isn't redirect the user to the login page. For example assert_login.php:
<?php
session_start();
if('' == $_SESSION['token']) {
header("Location: login.php");
exit();
}
?>
Then, in the PHP at the top of each of your pages:
<?php
require('assert_login.php');
?>
You can also clear the session variable on logout, logout.php for example:
<?php
require('assert_login.php'); // has session_start() already
$_SESSION['token'] = ''; // empty the token
unset($_SESSION['token']); // belt and suspenders
header("Location: login.php");
exit();
?>
I was also going through same issue & the way I solved it:
PSEUDO CODE:
PHP SESSION START
if(isset(GET(logout){
SetLogout();
die()}
$redirect=false
if not session[auth] exists
if SERVER REQUEST METHOD IS POST
$redirect=true;
if POST(username) && POST(pass) exists
Sanitize both of them & assign to $user& $pass
if user == "John" && $pass == "secret"
Go To SetLogin();
else{
Go To SetLogout();
echo "Wrong Username or Password"
drawlogin();
die();}
} //user pass comparing ends
} //Server method is NOT POST, so maybe it is GET.
//Do nothing, let the control pass to next lines.
}//SESSION(auth) does not exists, so ask user to login
else {
drawlogin();
}
//Post-Redirect-Get
if ($redirect)
redirect header to this same page, with 301
die()
// Secret Content here.
function SetLogin($user){
$SESSION(auth) = TRUE;}
function SetLogout($user){
if SESSION(auth) exists
unset($SESSION(auth))
redirect back with 301, without query string //shake ?logout
}
function drawlogin(){
echo all the HTML for Login Form
What it does is, it checks various things/variables, and if all passes, the control passes to Secret Content.
Save it as pw.php, & include it on top of any file you want to protect. Logout can be triggered by Logout
Note that this is just a pseudo code, typed on a tablet. I will try to update it with actual version. It is not checked for errors. Use all standard PHP Security precautions..
i have a problem calling a session variable from another script. can anybody help me on this matter.
Below is the script that i create the session and store the time in a session variable.
<?php
session_start();
$orgtimestamp = date("Y-m-d h:i:sa");
$_SESSION['orgtimestamp'] = $orgtimestamp;
?>
Here is the script that i try to access this session variable from a function of it. till now nothing worked
<?php
include '../../mydomain/myscript.php';
class survey_Tracksciprt
{
public static function timeofclick(){
session_start();
$time_org = $_SESSION['orgtimestamp'];
echo $time_org;
}
}
this hasnt worked upto now, nothing prints...can anybody give tips to sought this out and its compulsory to have this function timeofclick
You're not creating your class on your second file add:
//I don't know what this does but if it already starts a session remove the session start inside the class.
include '../../mydomain/myscript.php';
$survey = new survey_Tracksciprt();
$survey::timeofclick();
class survey_Tracksciprt
{
public static function timeofclick(){
session_start();
$time_org = $_SESSION['orgtimestamp'];
echo $time_org;
}
}
I also advice putting session_start at the top of your file.
<?php
session_start();
include '../../mydomain/myscript.php';
class survey_Tracksciprt
{
public static function timeofclick(){
$time_org = $_SESSION['orgtimestamp'];
echo $time_org;
}
}
Always use the session_start(); at the top line of the page.
First, you need an init-session.php file, containing:
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
Second, you need to include this file at the start of your loader/layout (whatever you have there), so no operation will be executed before you initialize your session.
Third, you should initialize $orgtimestamp like this:
<?php
$orgtimestamp = date("Y-m-d h:i:sa");
$_SESSION['orgtimestamp'] = $orgtimestamp;
?>
Fourth, you need to call survey_Tracksciprt::timeofclick().
I have a pretty simple function, it checks to see if ['id'] exists in the session and redirects if that's the case, located on the top of my login.php
It works, but only after I submit the login form twice.
require_once 'inc/header.inc';
which contains before html:
<?php
require 'inc/init.php';
session_regenerate_id();
?>
init.php contains
<?php
session_start();
if(!isset($_SESSION) || empty($_SESION) ){
require 'inc/db.php';
require 'users.class.php';
require 'general.class.php';
require 'functions.php';
$users = new Users($db);
$general = new General($db);
$errors = array();
}
?>
This is the top of my login.php :
<?php
require_once 'inc/header.inc';
if ($general->is_logged_in()) {
header("Location: index.php");
exit;
}
Yet the page keeps on loadin the first time.
The function if you care for it:
public function is_logged_in() {
if (isset($_SESSION['id'])) {
return true;
} else {
return false;
}
}
don't you think it should be like this
session_start();
session_regenerate_id();
as in your function the id is generated first and then session is started as a result of which the values is not assigned to session.
Just added redirect after return/setid from login(), rather than relying on checking if id exists at page load and runnin the redirect on page load - user can then not re-enter the page in any case. Not sure why the former wouldn't work.
Im using two pages first page s getting values from url and its displaying some content. I included first page in second page but the first page should not be displayed but i have to access the values in second page which is used in first page..
The coding for first page
first.php
In utl the value is passed as first.php?Logid=7773&shiftdate=2013-01-04&shiftid=146&pshift=1&tsid=1&dctype=timebased
<?php
$Logid=$_GET['Logid'];
$ShiftDate=$_GET['shiftdate'];
$ShiftID=$_GET['shiftid'];
$PShift=$_GET['pshift'];
$TsID=$_GET['tsid'];
$DcType=$_GET['dctype'];
// below this some process is carried out
sec.php
<?php
ob_start();
include('first.php');
ob_end_clean();
echo $Logid;
echo $ShiftDate;
echo $ShiftID;
echo $PShift;
echo $TsID;
echo $DcType;
?>
The value is not displayed in second page..
Say how i can access the values in second page .
Pls help me
Thank u !!!
The best way to access data in PHP "generally" (except in small, insubstantial snippets) is through encapsulation. You could put those values into an object. Then, you will be able to access them on sec.php:
first.php:
<?php
class pageData {
public $Logid;
public $ShiftDate;
public $ShiftID;
public $PShift;
public $TsID;
public $DcType;
public function __construct() {
$this->Logid = $_GET['Logid'];
$this->ShiftDate = $_GET['shiftdate'];
$this->ShiftID = $_GET['shiftid'];
$this->PShift = $_GET['pshift'];
$this->TsID = $_GET['tsid'];
$this->DcType = $_GET['dctype'];
}
}
$pageData = new pageData();
?>
sec.php:
<?php
include('first.php');
echo $pageData->Logid;
// ...
echo $pageData->DcType;
?>
Remove ob_end_clean(); and see that will solve it.
ob_end_clean — Clean (erase) the output buffer and turn off output buffering
More
sec.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("first.php");
?>
try above code and see if its return any error.
You are trying to pass the values which are set by GET in the page to the second page, am I right? How about trying to use sessions instead.
You can start a session and define values which will be stored as long as the browser is open and the session is still alive. So:
first.php
<?php
// Starting the session
session_start();
$_SESSION['Logid'] = $_GET['Logid'];
$_SESSION['ShiftDate'] = $_GET['shiftdate'];
$_SESSION['ShiftID'] = $_GET['shiftid'];
$_SESSION['PShift'] = $_GET['pshift'];
$_SESSION['TsID'] = $_GET['tsid'];
$_SESSION['DcType'] = $_GET['dctype'];
?>
sec.php
<?php
echo $_SESSION['Logid'];
echo $_SESSION['ShiftDate'];
echo $_SESSION['ShiftID'];
echo $_SESSION['PShift'];
echo $_SESSION['TsID'];
echo $_SESSION['DcType'];
?>
and use
session_unset();
session_destroy();
to kill the session and destroy the data in the global variable ($_SESSION). If you want to be extra cautious you can use:
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
to make sure everything is really destroyed. A bit of an overkill if you'd ask me but use if necessary.
Hope it helps!
i am using a session variable to authenticate, acc to my knowledge the session variable is supposed to be stored at the server even when new pages are loaded.
I am using the following code:
<?php
session_start();
echo $_POST['path'];
if($_POST['path']=="index")
{
$_SESSION['rightPath']=1;
if(isset($_SESSION['rightPath']))
echo "it is set";
?>
<script type="text/javascript">parent.location='UI.php'</script>
<?php
}
else
{?>
<script type="text/javascript">parent.location='index.php'</script>
<?php
}
?>
here this isset function tells me that the variable is set but in the next page ui.php is it not giving me the same result.
<?php
if(!isset($_SESSION['rightPath']))
{
echo "it not is set";?>
<?php }
?>
this is the ui.php page snippet. here the if statement is executing.
what am i doing wrong ?
you need to start session here is well
<?php
session_start();
if(!isset($_SESSION['rightPath']))
{
echo "it not is set";?>
<?php }
?>
You are not starting the session in UI.php. The code should be like this, with session_start at the top:
<?php
session_start();
if(!isset($_SESSION['rightPath']))
{
echo "it not is set";?>
}
?>
The session_start() creates a session or resumes the current one. So, while you are creating the session earlier, it is NOT resumed unless you do a session_start() again on every page where you intend to use the session variables.