Can you use PHP Session on a file called by another domain? - php

I have a php file on external-site.com like this:
<?php
session_start();
if($_SESSION['something'] == true) {
//do something
}
?>
This PHP file I include on a different website example.com like this:
<script src="http://external-site.com/session.js.php"></script>
When the visitor visits example.com he is redirected to external-site.com. Here I have this code:
<?php
session_start();
$_SESSION['something'] = true;
?>
And then the visitor is immediately redirected back to example.com.
Does this work? Because I am not violating the Same Origin Policy, right? I do not want to use the session on example.com itself. I only need it for external-site.com. So I do not want to transfer the session to another domain or anything like that.
If so, in which browser does it work and in which browser it does not?

Session are only available on the site which host the session calls.if you have two sites, they can't share natively session.
Edit : so if your session is opened on external -ite.com, you can't use it on example.com. in your case you need to use a SSO service.

Related

How can I restrict URL shortcuts on my website?

What I want is rather simple but I cannot figure it out. I want that if someone tries to access any of the webpages directly on my website then he/she must be redirected to the home page of the website.
For Example : Someone tries to access www.domain-name.com/aboutus he gets re directed to www.domain-name.com/
you can check referrer to block any direct access to your website.
include this code in every page of your website.
<?php
$ref = $_SERVER['HTTP_REFERER'];
$url = "http://www.domain-name.com";
// $url is the main url of your website
if($ref==$url){}else{
header("location:$url");
}
?>
But it is completely deepened on browser to send the referrer header,
so it may not work sometimes.
You can use 2 way do it:
In your code, directed www.domain-name.com/aboutus to www.domain-name.com
Config webserver (apache, nginx)

Allow access to php file only if redirected

Is it possible to disallow direct access to a PHP file and allow the access only if it's redirected from other PHP file?
For example, access to loading.php should be only allowed if it's redirected from example.php page. How how can I do that?
I hope you understand what I mean. If not, please ask me, and I will try to explain better.
example.php
session_start();
$_SESSION['loading']='yes';
loading.php
session_start();
if($_SESSION['loading']=='yes'){
/all good
}else{
//bad, redirect back or whatever
}
$_SESSION['loading']=''; // clear session var
You can check referer, but it not secure:
loading.php
<?php
if($_SERVER['HTTP_REFERER']!=='http://yoursite/example.php')
die('Denied');
--
or you can set visited flag in session
example.php
<?php
$_SESSION['isVisitedExample'] = true;
loading.php
<?php
if(!isset($_SESSION['isVisitedExample']))
die('Denied');
--
or in cookie (not secure)
example.php
<?php
setcookie('isVisitedExample', 1);
loading.php
<?php
if(!isset($_COOKIE['isVisitedExample']))
die('Denied');
--
or mix this methods
Test for the variable $_SERVER['HTTP_REFERER']. (yes, the incorrect spelling is what must be used.) That variable contains the URL of the site that a user came from. The REFERER header is blank or '-' if the page is accessed directly.
The code for this would look something like the following:
if (empty($_SERVER['HTTP_REFERER']) or $_SERVER['HTTP_REFERER'] == '-') {
exit; // do nothing if hit directly.
}
// The real page logic goes here.
If you want to only allow the loading page from a specific URL, then you may test for that URL instead of testing for empty().
Please be aware that the REFERER header is sent by the browser and easily spoofed. That said, checking the referer header is useful for blocking other sites from directly loading images from your site.
Another option would be to use sessions and session variables to check that someone hit the appropriate page before the loader page.

URL rewriting, same URL across multiple PHP files

Hey so I have create a login system to a website and I wish to have this login appear when I type in my address. When I have typed in details and logged in, I wish to be redirected to another PHP file, but with the same address.... this way, All I need to do is type in my address if I am allready logged in and I will go to the site which requires login.
I have made a transaction happen identifing if the session is created, if it is, it redirects me to another page, but also to another URL. I tried googleing it, but couldn't find anything exact and straight forward.
Currently:
Login page:
www.example.com
Member page:
www.example.com/members
What I wish for:
Login page:
www.example.com
Member page:
www.example.com
The program structure should look like this.
index.php
if (user is logged in)
display dashoard
else
display login page
Since you are using PHP, make use of session functions. Thus, URL rewriting is no longer necessary.
Update
Assuming if you have file structure in PHP like this:
- index.php
- login.php
+ template
- login.php
- dashboard.php
You can do the following structure in index.php file.
define('IN_FILE', true);
if (isset($_SESSION['user'])) {
require 'template/dashboard.php';
} else {
require 'template/login.php';
}
In template/dashboard.php
if (!defined('IN_FILE')) {
exit;
}
// Then your HTML, PHP and whatnot
And in login.php
if (!isset($_SESSION['user'])) {
require 'template/login.php';
} else {
header('Location: index.php');
}
Change the code according to your needs.
This can be achieved using several approaches.
a) Use session to determine the current page, so if a user click on a link, create a session store the value and on page load read the session data and include the file accordingly.
b) Use URL parameter to determine the page (this is the most common approach). for example in index.php you can add more parameters like index.php?page=somepage and by reading the value using $_GET and including the PHP file accordingly.
There are some more way to achieve what you want to, for instance using javascript/jQuery this is possible.

Switch between mobile and full site

All my full site pages are under folder public_html, which contains index.php and folder m which contains all the mobile site pages. index.php is like this:
<?php
if (...mobile client) {
header('Location: m/');
} else {
include 'front.html.php';
}
?>
There is also an index.php in m, simply `include 'front.html'.
This script can detect user's client and direct to full site and mobile site automatically.
But now I want a link on the mobile site to switch to full site. If it is like switch to full site, there will be front.html.php in the address bar, and I don't want this. However, if it is like switch to full site, it will detect again and back to mobile site.
How to deal with that?
You can accomplish this by setting a cookie.
setcookie("forceClient", "full", time()+3600);
Then from that php script, redirect to the home page.
In your index.php, check the cookie:
if($_COOKIE["forceClient"] == "full"){
//logic
}
Make a session variable
like
$_SESSION['viewer_type'] = "Mobile";
or
$_SESSION['viewer_type'] = "Regulare";
and then define a new variable call it base_url and save it in the session also
and do this
if($_SESSION['viewer_type'] == 'Mobile'):
$_SESSION['base_url'] = "http://www.m.site.com/";
else:
$_SESSION['base_url'] = "http://www.site.com/";
endif;
the link now will be
Test
You need to set the session variable each time the view changed from mobile to regular or visa versa

How to end a PHP session on page close

I have several pages inside an AJAX directory. I don't want these pages accessible directly so you cannot just type in the URL of the page within the AJAX directory and access it. I "solved" this by using a PHP session on the page that calls it as follows:
Main page:
<?php
session_start();
$_SESSION['download']='ok';
?>
and on the ajax page I have this:
<?php
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;}
?>
The only problem is that if a user goes through the correct process once, the cookie is stored and they can now access the page directly. How do I kill the session once they leave the parent page?
thx
why use session ?
if i understood what you want:
<?php /// Is ajax request var ?
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])=="xmlhttprequest") {
// do your ajax code
} else {
// redirect user to index.php since we do not allow direct script access, unless its ajax called
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit();
}
} ?>
A really simple solution is to open up each of the files you want to protect from direct URL entry & add the following to the top:
<?php if (isset($_GET['ajax']) != true) die();?>
Now get rid of your redirect script since it's useless now. You don't need to use sessions for this. Every time you request a page, use it's direct URL, just add ?ajax=1 to the end of it.
By adding the ?ajax=1, PHP will set a key of 'ajax' to the $_GET global variable with the value of 1. If ?ajax=1 is omitted from the URL then PHP will not set a key of 'ajax' in $_GET and thus when you check if it's set with isset() it will return false, thus the script will die and not output anything. Essentially the page will only output data if ?ajax=1 is at the end of the URL.
Someone could still "spoof" the URL and add '?ajax=1' themselves, but that is not the default behavior for people or web browsers. If you absolutely need to prevent this then it will be much more complicated, e.g. using templates outside of a publicly available folder. Most other "simple" solutions will have the same "spoofing" potential.
There's really no way to accomplish this with a 100% certainty - the problem is, both AJAX and regular web browser calls to your web site are using the same underlying protocol: HTTP. If the integrity and security of your site depends on keeping HTTP clients from requesting a specific URL then your design is wrong.
so how do you prevent people from directly accessing files inside certain directories while still letting the site use them??
Create a controller file. Send all AJAX requests to this controller.
ajax-control.php
<?php
$is_ajax = true;
include "ajaxincludes/test.php";
// ... use the ajax classes/functions ...
ajaxincludes/test.php
<?php
if (!isset($is_ajax) || !$is_ajax)) {
exit("Hey you're not AJAX!");
}
// ... continue with internal ajax logic ...
If clients try to access the file directly at http://mysite/ajaxincludes/test.php they'll get the error message. Accessing http://mysite/ajax-control.php will include the desired file.
I don't think there is a surefire way to do what you are asking, since HTTP request headers can be faked. However, you can use $_SERVER['HTTP_REFERER'] to see if the request appears to be coming from another page on your site.
If the rest of the security on your site is good, the failure of this method would not grant the user access to anything they were not already able to access.
I've never tried this but maybe you could do something with jQuery's .unload() and then call a PHP page to unset() the session.
Why not (on Ajax page):
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;
}
// do whatever you want with "access granted" user
// remove the download flag for this session
unset($_SESSION["download"]);

Categories