Persistent session_id inside an iframe - php

I have a php system that works fine stand-alone but not when embedded in an iframe.
It's embedded in a page on another domain, and consists of:
main.php grabs a parameter off the iframe URL, looks it up in MySQL, sets a session variable and draws a grid.
Then, using ajax, tries to get data to display in the grid.
- but the ajax.php doesn't have the same session_id() ?!?
AND in subsequent ajax-calls for data (to update the grid) the session_id() keeps changing!
To recap: ALL my PHP is inside the SAME iframe - no XS trouble..?
There IS a session_start() in all the right places (it works stand-alone).
The session_save_path() is the same in main.php and ajax.php (and they're in the same dir)
I've seen and tried different versions of header('P3P: CP="CAO PSA OUR"') - fruitlessly : (
Found it: My browser didn't allow Third Party Cookies - including the session-cookie!
But isn't this wrong - no cookies are being shared across domains (it stays inside the iframe) ?
- still.. it IS another domain than the one the user asked for in the URL... hmm... shit.

As mentioned, the problem was the browser blocking (not allowing) Third Party Cookies.
(That is, ignoring cookies not issued from the server behind the main (visible) URL)
There exists a way to circumvent this security-feature: google "P3P"
- but that's not reliable across browsers (Chrome).
My solution is to keep the session_id in javascript, and append it as an extra parameter in all ajax-calls,
enabling me to pick the relevant session in ajax.php: session_id( $_POST['sessID'] ); session_start( );
This solution does make it somewhat easier for a malicious user to dick around with the session_id.
- since it's now available (for modification) using javascript alone (easier than modifying a cookie)...
I would like to hear people's thoughts about this "increased vulnerability"?
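One way to keep the parameter-based approach from the self-answer above while taking away most of the "increased vulnerability": make ajax.php accept only a well-formed id that names a session main.php actually initialised, and tear down anything else. This is an added example, not the poster's code; it assumes the parameter is still called sessID, that main.php sets $_SESSION['grid_ready'] = true after its own session_start(), and that the grid rows live in $_SESSION['grid_rows'].

```php
<?php
// Added example, not the poster's code. ajax.php adopts the session id that
// the iframe's JavaScript POSTs (parameter 'sessID', as in the post), but only
// after checking its shape and that the session was created by main.php.
// Assumed: main.php sets $_SESSION['grid_ready'] = true and stores the rows
// to return in $_SESSION['grid_rows'].

declare(strict_types=1);

// Characters PHP itself uses for ids (session.sid_bits_per_character) and the
// lengths session.sid_length allows; anything else is rejected before it
// reaches session_id().
function isWellFormedSessionId(string $id): bool
{
    return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
}

// Returns true when $id names a session that main.php initialised.
// An unknown id yields an empty session, which is destroyed again so this
// endpoint can never be used to create a session under a caller-chosen id
// (session fixation).
function adoptSession(string $id): bool
{
    if (!isWellFormedSessionId($id)) {
        return false;
    }
    // Ask PHP to refuse ids it never issued (honoured when the save handler
    // supports validation, which the default files handler does).
    ini_set('session.use_strict_mode', '1');
    session_id($id);
    session_start();
    if (session_id() !== $id || empty($_SESSION['grid_ready'])) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Pull the id out of the POST body without assuming it is present or a string.
function requestedSessionId(array $post): string
{
    return isset($post['sessID']) && is_string($post['sessID']) ? $post['sessID'] : '';
}

header('Content-Type: application/json');
if (!adoptSession(requestedSessionId($_POST))) {
    http_response_code(403);
    echo json_encode(['error' => 'no such session']);
    exit;
}
echo json_encode(['rows' => $_SESSION['grid_rows'] ?? []]);
```

The id remains a bearer credential, exactly as the cookie was, so this does not change what a captured id is worth; what it removes is the ability to plant an arbitrary id or to probe for sessions that main.php never created, and the format check keeps junk out of the session handler.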

Go back to calling website

After searching (and testing) for a way to offer a kind of go-back button, I am asking that question here (maybe there is an easy solution).
I have a description about orienteering on my website (5 pages): http://www.uhebeisen.net/o-def/o-definition_ge.php
There are many websites from abroad having a link to these pages. Now I'd like to get their URL if a websurfer is entering my pages. Then I can place a go-back button in my navigation list that brings him back to the page from where he clicked the link to my description pages.
I've seen solutions using javascript:history.go(-1) or $_SERVER['HTTP_REFERER'] with PHP but problem is that a websurfer can move around my pages and if finishing his reading from any page should be provided with his (calling) URL, e.g. the one of his University.
So I need to catch his URL and store it in a safe place until he decides to leave. And if he returns to the starting page while surfing on my pages his URL shouldn't be overwritten.
Since I do not program - I just copy&paste and try to understand what happens - any suggestion on how this can be done is welcome.
Thank you George, that one worked.
I wasn't aware that I had to place the session_start at the very beginning of the file; that's why I got the two warnings.
While testing this function I found that the session variables were not always cleared by the browser. Especially with Firefox, it keeps the calling URL almost forever (WinXP, FF 5.x) whereas Firefox 5 on the Mac, Safari (Mac) and Camino (Mac) work as expected: after restarting the program I can test successfully with another website.
Does Firefox have different setting possibilities in regard of sessions than other browsers?
You should store $_SERVER['HTTP_REFERER'] in the user's session upon arrival. Using this method, the value won't be overwritten when the user browses within your site.
    session_start();
    if ( !isset( $_SESSION['referrer'] ) ) {
        if ( !empty( $_SERVER['HTTP_REFERER'] ) ) { // Because not all browsers set this
            $_SESSION['referrer'] = $_SERVER['HTTP_REFERER'];
        }
    }
One way to do it would be to store somewhere (perhaps in a cookie or session, which is easy to do with your PHP page) the page they're coming from, but only if that page is not on your website's domain. This would require some if-statements to set the cookie/session value appropriately, but it can be done relatively easily using particular parts of the referrer variable. There is probably a more efficient way to store this, but this is one that jumps to mind right away.
EDIT: I highly recommend George's solution, much better way to do this.
Have you tried using a session?
    session_start();
    if( !isset($_SESSION['refer']) )
    {
        $_SESSION['refer'] = $_SERVER['HTTP_REFERER'];
    }
then, once you're ready to make the button, set the link to $_SESSION['refer'].
In my past projects I usually store the redirect url following this process:
1. search for a query string parameter url (www.yoursite.com/?redirect_url=my_encoded_url)
2. If the search at point 1 doesn't return any results, then I check for the HTTP_REFERER
3. In both cases, I store that value in a SESSION variable after verifying that the url belongs to my site's domain.
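The answers above all boil down to "remember the referrer once, in the session"; the detail they leave to the reader is making sure the remembered value is really an outside page and is safe to print into a link. Below is an added example that does both (it is not code from any of the answers). It assumes the site's own host is www.uhebeisen.net (the host in the question), that this file is included at the very top of every description page, and that goBackLink() is called wherever the navigation list is drawn.

```php
<?php
// Added example, not from the answers above. Remembers the referring URL in
// the session only when it is an absolute http(s) URL on a different host, so
// moving between the description pages never overwrites it, and renders the
// "go back" link from it. Assumed: OWN_HOST is the site's host, this file is
// included before any output on every page, and goBackLink() is echoed where
// the navigation list is.

declare(strict_types=1);

const OWN_HOST = 'www.uhebeisen.net';

// Returns the referrer if it is an absolute http/https URL on another host,
// null otherwise.
function externalReferrer(?string $referer, string $ownHost): ?string
{
    if ($referer === null || $referer === '') {
        return null;                      // not every browser sends a Referer
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // relative or unparsable value
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // no javascript: or data: "links"
    }
    if (strcasecmp($parts['host'], $ownHost) === 0) {
        return null;                      // navigation inside our own site
    }
    return $referer;
}

// Store the first external referrer of this session and never overwrite it.
function rememberCaller(array &$session, ?string $referer, string $ownHost): void
{
    if (isset($session['caller'])) {
        return;
    }
    $url = externalReferrer($referer, $ownHost);
    if ($url !== null) {
        $session['caller'] = $url;
    }
}

// The URL came from a request header, so it is escaped before it lands in HTML.
function goBackLink(array $session): string
{
    if (!isset($session['caller'])) {
        return '';
    }
    $url = htmlspecialchars($session['caller'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '" rel="noreferrer">Go back</a>';
}

// At the top of every page, before any output:
session_start();
rememberCaller($_SESSION, $_SERVER['HTTP_REFERER'] ?? null, OWN_HOST);
// Where the navigation list is drawn:  echo goBackLink($_SESSION);
```

Because the value is only ever set once per session, a visitor who returns to the starting page while reading keeps the original caller, which is the behaviour the question asks for; the scheme and host checks are what keep a forged Referer header from turning the button into a link to somewhere arbitrary.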

Equivalent of PHP Sessions in JavaScript

I was going to ask about how to implement sessions in JS. I found a few functions that can be used, like this example I found:
    String exforsys = request.getParameter("test");
    session.setAttribute("test", exforsys);
And then just use session.getAttribute( exforsys);
But no response, I guess it's only used in servlets or something.
Anyway, I decided that maybe someone has an alternative way other than just using sessions. What I'm trying to do is click on a link in one page and, depending on which link was pressed, I will load different information.
Since it's an onclick function, I'm stuck with JS!
So I need to pass this information to the second page. Cookies work well because they can be handled with both PHP and JS easily, but some computers delete cookies and that wouldn't be nice!
Any suggestions or other ways I can reach what I want but without using sessions?
Sessions are server variables, thus they cannot be used by JavaScript.
However, you can retrieve the session variables through an ajax request.
Script (jQuery)
    // This portion will be triggered once the DOM is loaded and is ready
    $(document).ready(function() {
        $.post("getsession.php",
            { "variable" : "yourneededsessionvariable" },
            function(data) {
                // data contains your session data
            }
        );
    });
PHP
    <?php
    // getsession.php
    session_start();
    // Echo the session entry the client named; an unknown name prints nothing
    $name = isset($_POST['variable']) ? $_POST['variable'] : '';
    echo isset($_SESSION[$name]) ? $_SESSION[$name] : '';
    ?>
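The getsession.php above returns whichever session entry the client asks for, which means any value the server keeps in the session (user id, tokens, roles) is one POST away. As an added example, not the answerer's code, here is a version that only exposes an allow-listed set of entries and lets the page record the clicked link the same way (the "ajax things to the server and add them to the session onclick" idea from another answer). The allow-list names and the link ids are made up for the example; the client still POSTs 'variable' as in the answer.

```php
<?php
// Added example, not the answerer's code: a getsession.php that only hands
// out or accepts the session entries the page is meant to touch, and answers
// in JSON so the jQuery callback gets typed data. Assumed names:
// CLIENT_READABLE, 'selected_link' and the link ids are constructed here.

declare(strict_types=1);

const CLIENT_READABLE = ['username', 'theme', 'selected_link'];
const LINK_IDS        = ['news', 'photos', 'profile'];

// Read: the client names an entry; anything outside the allow-list is refused
// (so 'user_id' or a CSRF token never leave the server this way).
function readableSessionValue(array $session, string $name, array $allowed): array
{
    if (!in_array($name, $allowed, true)) {
        return ['ok' => false, 'error' => 'not exposed'];
    }
    return ['ok' => true, 'value' => $session[$name] ?? null];
}

// Write: remember which link was clicked, but only one of the known ids,
// so the session never stores client-chosen free text.
function recordSelectedLink(array &$session, string $linkId, array $known): array
{
    if (!in_array($linkId, $known, true)) {
        return ['ok' => false, 'error' => 'unknown link'];
    }
    $session['selected_link'] = $linkId;
    return ['ok' => true, 'value' => $linkId];
}

// Dispatch on the POST body: {variable: ...} reads, {link: ...} writes.
function handle(array $post, array &$session): array
{
    if (isset($post['link']) && is_string($post['link'])) {
        return recordSelectedLink($session, $post['link'], LINK_IDS);
    }
    $name = isset($post['variable']) && is_string($post['variable']) ? $post['variable'] : '';
    return readableSessionValue($session, $name, CLIENT_READABLE);
}

session_start();
header('Content-Type: application/json');
echo json_encode(handle($_POST, $_SESSION));
```

On the second page the onclick handler posts {link: "photos"}, and the page that loads next reads {variable: "selected_link"} back; nothing about which entries exist is left to the caller.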
Use local storage or client-controlled cookies. Sessions use server-controlled cookies. Cookies are just small files that reside on the client.
A session handle is stored in a cookie. If cookies are not accepted, the server will add the sessionID to the URL. If you do not have cookies, you cannot persist anything except in the url.
Why does "onclick" stop you from using sessions? You can ajax things to the server and add them to the session onclick
A session generally means "Some data stored on the server and associated with a user via a token stored in a cookie". You can't do that with client side JavaScript (for obvious reasons).
You could store data directly in a cookie.
If you are willing to sacrifice wide browser support, then you can get increased storage by using one of the client side storage mechanisms introduced by HTML 5 and Friends.
maybe someone has an alternative way other than just using sessions; what I'm trying to do is click on a link in one page, and depending on which link was pressed I will load different information.
Just link to different pages.
some computers delete cookies and that wouldn't be nice
If they delete all cookies, then a session isn't going to work either.
Append the data you want the next page to get on the query string.
123
456
Then on foo.html you can inspect location.href to see what was passed in. There is no need for cookies here.
PHP is a server scripting language while JavaScript is a client-side language;
you cannot literally make sessions in JavaScript.
Why not just use request parameters? i.e. http://yourserver.com/page.php?link=1

PHP Multi site login

I am currently working on a project that spans across multiple domains. What I want is for the user to be able to login on one site and be logged in on all the others at the same time.
The user's session is stored in the database; the cookies that I set on each domain contain the session id.
So basically when a user logs in to example.com a cookie is created with their session id, the session data is stored in the database. Once this is done a cookie needs to be created on all the other domains with this unique session id so that as the user travels from site to site they will automatically be logged in.
Now I have found a way to do this in Firefox (using image tags that execute PHP scripts on the other domains, essentially creating the different cookies on the different domains) but this method doesn't work in IE (haven't tested Opera or Safari etc. yet).
Does anyone have any ideas about how I can get this to work in IE?
Have a look at my question Cross Domain User Tracking.
What you need to do is to add another HTTP header to the "image".
Quote from Session variables are lost if you use FRAMESET in Internet Explorer 6:
You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set. A simple compact policy that fulfills this criteria follows:
    P3P: CP="CAO PSA OUR"
This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).
You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add to a static file. Follow these steps to add this header to a static file:
1. Click Start, click Run, and then type inetmgr.
2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
3. Click the HTTP Headers tab.
4. In the Custom HTTP Headers group box, click Add.
5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.
Not sure if it a good suggestion at this point in your development, but you should definitely look at Single Sign-on if you want to do it the "right" way.
Is it just me, or does it sound like you're CSRFing yourself with your technique using images that works in Firefox?
Interesting approach, although I hope you're not opening yourself up to a security threat there.
I haven't done this myself, but I think you're going the right way. I would probably do the same, except instead of an image I would use a JavaScript file. It would be generated on the server side and would update the cookies on the client side.
Possibly me being a bit silly, but could you not set the cookies for each domain name on login? So rather than them having one cookie when they login to Site A, they have five, or however many sites you have?
    // $expire and $path stand for the values the login code already uses.
    // Note that a browser only honours a Domain attribute that covers the host
    // which sent the response; the other domains are listed here as written.
    setcookie('A', $sessid, $expire, $path, 'domainA.com');
    setcookie('B', $sessid, $expire, $path, 'domainB.com');
    setcookie('C', $sessid, $expire, $path, 'domainC.com');
    setcookie('D', $sessid, $expire, $path, 'domainD.com');
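The image-tag technique in the question and the CSRF remark above point at the same weak spot: whatever the image URL carries is what logs the visitor in on the other domain, so if it carries the raw session id, anyone who can make a browser load that URL (or who replays it later) gets a login. The added example below (not code from the question or the answers) replaces the raw id with a short-lived, host-bound, HMAC-signed handoff token; each domain verifies the token before it sets its own cookie. It assumes a shared secret SSO_KEY (placeholder, to be replaced with real random bytes), a receiving script called setcookie_sso.php on every domain, a 60 second validity window, and PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example, not from the question or answers. Domain A issues a signed
// handoff token per target domain; the target's setcookie_sso.php verifies
// the signature, host and expiry before setting its cookie. Assumed:
// SSO_KEY is shared by all sites (placeholder value), tokens live 60 s.

declare(strict_types=1);

const SSO_KEY   = 'REPLACE_WITH_32_RANDOM_BYTES_SHARED_BY_ALL_SITES';
const TOKEN_TTL = 60;

// Domain A, after a successful login: the value to put in the <img src>.
// Payload is "sessionId|targetHost|expiry", signed with HMAC-SHA256.
function makeHandoffToken(string $sessionId, string $targetHost, int $now, string $key): string
{
    $payload = $sessionId . '|' . $targetHost . '|' . ($now + TOKEN_TTL);
    $mac     = hash_hmac('sha256', $payload, $key);
    return base64_encode($payload . '|' . $mac);   // rawurlencode() it in the URL
}

// Domain B/C/D: the session id, or null if the token is malformed, forged,
// expired, or meant for another host (a token for B must not work on C).
function verifyHandoffToken(string $token, string $thisHost, int $now, string $key): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;
    }
    [$sessionId, $host, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$sessionId|$host|$expires", $key);
    if (!hash_equals($expected, $mac)) {           // constant-time comparison
        return null;
    }
    if ($host !== $thisHost || (int) $expires < $now) {
        return null;
    }
    return $sessionId;
}

// setcookie_sso.php on each domain: verify, then set the cookie for this host.
function handleHandoff(array $get, string $thisHost, int $now): bool
{
    $token     = isset($get['t']) && is_string($get['t']) ? $get['t'] : '';
    $sessionId = verifyHandoffToken($token, $thisHost, $now, SSO_KEY);
    if ($sessionId === null) {
        http_response_code(403);
        return false;
    }
    // The id is a bearer credential: keep it out of JavaScript and off plain
    // HTTP. SameSite=None is needed because the response is to a cross-site
    // image request; browsers that block third-party cookies may still drop it.
    setcookie('sessid', $sessionId, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
    return true;
}

// On domain A the login page emits one image per other site, e.g.
//   <img src="https://domainB.com/setcookie_sso.php?t=<?= rawurlencode($token) ?>">
$token = makeHandoffToken('example-session-id', 'domainB.com', time(), SSO_KEY);
```

Binding the token to the target host and a short expiry is what answers the CSRF concern: a leaked or guessed image URL is useless after a minute and on any other domain, and nothing in the URL reveals the session id in a form the receiving script would trust without the signature. The IE behaviour the question asks about is a separate matter and is unaffected by any of this.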

PHP session doesn't work with IE

I have a site made with php which uses server side sessions throughout the site.
In fact, it's a site with a user login which depends on session variables and if there were a problem with all session variables, no pages would load at all.
On the site, there's an iframe that holds a feed of little messages from other users.
Those little messages have clickable photos next to them that open the user's profile.
Now, each page requires some formatting to open the user's profile on that specific page...there's really only a few problem pages, but those pages have to have the onclick functions formatted a little differently or they break the page.
So I set a session variable on each page ($_SESSION["current_page"]) that lets the feed know how to format the clickable photos. Now Firefox, Opera, Chrome, Safari all work as they are supposed to.
But IE6 and IE7 are having problems on the pages that require special formatting.
So after pulling my hair out a bit, I eventually got around to printing my session variables from the server.
And lo and behold, on the special pages, ($_SESSION["current_page"]) is always set to "main" instead of "special1" or "special2".
I printed the same session variable in Firefox and all the other browsers I mentioned and they print out "special1" or "special2" as they're supposed to.
Can anyone think of something - possibly related to the fact that the feed is in an iframe??? - that would cause IE to treat server side session variables differently or somehow launch page "main" silently in the background?
I have checked the feed very carefully for any reference to page "main" - it doesn't seem like there's any ways it's loading that page.
This doesn't make sense to me.
Check the name of the server machine. IE has problems with machine names that contain '-' or '_' - they cannot maintain a session! I've had this problem twice in the past, and it always takes me weeks to figure out, and I'm shocked IE hasn't fixed it.
Just rename the machine to have no strange characters! You can get it working if you just use the IP address of the server in the url to test.
IE has cookie issues with its handling of iFrames which may be causing the session issue you mention; take a look at these links:
http://adamyoung.net/IE-Blocking-iFrame-Cookies
http://gathadams.com/2007/06/25/how-to-set-third-party-cookies-with-iframe-facebook-applications/
http://nileshtrivedi.in/blog/2008/09/01/iframe-cookies-and-internet-explorer/
Try testing the page while using some sort of monitoring proxy (I use Fiddler) and see what pages the browser requests. That might give you some clues to what's going on.
Also, try capturing the requests/responses from different browsers and see what IE is doing differently (order of requests, content of requests?).
To pinpoint the problem, can you rewrite the code without using SESSION (it's mentioned in one of the other answers)? Maybe IE is accessing the pages in different order than other browsers? Maybe it is requesting the main page more than once, which means that the session var is set to "main"? Without session variables, the pages won't affect each other's state.
In most cases, this php line at file beginning will be enough:
    header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');
If it isn't, for IE7 you may also try:
    header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');
    header('Set-Cookie: SIDNAME=ronty; path=/; secure');
    header('Cache-Control: no-cache');
    header('Pragma: no-cache');
And if that doesn't work for IE6, you may use GET params for session ID:
    header('location: land_for_sale.php?phpSESSID='.session_id());
I thought some people might find the solution to this problem interesting. Fiddler certainly helped here. Thanks to Fiddler, I could see that I was, in fact, hitting the page main.php (thus setting the session variable moments after setting it on the target page), but the server was defaulting there after getting a 302 on the root of the site. This was all happening silently in the background, and before my onload="" javascript ran.
So I was sure something on those pages was causing an error, but not a catastrophic one.
here it is: <img src= "" >
IE was freaking out about the blank src attribute, hitting the server root and then defaulting to page main. I don't fully understand the mechanics happening here. I also don't understand if this is how IE is supposed to behave (it is a malformed img tag after all) or not. Is this a bug?
I found that if you add header('P3P: CP="CAO PSA OUR"'); to the top of your doc, it seems to fix the problem.
I had this problem, and it was due to the date on my dev box being out. Firefox didn't mind, IE and chrome were seeing the session as being expired as soon as it was set.
I have the same problem and it's SOLVED now.
The blank or empty attribute's values of any IMG tags cause the problem.
For me, I used JavaScript to change IMG object's source to an empty value.
Doing that could also make the problem.
If I understand it correctly, you are trying to use a session variable to pass data from a page to pages within iframes on that page? This doesn't seem a good way to go about it - why not just pass a GET variable into the iframe url i.e. ?current_page=special1 . I would think this would be more reliable as it does not rely on session state.
Remember also that the session variables will be the same for several pages of the same site that are open on a user's PC (e.g. on multiple tabs), which could cause odd behaviour.
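Passing the page name into the iframe URL, as this answer suggests, also removes the cross-tab problem it mentions, but the feed then has to treat that parameter as untrusted input. The added example below (not the answerer's code) shows both halves: the parent page builds the iframe src, and feed.php maps the parameter onto one of the page names from the question ('main', 'special1', 'special2'), falling back to 'main' for anything else, before generating the per-page onclick attribute. The feed file name, the openProfile() function and the parent./plain call difference are assumptions made for the example.

```php
<?php
// Added example, not from the answer: carry the current page into the feed
// through the iframe URL instead of $_SESSION, and have feed.php accept only
// names it knows. Assumed: the feed is feed.php, the page names are those in
// the question, and profile photos call an openProfile() JS function that on
// the special pages must be reached through the parent window.

declare(strict_types=1);

const KNOWN_PAGES = ['main', 'special1', 'special2'];

// Parent page: the page name goes into the query string, nothing else.
function feedIframe(string $currentPage, array $known): string
{
    if (!in_array($currentPage, $known, true)) {
        $currentPage = 'main';
    }
    $src = 'feed.php?' . http_build_query(['current_page' => $currentPage]);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// feed.php: pick the formatting from the parameter without trusting it raw.
// Unknown, missing or array-valued parameters all become 'main'.
function pageForFormatting(array $get, array $known): string
{
    $page = isset($get['current_page']) && is_string($get['current_page'])
        ? $get['current_page']
        : '';
    return in_array($page, $known, true) ? $page : 'main';
}

// The per-page onclick attribute for a clickable photo. The user id becomes a
// JS literal via json_encode and the whole attribute is HTML-escaped, so the
// formatting difference between pages is the only thing that varies.
function profileOnclick(string $page, int $userId): string
{
    $call = $page === 'main'
        ? 'openProfile(' . json_encode($userId) . ')'
        : 'parent.openProfile(' . json_encode($userId) . ')';
    return 'onclick="' . htmlspecialchars($call, ENT_QUOTES, 'UTF-8') . '"';
}

// Parent page:   echo feedIframe('special1', KNOWN_PAGES);
// feed.php:      $page = pageForFormatting($_GET, KNOWN_PAGES);
//                echo '<img src="photo.jpg" ' . profileOnclick($page, 42) . '>';
```

Each iframe now carries its own page name, so two tabs open on different pages no longer race each other for one session value, and a stray background request to main.php (the cause found in the accepted diagnosis above) can no longer change what the feed renders.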
Session data is stored on the server side, not the client. I would check the other pages, where this value would be set.
I had the same problem with ie7 and this is what I do:
If you have this problem using IIS or Apache on Windows Server, look at the URL you are redirecting to: it must be written the same way as the URL you were at before the redirection.
For example:
site.com/pages/index.php redirecting to site.com/Pages/index2.php is going to lose the session in IE7 because of the capital letter in Pages.
Maybe it's session.cookie_lifetime. I have faced the same problem. I updated session.cookie_lifetime: 4500 to session.cookie_lifetime:0. This means the session cookie never expires until the browser shuts down.

PHP : session variable aren't usable when site is redirected

I have to admin a small website for my alumni group which is hosted by my ISV. The url is something like www.myIsv.com/myWebSite/ which is quite ugly and very forgettable. The main admin of the webserver has registered a domain name www.mysmallwebsite.com and put an index.html with this content:
    <html>
    <head>
    <title>www.mysmallwebsite.com</title>
    </head>
    <frameset>
    <frame src="http://www.myIsv.com/myWebSite/" name="redir">
    <noframes>
    <p>Original location:
    http://www.myIsv.com/myWebSite/
    </p>
    </noframes>
    </frameset>
    </html>
It works fine, but some features like PHP Session variables don't work anymore! Anyone has a suggestion for correcting that?
Edit:
This doesn't work both on IE and on Firefox (no plugins)
Thanks
Sessions are tied to the server AND the domain. Using a frameset across domains will cause all kinds of breakage because that's just not how it was designed to work.
Try using apache mod rewrite to create a "passthrough redirection", the "proxy" flag ([P]) in the rule is the magic flag that you need
Documentation at http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
What do you mean?
Are you saying that when you go from www.mysmallwebsite.com to www.myIsv.com/myWebSite/ then the PHP session is lost?
PHP recognizes the session with an ID (alpha-numeric hash generated on the server). The ID is passed from request to request using a cookie called PHPSESSID or something like that (you can view the cookies a websites sets with the help of your browser ... on Firefox you have Firebug + FireCookie and the wonderful Web Developer Toolbar ... with which you can view the list of cookies without a sweat).
So ... PHP is passing the session ID through the PHPSESSID cookie. But you can pass the session ID as a plain GET request parameter.
So when you place the html link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...
    www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>
I haven't worked with PHP for a while, but I think this will work.
Do session variables work if you hit http://www.myIsv.com/myWebSite/ directly? It would seem to me that the server config would dictate whether or not sessions will work. However, if you're starting a session on www.mysmallwebsite.com somehow (doesn't look like you're using PHP, but maybe you are), you're not going to be able to transfer session data without writing some backend logic that moves the session from server to server.
Stick a session_start() at the beginning of your script and see if you can access the variables again.
It's not working because on the client sessions are per-domain. All the cookies are being saved for mysmallwebsite.com, so myIsv.com cannot access them.
#pix0r
www.myIsv.com/myWebSite/ -> session variable work
www.mysmallwebsite.com -> session variable doesn't work
#Alexandru
Unfortunately this is not on the same webserver
What browser/add-on do you have? It may be your browser or some other software (maybe even the web server) is blocking the sessions from http://www.myIsv.com/myWebSite/ working from within the frame, as it's located on a different site, thinking it's an XSS attack.
If the session works at http://www.myIsv.com/myWebSite/ without the frame you could always use a redirect from http://www.mysmallwebsite.com to the ugly url, instead of using the frame.
EDIT:
I have just tried your frame code on a site of mine that uses sessions; Firefox worked fine, with me logging in and staying logged in, but IE7 logged me straight out again.
So when you place the html link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...
    www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>
From a security point of view, I really really really hope that doesn't work
You could also set a cookie on the user-side and then check for the presence of that cookie directly after redirecting, which if you're bothered about friendly URLs would mean that you don't have to pass around a PHPSESSID in the query string.
When people arrive at www.mysmallwebsite.com I would just redirect to http://www.myIsv.com/myWebSite/
    <?php header('Location: http://www.myIsv.com/myWebSite/'); ?>
This is all I would have in www.mysmallwebsite.com/index.php
This way you don't have to worry about browser compatibility, or whether the sessions work; just do the redirect, and you'll be good.
