ZF2 : Trouble with session for authentication - php

I have a strange problem with the session after an authentication.
The whole authentication part works; the trouble comes after that:
$result = $this->getAuthService()->authenticate();
if ($result->isValid()) {
    $storage = $this->getAuthService()->getStorage();
    $storage->write($this->getAuthService()
        ->getAdapter()
        ->getResultRowObject(array(
            'email_utilisateur',
            'password_utilisateur',
        )));
    $redirect = 'success';
}
Right now, I am logged in, and email+password are stored in the "Zend_Auth" key (don't pay attention to the fact that I store the password, btw; it's for the example ^^).
But when I go to another page (even if it's the same one), my session key "Zend_Auth" gets broken, and I have an incomplete PHP object....
Array
(
    [__ZF] => Array
        (
            [_REQUEST_ACCESS_TIME] => 1369667659.7526
        )
    [Zend_Auth] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => Zend\Stdlib\ArrayObject
        )
)
So, any idea why changing pages would screw up my session variable?
Thanks in advance; I've spent like 5 hours on this problem, testing things, etc.
EDIT 28/05/2013:
So, I still haven't found it.
Anyway, the object that gets corrupted is a Zend\Stdlib\ArrayObject. A reason why this ArrayObject gets corrupted would be that the session starts before the inclusion of Zend\Stdlib\ArrayObject. I'll try to figure it out, but if that's the reason, then it's a bug in the framework. By the way, I'm using ZF 2.2.

I FOUND IT!
So, as said, the reason was that the session started before the ArrayObject class was known to the application. And, as you can read here:
https://zf2-docs.readthedocs.org/en/latest/modules/zend.session.advanced-usage.html
**Do not enable PHP's session.auto_start setting. If you do not have the ability to disable this.**
And that was the thing. session.auto_start was enabled in my php.ini. In order to fix this, you must set it to 0 in your php.ini file:
session.auto_start = 0
If your PHP is used for several applications/sites, then add this line to your .htaccess instead:
php_value session.auto_start 0
This will override the value from php.ini.
Hope it will help someone ^^.
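As an added illustration (not code from the question, the answer or Zend Framework) of why the session ended up holding a __PHP_Incomplete_Class: session data is unserialized the moment the session starts, and any object whose class is not loadable at that moment becomes an opaque placeholder. AuthRecord is a hypothetical stand-in for Zend\Stdlib\ArrayObject, and findIncompleteClasses() is a check you can run right after session_start() so a broken session is never treated as a logged-in user.

```php
<?php
// Added example; not code from the question, the answer or Zend Framework.
// AuthRecord is a hypothetical stand-in for Zend\Stdlib\ArrayObject.

// What a serialized AuthRecord looks like in the session file (hand-built so
// it can be unserialized before the class is declared further down).
$stored = 'O:10:"AuthRecord":1:{s:5:"email";s:16:"user@example.org";}';

// 1. session.auto_start = 1: the session is read before any autoloader ran,
//    so PHP has no class to build and returns a __PHP_Incomplete_Class.
$early = unserialize($stored);
printf("class before autoload: %s\n", get_class($early));

// 2. Declare the class (in a real app the autoloader does this) and read the
//    same data again: now a real object with its data comes back.
if (!class_exists('AuthRecord', false)) {
    class AuthRecord
    {
        public $email;
    }
}
$late = unserialize($stored);
printf("class after autoload: %s, email=%s\n", get_class($late), $late->email);

/**
 * Return the session keys whose value is an unresolved placeholder.
 * A non-empty result means the identity stored in the session cannot be
 * trusted; the session should be destroyed and the user sent to log in again.
 */
function findIncompleteClasses(array $session): array
{
    $broken = [];
    foreach ($session as $key => $value) {
        if ($value instanceof __PHP_Incomplete_Class) {
            $broken[] = (string) $key;
        }
    }
    return $broken;
}

// Constructed session contents matching the dump in the question.
$session = [
    '__ZF'      => ['_REQUEST_ACCESS_TIME' => 1369667659.7526],
    'Zend_Auth' => $early,
];
$broken = findIncompleteClasses($session);
if ($broken !== []) {
    // With a live $_SESSION this is where you would session_destroy()
    // and redirect to the login page instead of continuing.
    printf("unusable session keys: %s\n", implode(', ', $broken));
}
```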

Related

Call to member function getResourceId() on non object - Magento CE

Firstly I'd like to apologise in advance if this is a stupid question - Although I have been writing PHP for the last 12 years, I work on bespoke applications and have only been using Magento for the last hour, so I'm clueless on its structure. If possible I'd like to avoid having to dig too much into Magento as the entire reason why I'm using Magento is to save time.
Anyway, the error:
Call to a member function getResourceId() on a non-object in /var/www/[site]/lib/Zend/Acl.php on line 1174
This error occurred after attempting to log in to the administration area immediately after install. The error is in the &_getRules method in lib/Zend/Acl.php.
So, I did a little digging and $resource (the variable it is attempting to call the method on) is actually an array, which I found odd as this is the method definition:
protected function &_getRules(Zend_Acl_Resource_Interface $resource = null, Zend_Acl_Role_Interface $role = null, $create = false){
So, to verify that I wasn't actually losing my mind I wrote the following as the first line of the &_getRules method
if ($resource !== null && !$resource instanceof Zend_Acl_Resource_Interface) {
    die('<pre>' . print_r($resource, 1) . '</pre>');
}
Which printed:
Array
(
    [G1] => Array
        (
            [instance] => Mage_Admin_Model_Acl_Role_Group Object
                (
                    [_roleId:protected] => G1
                )
            [parents] => Array
                (
                )
            [children] => Array
                (
                    [U1] => Mage_Admin_Model_Acl_Role_User Object
                        (
                            [_roleId:protected] => U1
                        )
                )
        )
    [U1] => Array
        (
            [instance] => bea423c23f6343e2b509fb192a00826f:3EOt7Vo0agtENPH8Wm73EOelgSDoDxYO
            [parents] => Array
                (
                    [G1] => Ryan
                )
            [children] => Array
                (
                )
        )
)
So yeah, I guess my question comes in four parts:
Why doesn't this work out of the box?
Am I just being an idiot?
Why isn't PHP preventing this method from running, considering the $resource variable is neither a Zend_Acl_Resource_Interface nor null?
How do I fix it?
I should mention that this is a local test site, running on Ubuntu 12.04, Apache 2.4.9 (likely to be nginx in production though), PHP 5.5.12, Magento CE 1.9.0.2.
Thanks in advance,
Ryan
/*************************UPDATE*********************************/
Hi again everyone,
So I've noticed there is a pattern to how this problem/bug/whatever comes around. So, this is my admin url:
http://magento.example.local/admin_system/
If I go to this url, I am able to login and then this issue happens. At this point the url is now
http://magento.example.local/index.php/admin_system/[some_irrelevant_stuff]
So this is where it gets odd. If I then navigate to the original url I am once again redirected to the second url, but the beginning of [some_irrelevant_stuff] is /index/denied/ (which I assume is relevant now haha). At this point I am provided the header of the Magento admin panel and I am able to logout.
OK, so that's one part of the issue. If I then logout, or if I start my login process at /index.php/admin_system/, then I am able to log in and use the admin area as usual. So, the long and short of it is, I don't know what's going on, but I'm hoping this extra info might get me more details.
Thanks for your time,
Ryan
Wow, I am genuinely surprised that nobody had an answer for this. Anyway, the following details are not so much an explanation as to what caused this issue, but a solution to stop it happening.
So, as you'll see from the edit of my question, I noticed that this seemed to have a bizarre connection to the URL, and using different URLs to access the admin area (e.g. /index.php/admin instead of /admin) caused different errors. So for this reason, and because having index.php in all my admin area URLs, I took a look into rewriting the admin URLs. This is made available using this plugin: http://www.magentocommerce.com/magento-connect/admin-rewrites.html
If I'm not mistaken, I did not need to make any changes to the RewriteRule(s) that are set by default by Magento, so following the instructions on the plugin page above should work.
Either way, this appears to resolve the issue so I hope it helps someone having similar issues.

PHP declaring global and session variables

I've been using PHP 5.3.8 for a while now and I've just come across a new error for me:
Warning: Unknown: Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session
extension does not consider global variables as a source of data,
unless register_globals is enabled. You can disable this functionality
and this warning by setting session.bug_compat_42 or
session.bug_compat_warn to off, respectively. in Unknown on line 0
To which there is a solution here: PHP session side-effect warning with global variables as a source of data.
However, I still don't understand why this is happening. As far as I'm aware, there should be no ambiguity between $foo and $_SESSION['foo']?
I've tried testing a few of the scripts online that people say throw this error, but they don't throw the warning on my system, and the script I'm getting this warning on is hella complicated, and stripping it down to a few lines in order to replicate the error is proving problematic.
However, I have narrowed it down to one line:
$bonus = isset($_GET['bonus']) ? $_GET['bonus'] : '';
$_SESSION['bonus'] is set to null on a previous page, and register_globals has been off since about PHP 4.2 something, so it can't be the $_GET scope.
So this brings me back to my first point; why is there suddenly an issue between $bonus and $_SESSION['bonus']? I say suddenly, because I am using this exact script on another site (same box) and I get no errors.
Could someone point me to anywhere that perhaps explains in more detail how PHP deals with session vars etc and why there is an issue between the two variables?
Thanks.
[Update]
Looking here: PHP Runtime Configuration, it does mention that:
[PHP has...] an undocumented feature/bug that allows you to initialize a session variable
in the global scope...
I guess there may not be much more to say other than that. It just seems odd to me that PHP has issues with $_SESSION['foo']/$foo when $_SESSION['foo'] != $foo...
Try setting session.bug_compat_42 to off; it will turn off the functionality the warning is about. Cf. http://php.net/manual/en/session.configuration.php

Unserialized COOKIE returns empty

I'm trying to save an array into a cookie, in a serialized manner. So what I do is this:
$serial_auth = serialize($_SESSION['auth']);
setcookie("auth_cookie", $serial_auth, 2592000 + time());
and on the next page I'm trying to use this data like this:
if (isset($_COOKIE['auth_cookie'])) {
    $_SESSION['auth'] = unserialize($_COOKIE['auth_cookie']); // but it returns an empty array.
}
Now the strange thing is the whole thing works on my localhost, but it does not work on the 000webhost site.
And a note: when I try to echo those, I get this:
$_SESSION['auth'] =
Array ( [status] => ok [userid] => 1 [username] => user11 [visiblename] => user11 )
SERIALIZED =
a:4:{s:6:"status";s:2:"ok";s:6:"userid";s:1:"1";s:8:"username";s:6:"user11";s:11:"visiblename";s:6:"user11";}
This may be a PHP configuration issue, but I would like to learn if there is a way for this, without changing any PHP configuration. Thanks for any help.
This has severe security drawbacks and shouldn't be done.
An attacker can set the cookie value to anything, including serialized objects. These objects may execute code when recreated. So an attacker may execute code on your machine by sending you a properly crafted serialization string! One cannot want attackers to be able to do this.
See the warning at the bottom of this page: http://www.php.net/manual/en/function.unserialize.php
The second thing is: Why the hell do you need the authentication info in a separate cookie, and what is connected with it? What would an attacker be able to do if he changes any of the values, especially the userid or the status? I assume he might gain access to things he shouldn't be able to.
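If the server-side session alone cannot be used and a cookie really has to carry this data, the pattern below (an added example, not code from the question or the answer) avoids both problems the answer raises: the value is JSON rather than serialize() output, so no object is ever instantiated from cookie bytes, and an HMAC over the payload rejects any cookie whose userid or status was edited. It assumes PHP 7.3 or later and a server-side key loaded from configuration; the key shown is a placeholder.

```php
<?php
// Added example, not from the question or the answer. Replaces
// serialize()/unserialize() on a client-controlled cookie with JSON + HMAC.
// $secret is a hypothetical server-side key; load it from config, never hardcode it.

function encodeAuthCookie(array $auth, string $secret): string
{
    $payload = base64_encode(json_encode($auth, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $secret);
    // base64 and hex never contain '.', so it is a safe separator
    return $payload . '.' . $mac;
}

function decodeAuthCookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // constant-time comparison: a forged MAC cannot be guessed byte by byte
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // with assoc=true json_decode() only ever builds arrays and scalars,
    // unlike unserialize(), which can instantiate arbitrary classes
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample matching the array in the question.
$secret = 'replace-with-a-random-32-byte-key-from-config';
$auth = ['status' => 'ok', 'userid' => 1, 'username' => 'user11', 'visiblename' => 'user11'];

setcookie('auth_cookie', encodeAuthCookie($auth, $secret), [
    'expires'  => time() + 2592000,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

// On the next request:
if (isset($_COOKIE['auth_cookie'])) {
    $restored = decodeAuthCookie($_COOKIE['auth_cookie'], $secret);
    if ($restored === null) {
        unset($_SESSION['auth']); // missing, malformed or tampered: logged out
    } else {
        $_SESSION['auth'] = $restored;
    }
}
```

A cookie forged without the key fails hash_equals() and yields null, which is the case the original unserialize() code silently turned into "an empty array".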

php scripts that suddently stops working - where to start looking?

If someone doesn't feel like reading the whole explanation, you can skip to the last 2 paragraphs where I have the actual question.
So I have this bunch of websites made with CakePHP. In one of the pages (this is the same for all the websites), I load an XML file and process its contents (using the XML helper). This has been working for quite some time. Now, suddenly, it doesn't work anymore in any of the websites (and the code hasn't changed a bit), it gives an "error opening file".
At the same time, another script of those websites (which has nothing to do with the previous one; it's plain PHP, outside the CakePHP "area") has stopped working too. In this case, it's a script that creates a connection with a video hosting provider (Fliqz) and retrieves the URL of a video given a video id. Suddenly, it throws an error, something like "session was not created" (the script creates some sort of session with Fliqz's server to get the URL).
All this sounds very weird, I know. The first thing I've done, after checking that the code is correct, is call 1&1 (the hosting provider) and ask if they have made any change in the server. They said that they changed to PHP5 a few months ago (which I was aware of, and everything was working fine after that change), but that they haven't changed anything else.
My question would be, is there anything I can do to figure out what is causing these problems? For example, I found a post by someone saying that his hosting had restricted some functionality that allowed external connections. Or in another post I saw a suggestion about doing this: echo file_get_contents("http://google.com/"), and I got an error, meaning that some setting wasn't right. I even tried to use simplexml_load_file (instead of the XML helper) in the page where I load the XML file and it didn't work, giving another error...
I would like to know, if a PHP setting is causing this, which one could it be, so I can look at it and call again 1&1 to tell them what they need to change (if there's anything to change). Otherwise, how in the world can something just stop working?
Thank you for any advice! It is much appreciated!
EDIT: detailed explanation of errors
1. Error related to the XML not loading using CakePHP's XML helper
This is the code I use (which used to work perfectly):
$completeurl = '/full/path/to/file/myfile.xml';
App::import('Xml');
$xml =& new XML($completeurl);
$this->list = Set::reverse($xml);
I don't get any error or warning. If I debug $xml, I get this:
Xml Object
(
    [__parser] =>
    [__file] =>
    [__rawData] =>
    [__header] =>
    [__tags] => Array
        (
        )
    [version] => 1.0
    [encoding] => UTF-8
    [name] => #document
    [namespace] =>
    [namespaces] => Array
        (
        )
    [value] =>
    [attributes] => Array
        (
        )
    [children] => Array
        (
        )
    [__parent] =>
)
If I debug $this->list I get an empty array. Before this problem, I would get an associative array with all the information of the XML file, perfectly structured. Oh, and the XML file is the same it used to be, and I've revalidated it just in case giving no errors.
2. Error related to XML file not loading using simplexml_load_file()
This is the code I've tried with "regular" php (without using any CakePHP helper):
$file = '/full/path/to/file/myfile.xml';
if (!$xml = simplexml_load_file($file)) {
    exit('Failed to open ' . $file);
}
And these are the errors (warnings):
Warning (2): simplexml_load_file() [function.simplexml-load-file]: URL file-access is disabled in the server configuration [APP/plugins/icd_discovery/webroot/videos.php, line 29]
Warning (2): simplexml_load_file(http://discovery.ingles100.com/icd_discovery/xml/videos_unidades.xml) [function.simplexml-load-file]: failed to open stream: no suitable wrapper could be found [APP/plugins/icd_discovery/webroot/videos.php, line 29]
Warning (2): simplexml_load_file() [function.simplexml-load-file]: I/O warning : failed to load external entity "http://discovery.ingles100.com/icd_discovery/xml/videos_unidades.xml" [APP/plugins/icd_discovery/webroot/videos.php, line 29]
If I put a relative path for the file, I just get the last warning, but still not loading it.
3. Error related to script to load URL of hosted videos in Fliqz
The page that contains this script is totally unrelated to the previous ones (meaning that the code there doesn't affect the code here). We use the following script (provided by Fliqz) to request the URL of our videos hosted there:
include_once '../fliqz/dlMetrics.php';
// initializing new session
$videoID = '123123123';
$applicationID = '456456456';
$uniqueID = null;
// create a new fliqzDownload Object
$metricsObj = new dlMetrics();
// get new session, using Application ID from Account:
$sessionID = $metricsObj->newSession($applicationID,NULL,NULL,NULL,$uniqueID);
// show server time when new session was created:
$start = $metricsObj->getSessionStart();
// Get asset location (note: must use dashes in asset ID example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
$video_URL = $metricsObj->initLoad($videoID);
By doing this, we would get the URL of the video in the $video_URL variable. Again, this used to work perfectly. Suddenly, it doesn't.
So is it a coincidence that all these things stop working? I think that something has changed somewhere. Not the code; I'm the only one who touches that. The PHP version changed a while ago, and everything was working fine. Something in the server? 1&1 says that they didn't, or at least the person I talked to. If I have to call back, I would like to be able to point a little better to where I think the problem might be coming from; that's why I need your help, guys!
Again, thanks for any advice!
Create a file called php.ini with the following content:
allow_url_fopen = ON
and place it in the same folder (or folders) as those scripts.
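The warnings in the question show a URL being passed to simplexml_load_file(), which is why allow_url_fopen matters. When the XML file lives on the same server, loading it by filesystem path needs no configuration change at all, and keeping URL wrappers off also keeps every other file function from reaching the network. The helper below is an added example, not code from the question, the answer, CakePHP or Fliqz; it refuses URL-style paths, collects libxml errors instead of emitting warnings, and prints the ini settings worth quoting to the host. It assumes PHP 7.4 or later; loadLocalXml() and the sample file are hypothetical.

```php
<?php
// Added example, not from the question or the answer. Loads XML by local path
// (independent of allow_url_fopen) and reports the settings worth checking.

function loadLocalXml(string $path): SimpleXMLElement
{
    // A "scheme://" prefix would go through a stream wrapper (http, ftp, phar...);
    // the file is on this server, so only plain filesystem paths are accepted.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        throw new InvalidArgumentException("refusing URL path: $path");
    }
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("cannot read $path");
    }
    // Collect libxml errors instead of PHP warnings, and forbid fetching
    // external entities or DTDs over the network while parsing.
    $previous = libxml_use_internal_errors(true);
    $xml = simplexml_load_file($real, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($xml === false) {
        $messages = array_map(fn ($e) => trim($e->message), $errors);
        throw new RuntimeException('XML parse failed: ' . implode('; ', $messages));
    }
    return $xml;
}

// The settings the question asks about; print them to quote to the host.
foreach (['allow_url_fopen', 'allow_url_include', 'open_basedir'] as $setting) {
    printf("%s = %s\n", $setting, var_export(ini_get($setting), true));
}

// Constructed sample file; a real app would point at its own videos XML.
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents(
    $tmp,
    '<?xml version="1.0" encoding="UTF-8"?>'
    . '<videos><video id="1"><title>Intro</title></video></videos>'
);
try {
    $doc = loadLocalXml($tmp);
    echo 'first title: ', (string) $doc->video[0]->title, "\n";
    // Same function with a URL: rejected before any wrapper is consulted.
    loadLocalXml('http://example.invalid/videos.xml');
} catch (Exception $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
} finally {
    unlink($tmp);
}
```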

Nested arrays in a POST request are not parsed completely by PHP

I have been researching this problem for over 12 hours now, with no success.
We have a large custom CMS we have built for a governmental client. The software was developed on PHP 5.3.3. The initial deployment was done on PHP 5.2.2, which caused a few problems, but they finally upgraded their server to PHP 5.3.8. We have little control on exactly which versions gets deployed to their servers.
We have encountered a show-stopper problem. We have an AJAX request which submits a large form via POST with up to 5 levels deep of nested arrays. This has worked fine for several months, but all of a sudden, using the new PHP install, we are only getting a partial decode of the data inside the $_POST variable. I have confirmed that PHP has received all the data by inspecting php://input (I also checked that the data was being sent from the browser via Firebug).
This is what we are receiving as the decoded output (via var_dump, I've shortened it for brevity, this should give you a good idea)
Array
(
    [db_required_fields] => Array
        (
            [awr_title] => Array
                (
                    [en] => phil test eng
                )
        )
    [subtitle_intro] => Array
        (
            [awr_subtitle] => Array
                (
                    [en] =>
                )
        )
    [products] => Array
        (
            [cp_recall] => Array
                (
                    [1] => Array
                        (
                            [product_common_name] => Array
                                (
                                    [en] =>
                                )
                        )
                )
        )
)
What is missing: each of the [en] should have a peer [fr] array index entry. For example, there should be a [fr] phil test fr entry. Several other index entries at the 2nd array level are missing. The request data itself is not particularly large, roughly 6-7Kb.
What I've done:
- I have had Suhosin disabled since it was often mentioned as the cause of similar problems.
- Pored over the phpinfo() from both a working and the non-working server, trying to identify relevant differences.
- Investigated every module and option within which might affect things (mbstring, for example).
I am now considering writing my own parser for the php://input data, but this seems fraught with (potentially hidden) danger.
Any suggestion or hint?
I would suggest serializing the post data before sending it. And I would send it as a single string of JSON in one "field." Something like this:
$.ajax({
    type: 'POST',
    url: 'YOUR URL',
    data: {
        json: JSON.stringify(form_data) // Where form_data is the JSON object.
    },
    success: function(response)
    {
        // Do stuff.
    }
});
Then on the server-side, json_decode as follows:
<?php
$_POST = json_decode($_POST['json'], true);
?>
EDIT:
You want json_decode instead of unserialize. Whoops.
You are probably being affected by the new PHP configuration variables max_input_nesting_level or max_input_vars (particularly the latter). Try setting it to a higher value so that PHP doesn't start ignoring some input.
Note that when you want to change settings like max_input_vars and max_input_nesting_level and you have Suhosin running, you also need to change these parameters for Suhosin. Example for max_input_vars:
You need to add this to the .htaccess file:
php_value suhosin.post.max_vars 4000
php_value suhosin.request.max_vars 4000
You also need to add the following to your php.ini file in order to allow the change of the suhosin parameters within the .htaccess:
suhosin.perdir = "pr"
"p" allows the change for "post" settings, "r" for request settings.
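The two answers above point at the same root cause from different sides: PHP silently drops input variables past max_input_vars, and packing the form into one JSON field sidesteps that limit. The added example below (not code from the question or either answer) shows the server side of the JSON approach with the checks a bare json_decode() lacks, plus a heuristic that detects the truncation described in the question by comparing the fields sent in php://input with the leaves PHP actually parsed. It assumes PHP 7.0 or later; the function names and the field name json are hypothetical (json matches the first answer).

```php
<?php
// Added example, not from the question or the answers.

/** Decode the single JSON form field, failing loudly instead of silently. */
function decodeJsonField(array $post, string $field = 'json', int $maxDepth = 8): array
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        throw new InvalidArgumentException("missing form field '$field'");
    }
    // the depth limit bounds how deep a structure an untrusted client can make us build;
    // the field itself is still subject to post_max_size, but not to max_input_vars
    $data = json_decode($post[$field], true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('invalid JSON: ' . json_last_error_msg());
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('JSON body must be an object or array');
    }
    return $data;
}

/** Number of scalar leaves in a nested array, i.e. fields PHP kept. */
function countLeaves(array $a): int
{
    $n = 0;
    array_walk_recursive($a, function () use (&$n) { $n++; });
    return $n;
}

/** Heuristic: more name=value pairs in the raw body than leaves in $post
 *  means PHP stopped registering input (max_input_vars hit). Duplicate field
 *  names overwrite each other in $_POST, so treat a hit as a prompt to look at
 *  the ini values, not as proof. */
function postLooksTruncated(string $rawBody, array $post): bool
{
    $sent = $rawBody === '' ? 0 : substr_count($rawBody, '&') + 1;
    return $sent > countLeaves($post);
}

printf("max_input_vars=%s max_input_nesting_level=%s\n",
    ini_get('max_input_vars'), ini_get('max_input_nesting_level'));

// Constructed request matching the question: the [fr] entry was sent but dropped.
$rawBody = 'db_required_fields[awr_title][en]=phil+test+eng'
         . '&db_required_fields[awr_title][fr]=phil+test+fr';
$truncatedPost = ['db_required_fields' => ['awr_title' => ['en' => 'phil test eng']]];
printf("truncated: %s\n", postLooksTruncated($rawBody, $truncatedPost) ? 'yes' : 'no');

// Same form sent as one JSON field: both languages survive regardless of max_input_vars.
$jsonPost = ['json' => json_encode([
    'db_required_fields' => ['awr_title' => ['en' => 'phil test eng', 'fr' => 'phil test fr']],
])];
$form = decodeJsonField($jsonPost);
printf("fr title: %s\n", $form['db_required_fields']['awr_title']['fr']);
```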
