Session status is not set in some pages of PHP - php

I am using the Elgg application. Inside the FB connect plugin I am starting a session and setting some variables; in the same folder I am accessing these session attributes and it works fine.
But I included one more PHP file; after log-in, if I directly call this page through its URL, session_status is 1, but in the other two folders it is set.
How do I set the session here also? There should be some link between pages to session variables.
Can anyone help?
Fb_connect folder
str= "var/www/elgg/mod/fb_connect
import-contact-plugin-str="var/www/elgg/mod/importer.
new php file i added
url=var/www/elgg/engine/sample.php

When you work with Elgg, you shouldn't change its core. Almost everything can be done by plugins, and that's the preferred way of working with Elgg.
Elgg sessions are kept in the database and session start is called on the system boot event. When you're in plugin context, however, the session is already in place, so there is no need to do an additional session_start call.
So if you decide to go on modifying the core, you should run your logic from callback registered to boot system:
elgg_register_event_handler('boot', 'system', YOUR_CALLBACK);

Related

Will PHP code of an app always have read/delete access to session files on the same server?

For my Joomla! 3.8+ extension I need to be able to find and delete (unlink) PHP session files (named 'sess_' + session id) which will be stored in the session_save_path, e.g. /tmp. I understand that it is PHP who is storing the session files, i.e. not Joomla! (Joomla! session handler set to 'PHP')
My question: Will a PHP session file that is created through the use of the Joomla! website ALWAYS be read/write accessible by my extension's PHP code which is part of the same Joomla! install?
Addition: I realised later, that I omitted the word 'always' in my question, which I have now added.
Addition: More in-depth explanation about what I am trying to achieve.
As I said I have a Joomla! site, where users can log into.
The issue applies ONLY when Joomla! is configured with Session Handler set to 'PHP' (instead of 'database'). When Session Handler is 'database', there is no problem.
In basic terms, I want to achieve the following (with Joomla! session handler set to 'PHP'):
1> A user opens browser A and logs into the website and Joomla! records the related session ID plus user ID in a database.
2> The same user opens a different browser B (maybe at a different IP) and wants to log into the same website.
3> Because the user has already logged into the website through browser A, he/she is not allowed to log in again and will be presented a clickable link that will destroy all his other sessions, including the one with browser A (we have recorded the session IDs of all the other sessions).
A mere session_destroy() in step 3 is just partly doing the trick, because the destroyed session details reappear after a little while at the Joomla! backend and also in the Joomla! session table. Although this does not interfere with the Joomla! front-end, it is not clean and I want to avoid it, to make it foolproof.
By far the best solution is if I could delete the PHP session file (for example in dir /tmp and named 'sess_....'). I have tested this and it worked fine. However... it relies upon always having delete access to the PHP session file (using session_save_path() and unlink($session_file_path)) and this is the basis of the question that I posted.
I found out that the delete of the PHP session file is not always possible; it depends on the provider's PHP config. Since it is a commercial app that I am developing, the process must work on all configs, i.e. including those that do not allow delete access to the session file.
I will continue my search for a solution and will post it here when I have found it.
What you want is often possible but it poses a security risk (just think: one user can read session files before knowing who they belong to, so also those of other users), and therefore security-conscious ISPs will endeavour to prevent this.
So even if you manage to do this, nothing assures you that your code isn't going to break should the ISP tighten its security in the future. This makes for some maintenance uneasiness.
A better solution would be to have a secondary table of invalidated session-ids.
Then you write a user plugin hooking the onUserAuthorization and onUserLogout events. You will need onAfterInitialise too.
This hook will check upon initialisation whether the current session ID has been invalidated; if it is, immediate logout is triggered. Otherwise, its timestamp is updated.
On user logout, the current session id is removed from the table and the session destroyed.
At a fresh login, a warning about other sessions being open is issued: if login succeeds, all other sessions for the same user will be marked as invalidated.
As a maintenance task, all entries with a timestamp older than maximum session lifetime may safely be expunged.
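A sketch of the invalidated-session table described in the answer above, added here as an example and not part of the original answer or of Joomla! itself. It assumes PDO with the SQLite driver; the table, column and function names are hypothetical, and logout (a single DELETE on sid_hash) is left out for brevity.

```php
<?php
// Added example. Table, column and function names are hypothetical, not Joomla! API.
// Session IDs are stored as SHA-256 hashes so the table never holds a usable ID.
function tracker_init(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS session_tracker (
        sid_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        invalidated INTEGER NOT NULL DEFAULT 0, last_seen INTEGER NOT NULL)');
}

// Successful login: invalidate the user's other sessions, then record this one.
function tracker_login(PDO $db, int $userId, string $sid, int $now): void
{
    $db->beginTransaction();
    $db->prepare('UPDATE session_tracker SET invalidated = 1 WHERE user_id = ?')
       ->execute([$userId]);
    $db->prepare('INSERT OR REPLACE INTO session_tracker VALUES (?, ?, 0, ?)')
       ->execute([hash('sha256', $sid), $userId, $now]);
    $db->commit();
}

// Each request (onAfterInitialise): returns false when the session must be logged out.
function tracker_check(PDO $db, string $sid, int $now): bool
{
    $st = $db->prepare('SELECT invalidated FROM session_tracker WHERE sid_hash = ?');
    $st->execute([hash('sha256', $sid)]);
    if ((int) $st->fetchColumn() === 1) {
        return false;
    }
    $db->prepare('UPDATE session_tracker SET last_seen = ? WHERE sid_hash = ?')
       ->execute([$now, hash('sha256', $sid)]);
    return true;
}

// Maintenance: rows idle longer than the maximum session lifetime can be expunged.
function tracker_purge(PDO $db, int $now, int $maxLifetime): int
{
    $st = $db->prepare('DELETE FROM session_tracker WHERE last_seen < ?');
    $st->execute([$now - $maxLifetime]);
    return $st->rowCount();
}

// Constructed walk-through: browser A logs in, then browser B logs in as user 42.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
tracker_init($db);
tracker_login($db, 42, 'sid-browser-A', 1000);
tracker_login($db, 42, 'sid-browser-B', 1100);
var_dump(tracker_check($db, 'sid-browser-A', 1200), tracker_check($db, 'sid-browser-B', 1200));
```

Because the check runs against the application's own table, it works the same whether or not the host allows the PHP process to read or unlink files in the session save path.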
That depends on the server settings.
Find the user PHP is using: How to check what user php is running as?
Check the permissions of that user on the folder where the sessions are stored: Unix: How to check permissions of a specific directory?
Change the permissions when needed: https://serverfault.com/questions/105535/how-can-i-set-full-premissions-to-a-user-in-a-specified-dir
Thank you #Nigel and #AgeDeO
By trial and error, I found out that the answer is NO, not always.
By executing the code with a few commercial ISPs, I hit one ISP who did not allow me to delete the PHP session file while it was at its default location. The location was /var/lib/php5.

HybridAuth not authenticating when using custom php session path

I have an issue when using the HybridAuth plugin. I have included the plugin as a popup in my home page. When clicking on the login button from the home page, the plugin will load in colorbox.
On my server I can't use the default PHP session save path, so I have set it to the PHP temp path for saving sessions, as below, in index.php of my root folder.
$dir = sys_get_temp_dir();
session_save_path($dir);
After updating this code, the plugin successfully authenticates with the social media that the customer selects and returns back to my site, but it does not pass the condition below:
$hybridauth->isConnectedWith( $_GET["connected_with"] ) // it always returns false
In the second case I have updated the session save path in index.php of the plugin folder also, but at that time, instead of showing the login UI, the login popup directly shows an error page like below
"You cannot access this page directly."
Any help would be appreciated. Thanks in advance.
The problem is your default session path:
$dir = sys_get_temp_dir();
session_save_path($dir);
I would print_r sessions to see what got registered. Why do you have issues with default session path? I wouldn't try to alter it and make sure that works first. This is altering the main functionality of HybridAuth.
Why can't you use the default PHP session save path? Are you on a shared host?
--
If you have shell access make sure the web server user has write access to the directory; that should take care of the issue.
As often : RTM and discover the use of isConnectedWith
isConnectedWith()
Return a true or false if the current user is connected to a given
provider. Hybrid_Auth::isConnectedWith() use PHP Sessions. To know
more refer to the HybridAuth Sessions section.
Hybrid_Auth::isConnectedWith(provider)
Where provider is the name of the tested service. eg : Hybrid_Auth::isConnectedWith('Twitter')
Be sure that your $_GET returns the good service name.
If you want a list of connected providers : Hybrid_Auth::getConnectedProviders()
If you want to inspect the session's data : Hybrid_Auth::getSessionData()
API !
Add your own custom session handler at the top of hybridauth/index.php (located in the same dir as config.php and live.php).
This forces Hybrid Auth to use your custom session handler.

Is there any way to get session data in folder outside Application folder of Codeigniter?

I have a folder outside /application folder of CodeIgniter called myfolder.
My CI application uses Native PHP sessions and it all works fine. CI version is the latest 3.0-development.
I need to access some of the session data in myfolder/myfile.php. If I do a session_start() and then print_r($_SESSION); then I don't see the session set by CI's session driver. I understand why it doesn't show it.
Do you know any method/hack by which I can refer to session data from CI's session in myfolder, for example by directly including, say, Codeigniter/libraries/session/drivers/session_native.php or any other file? I just need an array from the session data.
It's a trick, but it does work. Place this little naughty code just before the login redirect. And now you can use ci_session with the PHP native session too, have fun!
<?php
session_start();
echo $_SESSION['ci_session'] = $this->session->userdata['ci_session'];
?>
The current Session_native.php doesn't seem to change any of the built-in session library's preferences or interfere with how the session data is saved; I think the following should work:
Get a hold of the session id for the session you want to load
call session_id($sessid) with this session id before session_start()
call session_start()
This should work as long as the various ini settings that control the session lib, like session.save_path, are the same and maybe (if your host has this extension installed) Suhosin settings like suhosin.session.cryptdocroot don't interfere.
You can get it in cookies
<?php
print_r($_COOKIE['ci_session']);
Save the session data which you want to refer to from outside the folder into cookies, which may help you.
So use cookies to refer to data from outside the folder, and make sure that when you set cookies they are set on a properly accessible path.

Compare cookie on site load

I am using Code Igniter and I am implementing a remember user functionality.
Basically, from another Stack Overflow post, I implemented this the right way where I generate a random string for that user, save it in the database AND in a cookie. On site load, I check for that cookie; if that cookie is found I check it in the database. If it is found in the database then I recreate the session for that user.
The problem I am having is when I load the site. I am getting the value of the cookie and I am also getting the correct response from the AJAX call. However, I have to click on a link in order for the session to get recreated (such as menu is displayed for logged in user and so on).
I am thinking that I am recreating the session AFTER the index method of the main controller is called. How can I get around this in Code Igniter? Where can I put this code which preferably gets run first thing on every page? As for instance I also want to recreate the session if the user enters the site's contact us page instead of the home page.
Many thanks in advance.
CodeIgniter allows the developer to create hooks which are called at different moments before the controller method is called.
Here is a short description of how to use hooks:
http://codeigniter.com/user_guide/general/hooks.html
If you want to access the session, I would recommend to use a post_controller_constructor hook, which is called after the controller constructor is executed, but before the action method is called. ( access the CI session in a pre controller codeigniter hook )

Destroy files when session will destroy in php

Is it possible to remove files from a folder when the session is destroyed? What I am doing is this: a user comes to the site and can upload files (images, text files, etc.) without logging into the site, and the files are stored in my project's folder. Now, if the user quits the browser without logging in, I need to delete all the files he uploaded into the project folder. How do I do this?
Thanks in advance.
You can do this by implementing your own session handler. This way, you can define a callback for various events, including the destruction of a session. See this link for more information:
http://www.php.net/manual/en/function.session-set-save-handler.php
Update: The problem with that solution is that you need to implement the rest of the session handling code as well (initialize the session, close the session, read from storage, write, garbage collect). However, the linked page above gives a full example that you can add your functionality to.
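One way to get the destroy callback without reimplementing the whole storage layer, shown as an added example that is not part of the original answer: extend PHP's built-in SessionHandler and override only the methods that matter. It assumes PHP 8 or later; the class name UploadCleanupHandler, the anon_uploads directory and the one-directory-per-session-ID layout are hypothetical.

```php
<?php
// Added example (PHP 8+). Class name and <uploadRoot>/<session id>/ layout are assumptions.
class UploadCleanupHandler extends SessionHandler
{
    public function __construct(private string $uploadRoot) {}

    // The session ID becomes a path component: accept only the characters PHP
    // generates for IDs, so a crafted cookie value cannot leave the upload root.
    private function dirFor(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{1,256}$/', $id)
            ? $this->uploadRoot . '/' . $id : null;
    }

    private function remove(?string $dir): void
    {
        if ($dir !== null && is_dir($dir)) {
            array_map('unlink', array_filter(glob($dir . '/*') ?: [], 'is_file'));
            rmdir($dir);
        }
    }

    // Every request: mark the visitor's upload directory as still in use.
    public function read(string $id): string|false
    {
        $dir = $this->dirFor($id);
        if ($dir !== null && is_dir($dir)) {
            touch($dir);
        }
        return parent::read($id);
    }

    // session_destroy(): delete the uploads together with the session data.
    public function destroy(string $id): bool
    {
        $this->remove($this->dirFor($id));
        return parent::destroy($id);
    }

    // Garbage collection: a closed browser never triggers destroy(), so sweep
    // directories whose session has been idle longer than the lifetime.
    public function gc(int $max_lifetime): int|false
    {
        foreach (glob($this->uploadRoot . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
            if (filemtime($dir) < time() - $max_lifetime) {
                $this->remove($this->dirFor(basename($dir)));
            }
        }
        return parent::gc($max_lifetime);
    }
}
session_set_save_handler(new UploadCleanupHandler(sys_get_temp_dir() . '/anon_uploads'), true);
```

Call session_set_save_handler before session_start(), and have the upload code store each file under a server-generated name inside the directory named after session_id().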
It all depends on the business decision.
You can do this: do not save the file in the project's folder; instead save it somewhere else, like a 'tmp' folder, and save the reference to that file (file path) in the session.
With the unlink("path") function you can do it in PHP, but it also depends on the logic that you have used.
If you just want to delete an uploaded file, then unlink is your solution.
Use session_set_save_handler to create an event handler for session events.
Sriram,
In PHP, it seems the server does not keep track of the session on its side. The only time the server knows a session has expired is when it receives the info about the session cookie in the request. If the cookie is there, the session exists, or else it's expired.
