I'm trying to integrate a forum (created in Codeigniter) into a website (simple php >>> no framework used).
In order to automatically login to the forum, when I login in my website, I need to use a function of the forum which expects 2 parameters $username and $password.
I already have this informations (username and password) from my website, in $_SESSION.
How can I read the $_SESSION from the forum(as I say before Codeigniter based), because, I have no acces to it.
Is there a posibility to define 2 constants, somewhere in the core / config of the forum, to hold these details from $_SESSION, in order to have acces from anywhere inside the forum ?
I know that the sessions from CI are different from $_SESSION, so please help me with something more practical, in order to solve my problem.
Thanks.
Read this url;-
http://codeigniter.com/forums/viewthread/158923/#766011
http://codeigniter.com/forums/viewthread/188648/#892137
In case for those who want to do native session with 2.0.2
Just copy the native_session.php file to your application/libraries/ and rename it as Session.php
Then change the class name and constructor name to CI_Session
Also add the following then it should work fine.
function sess_destroy()
{
$this->destroy();
}
or
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
Native / Database hybrid
Code Igniter
Citrusmedia - Matthew Lymer
*/
class CI_Session
{
var $sess_table_name = '';
var $sess_expiration = 7200;
var $sess_match_ip = FALSE;
var $sess_match_useragent = TRUE;
var $sess_time_to_update = 300;
var $encryption_key = '';
var $flashdata_key = 'flash';
var $time_reference = 'time';
var $gc_probability = 5;
var $userdata = array();
var $CI;
var $now;
/**
* Session Constructor
*
* The constructor runs the session routines automatically
* whenever the class is instantiated.
*/
function CI_Session($params = array())
{
log_message('debug', "Session Class Initialized");
// Set the super object to a local variable for use throughout the class
$this->CI =& get_instance();
// Set all the session preferences, which can either be set
// manually via the $params array above or via the config file
foreach (array('sess_table_name', 'sess_expiration', 'sess_match_ip', 'sess_match_useragent', 'sess_time_to_update', 'time_reference', 'encryption_key') as $key)
{
$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
}
// Sessions, start your engines!
ini_set("session.gc_maxlifetime", $this->sess_expiration);
session_start();
// Load the string helper so we can use the strip_slashes() function
$this->CI->load->helper('string');
// Are we using a database? If so, load it
if( !$this->sess_table_name ) {
die('Session class database table name not configured');
}
$this->CI->load->database();
// Set the "now" time. Can either be GMT or server time, based on the
// config prefs. We use this to set the "last activity" time
$this->now = $this->_get_time();
// Set the session length. If the session expiration is
// set to zero we'll set the expiration two years from now.
if ($this->sess_expiration == 0)
{
$this->sess_expiration = (60*60*24*365*2);
}
// Run the Session routine. If a session doesn't exist we'll
// create a new one. If it does, we'll update it.
if ( ! $this->sess_read())
{
$this->sess_create();
}
else
{
$this->sess_update();
}
// Delete 'old' flashdata (from last request)
$this->_flashdata_sweep();
// Mark all new flashdata as old (data will be deleted before next request)
$this->_flashdata_mark();
// Delete expired sessions if necessary
$this->_sess_gc();
log_message('debug', "Session routines successfully run");
}
// --------------------------------------------------------------------
/**
* Fetch the current session data if it exists
*
* #access public
* #return bool
*/
function sess_read()
{
// Unserialize the session array
// $session = $this->_unserialize($session);
$session = array();
foreach( array('session_id', 'ip_address', 'user_agent', 'last_activity') as $key )
{
if( !isset($_SESSION[$key]) ) {
$this->sess_destroy();
return FALSE;
}
$session[$key] = $_SESSION[$key];
}
// Is the session current?
if (($session['last_activity'] + $this->sess_expiration) < $this->now)
{
$this->sess_destroy();
return FALSE;
}
// Does the IP Match?
if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())
{
$this->sess_destroy();
return FALSE;
}
// Does the User Agent Match?
if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 50)))
{
$this->sess_destroy();
return FALSE;
}
$this->CI->db->where('session_id', $session['session_id']);
if ($this->sess_match_ip == TRUE)
{
$this->CI->db->where('ip_address', $session['ip_address']);
}
if ($this->sess_match_useragent == TRUE)
{
$this->CI->db->where('user_agent', $session['user_agent']);
}
$query = $this->CI->db->get($this->sess_table_name);
Related
I'm using the spotify api and for some reason their session class blocks to store own data in $_SESSION. As a workaround I wrote a class 'SystemHelper':
namespace App;
class SystemHelper
{
/**
* if session_id is empty string, then session_id has not been initialized
* then set session_id named 'session1'
* start session needs 2 parameters, name and value
* always close session after writing
*
* #param string $name any given name
* #param [type] $value any given value
*
*/
public static function customSessionStore($name, $value)
{
if (session_id() == '') {
session_id('session1');
}
session_start();
$_SESSION[$name] = $value;
session_write_close();
}
It is possible now to store data in $_SESSION but the problem is that as long as I'm logged in with my account (own login form, not spotfiy account), everybody else is logged in, no matter which browser, ip, etc...
I don't know how this can be solved. Shouldn't session_id generate a random id? Anybody can help please?
Leaving out
if (session_id() == '') {
session_id('session1');
}
doesn't solve it because I need to read and delete the data stored in session as well. So, additionally I have in this workaround:
public static function customSessionRead($name)
{
if (session_id() == '') {
session_id('session1');
}
session_start();
session_write_close();
return $_SESSION[$name];
}
and...
public static function customSessionDestroy()
{
session_start();
session_destroy();
}
If i get this right.. all your users get the same session_id().
So they technically share one session. As much as i know, if you start a session, the session_id() will be automattically generated. So you dont need to set the session_id() by yourself.
So your code should look like this:
class SystemHelper
{
/**
* if session_id is empty string, then session_id has not been initialized
* then set session_id named 'session1'
* start session needs 2 parameters, name and value
* always close session after writing
*
* #param string $name any given name
* #param [type] $value any given value
*
*/
public static function customSessionStore($name, $value)
{
session_start();
$_SESSION[$name] = $value;
session_write_close();
}
}
Solved, actually pretty simple. The problem first:
If written like this:
session_id('session1');
in both, customStore and customRead simply means resuming the session. Of course you will always get the same data, no matter which browser, ip, ... that's the point of resuming the session.
What is solved:
session_create_id($name);
So, the full again:
public static function customSessionStore($name, $value)
{
// if (session_id() == '') {
// session_id('session1');
// }
session_create_id($name);
session_start();
$_SESSION[$name] = $value;
session_write_close();
}
and,
public static function customSessionRead($name)
{
// if (session_id() == '') {
// session_id('session1');
// }
session_start();
session_write_close();
return $_SESSION[$name];
}
I want something like this in a class structure:
$public $choice;
function __construct(){
$this->set_login($this->choice);
}
private function set_login($this->choice){
if($this->choice=='2'){
// don't set login credentials
}else{
// set login credentials
}
}
The above code requires $choice to be set every time before I initialize the class.
But I want to set $choice as optional parameter.
I want if in any page, I call like this:
$login = new login();
that class will set login credentials normally but if called like this:
$login = new login();
$login->choice = 2;
then login credentials will not be set.
I am not sure, whether the class will be executed in such way because as soon as I initialize the class, the __construct method will be called and the $choice to be set at that time. But if I set $choice after initialization, then will the code work?
How can I make a parameter optional in oop?
Just define you method set_login as:
public function set_login($choice = 1) {
if ($choice == 2) {
// don't set login credentials
} else {
// set login credentials
}
}
And use it like that:
$login = new login();
// Login.
$login->set_login();
// Doesn't login.
$login->set_login(2);
EDIT:
Another solution:
private $choice;
function __construct($choice = false) {
$this->set_login($choice);
// If you want to remember the choice, you can save it in a property:
$this->choice = $choice;
}
private function set_login($choice) {
if ($choice == 2) {
// don't set login credentials
} else {
// set login credentials
}
}
Note that the following code will never work as you expect because you change the value of choice after executing the method set_login in the constructor:
$login = new login();
$login->choice = 2;
I'm running an application where in the controller I'm trying to set session variables using Zend_Session and Zend_Session_Namespace:
Bootstrap.php
protected function _initSession()
{
Zend_Session::start();
}
SomeController.php
protected function updateQuestionViewsTotal($question)
{
$userSession = new Zend_Session_Namespace('QA_Session');
if (! is_array($userSession->questionViews)) {
$userSession->questionViews = array();
}
// create session array to contain the questions this
// user has viewed.
if(array_search($question->id, $userSession->questionViews) === false) {
$question->views_total++;
$question->save();
}
// ensure that this page is in the array
array_push($userSession->questionViews, $question->id);
$userSession->questionViews = array_unique($userSession->questionViews);
}
As you can see from above, I have within one of my controllers a method with an attempt to use session variables via Zend_Session_Namespace.
However, when I insert a var_dump on the second page load (refresh):
protected function updateQuestionViewsTotal($question)
{
$userSession = new Zend_Session_Namespace('QA_Session');
var_dump($userSession));
if (! is_array($userSession->questionViews)) {
$userSession->questionViews = array();
}
..Please note: this is AFTER I've run it once, so I'm expecting that the session variable has been set. Anyway on every occasion, it is NULL. So it would seem that the variable isn't being written to $_SESSION? What am I doing wrong?
I'm writing a simple website which allows a user to login, fill out a form which is submitted to a database and then log out. In order to manage the session, I used the session manager which is described by TreeHouse on the following page: http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions
In order to protect against hijacking, the client's IP address and user agent are stored in the session variable and compared to the server's values for these properties on each page. If they don't match, then it is assumed that the session has been hijacked and it is reset.
The implementation seems to work on my local machine without any issues, but when I uploaded it to the server, each page refresh causes the preventHijacking() function to return false (meaning it believes the session has been hijacked). However, if I echo any text within that function, the problem mysteriously disappears and the whole thing works as I expect it to (except for the bit of echoed text which is now displayed above my form :P).
I haven't a clue why this would be the case and I can't figure out how to fix it. The session manager code is below. At the start of each page, I use this to start the session and then each page simply uses or sets whatever variables it requires. If anyone could suggest why the function always returns false unless it echoes text and perhaps suggest what modification I need to make so that it will behave in the expected manner, I'd really appreciate it.
<?php
class SessionManager {
protected static $timeout = 600; // Time before automatic logout for the session
static function sessionStart($name, $limit=0, $path='/', $domain=null, $secure=null) {
// Set the cookie name before we start
session_name($name.'_Session');
// Set the domain to default to the current domain
$domain = isset($domain)? $domain : $_SERVER['SERVER_NAME'];
// Set the default secure value to whether the site is being accessed with SSL
$https = isset($secure)? $secure : isset($_SERVER['HTTPS']);
// Set the cookie settings and start the session
session_set_cookie_params($limit, $path, $domain, $secure, True);
session_start();
// Make sure the session hasn't expired and destroy it if it has
if(self::validateSession()) {
// Check to see if the session is new or a hijacking attempt
if(!self::preventHijacking()) {
// Reset session data and regenerate ID
$_SESSION=array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
self::regenerateSession();
// Give a 5% chance of the session ID changing on any request
} else if (rand(1, 100) <= 5) {
self::regenerateSession();
}
$_SESSION['LAST_ACTIVITY'] = time();
} else {
$_SESSION = array();
session_destroy();
session_start();
}
}
static function preventHijacking() {
if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent'])) {
return false;
}
if($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) {
return false;
}
if($_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
return false;
}
return true;
}
static function regenerateSession() {
// If this session is obsolete, it means that there already is a new id
if(isset($_SESSION['OBSOLETE']) && $_SESSION['OBSOLETE'] === True) {
return;
}
// Set current session to expire in 10 seconds
$_SESSION['OBSOLETE'] = True;
$_SESSION['EXPIRES'] = time() + 10;
// Create new session without destroying the old one
session_regenerate_id(false);
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
// Set session ID to the new one and start it back up again
session_id($newSession);
session_start();
// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
}
static protected function validateSession() {
// Check if something went wrong
if(isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES'])) {
return false;
}
// Test if this is an old session which has expired
if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) {
return false;
}
// Check if the user's login has timed out
if(isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > self::$timeout) {
return false;
}
return true;
}
}
?>
I could be way out here (it's been a while) but that sounds like the buffer containing the headers isn't being flushed for some reason. Providing body would force them to be flushed, so maybe not providing the body doesn't flush?
Try putting ob_end_flush(); in there before you return. That may fix it.
I've been working on the security of my site (PHP) and there's a ton of information to ingest. I've tried to implement security I've researched on OWASP, but one thing I'm a little nervous about, among other things, is how to handle SESSIONS when the user logs out.
Currently all I'm using is:
session_destroy();
But, I've read that I should change the XRSF token and start another SESSION so it forces the user to resubmit login credentials in-turn explicitly ending the users SESSION.
Is session_destroy() enough?
EDIT
I've downloaded michael-the-messenger, which I believe was created by Michael Brooks (Rook) which should be VERY secure, and I saw some code that I might want to use. Is this something that could safely replace the session_destroy() I'm using?
CODE
if($_SESSION['user']->isAuth())
{
/* if they have clicked log out */
/* this will kill the session */
if($_POST['LogMeOut'] == 'true')
{
//When the user logs out the xsrf token changes.
$tmp_xsrf = $_SESSION['user']->getXsrfToken();
$_SESSION['user']->logout();
$loginMessage = str_replace($tmp_xsrf, $_SESSION['user']->getXsrfToken(), $loginMessage);
print layout('Authorization Required', $loginMessage);
}
else
{
header("Location: inbox.php");
//user is allowed access.
}
}
else
{
// code goes on ....
LOGOUT
public function logout()
{
$_SESSION['user'] = new auth();
}
Obviously $_SESSION['user'] = new auth(); reinstantiates the object which sets a private variable $auth to false.
but one thing I'm a little nervous about, among other things, is how
to handle SESSIONS when the user logs out.
According to manual:
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
So, in order to safely destroy a session, we'd also erase it on the client-machine.
session_destroy() along with setcookie(session_name(), null, time() - 86400) will do that.
Apart from that,
What you are doing wrong and why:
Session storage merely uses data serialization internally. By storing
an object in the $_SESSION superglobal you just do
serialize/unserialize that object on demand without even knowing it.
1) By storing an object in $_SESSION you do introduce global state. $_SESSION is a superglobal array, thus can be accessed from anywhere.
2) Even by storing an object that keeps an information about logged user, you do waste system memory. The length of object representation is always greater than a length of the strings.
But why on earth should you even care about wrapping session functionality? Well,
It makes a code easy to read, maintain and test
It adheres Single-Responsibility Principle
It avoids global state (if properly used), you'll access session not as $_SESSION['foo'], but $session->read['foo']
You can easily change its behaivor (say, if you decide to use DB as session storage) without even affecting another parts of your application.
Code reuse-ability. You can use this class for another applications (or parts of it)
If you wrap all session-related functionality into a signle class, then it will turn into attractive:
$session = new SessionStorage();
$session->write( array('foo' => 'bar') );
if ( $session->isValid() === TRUE ) {
echo $session->read('foo'); // bar
} else {
// Session hijack. Handle here
}
// To totally destroy a session:
$session->destroy();
// if some part of your application requires a session, then just inject an instance of `SessionStorage`
// like this:
$user = new Profile($session);
// Take this implementation as example:
final class SessionStorage
{
public function __construct()
{
// Don't start again if session is started:
if ( session_id() != '' ) {
session_start();
}
// Keep initial values
$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
}
/**
* You can prevent majority of hijacks using this method
*
* #return boolean TRUE if session is valid
*/
public function isValid()
{
return $_SESSION['HTTP_USER_AGENT'] === $_SERVER['HTTP_USER_AGENT'] && $_SESSION['REMOTE_ADDR'] === $_SERVER['REMOTE_ADDR'] ;
}
public function __destruct()
{
session_write_close();
}
/**
* Fixed session_destroy()
*
* #return boolean
*/
public function destroy()
{
// Erase the session name on client side
setcookie(session_name(), null, time() - 86400);
// Erase on the server
return session_destroy();
}
public function write(array $data)
{
foreach($data as $key => $value) {
$_SESSION[$key] = $value;
}
}
public function exists()
{
foreach(func_get_args() as $arg){
if ( ! array_key_exists($arg, $_SESSION) ){
return false;
}
}
return true;
}
public function read($key)
{
if ( $this->exists($key) ){
return $_SESSION[$key];
} else {
throw new RuntimeException('Cannot access non-existing var ' .$key);
}
}
}
Maybe session_unset() is what you are looking for.