So if I use a server to make a call to a web page (cURL or file_get_contents or something), and that web page assigns a session to that call (like I use that call to add an item to a shopping cart), is it possible to then migrate that session to a user's browser from the server?
If I'm understanding correctly, you want your server code to browse to a separate site behind the scenes, do something there that creates a session, and then redirect the user of your app to that separate site, but using the same session you created.
If the session is maintained using a cookie, as is likely, then no, you can't -- you'd have to set the cookie in the user's browser as if it came from that other site, and you can't. In general, this seems like it would be prevented by any sort of session hijacking protection, which most decent sites do have.
The alternative, I suppose, is to proxy for your user for their entire use of that other site (i.e. they click on stuff in your app and you pass it on to the other site behind the scenes).
I would suggest using simpletest's scriptable browser ( http://simpletest.sourceforge.net/en/browser_documentation.html ) to keep track of states while browsing the interwebs from your PHP codez.
Probably not - That call to cURL / file_get_contents will likely generate specific session information for the machine that requested it (i.e. your server). The remote machine should be keeping track of things like IP address and other identifiable information to prevent such a maneuver.
If this is possible, then your shopping cart software is horrifically vulnerable to session hijacking.
I don't believe that is possible. But you can start a session between the user's browser and your server, which keeps track of the session cookie that the remote web page issues you.
Is it possible to read the cookies that are sent by a third-party homepage using php?
Concretely, I want to find out if a page using GTM also sets .ga cookies.
I was thinking of a "virtual browser" solution on the server, is that possible / is anybody experienced with that?
Thanks!
No, because PHP runs on the server and gets only the cookies of that domain.
Cookies are stored on the client (browser). PHP is executed on the other side. The cookies are stored in the browser and the browser sends the cookie values along with the HTTP request to the server.
Therefore, the PHP process only gets to see the cookies of that domain.
And if you think of it, everything else would be a security flaw because every site could read for example secrets of sessions that are open on another site!
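The scoping rule this answer relies on, as an added example that is not code from the thread: the RFC 6265 domain-match, path-match and Secure checks a browser applies before attaching cookies to a request. The cookie jar, the cookie names and the `*.example` hosts are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: exact match, or the cookie domain is a dot-bounded suffix of the host.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: the cookie path must prefix the request path on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { hostname, pathname, protocol } = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatches(hostname, c.domain)))
    .filter((c) => pathMatches(pathname, c.path))
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => c.name);
}

// Constructed cookie jar; hostOnly means the cookie was set without a Domain attribute.
const jar = [
  { name: "PHPSESSID", domain: "shop.example", hostOnly: true, path: "/", secure: true },
  { name: "analytics_id", domain: "shop.example", hostOnly: false, path: "/", secure: false },
  { name: "cart", domain: "www.shop.example", hostOnly: true, path: "/checkout", secure: true },
  { name: "sid", domain: "other.example", hostOnly: true, path: "/", secure: true },
];

// The site that set the cookies gets them; a subdomain gets only the Domain-scoped one;
// an unrelated site (for example your own PHP app) gets nothing.
console.log(cookiesSentTo("https://shop.example/", jar));
console.log(cookiesSentTo("https://chat.shop.example/room", jar));
console.log(cookiesSentTo("https://myapp.example/script.php", jar));
```

The same matching is why a server-side script on one domain never sees another site's session or analytics cookies: the browser does not put them in the request at all.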
Since PHP sessions are basically cookies, and I am using them to authenticate logged in users (I know, I should move to tokens), is it possible to read the session cookie on my node app? (I want to create a simple chat that gets the logged in username from the PHP session, and on the way allow only logged in users to use the chat)
What would then be the preferred way to do that? (In terms of security as well)
Edit: I am trying to get something like the Node equivalent of this in PHP:
    if (!isset($_SESSION['user_id'])) {
        // don't allow access to the chat page
    } else {
        // show chat for the logged-in user
    }
A cookie is not language specific so if the cookie is there, you could certainly read it with node.js.
BUT, the browser only sends cookies to the server that they are associated with. So, if your PHP server is not part of the same sub-domain as the node.js server and the cookies are configured to allow sharing with sub-domains, then the browser won't send the PHP cookie to your node.js server.
To read cookies with Express, you can use the cookie-parser module. Samples for how to use it are in the doc. After installing the cookie-parser middleware, you would end up referencing:
req.cookies
to access that same cookie. To manage sessions using Express and node.js and keep track of server-side session state, one would typically use the express-session module.
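A Node-side counterpart of the `isset($_SESSION['user_id'])` check from the question, as an added example that is not code from the thread. It assumes the Node app can read the same session storage as the PHP app; `SESSION_STORE`, `chatUserFromRequest` and the session IDs are hypothetical, constructed stand-ins, and the header is parsed by hand so the block runs without Express.

```javascript
// Constructed stand-in for the session storage shared with the PHP app (assumption).
const SESSION_STORE = new Map([
  ["k3v9q2m1c8t7b6n5x4z0a1s2d3", { user_id: 42, username: "alice", expires: 2000000000 }],
  ["p0o9i8u7y6t5r4e3w2q1a2s3d4", { expires: 2000000000 }], // session exists, nobody logged in
  ["z1x2c3v4b5n6m7a8s9d0f1g2h3", { user_id: 7, username: "bob", expires: 1000 }], // expired
]);

// Parse a raw Cookie request header into name -> value (first occurrence wins).
function parseCookieHeader(header) {
  const cookies = Object.create(null); // no inherited keys such as "constructor"
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (!name) continue; // skip empty or nameless pairs
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch { continue; } // malformed encoding
    if (!(name in cookies)) cookies[name] = value;
  }
  return cookies;
}

// The cookie is only a lookup key; access is decided by what the server-side
// store says about that key, never by the cookie merely being present.
function chatUserFromRequest(cookieHeader, nowSeconds, cookieName = "PHPSESSID") {
  const id = parseCookieHeader(cookieHeader)[cookieName];
  // Character set and length range of PHP-generated session IDs (22 to 256 chars).
  if (typeof id !== "string" || !/^[A-Za-z0-9,-]{22,256}$/.test(id)) return null;
  const session = SESSION_STORE.get(id);
  if (!session || session.expires <= nowSeconds) return null;
  return session.user_id === undefined ? null : session.username;
}

const now = 1700000000; // fixed clock so the sample output is stable
console.log(chatUserFromRequest("theme=dark; PHPSESSID=k3v9q2m1c8t7b6n5x4z0a1s2d3", now));
console.log(chatUserFromRequest("PHPSESSID=p0o9i8u7y6t5r4e3w2q1a2s3d4", now));
console.log(chatUserFromRequest("PHPSESSID=../../etc/passwd", now));
```

In an Express app the parsed cookies would come from `req.cookies` once cookie-parser is installed; the lookup and the null-means-deny handling stay the same.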
I am working on a PHP website which is using the php_svn module to retrieve data from our SVN repositories.
For this I have set internally a hardcoded user/pwd so I can connect (dirty way...)
Now I would like to connect using my current LDAP user. This means that once I try to connect to SVN, PHP should be able to retrieve my current Windows session (the client side that executes IE, etc.) and pass it to SVN so it will still recognise me without prompting for user/pwd...
Not sure if this is possible but would be brilliant to achieve it :)
Has someone achieved something similar? In the php_svn site not much information is available for this specific point...
http://php.net/manual/en/book.svn.php
Thanks in advance!
It seems like you're trying to get a web request to be session based. Web requests are stateless (meaning each request starts over from a blank slate). If you want to maintain credentials between requests, you'll need to use some kind of session handler. PHP has a built-in one. http://php.net/manual/en/book.session.php
You won't be able to directly access the 'Windows session' however. The information has to make its way from the Windows session, into the browser, which isn't really possible without some kind of browser plugin... the more realistic way to do this is: have the user log in to the website, submit their credentials, then store them in a PHP session, to be re-used by PHP on every subsequent page load.
Say I have an application that requires the user to log in. If I log in at home on one network, then go somewhere else, like the library down the street, and switch networks, will the session continue?
In my question this is about Flash SWF embedded in an HTML page requesting a PHP page for login.
Also, it would be helpful to know whether this behavior is the same with HTML requests. I mean, if Flash uses the browser to send requests, then the result is the same for SWF applications and HTML applications, correct?
Most web requests with Flash are made via the browser and so follow the same rules in terms of what cookies are sent, etc. (the exception is the old file uploader, for which you had to hardcode it into the URL).
If your sessions are created via the standard PHP session module and you have enabled cookies (i.e. session.use_cookies ini setting), the browser will keep sending the session cookie until you close it.
If you have implemented IP address checks (which you shouldn't, but that's a personal thing), it might be possible for a session to get invalidated based on IP changes which are very likely to happen when you switch networks.
I think the question as it's asked is overly simplifying things.
The only sort of "session" that the browser is aware of is the concept of a session cookie. This is a snippet of information stored against a domain which will expire when you close the browser.
PHP sessions are implemented on top of session cookies, so until you close the browser you are in the same session, even if your IP address changes.
I don't know if Flash has its own concept of sessions at all. If not then whether your session expires depends on exactly how the flash application is coded.
I hope this clarifies things.
I want to clear all the cookies of a particular website in the users browser when a person runs a php script in my website.
Go through all of your cookies and run this:
setcookie("cookie_name", "", time() - 3600); // an expiry time in the past makes the browser delete the cookie
You cannot do this as the browser maintains the cookies for that web site, not your web site. This would be a breach in the contract between the web server and the browser.
Also it is up to the browser to handle cookies in the way that it sees fit - after all a cookie is asking the browser to do the web server a favour by storing some info between web page visits from that server (domain).
But if the cookies are from your domain/server then you can ask the browser to either make them time out or give them an invalid value.