I'm creating a dashboard where I have the front end on one subdomain and the API, which is in PHP, on another subdomain. I was looking for how to preserve $_SESSION between the two and found this. So what I'm inquiring about is: since cookies are stored on the user's machine and I'm sending the user ID to the API, would they be able to manipulate this value and browse the app as a different user, assuming I use session_set_cookie_params()? So I would be using $_SESSION in the API, but this native function makes me think they'd be able to change the value.
I don't believe this method I've alluded to is of any danger (knock on wood) but I'm just going to go for the /api/ subfolder structure anyways at this point as having a separate endpoint seems to make things too spread out.
I have the following issue (that I know many of you probably have or had), but still I haven't found an explanation anywhere that satisfies me, or at least a proper solution.
In the session script of any of the sites that I make, if the user goes through the domain using www.domain.com and logs in, but then in a different tab he goes to the same page without the www. (domain.com), the session hasn't been started in that one.
I have found these two questions on Stack Overflow, but none of them offers a real solution or at least an explanation of this behavior.
different session with url's with-www and without-www
PHP session login different for url with www and without www?
OK, to get to the point: these redirections and rules don't work in my case.
Why? Because I'm working with a payment provider that uses cURL to retrieve some data I send to them, and when they send the response back to me, they use a default URL which I have to give to them. Currently they have set up the address as www. But what if one of my users goes to a specific page of the site using the domain without the www.? When I get the response from the provider it goes to www.site.com and the user there is not logged in, and no actions can be applied.
Any help in this please?
Thanks
Cheers.
As said there: http://www.php.net/manual/en/function.setcookie.php
"Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'"
So just do
session_set_cookie_params(0, '/', 'yourdomain.com');
(without www).
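An added example (not part of the answer above) of that call in context, using the array form available since PHP 7.3 so the other cookie flags are set in the same place; the hostname example.com and the user_id key are assumptions:

```php
<?php
// Added example: share one PHP session between example.com and www.example.com
// by scoping the session cookie to the parent domain (hostname is assumed).
// Requires PHP >= 7.3 for the array form of session_set_cookie_params().
declare(strict_types=1);

const PARENT_DOMAIN = 'example.com';   // assumed: the registrable domain, no "www"

function session_cookie_options(string $parentDomain, bool $https): array
{
    return [
        'lifetime' => 0,              // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => $parentDomain,  // sent to example.com AND every subdomain of it
        'secure'   => $https,         // only over TLS when the site is served over HTTPS
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',          // still sent on a top-level redirect back from the payment provider
    ];
}

// Must run before session_start() on every entry point of the site.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(session_cookie_options(PARENT_DOMAIN, $https));
session_start();

// The browser now sends the cookie regardless of the "www." prefix, so a login
// performed on www.example.com is visible here on example.com too.
if (!isset($_SESSION['user_id'])) {
    // not logged in on either hostname
}
```

The cookie carries only the opaque session identifier; the values stored in $_SESSION stay on the server, which is why a user cannot edit them from the browser.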
Well, I'm having a strange problem here. I have a CodeIgniter 2 web application which requires user login.
My session works perfectly when I jump from one page to another. But when I turn on Firebug and try to jump to another page, I'm kicked back to the login page.
This happens every time I turn Firebug on, but works okay if it's not turned on. I have no clue what's going on.
Why is the CodeIgniter session not working when Firebug is turned on?
Any help will be highly appreciated.
Edit:
I have two separate applications made with CodeIgniter. Both have the same issue.
P.S. I am facing this problem on my local machine; I haven't checked on a remote server.
Thanks,
Sabin
If you have the session filtering by user agent, that's the problem. Firebug adds additional stuff which can cause CI to think your session has been hijacked.
If you have Firebug on globally, you may notice some sites tell you to disable the plugin for their site (for example Gmail) for that very reason.
Also, if the sessions are not being set, try a couple of different values in cookie_domain. Setting it to empty did the trick for me. It appears that CodeIgniter tries to fill in the value for you ($config['cookie_domain'] = "";).
I have 2 stores here: OC v1.4.9.3
1) tsubamecorp.com/singapore/
2) tsubamecorp.com/malaysia/
The problem is, when you log in to tsubamecorp.com/singapore/admin everything works fine.
The URL after login looks something like this: tsubamecorp.com/singapore/admin/index.php?route=common/home&token=827bcf36d9c167581620f377417e8774, but when you change the folder from singapore to malaysia in the URL, tsubamecorp.com/malaysia/admin/index.php?route=common/home&token=827bcf36d9c167581620f377417e8774,
you can log in without putting a username or password in the login page for the Malaysia store!!!
This only happens when you try in the same browser.
Any solutions??
Without changing the default behaviour of OpenCart (as explained by Zappo) you should set up a new host name for each shop instead. You'll have to register two separate DNS names and then access your shops as follows...
malaysia.tsubamecorp.com/admin/index.php
singapore.tsubamecorp.com/admin/index.php
You can still run with a single installation of OpenCart and a single database. This post may help you understand this configuration better...
http://forum.opencart.com/viewtopic.php?f=20&t=21411
I think this will only occur when you change the name and refresh. I guess when you log out and try to log in again it will not work.
That's default OpenCart behaviour...
I also think Jerome is correct. The cookies are in the same domain, so OpenCart thinks you're still logged-in.
HOWEVER, I don't see your problem...
If someone is able to get that cookie set, he or she has already logged in...
(e.g. this cannot happen when someone did not log in)
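As an added example (not OpenCart code, and not from any of the answers above), one way to stop two installations under one hostname from sharing a session cookie: give each store its own session name and cookie path derived from its install folder. The /singapore/ and /malaysia/ paths are the ones from the question; the helper functions are assumptions.

```php
<?php
// Added example: isolate the sessions of two PHP apps installed under one hostname
// (/singapore/ and /malaysia/) so a cookie issued by one is never sent to the other.
declare(strict_types=1);

// Derive the install folder ("/singapore/") from the script path; "/" is the assumed fallback.
function store_base_path(string $scriptName): string
{
    if (preg_match('#^(/[^/]+/)#', $scriptName, $m)) {
        return $m[1];
    }
    return '/';
}

// Returns the session cookie name chosen for this store, e.g. "sess_singapore".
function configure_store_session(string $basePath): string
{
    $name = 'sess_' . preg_replace('/[^a-z0-9]/i', '', $basePath);
    session_name($name);                // distinct cookie name per store
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => $basePath,        // browser sends it only for URLs under this folder
        'domain'   => '',               // current host only, no subdomains
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $name;
}

$sessionName = configure_store_session(store_base_path($_SERVER['SCRIPT_NAME'] ?? '/'));
session_start();
// A login under /singapore/admin/ now sets "sess_singapore" scoped to /singapore/;
// a request to /malaysia/admin/ carries no such cookie and must authenticate separately.
```

Cookie path is a tidiness boundary, not a security boundary: the browser's same-origin policy ignores paths, so the separate-hostname setup from the first answer remains the stronger isolation.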
I have to admin a small website for my alumni group which is hosted by my ISV. The URL is something like www.myIsv.com/myWebSite/, which is quite ugly and very forgettable. The main admin of the webserver has registered a domain name www.mysmallwebsite.com and put an index.html with this content:
<html>
  <head>
    <title>www.mysmallwebsite.com</title>
  </head>
  <frameset>
    <frame src="http://www.myIsv.com/myWebSite/" name="redir">
    <noframes>
      <p>Original location:
      http://www.myIsv.com/myWebSite/
      </p>
    </noframes>
  </frameset>
</html>
It works fine, but some features like PHP session variables don't work anymore! Does anyone have a suggestion for correcting that?
Edit:
This doesn't work on either IE or Firefox (no plugins).
Thanks
Sessions are tied to the server AND the domain. Using a frameset across domains will cause all kinds of breakage because that's just not what it was designed to do.
Try using Apache mod_rewrite to create a "passthrough redirection"; the "proxy" flag ([P]) in the rule is the magic flag that you need.
Documentation at http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
What do you mean?
Are you saying that when you go from www.mysmallwebsite.com to www.myIsv.com/myWebSite/ then the PHP session is lost?
PHP recognizes the session with an ID (an alphanumeric hash generated on the server). The ID is passed from request to request using a cookie called PHPSESSID or something like that (you can view the cookies a website sets with the help of your browser ... on Firefox you have Firebug + FireCookie and the wonderful Web Developer Toolbar ... with which you can view the list of cookies without a sweat).
So ... PHP is passing the session ID through the PHPSESSID cookie. But you can pass the session ID as a plain GET request parameter.
So when you place the HTML link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...
www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>
I haven't worked with PHP for a while, but I think this will work.
Do session variables work if you hit http://www.myIsv.com/myWebSite/ directly? It would seem to me that the server config would dictate whether or not sessions will work. However, if you're starting a session on www.mysmallwebsite.com somehow (doesn't look like you're using PHP, but maybe you are), you're not going to be able to transfer session data without writing some backend logic that moves the session from server to server.
Stick a session_start() at the beginning of your script and see if you can access the variables again.
It's not working because on the client sessions are per-domain. All the cookies are being saved for mysmallwebsite.com, so myIsv.com cannot access them.
#pix0r
www.myIsv.com/myWebSite/ -> session variables work
www.mysmallwebsite.com -> session variables don't work
#Alexandru
Unfortunately this is not on the same webserver
What browser/add-on do you have? It may be your browser or some other software (maybe even the web server) is blocking the sessions from http://www.myIsv.com/myWebSite/ working from within the frame, as it's located on a different site, thinking it's an XSS attack.
If the session works at http://www.myIsv.com/myWebSite/ without the frame you could always use a redirect from http://www.mysmallwebsite.com to the ugly URL, instead of using the frame.
EDIT:
I have just tried your frame code on a site of mine that uses sessions; Firefox worked fine, with me logging in and staying logged in, but IE7 logged me straight out again.
So when you place the HTML link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...
www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>
From a security point of view, I really really really hope that doesn't work
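An added example, not from any of the answers, of the server-side settings and login step that make a PHPSESSID passed in the query string useless: the ID is accepted from the cookie only, unknown IDs are rejected, and the ID is rotated at login. The authenticate() helper and its constructed user record are assumptions.

```php
<?php
// Added example: refuse session IDs supplied in the URL and rotate the ID at login,
// so a link like ...?PHPSESSID=abc cannot fix or hand over a session.
declare(strict_types=1);

// Accept the session ID from the cookie only; never append it to links or read it from GET.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not itself generate (an unknown ID gets a fresh one instead).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// Assumed helper: returns the user id for valid credentials, null otherwise.
// The single user record is constructed inline for the example.
function authenticate(string $user, string $password): ?int
{
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (isset($users[$user]) && password_verify($password, $users[$user]['hash'])) {
        return $users[$user]['id'];
    }
    return null;
}

function login(string $user, string $password): bool
{
    $id = authenticate($user, $password);
    if ($id === null) {
        return false;
    }
    // Discard the pre-login ID: whatever ID the visitor arrived with is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $id;
    return true;
}

// With these settings, ?PHPSESSID=... in the query string is ignored entirely,
// and the ID the browser had before login no longer maps to any session.
```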
You could also set a cookie on the user-side and then check for the presence of that cookie directly after redirecting, which if you're bothered about friendly URLs would mean that you don't have to pass around a PHPSESSID in the query string.
When people arrive at www.mysmallwebsite.com I would just redirect to http://www.myIsv.com/myWebSite/
<?php header('Location: http://www.myIsv.com/myWebSite/'); exit; /* stop output after the redirect header */ ?>
This is all I would have in www.mysmallwebsite.com/index.php
This way you don't have to worry about browser compatibility, or whether the sessions work; just do the redirect, and you'll be good.