My problem is that multiple session cookies are generated for the same user and browser/tab.
I have an init.php file, which is the only file responsible for starting sessions. The first few lines of said file look like this:
<?php
session_start();
...
...?>
This file is located at /include/init.php, which itself is in a subdirectory.
I then have another PHP file located at /include/phpjson/memberInfo.php.
This file, like all the other files, includes the init.php file. But as soon as this file is executed, another session cookie shows up in the tmp directory.
The problem isn't just that another session cookie is created, but also that my main pages located at root now seem to be using a different session than the ones located in any subdirectory.
After searching Stack Overflow and other sites on Google, I found that some people recommended using the session_set_cookie_params function to set the path for the session cookies. However, since all the session cookies were already in the same folder, this didn't have any effect.
I understand that whichever file including the init.php will run the containing code from the file itself, not from where init.php is originally located. Which explains why all the files in root seem to be sharing the same session.
The simple solution here is to have every php script in the root directory, but this doesn't seem like the right thing to do.
If there are any questions regarding this issue please ask in the comments. I will try to respond to them as soon as possible.
Thanks in advance :)
Regards
Daniel Holst
PHP sessions work as expected in root directory, and one directory deep. Directories that exist 2 deep end up with a new session id, and all session variables are lost.
I include a file config.inc.php (absolute path) into all pages which calls session_start() and initializes the SESSION variables. I found a PHP directive setting that seems to mention subdirectories, but it looks like it is referring to subdirectories of temporarily stored session files.
I've double checked using the HTTPFox Firefox plugin: as soon as I visit any page 2 levels deep, the session is gone, and a new session ID is issued. Very strange...
Ah, it looks like I was writing my URLs to those particular directories using localhost instead of 127.0.0.1... The different domain caused the browser to think it was a different website, I guess. Changing this solved my problem.
I have two scripts on the same domain.
www.xxx.com/first/
www.xxx.com/second/
I have register_globals=on, I've checked the spelling multiple times. I've checked session_save_path() and they both are working on the same directory.
I even tried setting session_save_path to a new directory just in case.
Each script is accessing a session independently. If I set the value of a session variable in one script, it stays. If I set the value of it in the other script it stays. Neither of the scripts is updating the other, so they must be writing their own sessions. I'm using the same browser without any security.
Any ideas as to what would make these talk?
Thanks!
UPDATE!
Found out that one of the scripts was defining a session_name variable. Make sure that these are the same.
Thanks for all your help anyways!
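An added example, not code from any of the posts above: a single bootstrap that fixes the session name and the cookie's URL path scope before session_start(), plus a log line for comparing two scripts that appear to use different sessions. APP_SESSION_NAME, start_shared_session() and session_fingerprint() are assumed names, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not the posters' code). All names here are assumptions.
// Include this one file from every script, in any directory.

const APP_SESSION_NAME = 'APPSESSID'; // must be identical in every script

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // an earlier include already started it
    }
    session_name(APP_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',    // URL path scope: sent for /, /first/, /include/phpjson/
        // no 'domain': the cookie stays host-only, so localhost and 127.0.0.1
        // are separate sites with separate sessions
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// What to compare between two scripts that "lose" the session.
// The session id is hashed so the log never contains a usable id.
function session_fingerprint(): array
{
    return [
        'host'        => $_SERVER['HTTP_HOST'] ?? '(cli)',
        'name'        => session_name(),
        'cookie_path' => session_get_cookie_params()['path'],
        'save_path'   => session_save_path(),
        'id_sha256'   => substr(hash('sha256', session_id()), 0, 12),
    ];
}

start_shared_session();
error_log('session: ' . json_encode(session_fingerprint()));
```

If host, name or cookie_path differs between the log lines of two scripts, they are not sharing a session cookie, whatever the save path says.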
You should recognize the first tag as an opening php tag (if you don't you should probably learn php). What follows is a small check that makes sure that this file is being included by Kohana. It stops people from accessing files directly from the url.
http://kohanaframework.org/3.2/guide/kohana/tutorials/hello-world
Let's assume that your web server's DocumentRoot is /srv/www and you put your example code under /srv/www/application/classes/controller/hello.php.
"stop accessing files directly from URL" means that if a user now navigates to www.example.com/application/classes/controller/hello.php it will not run the script, instead it will display 'No Direct Script Access', since SYSPATH is not defined.
http://kohanaframework.org/3.2/guide/kohana/flow
So I have a fairly noobish question, I have been reading up a lot around the subject, but can't quite find the answer I want, so bear with me...
I have a fairly simple website that I have been designing, consisting of the following:
1) HTML and PHP files that I want the user to be able to access directly by typing in the url in the browser.
2) HTML files that are only to be viewed inside an iframe in 1) (don't ask me why I used iframes)
3) PHP files that are called on by 1), e.g. when form data is submitted. I want 2) and 3) to be accessible to 1), but not directly accessible to the user by typing in the url.
4) images and includes, etc.
5) maybe this is a different issue altogether, but I also have a MySQL database.
I understand that I can control access to files by putting them in private/public folders in the website directory? My question is how should my directory structure be and where should I put 1), 2), 3), etc.?
Thanks a lot for your help.
Your directory structure does not matter. Any URL that is accessible to some users is accessible to all users. You only have control over the content of that URL.
If you really need to limit access to the content loaded by 1) you have to use PHP to serve the content. That PHP script can check some parameters or login credentials or something that makes sure the URL has been loaded by 1).
However, it's hard to give you a clear answer since you don't describe the concrete problem you're having. For example, it makes much difference how secure the method needs to be. For example, it's rather simple to check if a URL is loaded inside a frame using JavaScript but that check is not hard to circumvent.
Your httpdocs directory is your Apache DocumentRoot (found in /etc/httpd/conf/httpd.conf) or your vhost DocumentRoot (if you've got vhosts defined), so assuming Linux:
1,2,4 should go into /var/www/vhosts/sitename.com/httpdocs/ - these are directly accessible through the browser.
3 should go into /var/www/vhosts/sitename.com/library/. When the user submits data it should hit a handler page (the user must be able to "see" this page) and that page includes the necessary files from this library directory. As long as your server is configured to run PHP for all *.php scripts this is probably unnecessary, as there is little advantage to be gained from hiding PHP scripts. If you don't want them invoked directly and you'd like to leave them in a publicly accessible area, try:
public script:
define('INVOKED_BY_SCRIPT', true);
...
include "../library/hiddenScript.php";
"hidden" script:
if (!defined('INVOKED_BY_SCRIPT') || true !== INVOKED_BY_SCRIPT) {
    echo "Cannot invoke directly";
    exit;
}
Your MySQL database should be in /var/lib/mysql, or wherever it's been installed by default. Be sure to run the MySQL security script mysql_secure_installation to remove default passwords and test databases.
Everything except the includes should be in your public_html directory.
For 3, it is not possible to have a PHP script that can be referenced by a form but is not accessible by the user typing the address into the address bar. The best you could do is to check the post variables to see whether anything has been posted. You could check the HTTP_REFERER variable, but I would not recommend this since it cannot be relied on.
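An added example, not part of any answer here: one way to do the "check some parameters" and "check the post variables" steps the answers above describe, by tying the handler to a token that the public page stored in the session when it rendered the form. issue_form_token(), request_is_from_our_form() and the form_token field are hypothetical names.

```php
<?php
// Added example; function and field names are hypothetical.
// In practice both functions live in a shared include.

// Called by the public page (item 1) while rendering the form, after
// session_start():
//   <input type="hidden" name="form_token"
//          value="<?= htmlspecialchars(issue_form_token(), ENT_QUOTES) ?>">
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// True only for a POST that carries the token stored in this session.
function request_is_from_our_form(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // a URL typed into the address bar arrives as GET
    }
    $sent     = $post['form_token'] ?? '';
    $expected = $session['form_token'] ?? '';
    return is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent); // constant-time comparison
}

// Handler script (item 3): refuse anything that did not come from the form.
session_start();
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if (!request_is_from_our_form($method, $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}
// ... process the submitted form data here ...
```

Unlike HTTP_REFERER, the token is compared against server-side session state, so the check does not depend on a header the client chooses to send.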
You can't make HTML only to be viewed inside an iframe.
There are NO files called by 1). It's the user's browser that calls your files.
So, just leave your directory structure as is, it's okay.
What you're probably looking for is a way to "hide" your executable files outside of the document root, which you can do with a directory structure something like this:
public_html              <-- (document root)
    index.php            <-- (publicly accessed index file)
    images
    htmlstuff
private_index.php        <-- (application's "real" index file)
application
tmp
Then, for public_html/index.php, you'd just have:
<?php
require_once('../private_index.php');