For some reason I am unable to read any cookies from my CakePHP app on any page after they have been set, the only thing that is returned is garbled text.
My code is as simple as this:
$this->Cookie->write('Region', 'test');
$reg = $this->Cookie->read('Region');
pr($reg);
I uncomment the $this->Cookie->write() line and all I get back is a bunch of random control characters. I also recently upgraded to CakePHP 1.3 but AFAIK this should not effect cookie like this...
This was working fine until I changed server, this must be the root of my problem.
Update
After probing around further I have discovered this is a known issue with the Suhosin security patch for PHP effecting the rand() and srand() methods, I had configured Suhosin to allow the rand() functions but still it is happening, is there a more effective work around out there?
Try this code which will disable cookie encryption:
$this->Cookie->write('Region', 'test', false);
$reg = $this->Cookie->read('Region');
pr($reg);
The write method has the following params:
write(mixed $key, mixed $value, boolean $encrypt, mixed $expires)
By default all values in the cookie are encrypted by CakePHP. However for security reasons you may wish to look into working with the encryption.
CakePHP encrypts cookies by default.
Is your Security.salt value the same in this new installation?
How about the $key value in your cookie controller setup?
Related
PHP Version: 7.4
I'm using password_hash and I'm having a peculiar problem. My code works perfectly for me, I'm able to sign in to my website without any problems using Chrome. However, another person trying to sign in keeps getting an incorrect password error using Chrome, so I then tried signing in in another browser and I started getting the same error.
I've pinpointed the problem to the use of password_hash and password_verify which are returning null and false respectively. password_verify is returning false because it's comparing a null string against the valid password string in the database.
The password in the database looks similar to this: $2y$10$pH87se8G0fP9bE/s6RtPReVDqn2qOqs0CA8BE90DLCD9RLtLdG74e.
My code is as follows:
Password Creation (Only used on register.php):
$options = [ // pass hash options
'cost' => 14,
];
$pass = password_hash(base64_encode(hash("sha512", strval($_POST['password']), true), PASSWORD_DEFAULT, $options));
Password Verification (used on signin.php):
if(!password_verify(base64_encode(hash("sha512", strval($_POST['password']), true)), $fetch['password'])) {
As I said, this works perfectly for me in Chrome but not in any other browser, and this does not work for anybody else on any browser.
I also use this system on other websites and have never had issues before so I have no idea why I'm experiencing this problem.
Any ideas?
I solved this problem by removing the manual encoding as suggested by #Jeto (Jeto's Comment).
My code now looks as so:
password_hash($_POST['password'], PASSWORD_DEFAULT)
password_verify($_POST['password'], $fetch['password'])
The issue I had was still unusual because it sometimes worked as it was, but going back to basics solved the problem (as it so often does).
Thanks Jeto.
I'm been using PHP5.3.8 for a while now and I've just come across a new error for me;
Warning: Unknown: Your script possibly relies on a session side-effect
which existed until PHP 4.2.3. Please be advised that the session
extension does not consider global variables as a source of data,
unless register_globals is enabled. You can disable this functionality
and this warning by setting session.bug_compat_42 or
session.bug_compat_warn to off, respectively. in Unknown on line 0
To which there is a solution to here; PHP session side-effect warning with global variables as a source of data.
However, I still don't understand why this is happening. As far as I'm aware, there should be no ambiguity between $foo and $_SESSION['foo']?
I've tried testing a few of the scripts online that people say throw this error, but they don't throw the warning on my system, and the script I'm getting this warning on is hella complicated and stripping it down to a few lines in order to replicate the error is proving problematic.
However, I have narrowed it down to one line;
$bonus = isset($_GET['bonus']) ? $_GET['bonus'] : '';
$_SESSION['bonus'] is set to null in a previous page, and register_globals has been off since about PHP4.2 something, so can't be the $_GET scope.
So this brings me back to my first point; why is there suddenly an issue between $bonus and $_SESSION['bonus']? I say suddenly, because I am using this exact script on another site (same box) and I get no errors.
Could someone point me to anywhere that perhaps explains in more detail how PHP deals with session vars etc and why there is an issue between the two variables?
Thanks.
[Update]
Looking here; PHP Runtime Configuration it does mention that:
[PHP has...] an undocumented feature/bug that allows you to initialize a session variable
in the global scope...
I guess there may not be much more to say other than that. It just seems odd to me that PHP has issues with $_SESSION['foo']/$foo when $_SESSION['foo'] != $foo...
Try setting session.bug_compat_42 to off, it will turn off the functionality the warning is about. c.f. http://php.net/manual/en/session.configuration.php
Anyone got this problem before?
From codignier v1.7 i encode some data in order to provide web service to another site using codignier 2.0
$to_send = $this->encrypt->encode($data, '12345');
To another site using codignier 2.0 to get data from curl
if i dont encode and decode, data from curl is fine.
$to_get = $this->encrypt->decode($data, '12345');
I also try to add this to both site of website , but still not help in case it got some thing change in default value.
$this->encrypt->set_cipher(MCRYPT_RIJNDAEL_256);
$this->encrypt->set_mode(MCRYPT_MODE_CFB);
when echo $to_get data is not usable
"^6>þ×È·¾ˆ÷Íón´= wÁSùçâÈþbåNÚÁ»¿_óÈÔfÞã#sf=µ#¹vÏŽ§ÃíŽÞ"
Thanks
There is a encode_from_legacy method in the Encryption library introduced with the 2.0.0 updates. See the upgrading guide's Step 4. for more information.
Also make sure that you use the old site's encryption key when using the method (via the configuration files or passed in explicitly).
Setting up phpThumb for a website, and I want to secure the script by using hash-url's for each image.
I have enabled the security-option in phpThumb.config.php:
// * Security configuration
$PHPTHUMB_CONFIG['high_security_enabled'] = true; // if enabled, requires 'high_security_password' set to be set and requires the use of phpThumbURL() function (at the bottom of phpThumb.config.php) to generate hashed URLs
$PHPTHUMB_CONFIG['high_security_password'] = ' '; // required if 'high_security_enabled' is true, and must be at complex (uppercase, lowercase, numbers, punctuation, etc -- punctuation is strongest, lowercase is weakest; see PasswordStrength() in phpThumb.php). You can use a password generator like http://silisoftware.com/tools/password-random.php to generate a strong password
I use the function phpThumbURL() as described in the documentation;
require_once('img/phpThumb.config.php');
echo '<img src="'.phpThumbURL('src=/wp-content/uploads/2011/08/wall140-73.jpg&w=640&h=400&zc=1').'">';
Still, all I get is Error: Invalid hash
I got phpThumbs to work without this security-option, but I really do not want to have the script open for anyone to generate thumbnail-images on my server.
I don't understand how the hash can be invalid, and why it doesn't work.
For me helped INFO at the bottom of phpThumb.config.php
//////////////////////////////////////////////////////////////////////////////
// Function for generating hashed calls to phpThumb if 'high_security_enabled'
// example:
// require_once('phpThumb/phpThumb.config.php');
// echo '<img src="'.htmlspecialchars(phpThumbURL('src=/images/pic.jpg&w=50', '/phpThumb/phpThumb.php')).'">';
so to make thumb I use function htmlspecialchars(phpThumbURL(...)):
$path = 'C:\wamp\www\_img_test\\'; // YOUR PATH
require_once($path.'phpThumb\phpThumb.config.php');
$img = '1.jpg'; // YOUR IMAGE
$ParameterString = 'w=200&h=200'; // YOUR PARAMS
$url = 'http://localhost/_img_test/'; // YOUR URL
$path = htmlspecialchars(phpThumbURL('src=../'.$img.'&'.$ParameterString, $url.'phpThumb/phpThumb.php'));
echo '<img src="'.$path.'">'; // YOUR IMAGE
echo $path; // // YOUR IMAGE PATH
Of course in phpThumb.config.php set:
$PHPTHUMB_CONFIG['high_security_enabled'] = true;
$PHPTHUMB_CONFIG['high_security_password'] = 'V_8r}ZZj-)p4vVx0H6.4'; // YOUR PASSWD from: http://silisoftware.com/tools/password-random.php
$PHPTHUMB_CONFIG['disable_debug'] = true;
For me it works.
I had an same issue, sadly on production so I had to solve it.
There is a function at the bottom of "phpThumb.config.php" which calculates hash from "$parameterString" combined with "high_security_password", this hash is compared to the hash calculated in "phpThumb.php". Everything seems to be ok, but on my case "$parameterString" in "phpThumb.config.php" contained special HTML entities and "$_SERVER['QUERY_STRING']" in phpThumb.php didn't. So my solution was to add "htmlspecialchars_decode" for "$parameterString".
phpThumb v.1.7.11
This may seem silly, but in my config it seems the error I got of "invalid hash" was due to the use of GLOBALS in the phpThumbURL function at the end of phpThumb.config.php, the reason I got an invalid hash match was because the hash check in phpThumb.php was matching using the high_security_password and high_security_url_separator, whilst the function has itself inside the phpThumb.config.php was generating it without because despite the GLOBAL declaration of $PHPTHUMB_CONFIG vars, my server was ignoring it as the php_flag register_globals was off.
I merely changed
return $path_to_phpThumb.'?'.$ParameterString.$PHPTHUMB_CONFIG['high_security_url_separator'].'hash='.md5($ParameterString.$PHPTHUMB_CONFIG['high_security_password']);
to
return $path_to_phpThumb.'?'.$ParameterString.'&'.'hash='.md5($ParameterString.'my_high_security_password');
Replacing the high_security_password and high_security_url_separator with their actual values to fix this,
As of PHP 4.2.0, the register_globals directive defaults to off,
You could I guess use .htaccess if your host allows it and add a .htaccess entry: php_flag register_globals on.
I should note I did not get any error messages to warn me that this was happening, and it took a bit of debugging to back track to the fact that no password or separator was being used in the config to generate the hash which caused the mismatch.
I even ran the phpThumb.demo.check.php which indicated that my server was ready to go and did not specify this as a potential problem.
To be fair as PHP 5 is now the standard on all webservers, with register globals off by default, having this required to be enabled for phpThumb to work as default seems like a bit of an oversight as you would expect the class to work under typical defaults for the current version of PHP.
As someone else mentioned, register_globals is off by default in most environments and removed as of PHP 5.4.0 you can still use $GLOBALS though.
Before
function phpThumbURL($ParameterString, $path_to_phpThumb='phpThumb.php') {
}
put
$GLOBALS['PHPTHUMB_CONFIG'] = $PHPTHUMB_CONFIG;
That fixed it in my case
This might seem like a rather silly question, but you did fill in a sufficiently strong high_security_password?
Allthough #user3270861 is right about what causes the issue, there's a much easier solution:
You only need to place global $PHPTHUMB_CONFIG; somewhere at the beginning of the phpThumb.config.php file, for example right after the // START USER CONFIGURATION SECTION: part.
I just bumped into this problem myself.
I was using filters in the form of url params like :
&fltr[]=mask|../images/test.png&
It was working fine on Chrome but it turns out Firefox changes the
[] into %5B%5D
So the hash was messed up.
The solution was to replace [] by %5B%5D in my url. Chrome understood it ok and firefox did not have change it.
Looks like it is going to work when working on a live environment.
It just didn't on my localhost.
I've got a python/WSGI app which needs to check to see if a user has logged on to a PHP web app. The problem is that the PHP app checks if a user has logged on by comparing a value in the $_SESSION variable to a value in the cookie from the user's browser. I would prefer to avoid changing the behavior of the php app if at all possible.
My questions:
Is there anyway I can access the session variables from within python? Where should I start to look?
Are there any obvious security/performance issues I should be aware of when taking this approach?
yep. session (in default) is a regular file. so all what you need is look over session directory and find file with name of session cookie value. then - you have to implement php-like serialize/unserialize and do whatever you want.
nope
Depends on the PHP app, if it's keeping session data in a database (MySQL maybe) you can just connect to the database and get the data, if it's using native PHP sessions you should look to the session.save_path config setting in php.ini, that's the place where the runtime saves files with the session data.
Once you have the data you can parse it to get it unserialized, take a look at how serialize() and unserialize() work in PHP.
I'm currently in the process of trying to run a python server side by side with an existing Apache/php one. A custom solution I arrived at was to save the $_SESSION as an encrypted cookie, letting the php authentication operate as before, then share a private key between the two servers.
Two issues:
Up to you how to handle session expiry stuff.
I haven't bothered with an Initialization Vector, assuming the time stamp from my expiry stuff is enough. See https://stackoverflow.com/a/12486940/4495503 for why I might be being too security lax...
Anyway, my php encrypted cookie function:
session_start();
$encryptToCookie = function($varToEncode,$cookieName,$privateKey){
$iv = $privateKey;
$pass = $privateKey;
$method = 'aes-128-cbc';
$encryptedString = openssl_encrypt(json_encode($varToEncode), $method, $pass, true, $iv);
setcookie($cookieName,bin2hex($encryptedString));
};
$encryptToCookie($_SESSION,"sessionEncrypted","yohoyohoyohoyoho"); // private key must be 16bit
And my python side decryption:
from subprocess import Popen, PIPE
import binascii
def decrypt(encryptedString,privateKey):
encryptedString = binascii.unhexlify(encryptedString)
pathToOpenSSL = 'C:\pysrc\openssl\openssl.exe' # MODIFY THIS!!
openssl = Popen([pathToOpenSSL,
'enc','-aes-128-cbc','-d',
'-nosalt','-nopad','-K',
privateKey.encode('hex'),
'-iv',
privateKey.encode('hex')],
stdin=PIPE,stdout=PIPE)
decryptedString = openssl.communicate(encryptedString)[0].replace('\x04','')
return decryptedString
decrypt(encryptedString,'yohoyohoyohoyoho')
Hope this is of help to someone, remember all the usual stuff about generating private keys and then being careful with them!