Session propagation problem



s_iskenderian
Forum Newbie
Posts: 3
Joined: Fri Oct 04, 2002 1:11 am
Location: Melbourne, Australia

Session propagation problem

Post by s_iskenderian »

Hi,

I'm currently running PHP version 4.0.1.p12 on Linux and I'm using PHPLIB for session management and user authentication. The application I'm working on allows the user to navigate between a few pages on the same webserver. It also allows the user to navigate to a page on other webservers. Now, that's where my problem starts!!

My background research on PHP session management as well as PHPLIB definitely increased my knowledge of PHP but still I can't get to the bottom of it.

Following a successful login the user can navigate around with no problems until the following link is selected.

The php code HREF that should navigate the user to the required page is:

$urlRef = "<A HREF=\"http://".$host."/finddevice.php4?address=".urlencode($curDevice["Address"]).$passStr."\" onMouseOver='window.status=\"".$in_devicePort." : ".$curDevice["Name"]." @ ".$host."\"; return true;' onMouseOut='window.status=\"\"; return true;'>";

This essentially is http://sandalbox.ap.thmulti.com/finddev ... ssword=ABC

where 'abc1' is the username and 'ABC' is the password. 'address' is a device address.

I understand the problem with going between different webservers the session id may not be propagated even if we're sending the username and password across through the URL.

Whenever I click on the URL link above, the login form pops up and the user is requested to relogin a second time.

Following that the user has no problem navigating to any page. What's more intriguing is that, 'sandalbox' is the same computer where the user first logged in and *not* a different web server.

Right before selecting the URL link above the session id is valid ($sess->id), however, as expected when the user logs in a second time the session id becomes different. What's confusing is that if instead of relogging in I navigate back to the previous page and click on the same link (above), it successfully takes me to the required page with a DIFFERENT session id.

This seems to be a session id propagation problem but why on earth would the session id expire when I click on the link above?

Questions:

1) Is the session id SID implicitly passed through the different pages (I'm using session cookies) or must I append the SID to the url string above? (?SID)
2) Can I use the hidden_session() function to propagate the session id between different webservers?
3) In the above link the username and password are visible in the URL field which doesn't look good for security. I need to implicitly pass the username and password. Should I be using POST here?
4) Which is better to use for session id propagation: cookies or URL?

I seem to be going in circles (a viscous one!). I would greatly appreciate any comments or suggestions.

In anticipation.

Kind regards,
Shiraz
Melbourne, Australia
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Is there a reason you are using PHPLIB for sessions instead of the built-in functions that were added in PHP 4.0?

Most people here seem to have much more experience with the built-in functions. I remember reading somewhere that in PHPLIB you do have to propagate the SID parameter manually, but I don't know if that information was out of date.
s_iskenderian
Forum Newbie
Posts: 3
Joined: Fri Oct 04, 2002 1:11 am
Location: Melbourne, Australia

PHPLIB

Post by s_iskenderian »

The program was written during php3 days with PHPLIB and then it was ported to php4 without changing the PHPLIB session management stuff. Unfortunately, I'll have to try to fix the bug in the current environment.

Shiraz
s_iskenderian
Forum Newbie
Posts: 3
Joined: Fri Oct 04, 2002 1:11 am
Location: Melbourne, Australia

Session Mgmt

Post by s_iskenderian »

Given that I was trying to access an absolute URL,
http://sandalbox.ap.thmulti.com/fin...c1&password=ABC

PHPLIB thinks it's an external request, so it automatically pops up the Login page. I had to put a check in this section to only use the absolute path if going to other webservers.

Shiraz
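As an added example (not the poster's code and not PHPLIB's), here is how the same login-and-link flow looks with the built-in session functions nielsene mentions, written for current PHP (7.3 or later) rather than 4.0.1. It covers the four questions in the first post and the cause found in the last one: credentials are sent in a POST body instead of the query string, the SID travels only in a hardened cookie (so nothing is appended to links on the same host), and the link builder emits a relative path when the target is the current host and an absolute URL only for a genuinely different server. The user table, sample password, device address, page names and the finddevice host are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Constructed credential store standing in for a real user database.
function credentialStore(): array
{
    return ['abc1' => password_hash('example-password', PASSWORD_DEFAULT)];
}

// Session settings: the SID is accepted and sent only as a cookie, so it never
// appears in URLs, access logs or Referer headers, and unknown SIDs are rejected.
function configureSession(): void
{
    ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID= in URLs
    ini_set('session.use_trans_sid', '0');     // do not rewrite links with the SID
    ini_set('session.use_strict_mode', '1');   // reject SIDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,   // only over HTTPS (assumed to be in use)
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Handle a POST login. Returns true on success and swaps the SID so the
// authenticated session does not keep the id it had before login.
function handleLogin(array $post, array $store): bool
{
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    if (!isset($store[$user]) || !password_verify($pass, $store[$user])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user']);
}

// Build the finddevice link. Same host: a relative path, so the session cookie
// (scoped to this host) is sent and no SID or credentials go in the query string.
// Other host: an absolute URL with no SID attached, because this host's cookie is
// not sent there and that server holds no session state for it anyway.
function deviceLink(string $targetHost, string $address, string $currentHost): string
{
    $path = '/finddevice.php4?address=' . urlencode($address);
    if (strcasecmp($targetHost, $currentHost) === 0) {
        return $path;
    }
    if (filter_var($targetHost, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('invalid target host');
    }
    return 'https://' . $targetHost . $path;
}

configureSession();
$store = credentialStore();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!handleLogin($_POST, $store)) {
        http_response_code(401);
        exit('Login failed');
    }
    header('Location: /index.php', true, 303);  // redirect after POST
    exit;
}

if (!isLoggedIn()) {
    // Credentials go in the request body, never in the URL.
    echo '<form method="post" action="/login.php">'
       . '<input name="username" autocomplete="username"> '
       . '<input type="password" name="password" autocomplete="current-password"> '
       . '<button>Login</button></form>';
    exit;
}

// HTTP_HOST comes from the client's Host header; compare it against the
// configured host name in production rather than trusting it blindly.
$currentHost = $_SERVER['HTTP_HOST'] ?? 'localhost';
$href = deviceLink('sandalbox.example.test', '00:11:22:33:44:55', $currentHost);
echo '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Find device</a>';
```

On question 2: a session id only names state held by the server that issued it, and a cookie set for one host is not sent to another, so neither hidden_session() nor a URL parameter makes a session usable on a second webserver by itself; the servers would also have to read the same session store. On question 4: of the two, cookies keep the id out of logs, bookmarks and Referer headers, which is why the example disables URL-based propagation entirely.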