Hi,
I'm currently running PHP version 4.0.1.p12 on Linux and I'm using PHPLIB for session management and user authentication. The application I'm working on allows the user to navigate between a few pages on the same webserver. It also allows the user to navigate to a page on other webservers. Now, that's where my problem starts!!
My background research on PHP session management as well as PHPLIB definitely increased my knowledge of PHP but still I can't get to the bottom of it.
Following a successful login the user can navigate around with no problems until the following link is selected.
The php code HREF that should navigate the user to the required page is:
$urlRef = "<A HREF=\"http://".$host."/finddevice.php4?address=".urlencode($curDevice["Address"]).$passStr."\" onMouseOver='window.status=\"".$in_devicePort." : ".$curDevice["Name"]." @ ".$host."\"; return true;' onMouseOut='window.status=\"\"; return true;'>";
This essentially is http://sandalbox.ap.thmulti.com/finddev ... ssword=ABC
where 'abc1' is the username and 'ABC' is the password. 'address' is a device address.
I understand that, when going between different webservers, the session id may not be propagated even if we're sending the username and password across through the URL.
Whenever I click on the URL link above, the login form pops up and the user is requested to relogin a second time.
Following that the user has no problem navigating to any page. What's more intriguing is that, 'sandalbox' is the same computer where the user first logged in and *not* a different web server.
Right before selecting the URL link above the session id is valid ($sess->id), however, as expected when the user logs in a second time the session id becomes different. What's confusing is that if instead of relogging in I navigate back to the previous page and click on the same link (above), it successfully takes me to the required page with a DIFFERENT session id.
This seems to be a session id propagation problem but why on earth would the session id expire when I click on the link above?
Questions:
1) Is the session id SID implicitly passed through the different pages (I'm using session cookies) or must I append the SID to the URL string above? (?SID)
2) Can I use the hidden_session() function to propagate the session id between different webservers?
3) In the above link the username and password are visible in the URL field, which doesn't look good for security. I need to implicitly pass the username and password. Should I be using POST here?
4) Which is better to use for session id propagation: cookies or URL?
I seem to be going in circles (a vicious one!). I would greatly appreciate any comments or suggestions.
In anticipation.
Kind regards,
Shiraz
Melbourne, Australia
Session propagation problem
s_iskenderian
Is there a reason you are using PHPLIB for sessions instead of the built-in functions that were added in PHP 4.0?
Most people here seem to have much more experience with the built-in functions. I remember reading somewhere that in PHPLIB you do have to propagate the SID parameter manually, but I don't know if that information was out of date.
s_iskenderian
PHPLIB
The program was written during php3 days with PHPLIB and then it was ported to php4 without changing the PHPLIB session management stuff. Unfortunately, I'll have to try to fix the bug in the current environment.
Shiraz
s_iskenderian
Session Mgmt
Given that I was trying to access an absolute URL,
http://sandalbox.ap.thmulti.com/fin...c1&password=ABC
PHPLIB thinks it's an external request, so it automatically pops up the Login page. I had to put a check in this section to only use the absolute path if going to other webservers.
Shiraz
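One way to implement the check described above, as an added example that is not from the thread or from PHPLIB: emit a relative path when the target is the same webserver (so PHPLIB does not treat the request as external) and keep the username and password out of the query string entirely. Host names and device values are constructed for illustration.

```php
<?php
// Added example, not PHPLIB code. The session (cookie or SID), not the URL,
// carries the user's identity; only the device address goes in the query.

function build_find_device_link($targetHost, $currentHost, $address) {
    // urlencode() keeps characters such as '&' or spaces in the address from
    // breaking the query string or injecting extra parameters.
    $query = 'address=' . urlencode($address);

    if (strcasecmp($targetHost, $currentHost) === 0) {
        // Same webserver: a relative path passes PHPLIB's external-request
        // check and the browser sends the session cookie automatically.
        return '/finddevice.php4?' . $query;
    }

    // Different webserver: an absolute URL is unavoidable. No credentials and
    // no session id are appended; the remote server must authenticate the user.
    return 'http://' . $targetHost . '/finddevice.php4?' . $query;
}

// htmlspecialchars() stops a device address or name containing quotes or
// angle brackets from escaping the attribute when the anchor is echoed.
function anchor_tag($href, $label) {
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">'
         . htmlspecialchars($label, ENT_QUOTES) . '</a>';
}

// Constructed sample values (hypothetical hosts and device).
$currentHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'sandalbox.example';
$curDevice   = array('Address' => '10.0.0.7 & rack"3', 'Name' => 'switch-1');

// Same host: relative link, session cookie does the rest.
echo anchor_tag(build_find_device_link('sandalbox.example', $currentHost, $curDevice['Address']),
                $curDevice['Name']), "\n";

// Other host: absolute link, still without username or password in the URL.
echo anchor_tag(build_find_device_link('other.example', $currentHost, $curDevice['Address']),
                $curDevice['Name']), "\n";
```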