Page 2 of 3
Reply
Posted: Wed Mar 28, 2007 4:00 pm
by user___
It does not work here. I might have missed something and if so please correct me.
redir.php:
Code: Select all
<?php
//Sessions
//Session start
session_start();
//Regenerate id
session_regenerate_id();
//Set session vars
$_SESSION['username'] = 0;
$_SESSION['password'] = 0;
//Set session vars
$_SESSION['username'] = 'username';//Hard coded
$_SESSION['password'] = 'password';//Hard coded
//Disable session writing
session_write_close();
//With full URLs does not work too
header("Location:http://www.mysite.com/secured.php?show_menu=1");
?>
Posted: Wed Mar 28, 2007 4:34 pm
by RobertGonzalez
Does this work? To test it, save the code into their own pages, then call page one, then click the link to page 2, then come back to page 1 using the link.
session-test-page1.php
Code: Select all
<?php
//Session start
session_start();
//Set session vars
if (!isset($_SESSION['username']) && !isset($_SESSION['password']))
{
$_SESSION['username'] = 'testusername';
$_SESSION['password'] = 'testpassword';
}
else
{
echo '<p>You user name is already set to ' . $_SESSION['username'] . '</p>';
echo '<p>And your password is already set to ' . $_SESSION['password'] . '</p>';
}
if (isset($_GET['clear']))
{
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
echo '<p>Even though you see the information above, the session has already been terminated.
<a href="' . basename($_SERVER['SCRIPT_FILENAME']) . '">Refresh the page</a> and you will see nothing as the page sets the session vars again.</p>';
}
echo '<p><a href="session-test-page2.php">Click here for page 2</a></p>';
echo '<p><a href="?clear=true">Click here to clear the session data</a></p>';
?>
session-test-page2.php
Code: Select all
<?php
//Session start
session_start();
//Set session vars
echo '<p>You user name is ' . $_SESSION['username'] . '</p>';
echo '<p>And your password is ' . $_SESSION['password'] . '</p>';
echo '<a href="session-test-page1.php">Click here to go back to page 1</a>';
?>
PS I tested these locally on my machine. I know they work so if they do not work for you it may be something wrong with your set up.
Reply
Posted: Wed Mar 28, 2007 4:55 pm
by user___
Everah, this does work but I want it using header() not a link. If I use <a href="..."></a> it works else by using header() it does not. It is very strange. I even used meta tag but it does not work, yet.
BTW:Thank you for your script but I stiil need it using header().
Posted: Wed Mar 28, 2007 5:00 pm
by RobertGonzalez
header() may not work now that I think about. Try throwing a redirect in place of the link and see what happens. I am not sure the outcome as I haven't tested it.
EDIT | No, header() will work. I just tested it in my script.
Reply
Posted: Thu Mar 29, 2007 8:01 am
by user___
In, my case it does not. I just can not get it with header(). Do you have an idea how to solve this?
Posted: Thu Mar 29, 2007 10:43 am
by RobertGonzalez
Does the header function work at all? If so, does it work with the code I have posted? Also, can you run the following in a new file and tell us the results please.
Code: Select all
<?php
$neg = array('off', 0, false, '', null);
$flags = array(
'Register Globals' => 'register_globals',
'Short Tags' => 'short_open_tag',
'Display Errors' => 'display_errors',
'Magic Quotes GPC' => 'magic_quotes_gpc',
'Magic Quotes Runtime' => 'magic_quotes_runtime',
'Magic Quotes Sybase' => 'magic_quotes_sybase',
);
$ve = phpversion();
$os = PHP_OS;
$er = intval(error_reporting());
foreach ($flags as $n => $v)
{
$flags[$n] = (in_array(strtolower(ini_get($v)), $neg) ? 'Off' : 'On');
}
$flags['Config file'] = get_cfg_var('cfg_file_path');
if (empty($flags['Config file']))
{
$flags['Config file'] = '-';
}
$cli = (php_sapi_name() == 'cli');
$eol = "
";
$gle = get_loaded_extensions();
$rows = array();
$le = '';
$wide = 4;
$j = count($gle);
$pad = $wide - $j % $wide;
$len = max(array_map('strlen', $gle));
$func = create_function('$a', 'return str_pad($a, ' . intval($len) . ');');
$gle = array_map($func, $gle);
for($i = 0; $i < $j; $i += $wide)
{
$le .= ' ' . implode(' ', array_slice($gle, $i, $wide)) . $eol;
}
$ec = array(
'E_STRICT' => 2048, 'E_ALL' => 2047, 'E_USER_NOTICE' => 1024,
'E_USER_WARNING' => 512, 'E_USER_ERROR' => 256, 'E_COMPILE_WARNING' => 128,
'E_COMPILE_ERROR' => 64, 'E_CORE_WARNING' => 32, 'E_CORE_ERROR' => 16,
'E_NOTICE' => 8, 'E_PARSE' => 4, 'E_WARNING' => 2, 'E_ERROR' => 1,
);
$e = array();
$t = $er;
foreach ($ec as $n => $v)
{
if (($t & $v) == $v)
{
$e[] = $n;
$t ^= $v;
}
}
if (ceil(count($ec) / 2) + 1 < count($e))
{
$e2 = array();
foreach ($ec as $n => $v)
{
if (!in_array($n, $e) and $n != 'E_ALL')
{
$e2[] = $n;
}
}
$er = $er . ' ((E_ALL | E_STRICT) ^ ' . implode(' ^ ', $e2) . '))';
}
else
{
$er = $er . ' (' . implode(' | ', $e) . ')';
}
if (!$cli)
{
echo '<html><head><title>quick info</title></head><body><pre>', $eol;
}
echo 'PHP Version: ', $ve, $eol;
echo 'PHP OS: ', $os, $eol;
echo 'Error Reporting: ', $er, $eol;
foreach ($flags as $n => $v)
{
echo $n, ': ', $v, $eol;
}
echo 'Loaded Extensions:', $eol, $le, $eol;
if (!$cli)
{
echo '</pre></body></html>', $eol;
}
?>
Reply
Posted: Thu Mar 29, 2007 11:09 am
by user___
Yes, header() works as it is supposed to. It redirects to a given location but without sending any sessions.
The result is:
PHP Version: 5.2.0
PHP OS: WINNT
Error Reporting: 6135 ((E_ALL | E_STRICT) ^ E_STRICT ^ E_NOTICE))
Register Globals: Off
Short Tags: On
Display Errors: On
Magic Quotes GPC: On
Magic Quotes Runtime: Off
Magic Quotes Sybase: Off
Config file: C:\WINDOWS\php.ini
Loaded Extensions:
bcmath calendar com_dotnet ctype
session filter ftp hash
iconv json odbc pcre
Reflection date libxml standard
tokenizer zlib SimpleXML dom
SPL wddx xml xmlreader
xmlwriter apache2handler bz2 curl
dba dbase fdf gd
pdf gettext imap ldap
mbstring exif mhash msql
mysql xmlrpc xsl zip
Reply
Posted: Thu Mar 29, 2007 11:41 am
by user___
Everah, I was testing your script and after thirteen very fast clicking on the link which redirects me to the first page I got results. In all other cases it does not work.
Do you have an idea why?
Posted: Thu Mar 29, 2007 12:01 pm
by RobertGonzalez
I have no idea. Your set up is almost identical to mine. I use the apache server locally. What server are you using? For me it worked right out of the chutes. The first page should load with two links. Click the page 2 link and it should spit out the session data. Click the return to page 1 link and it should now spit out the session data and if you click the clear session infromation link, it will have three links.
EDIT | Strike that. First load of page one sets the session data and redirects to page 2, which looks like this:
Code: Select all
You user name is testusername
And your password is testpassword
Click here to go back to page 1
When you click the back link, it takes you to:
Code: Select all
You user name is already set to testusername
And your password is already set to testpassword
Click here for page 2
Click here to clear the session data
Click on the clear link and it looks like:
Code: Select all
You user name is already set to testusername
And your password is already set to testpassword
Even though you see the information above, the session has already been terminated. Refresh the page and you will see nothing as the page sets the session vars again.
Click here for page 2
Click here to clear the session data
Click the refresh link and it looks like (page 2 again):
Code: Select all
You user name is testusername
And your password is testpassword
Click here to go back to page 1
Reply
Posted: Thu Mar 29, 2007 12:31 pm
by user___
I use Apache like you.
Code:
You user name is testusername
And your password is testpassword
Click here to go back to page 1
This is the same but without testusername, and password(No sessions).
Then I get:(When I have already clicked thirteen times and have sessions set):
You user name is already set to testusername
And your password is already set to testpassword
Even though you see the information above, the session has already been terminated. Refresh the page and you will see nothing as the page sets the session vars again.
Click here for page 2
Click here to clear the session data
.
Finally:
You user name is testusername
And your password is testpassword
Click here to go back to page 1
.
This is the same but without testusername, and password(No sessions).
Posted: Thu Mar 29, 2007 12:45 pm
by RobertGonzalez
Run that test again. This time, clear your cache and cookies before running the test. Immediately after the test, look at your cookies and see what is there. Post back.
Reply
Posted: Thu Mar 29, 2007 1:19 pm
by user___
I have some sessions files created in my tmp directory(Sessions are saved there) whose values are as they should be
username|s:12:"testusername";password|s:12:"testpassword";
but aqlythough everything seems to be working the last file created is always empty.
I have no cookies.
Array();
Posted: Thu Mar 29, 2007 2:04 pm
by RobertGonzalez
I am at a loss then man. I can't see how 13 fast clicks would suddenly trigger a session to take. It justs seems weird.
Just to satisfy me though, could you run the tests again, this time using these files, and post back with what is echoed to the screen for each step? Make sure to click the 'Go to page 1' link, the 'Clear session information' link and the 'Refresh' link in that order as they appear, then capture each screen and post back what is echoed for each screen. Just to humor me...
Please don't try to force it (ie, clicking 13 times really quick). Just run the pages in order as a regular user.
session-test-page1.php
Code: Select all
<?php
//Session start
session_start();
//Set session vars
if (!isset($_SESSION['username']) && !isset($_SESSION['password']))
{
$_SESSION['username'] = 'testusername';
$_SESSION['password'] = 'testpassword';
header('Location: session-test-page2.php');
exit;
}
else
{
// Quick error checking
echo '<pre>'; var_dump($_SESSION); echo '</pre>';
echo '<p>You user name is already set to ' . $_SESSION['username'] . '</p>';
echo '<p>And your password is already set to ' . $_SESSION['password'] . '</p>';
}
if (isset($_GET['clear']))
{
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
// Finally, destroy the session.
session_destroy();
echo '<p>Even though you see the information above, the session has already been terminated.
<a href="' . basename($_SERVER['SCRIPT_FILENAME']) . '">Refresh the page</a> and you will see nothing as the page sets the session vars again.</p>';
}
echo '<p><a href="session-test-page2.php">Click here for page 2</a></p>';
echo '<p><a href="?clear=true">Click here to clear the session data</a></p>';
?>
session-test-page2.php
Code: Select all
<?php
//Session start
session_start();
// Quick error checking
echo '<pre>'; var_dump($_SESSION); echo '</pre>';
// Echo session vars
echo '<p>You user name is ' . $_SESSION['username'] . '</p>';
echo '<p>And your password is ' . $_SESSION['password'] . '</p>';
echo '<a href="session-test-page1.php">Click here to go back to page 1</a>';
?>
Reply
Posted: Thu Mar 29, 2007 2:23 pm
by user___
First screen:
array(0) {
}
You user name is
And your password is
Click here to go back to page 1
and an infinite screen
array(0) {
}
You user name is
And your password is
Click here to go back to page 1
because I have no sessions set it redirects me here again some times but this time seven.
Although you have said to do what a normal user would do I did click seven times extremely fast and I got this:
array(2) {
["username"]=>
string(12) "testusername"
["password"]=>
string(12) "testpassword"
}
You user name is already set to testusername
And your password is already set to testpassword
Click here for page 2
Click here to clear the session data
Then:
array(2) {
["username"]=>
string(12) "testusername"
["password"]=>
string(12) "testpassword"
}
You user name is already set to testusername
And your password is already set to testpassword
Even though you see the information above, the session has already been terminated. Refresh the page and you will see nothing as the page sets the session vars again.
Click here for page 2
Click here to clear the session data
Finally:
array(0) {
}
You user name is
And your password is
Click here to go back to page 1
.
Everah, I may try something else if you do not mind, of course. Can you post me this part of your .ini file which has sessions set there cause it seems this weird thing to be by setting which I can not find.
If you have a better idea I would be happy to hear it.
Posted: Thu Mar 29, 2007 2:39 pm
by RobertGonzalez
This is from my local file system set up:
Code: Select all
[Session]
; Handler used to store/retrieve data.
session.save_handler = files
; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; As of PHP 4.0.1, you can define the path as:
;
; session.save_path = "N;/path"
;
; where N is an integer. Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories. This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
; You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"
;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
;session.save_path = "/tmp"
; Whether to use cookies.
session.use_cookies = 1
; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1
; Name of the session (used as cookie name).
session.name = PHPSESSID
; Initialize session on request startup.
session.auto_start = 0
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
; The path for which the cookie is valid.
session.cookie_path = /
; The domain for which the cookie is valid.
session.cookie_domain =
; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php
; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.
session.gc_probability = 1
session.gc_divisor = 1000
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
; NOTE: If you are using the subdirectory option for storing session files
; (see session.save_path above), then garbage collection does *not*
; happen automatically. You will need to do your own garbage
; collection through a shell script, cron entry, or some other method.
; For example, the following script would is the equivalent of
; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
; cd /path/to/sessions; find -cmin +24 | xargs rm
; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit register_globals
; is disabled. PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled.
session.bug_compat_42 = 0
session.bug_compat_warn = 1
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =
; How many bytes to read from the file.
session.entropy_length = 0
; Specified here to create the session id.
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache
; Document expires after n minutes.
session.cache_expire = 180
; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0
; Select a hash function
; 0: MD5 (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
;
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5
; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs. If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"