Extracting session data using PHP

Eddyphp
Forum Newbie
Posts: 8
Joined: Sun Sep 20, 2009 7:43 am

Extracting session data using PHP

Post by Eddyphp »

Is there any way to broker an SSL session with a PHP server-side script post the client application establishing a session with the server? The client application logs on to the web server; however, when the client calls a server-side PHP script, the script cannot access pages on behalf of the client because no session exists between the PHP script and the server.

What I would like to do is program the PHP script to extract the session data from the client and use it to get pages from the server.

Is this possible?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Extracting session data using PHP

Post by kaisellgren »

It's not clear to me what you want, but the session data is stored on files by default. If you can access the files (or the place where they are held), then you can access the session data.
Eddyphp
Forum Newbie
Posts: 8
Joined: Sun Sep 20, 2009 7:43 am

Re: Extracting session data using PHP

Post by Eddyphp »

What I'm trying to do is perform additional server-side processing on an XML response which is generated by an IIS add-in which is parsing files with a specific extension. I can't modify the parser, but I can modify the pages requesting the page. Instead of calling the page directly, I want to call a PHP script where the PHP script will request the parsed file. The problem is the web browser establishes a secure session with the server and the PHP script can't access the server files because the parser does not detect any session when the PHP script is accessing the page. The server reports that no session exists.

What I would like to do is send the session info to the script where the script can use the session data to access the web server.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Extracting session data using PHP

Post by kaisellgren »

Did you try sending the session identifier?
Eddyphp
Forum Newbie
Posts: 8
Joined: Sun Sep 20, 2009 7:43 am

Re: Extracting session data using PHP

Post by Eddyphp »

I'm not quite sure how to do this. Do I start a session in the PHP script, or do I set cookie values or send the data by URL? I can see three values when I print_r the SESSION global, one of which is a very long hex-type string which seems to be a session ID. I tried setting a cookie in the PHP script using these values; however, it reports that no session exists when the browser calls the web page via the PHP script. When I change the URL in the browser to call the page directly, even after the error is reported, the session is still active and the web server delivers the page.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Extracting session data using PHP

Post by kaisellgren »

What error?

If a PHP script accesses another PHP script and it must use the same session as the user who accessed the first script, then supply PHPSESSID, whose value is session_id(), as GET in the request to the target script. But why don't you just include the script? If it's on a remote server then you need to share the session data. A remote SQL server or Memcached is often used.
Eddyphp
Forum Newbie
Posts: 8
Joined: Sun Sep 20, 2009 7:43 am

Re: Extracting session data using PHP

Post by Eddyphp »

In this instance it's not a PHP script calling another PHP script. It's a PHP script stuffed in the middle trying to alter the output of an IIS .dll which is configured to parse files with an extension .gwt which is using proprietary tags understood by the IIS .dll. The .dll file responds to requests with pure .xml.

Usually the web pages are configured to call the .gwt files directly i.e. IIS is hosting the web site and anytime the page posts to a .gwt file the IIS dll takes over and processes the file and responds with pure xml. What I'm trying to do is modify the pages so they don't request the .gwt pages directly as the pure xml response needs to be filtered.

The IIS server has been extended to support .php files along with .gwt files. I've modified one of the .xhtml files hosted on the IIS server to post to the .php file as opposed to posting to the .gwt file. The problem I have is the post coming from the .xhtml file is accepted as it contains session data which passes the .gwt parser's security session checks. When the post is routed through the .php script, the session data is missing and the PHP request to the .gwt file is rejected because no session exists.

What I'm trying to do is very simple; however, it's complex to describe.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Extracting session data using PHP

Post by kaisellgren »

Just to make sure you realize, the session data is never known by the client (e.g., the browser). The client supplies an identifier, which tells PHP where to look for the session data. The data is stored in session.save_path in a file called session_id() (e.g., "e2bdf0...") with no extension. So, in your POST requests, there should be PHPSESSID somewhere, or PHP won't look for any session data.
Eddyphp
Forum Newbie
Posts: 8
Joined: Sun Sep 20, 2009 7:43 am

Re: Extracting session data using PHP

Post by Eddyphp »

I thought that if I included session_start() at the beginning of the PHP script that all the relevant session information would be passed over to any pages that the PHP script accesses.

The server already knows the location of the session file; however, the server doesn't consider the PHP script to be part of the session, even though the PHP script was called from the browser with the active session.

Maybe what I'm trying to do is not possible as what I'm effectively doing is trying to grab an active SSL session and trick the server into thinking that the PHP-initiated request is coming direct from the browser. There are probably major security issues too, and although I'm just exploring PHP, if I was writing an authentication mechanism in a real-life application I would implement an extra level of caution to make sure this type of spoofing could not happen.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Extracting session data using PHP

Post by kaisellgren »

Eddyphp wrote: I thought that if I included session_start() at the beginning of the PHP script that all the relevant session information would be passed over to any pages that the PHP script accesses.
Depends on the way of accessing. If you are including another PHP script, then the session data is still (of course) accessible, but if you are creating a new HTTP request, you need to supply the session identifier and the target script must know how to deal with it (if it's not a PHP script).
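
The approach described in the last reply, supplying the session identifier on the new HTTP request, as an added example that is not part of the original thread or written by either poster. BACKEND_URL and SESSION_COOKIE are assumed placeholders; a non-PHP backend such as the .gwt parser issues its own cookie name and value format, which must be substituted.

```php
<?php
// Added example: relay the caller's own session cookie to one fixed backend page.
// BACKEND_URL and SESSION_COOKIE are assumptions, not values taken from the thread.
const BACKEND_URL    = 'https://localhost/app/report.gwt';
const SESSION_COOKIE = 'PHPSESSID';

// Build the Cookie header from the browser's cookies, forwarding a single cookie only.
function build_cookie_header(array $cookies, string $name): ?string
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    // Accept only the character set PHP uses for session IDs, so the value
    // cannot smuggle extra cookies ("; other=1") or header lines (CR/LF).
    if (!preg_match('/^[A-Za-z0-9,-]{1,256}$/', $cookies[$name])) {
        return null;
    }
    return $name . '=' . $cookies[$name];
}

function fetch_as_client(array $cookies, array $postFields): string
{
    $cookie = build_cookie_header($cookies, SESSION_COOKIE);
    if ($cookie === null) {
        throw new RuntimeException('No usable session cookie in the request');
    }
    // If this script called session_start() and the backend is PHP sharing the
    // same session, release the session file lock or the inner request blocks.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    $ch = curl_init(BACKEND_URL);              // fixed target, never user-supplied
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($postFields),
        CURLOPT_COOKIE         => $cookie,     // sent as the Cookie request header
        CURLOPT_SSL_VERIFYPEER => true,        // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,       // do not carry the cookie across redirects
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Backend request failed: ' . curl_error($ch));
    }
    return $body;                              // filter the XML here before echoing it
}
```

A page would call `fetch_as_client($_COOKIE, $_POST)` and post-process the returned XML; a backend that also binds its session to the client address or TLS connection will still reject the relayed request.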