Session interrupt

Started by Bounty_y2k, November 15, 2014, 12:18:07 PM


Bounty_y2k

Hi, I have a problem with my website and forums. On my main website I start a session but it gets interrupted when accessing the forums. I did a print_r($_SESSION); on every page on my webs and it shows something like this:
Line 8 : Array ( ) //not yet created
Line 22 : Array ( [bbthemes] => 3 ) //created

After this executed all web pages are like:

Line 8 : Array ( [bbthemes] => 3 )
Line 22 : Array ( [bbthemes] => 3 )


And on main page of forums:
Line 8 : Array ( [session_value] => 879cb419b7112192002f6124d9631e91 [session_var] => ada78ff138f1 [mc] => Array ( [time] => 1416071540 [id] => 0 [gq] => 0=1 [bq] => 0=1 [ap] => Array ( ) [mb] => Array ( ) [mq] => 0=1 ) [ban] => Array ( [last_checked] => 1416071540 [id_member] => 0 [ip] => [ip2] => [email] => ) [log_time] => 1416071540 [timeOnlineUpdated] => 1416071540 )
//no 'bbthemes' session and there should be
Line 22 : Array ( [session_value] => 879cb419b7112192002f6124d9631e91 [session_var] => ada78ff138f1 [mc] => Array ( [time] => 1416071540 [id] => 0 [gq] => 0=1 [bq] => 0=1 [ap] => Array ( ) [mb] => Array ( ) [mq] => 0=1 ) [ban] => Array ( [last_checked] => 1416071540 [id_member] => 0 [ip] => [ip2] => [email] => ) [log_time] => 1416071540 [timeOnlineUpdated] => 1416071540 [bbthemes] => 13 )
//new one created


It seems like the SMF session reset my web's session.
Any ideas on how I can get this to work?

Arantor

SMF does its own session fixation for security purposes.

Ideally use SMF's wherever possible. Without knowing what you are doing on your site, I can't give you any advice.

Bounty_y2k

So there is no way to keep any session except SMF's original on forums?

Arantor

I didn't say that.

However, SMF's is hardened - and proven - against things like session fixation which your own code may not be. As I said, more information would be helpful in giving you a better answer.

Bounty_y2k

Oh sorry.
This is what's going on.
I have style.php which randomizes a number and by that number builds styles for my web site.

<?php
session_start();

$maxt = 20;
$dark = false;
$adresa = "http://".$_SERVER['HTTP_HOST']."/website/";
print_r($_SESSION); //test
if (isset($_COOKIE['bbtheme'])) {
    $ran = $_COOKIE['bbtheme'];
} else if (isset($_SESSION["bbthemes"])) {
    $ran = $_SESSION["bbthemes"];
} else if (!isset($_COOKIE['bbtheme']) && !isset($_SESSION["bbthemes"])) {
    $ran = rand(1, $maxt);
    $_SESSION["bbthemes"] = $ran;
}

if (isset($_GET['bbthemef']) && $_GET['bbthemef'] !== '' && is_numeric($_GET['bbthemef'])) {
    $bbthemef = $_GET['bbthemef'];
    if ($bbthemef > $maxt || $bbthemef < 1) {
        $ran = rand(1, $maxt);
    } else {
        $ran = $bbthemef;
    }
}

print_r($_SESSION); //test
$body = "body{ background-image:url(\"".$adresa."/source/img/bgs/".$ran.".jpg\");}";

$style = "<style type='text/css'>".
$body.
"</style>";

//I simply echo $body inside <head> tags to get styles
?>


This file is included in all of my web pages and index.template.php of my theme.
So it basically checks for cookies, sessions and if there is none it renders a random number.
But sessions on site and forums work independently so I get two different styles for my site and forums.

Arantor

Yeah, there's security issues with doing that. Session hijacking is a thing.

Quick solution: include SMF's SSI.php then don't start your own session. You get access to SMF's session data and $_SESSION will work as expected (provided you set subdomain independent cookies to on) and can also make use of information about whether the user is logged in or not should you want to do such.

Randomising the user experience rarely works well.

Bounty_y2k

So I would just need to replace session_start(); in my style.php with include '/path/SSI.php'; ?
How can I set subdomain independent cookies? (sorry, first time I hear about this).

Arantor

Yes, pretty much that's what you do. SMF starts its own session which it protects.

As for setting subdomain independent cookies, Admin > Configuration > Server Settings > Sessions and Cookies.

This is required because otherwise SMF's cookie will be restricted to the folder in which SMF resides.

Bounty_y2k

I get the following error outside the forums:
Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in ..path\source\style.php on line 3

Warning: include(..path/forum/SSI.php): failed to open stream: no suitable wrapper could be found in path..\source\style.php on line 3

Warning: include(): Failed opening '..path/forum/SSI.php' for inclusion in ..path\source\style.php on line 3

Arantor

You are not supposed to include it by way of an http:// link. Use the correct path to its actual file.
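
The approach Arantor describes in this thread (load SMF's SSI.php by filesystem path and use SMF's session instead of calling session_start()) could look like the following for style.php. This is an added example, not code posted by anyone in the thread; the ./forum location, the BASE_URL placeholder, the helper names theme_index and pick_theme, and PHP 7 or later are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: the forum sits in ./forum
// beside this file, themes are numbered 1..20, PHP 7+.
const MAX_THEME = 20;
const BASE_URL  = 'https://www.example.com/website'; // placeholder, not from the thread

// Filesystem path, never an http:// URL (allow_url_include=0 rejects those).
// SSI.php starts SMF's protected session, so session_start() is not called here.
require_once __DIR__ . '/forum/SSI.php';

// Hypothetical helper: $value as an int in 1..MAX_THEME, or null otherwise.
function theme_index($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_THEME]]);
    return $n === false ? null : $n;
}

// Hypothetical helper: same lookup order as the original style.php (cookie,
// then session, then a new random value), with ?bbthemef=N as an override.
function pick_theme(array $get, array $cookie, array &$session): int
{
    $ran = theme_index($cookie['bbtheme'] ?? null)
        ?? theme_index($session['bbthemes'] ?? null);
    if ($ran === null) {
        $ran = random_int(1, MAX_THEME);
        $session['bbthemes'] = $ran; // written to the session SSI.php started
    }
    return theme_index($get['bbthemef'] ?? null) ?? $ran;
}

$ran = pick_theme($_GET, $_COOKIE, $_SESSION);

// $ran is a range-checked integer and BASE_URL is a constant, so no cookie,
// query-string or Host-header text is copied into the page.
$style = "<style type='text/css'>body{ background-image:url(\""
       . BASE_URL . "/source/img/bgs/" . $ran . ".jpg\");}</style>";
```

Unlike the original style.php, an out-of-range or non-numeric bbtheme cookie or bbthemef parameter is ignored rather than interpolated into the style block.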

Bounty_y2k

Works like a charm. Thank you very much, you helped me a lot. :)

Bounty_y2k

Sorry for this, it fails again -.-
It worked on my localhost but on the real host something is wrong.
The session isn't set until the user visits the forums; when he does, sessions work for the whole website and forums, but before the user visits the forum sessions aren't stored.
I include ssi.php like this:
$urld = $_SERVER["REQUEST_URI"];

if (strpos($urld, 'forum') !== false){
(include "SSI.php") or die('fail 1');
} else {
(include "forum/SSI.php") or die('fail 2');
}

The page does not 'die' so it should work well but it does not....:/

Kindred

Why are you doing that?

SSI itself already has a check to see if SMF is running (and won't load the conflicting parts of itself, if it is)


just

include("/home/youracct/public_html/forum/SSI.php");

nothing more, nothing less.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Bounty_y2k

Of course...sorry for that :D Thank you again.

Bounty_y2k

Ok, back on problem no. 1
I just added this into my php:

include("/home/myacc/public_html/forum/SSI.php");

if (isset($_COOKIE['bbtheme'])) {
$ran = $_COOKIE['bbtheme'];
echo 'Found Cookie = '.$ran;
}else if(isset($_SESSION["bbthemes"])){
$ran = $_SESSION["bbthemes"];
echo 'Found Session = '.$ran;
}else if(!isset($_COOKIE['bbtheme']) && !isset($_SESSION["bbthemes"])){
$ran = rand(1, $maxt);
$_SESSION["bbthemes"] = $ran;
echo 'Creating Session = '.$ran;
}


I get "Creating Session" on every page before I visit forums; after visiting forums I get "Found Session" on every page, forum and non-forum. It seems like the first time on the page it creates the session but on the second SSI.php overwrites it and unsets it...so it's really never stored. Sorry for bothering you so much with this.

Kindred

why are you loading SSI multiple times on a page?

Bounty_y2k

That is the first and only time I include SSI.php. Oh, sorry, by 'adding' I was talking about echo's..

Arantor

Are you still running session_start() before? Any other session code beforehand?

Bounty_y2k

Nope, this is the beginning of the one and only file that does the job.
<?php
//(include("/home/web/public_html/forum/SSI.php")) or die('Fail!');
include("/home/web/public_html/forum/SSI.php");

//print_r($_SESSION); //test
if (isset($_COOKIE['bbtheme'])) {
    $ran = $_COOKIE['bbtheme'];
    //echo 'Found Cookie = '.$ran;
} else if (isset($_SESSION["bbthemes"])) {
    $ran = $_SESSION["bbthemes"];
    //echo 'Found Session = '.$ran;
} else if (!isset($_COOKIE['bbtheme']) && !isset($_SESSION["bbthemes"])) {
    $ran = rand(1, $maxt);
    $_SESSION["bbthemes"] = $ran;
    //echo 'Creating Session = '.$ran;
}
