
Strange session behavior


vineld


I use a unique key in certain places to make sure that the pages don't receive external post data. The "problem" is that I store this in a session variable. Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

 

1. Session is initiated:

 

session_start();
$session = session_id();

 

2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]

 

3. Set $_SESSION["secret"] to a random key

 

Am I failing to see some simple mistake in this process, or why does this happen? I checked session.gc_maxlifetime and that was set to 1440 (24 minutes) both locally and globally.


Maybe you're right but I think you might stop some automated bot scripts this way. After all, now that it's there it would be a waste of time to remove it  :P

 

No matter what, I would still like to know the reason for this strange behavior since it might cause other problems in the future. Is it possible that server sessions can become unstable and for some reason time out prior to the set limit?


Nope... shouldn't be... when do you set the random key? It should be like this:

 

<?php
  session_start();
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // hash_equals() compares in constant time and avoids PHP's loose "=="
    // type juggling, which can make two different strings compare equal.
    if (!empty($_SESSION['secret']) && isset($_POST['key'])
        && hash_equals($_SESSION['secret'], (string) $_POST['key'])) {
      echo "You, my friend, passed the test.<br />";
    } else {
      echo "You are evil, away with you!<br />";
    }
    print_r($_POST);
    exit;
  }
  // A fresh token for the next form render, from a CSPRNG rather than md5(time().rand())
  $_SESSION['secret'] = bin2hex(random_bytes(16));
?>
<form action="" method="POST">
  <input type="hidden" name="key" value="<?php echo htmlspecialchars($_SESSION['secret'], ENT_QUOTES, 'UTF-8'); ?>" />
  <input type="text" name="foobar" />
  <input type="submit" value="Let's Go" />
</form>


The "problem" is that I store this in a session variable.

 

That's not a problem; considering the purpose, it's a good choice.

 

Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

 

What exactly do you mean by "time out"?

 

1. Session is initiated:

session_start();
$session = session_id();

 

2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]

3. Set $_SESSION["secret"] to a random key

 

Nothing wrong with this process either.


Yup, that's exactly what is done; everything goes in the order I listed in the first post. Most of the time it works just fine, and the only page where I have encountered it failing (once in a while, whenever it feels like it, apparently) is where I do file uploading, so I wonder if there is some instability over at my host's server?


I have printed all values (key, post and session arrays) and they are always set. I have also searched the file + included files and those are the only places where the variables are in use. As it appears only once in a while, even if I do the exact same thing, it seems very strange.

 

Could other users' use of sessions on the server affect mine as well in any situations?

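A diagnostic worth running before blaming the host, added here as an example and not part of the thread. PHP's manual notes for session.gc_maxlifetime say that when scripts with different gc_maxlifetime values share the same session.save_path, the script with the smallest value ends up cleaning everyone's session files; on shared hosting with the default save path that is exactly the situation described above. The function below reports that and two related settings, and the remedy is simply to give the application its own save path. The directory name is an assumption for the example.

```php
<?php
// Added diagnostic (not the thread's code). Lists session settings that can
// make a session disappear sooner than session.gc_maxlifetime suggests.

function sessionExpiryWarnings(): array
{
    $warnings  = [];
    $handler   = ini_get('session.save_handler');
    $savePath  = ini_get('session.save_path') ?: sys_get_temp_dir();
    $gcMax     = (int) ini_get('session.gc_maxlifetime');
    $cookieTtl = (int) ini_get('session.cookie_lifetime');

    // The files handler in a system-wide directory is shared with every other
    // site on the host; the site with the shortest gc_maxlifetime decides when
    // files are deleted, so sessions can vanish well before your own limit.
    $shared = ['/tmp', '/var/lib/php/sessions', rtrim(sys_get_temp_dir(), '/')];
    if ($handler === 'files' && in_array(rtrim($savePath, '/'), $shared, true)) {
        $warnings[] = "session.save_path is a system-wide directory ($savePath); "
                    . "another site's garbage collection can remove your session files.";
    }

    // A cookie that expires before the server-side data does has the same symptom.
    if ($cookieTtl > 0 && $cookieTtl < $gcMax) {
        $warnings[] = "session.cookie_lifetime ($cookieTtl s) is shorter than "
                    . "session.gc_maxlifetime ($gcMax s); the browser drops the cookie first.";
    }

    // Unrelated to expiry, but cheap to check while here: strict mode refuses
    // session IDs the server never issued (session fixation defence).
    if ((int) ini_get('session.use_strict_mode') !== 1) {
        $warnings[] = 'session.use_strict_mode is off; client-supplied session IDs are accepted.';
    }
    return $warnings;
}

// Remedy for the shared-path case: a private, web-server-only directory.
// The path is an assumption; adjust it to sit outside the document root.
function isolateSessionStorage(string $dir = __DIR__ . '/../sessions'): void
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
}

// Must run before session_start(), since the settings apply to the handler being opened.
isolateSessionStorage();
session_start();

foreach (sessionExpiryWarnings() as $warning) {
    echo $warning, PHP_EOL;
}
```

Run it once on the affected host: if the first warning fires, moving the save path is the fix, and the 1440-second figure the first post quotes only applies to sessions garbage-collected by this application's own requests.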

No... user sessions are all separate.

 

If they are set and not the same, my guess is the PHP script is changing it somewhere :) Can you explain the flow a little more, especially with file uploads?

- Does it submit to the same PHP file or a different one?

- Do file uploads happen in the same form or in a different step?


If the code followed a different path depending on the situation, I would probably think so too  :-\ However, nothing changes, and it seems random, albeit unusual.

 

The code itself is not really complex: there is only one form and it posts to the same page. File uploads are done in the same file, but some image handling takes place in included functions, and that's about it. The code where the session is first initiated is also in an included file, but that shouldn't matter...

 

Judging from the strange random factor, I find it very hard to believe that the flaw is anywhere else but on the server, but if so, what could possibly cause it?


Sounds like we are in agreement... without some code, I can't really help any further.

 

Maybe your hosting service is flaky, but I've never had this problem, and since both keys are set to something, it leads me to believe it's not the session prematurely dying.


I have never had this problem before either  :-\ I have stripped the code down to make it readable, although I doubt it will do any good (unless I have failed to catch something obvious that I am blind to at this point):

 

<?php
// In the original the session is started in an included file; shown inline here
session_start();

// Error check prints
print_r($_SESSION);
print_r($_POST);

// Database connection and log in check (omitted in this stripped-down version)

// Check if form has been submitted
if (isset($_POST["submit"]))
{
	// External attack check: constant-time comparison, no loose "=="
	if (isset($_SESSION['secret'], $_POST['secretValue'])
		&& hash_equals($_SESSION['secret'], (string) $_POST['secretValue']))
	{
		// yada yada yada PHP code

		// Field name "image" is a placeholder; the stripped-down code did not name it
		if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK)
		{
			// error handling, image editing etc.
		}
	}
}

// Secret key is set (CSPRNG instead of md5(uniqid(rand(), true)))
$secret = bin2hex(random_bytes(16));
$_SESSION["secret"] = $secret;

// Error check
echo $secret;
?>


<html>

<head>
</head>

<body>

<!-- yada yada yada HTML -->

<!-- The form itself; an empty action posts back to this same file -->

<form method="post" action="" enctype="multipart/form-data">
<input type="hidden" name="secretValue" value="<?php echo htmlspecialchars($secret, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="file" name="image" />
<input type="submit" class="submit" name="submit" value="Send" />
</form>

</body>

</html>

 

Don't take my pseudocode literally  :)

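Two things about the design in the posts above are worth showing in working code, added here as an example rather than the thread's own code. First, a token that is regenerated on every page view is invalidated by any second load of the page (a second tab, the Back button, a reload), which produces exactly the "once in a while" mismatch described; generating it once per session avoids that. Second, on an upload form, when the multipart body exceeds post_max_size PHP leaves both $_POST and $_FILES empty, so the token check fails even though the session is intact; the request's Content-Length exposes that case. The field name "image" and the storage location are assumptions for the example.

```php
<?php
// Added example (not the thread's code): a per-session CSRF token compared in
// constant time, plus detection of the upload case in which PHP drops $_POST.

declare(strict_types=1);

session_start();

function csrfToken(): string
{
    // Generated once per session. Rotating on every request invalidates the
    // copy already rendered in an open tab or a page reached via "Back".
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(mixed $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals avoids timing leaks and PHP's loose "==" type juggling.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Convert php.ini shorthand such as "8M" to bytes.
function iniBytes(string $value): int
{
    $value = trim($value);
    $n = (int) $value;
    return match (strtoupper(substr($value, -1))) {
        'G' => $n << 30, 'M' => $n << 20, 'K' => $n << 10, default => $n,
    };
}

// When the multipart body exceeds post_max_size, PHP leaves $_POST and $_FILES
// empty, so a token check fails although nothing is wrong with the session.
function postBodyWasDropped(): bool
{
    $length = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    return ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
        && empty($_POST) && empty($_FILES)
        && $length > iniBytes(ini_get('post_max_size'));
}

$message = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (postBodyWasDropped()) {
        $message = 'Upload too large: the request exceeded post_max_size.';
    } elseif (!csrfTokenIsValid($_POST['secretValue'] ?? null)) {
        http_response_code(403);
        $message = 'Form token missing or invalid.';
    } elseif (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
        // Destination is an assumption; a real application validates type and size first.
        $dest = sys_get_temp_dir() . '/upload_' . bin2hex(random_bytes(8));
        $message = move_uploaded_file($_FILES['image']['tmp_name'], $dest) ? 'Stored.' : 'Store failed.';
    } else {
        $message = 'No file received.';
    }
}
$token = csrfToken();
?>
<!DOCTYPE html>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="" enctype="multipart/form-data">
  <input type="hidden" name="secretValue" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="file" name="image">
  <input type="submit" name="submit" value="Send">
</form>
```

If rotating the token after a successful submission is still wanted (to prevent replay of one form), do it only inside the branch that accepted the token, never on GET, so that a page rendered twice still carries a value the server will accept.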
