Jump to content

Recommended Posts

I use a unique key in certain places to make sure that the pages don't receive external post data. The "problem" is that I store this in a session variable. Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

 

1. Session is initiated:

 

session_start();
$session = session_id();

 

2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]

 

3. Set $_SESSION["secret"] to a random key

 

Am i failing to see some simple mistake in this process or why does this happen? I checked session.gc_maxlifetime and that was set to 1440 (24 minutes) both local and global.

Link to comment
https://forums.phpfreaks.com/topic/167827-strange-session-behavior/
Share on other sites

Maybe you're right but I think you might stop some automated bot scripts this way. After all, now that it's there it would be a waste of time to remove it  :P

 

No matter what, I would still like to know the reason for this strange behavior since it might cause other problems in the future. Is it possible that server sessions can become unstable and for some reason time out prior to the set limit?

Nope...shouldn't be...when do you set the random key? it should be like this:

 

<?php
  session_start();
  if($_SERVER['REQUEST_METHOD'] == 'POST'){
    if(!empty($_SESSION['secret']) && !empty($_POST['key']) && $_SESSION['secret'] == $_POST['key']){
      echo "You, my friend, passed the test.<br />";
    }else{
      echo "You are evil, away with you!<br />";
    }
    print_r($_POST);
    exit;
  }
  $_SESSION['secret'] = md5(time().rand());
?>
<form action="" method="POST">
  <input type="hidden" name="key" value="<?php echo $_SESSION['secret']; ?>" />
  <input type="text" name="foobar" />
  <input type="submit" value="Let's Go" />
</form>

The "problem" is that I store this in a session variable.

 

That's not a problem considering the purpose it's a good choice.

 

Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

 

How do you exactly mean time out?

 

1. Session is initiated:

session_start();
$session = session_id();

 

2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]

3. Set $_SESSION["secret"] to a random key

 

Nothing with this process either.

Yup, that's exactly what is done, everything goes in the order I listed in the first post. Most of the time it works just fine and the only page where I have encountered it to fail (once in a while, whenever it feels like it apparently) is where I do file uploading so I wonder if there is some instability over at my host's server?

I have printed all values (key, post and session arrays) and they are always set. I have also searched the file + included files and those are the only places where the variables are in use. As it appears only once in a while, even if I do the exact same thing, it seems very strange.

 

Could other users' use of sessions on the server affect mine as well in any situations?

no...user sessions are all separate

 

if they are set and not the same, my guess is the php script is changing it somewhere :) can you explain the flow a little more...especially with file uploads?

-Does it submit to the same php file or a different one?

-Do file uploads happen in the same form or in a different step?

If the code followed a different path depending on the situation I would probably think so too  :-\ However, nothing changes and it seems random albeit unusual.

 

The code itself is not really complex, there is only one form and it posts to the same page. File uploads are done in the same file but some image handling take place in included functions but that's about it. The code where the session is first initiated is also in an included file but that shouldn't matter...

 

Judging from the strange random factor I find it very hard to believe that the flaw is anywhere else but on the server but, if so, what could possibly cause it?

sounds like we are in agreement...without some code, i can't really help any further

 

maybe your hosting service is flaky, but i've never had this problem, and since both keys are set to something, it leads me to believe it's not the session prematurely dying

I have never had this problem before either  :-\ I have stripped the code down to make it readable although I doubt it will do any good (unless I have failed to catch something obvious that I am blind to at this point):

 

<?php
include [file where session is set:

session_start();
]

// Error check prints
print_r($_SESSION);
print_r($_POST);

// Database connection and log in check

// Check if form has been submitted
if (isset($_POST["submit"]))
{
// External attack check
if (isset($_SESSION['secret']) && $_POST['secretValue'] == $_SESSION['secret'])
{

	// yada yada yada PHP code

	if [file has been selected]
	{
		[error handling, image editing etc.]
	}
}
}

// Secret key is set
$secret = md5(uniqid(rand(), true));
$_SESSION["secret"] = $secret;

// Error check
echo $secret;
?>


<html>

<head>
</head>

<body>

// yada yada yada HTML

// The form itself

<form method="post" action="[same file]" enctype="multipart/form-data">
<input type="hidden" name="secretValue" value="<?php echo $secret; ?>" />
<input type="submit" class="submit" name="submit" value="Send" />
</form>

</body>

</html>

 

Don't take my pseudocode literally  :)

Your method makes no sense.

 

Thank you for providing constructive feedback

 

Been staying up all night solving and helping problems... im pretty tried and grumpy.

 

If your comment has no added value then save yourself the bother.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.