sessions effecting $_POST??

[ale1981]

PHP 5.2.6

Apache 2.2.9

 

I am trying to store windows username / domain / workstation details into a session for our company intranet. I found a script on the internet that I can use to retrieve the information which I made into a function;

 

function get_user_details() {

// loune 25/3/2006, updated 22/08/2009
// For more information see:
// http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
// 
// This script is obsolete, you should see
// http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/
//

// NTLM specs http://davenport.sourceforge.net/ntlm.html

$headers = apache_request_headers();

if (!isset($headers['Authorization'])){
	header('HTTP/1.1 401 Unauthorized');
	header('WWW-Authenticate: NTLM');
	exit;
}

$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ') {
	$msg = base64_decode(substr($auth, 5));
	if (substr($msg, 0,  != "NTLMSSP\x00")
		die('error header not recognised');

	if ($msg[8] == "\x01") {
		$msg2 = "NTLMSSP\x00\x02\x00\x00\x00".
			"\x00\x00\x00\x00". // target name len/alloc
			"\x00\x00\x00\x00". // target name offset
			"\x01\x02\x81\x00". // flags
			"\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
			"\x00\x00\x00\x00\x00\x00\x00\x00". // context
			"\x00\x00\x00\x00\x00\x00\x00\x00"; // target info len/alloc/offset

		header('HTTP/1.1 401 Unauthorized');
		header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
		exit;
	}
	else if ($msg[8] == "\x03") {
		function get_msg_str($msg, $start, $unicode = true) {
			$len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
			$off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
			if ($unicode)
				return str_replace("\0", '', substr($msg, $off, $len));
			else
				return substr($msg, $off, $len);
		}
		$user = get_msg_str($msg, 36);
		$domain = get_msg_str($msg, 28);
		$workstation = get_msg_str($msg, 44);

                       	session_start();
		$_SESSION['username'] = $user;
		$_SESSION['domain'] = $domain;
		$_SESSION['workstation'] = $workstation;
	}
}
}

 

What i would like to do is store the information in a session so I can access the information without having to call the function on every page. I have a header.php file which is called on each page, so in this file i have added;

 

require_once 'functions.php';
session_id();
session_start();
if (!$_SESSION['username']) {
    get_user_details();
}

 

This works, but seems to be breaking certain pages that retrieve $_POST details but I can not figure out why??

 

I have tried to work it out for the past 3 days but cant seem to get it to work, any help would be greatly appreciated! 

[ale1981]

UPDATE:

 

This breaks $_POST on all pages, however $_GET seems to work fine, this is giving me a huge headache!

[trq]

Whats exactly do you mean by 'breaks'?

[ale1981]

Sorry by break I mean that $_POST is always empty.

 

If i remove;

 

session_save_path($_SERVER['DOCUMENT_ROOT']. 'tmp/sessions');
session_id();
session_start();

 

from the top of my header.php file then $_POST works again!

[ale1981]

New update!

 

I think it is something in the function affecting $_POST.

 

I have removed the function call and tried to create a session and everything seems to work, what in the function could be affecting the $_POST details, could it be the header calls?

[BlueSkyIS]

why do you use these lines?

 

session_save_path($_SERVER['DOCUMENT_ROOT']. 'tmp/sessions');
session_id();

 

Also, I see that you use session_start() before the function and again within the function. that could mess things up.

[ale1981]

Hi BlueSky

 

I have since amended the files, i have removed session_id() and the second instance of session_start() in the function.

I used the session_save_path to make sure the session files were being created.

 

With more testing, if I call the function get_user_details() every time in the header.php file then $_POST works fine, however if i only call it once to store the user details then $_POST doesnt work!? Is it something inside the function that is authenticating?