PHP Session Trouble on Multiple Include

Ok, you all are going to have to bear with me on this one as it is
kinda complicated to explain. I am implementing a company management
suite that requires Role-Based authentications (i.e. users are in groups
and groups have roles). I have one script which is included in EVERY
page in the protected area (masterFuncs.php) and it contains function
declarations as well as the authentication module kick-off. Here is a
snippet from masterFuncs
<snip>
<?php
// Shared dependencies; require_once keeps each file from being loaded twice.
require_once("${includeBase}company/utils/cipher/crypt_class.php");
require_once("${includeBase}company/utils/Adodb/adodb.inc.php");
require_once("${includeBase}company/security/RoleAuth.php");
require_once("${includeBase}_data/__common/pageFunctions.php");

$rAuth = new RoleAuth();

if( isset($_GET['logout']) && TRUE == $_GET['logout'] )
{
    $rAuth->logout();
    header("Location: ${baseRef}company/index.php?feedback=".urlencode("You Have Been Logged Out"));
    exit; // stop here so the role checks below do not run after logout
}

if( count($mustHaveRoles) > 0 )
{
    //User is required to have ALL roles
    $rAuth->requireRoles($mustHaveRoles);
}

if( count($atLeastRoles) > 0 )
{
    //User is required to have 1 role
    $rAuth->requireAtLeast($atLeastRoles);
}
</snip>
Then when I want to restrict a page to a subset of my users I put at
the top:
<?php
// Role requirements for this page, read by masterFuncs.php
$mustHaveRoles = array("userCreate", "userEdit");
$atLeastRoles = array("userView");

include "../masterFuncs.php";
?>
Deeply seeded within the requireAtLeast() and requireRole() methods is
a session_start(). The problem arises when a script has
$mustHaveRoles or $atLeastRoles set and then after the return of the
include masterFuncs.php and the roles have been validated the script
may "include" another page that may have different role requirements
set and reincludes masterFuncs.php to verify them. When it gets to
the session_start() there is no session data set and it wants you to
re-authenticate.

As a weird twist, if I substitute require_once or include_once for the
include directive everything works...however I don't think that the
second role requirements are enforced because it does not re-evaluate
the script. Ideas??

Thanks in advance,
Sean Pinto
Jul 17 '05 #1
Ron
Hi,

First, regarding the require / include _once.

This variant is intended to prevent the same file being included more than
once. If any of the code in an included file would overwrite a previous
function or define declaration the system throws a fatal error. Your best
bet would be to pull the system start out and put it in a place where it is
included exactly once for each run in all cases.

Second, Session Variables

Note that session variable handling is affected by the register globals
setting, session variable type (server/cookies etc.) and also by PHP version.
Check the manual for differences.
I use a 4.3.x server with globals off. The recommended construct for this is
$_SESSION['varname']. I test for the presence of my session variable and if
not found prime it.
Thereafter until the end of the session (session_destroy()) or close of
browser it is always there.
For reliability I always set the variable initially before headers are sent;
in fact if you can process your session variables before sending headers you
get around lots of behavioural differences between implementations.

To make handling easy, remember that (with session files anyway - others
untested) you can make your session variable into a multidimensional array,
so testing for the base name is sufficient for crude tests, followed by
detailed examination/setting of the array elements for fine control.
HTH

Ron

Jul 17 '05 #2
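
An added example, not part of either post: one way to apply the advice above in current PHP (5.4+), separating the once-only setup from a role check that each page or included fragment calls with its own requirements. The names enforce_roles(), has_required_roles(), $_SESSION['auth'] and login.php are assumptions made for illustration, not the poster's RoleAuth API.

```php
<?php
// auth_bootstrap.php -- load with require_once so the functions are declared
// and the session is started exactly once per request.
// Hypothetical names throughout: enforce_roles(), $_SESSION['auth'], login.php.

// Start the session only if one is not already active, and before any output.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Prime the session structure on first use (one multidimensional array).
if (!isset($_SESSION['auth'])) {
    $_SESSION['auth'] = array('user' => null, 'roles' => array());
}

// Pure check: true when the user holds every role in $mustHave and, if
// $atLeast is non-empty, at least one role from it.
function has_required_roles(array $userRoles, array $mustHave, array $atLeast)
{
    if (count(array_diff($mustHave, $userRoles)) > 0) {
        return false;   // a mandatory role is missing
    }
    if (count($atLeast) > 0 && count(array_intersect($atLeast, $userRoles)) === 0) {
        return false;   // none of the alternative roles is held
    }
    return true;
}

// Enforcement: safe to call many times per request, once per page or
// included fragment, each with its own requirements. Always ends in exit
// on failure, so the caller's code never runs for an unauthorised user.
function enforce_roles(array $mustHave = array(), array $atLeast = array())
{
    $auth = $_SESSION['auth'];
    if ($auth['user'] === null) {
        header('Location: login.php');   // assumed login page
        exit;
    }
    if (!has_required_roles($auth['roles'], $mustHave, $atLeast)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// In a page:      require_once 'auth_bootstrap.php';
//                 enforce_roles(array('userCreate', 'userEdit'), array('userView'));
// In a fragment:  require_once 'auth_bootstrap.php';   // no-op the second time
//                 enforce_roles(array(), array('userView'));
```

Because the check is a function call and not a side effect of including the file, require_once no longer skips the second set of requirements.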
