CURL ignores $_SESSION???

I have a security mechanism that checks that session variables are set,
and if not, redirects. It seems, however, that CURL just ignores this
statement and completely breaches my security.

Does anyone have any ideas how to avoid this?
Feb 18 '07 #1
turnitup wrote:
> I have a security mechanism that checks that session variables are set,
> and if not, redirects. It seems, however, that CURL just ignores this
> statement and completely breaches my security.
>
> Does anyone have any ideas how to avoid this?

It seems that CURL ignores the redirect header. I had to put an exit
after that statement. Sorted now. CAVEAT REDIRECTOR!!!
Feb 18 '07 #2
Rik
On Sun, 18 Feb 2007 17:02:36 +0100, turnitup <same@same> wrote:
> turnitup wrote:
>> I have a security mechanism that checks that session variables are set,
>> and if not, redirects. It seems, however, that CURL just ignores this
>> statement and completely breaches my security.
>> Does anyone have any ideas how to avoid this?
>
> It seems that CURL ignores the redirect header. I had to put an exit
> after that statement. Sorted now. CAVEAT REDIRECTOR!!!

Which is why redirecting should actually be done like this:

<?php
$target = 'http://example.com';
header("Location: $target");
print("You are being redirected to $target, click <a
href=\"$target\">here</a> if you don't get redirected.");
exit;
?>

Not only cURL, but all kinds of applications & browsers can choose not to
directly follow your location headers. If you open pages with cURL, and
you want to obey redirects from the header, use:
curl_setopt($curl,CURLOPT_FOLLOWLOCATION, true);
--
Rik Wasmus
Feb 18 '07 #3
turnitup wrote:
> turnitup wrote:
>> I have a security mechanism that checks that session variables are
>> set, and if not, redirects. It seems, however, that CURL just ignores
>> this statement and completely breaches my security.
>>
>> Does anyone have any ideas how to avoid this?
>
> It seems that CURL ignores the redirect header. I had to put an exit
> after that statement. Sorted now. CAVEAT REDIRECTOR!!!

You always have to put exit after redirection. And mind you this has
nothing to do with CURL, it's just that PHP won't stop executing a
script just because you set a header unless you say so. And remember
that this is a good feature, not a bad. You just need to be aware of it.

--
"I am not a bad person, but apples are my livelihood." -Perttu Sirviö
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Feb 18 '07 #4
> I have a security mechanism that checks that session variables are set,
> and if not, redirects. It seems, however, that CURL just ignores this
> statement and completely breaches my security.
>
> Does anyone have any ideas how to avoid this?

If you send sensitive data to the browser anyway when it fails
requirements for getting it, you have no security. Never depend
on the browser to do what you want. It could just be something
that sucks down the response and stores it in a file, or a telnet
client that logs the session. Oh, yes, ordinary clients might cache
it where it can be found by a user, also.

One of the more likely clients to ignore your "security" mechanism
is a search engine.

Feb 18 '07 #5
Kimmo Laine wrote:
> You always have to put exit after redirection. And mind you this has
> nothing to do with CURL, it's just that PHP won't stop executing a
> script just because you set a header unless you say so.

What's more, PHP doesn't send the headers to the client until you either
output some non-header content or your script exits.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 19 '07 #6
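
The behaviour the replies describe, as an added example that is not part of the original thread: one PHP file that serves a session-guarded page with and without `exit` after the `Location` header, then requests both with cURL without following redirects. Port 8099, the `/vulnerable`, `/fixed` and `/login` paths, the `user_id` session key and the `SECRET` marker are assumptions made for the demonstration; it needs PHP 7.4 or later with the curl extension.

```php
<?php
// Added example, not code from the thread. Port 8099, the paths and the
// 'user_id' session key are assumptions. Run from a shell: php demo.php
const SECRET = 'PROTECTED-CONTENT'; // constructed marker for the guarded page

if (PHP_SAPI !== 'cli') {
    // Web side: PHP's built-in server runs this file as its router script.
    session_start();
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    if (empty($_SESSION['user_id'])) {
        header('Location: /login', true, 302);
        if ($path === '/fixed') {
            exit; // stop here, so nothing below is ever sent
        }
        // '/vulnerable' falls through: header() only queues a header
    }
    echo SECRET;
    return;
}

// Client side: request a URL as cURL does by default, not following Location.
function fetch(string $url): array
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    $body = curl_exec($ch);
    return [curl_getinfo($ch, CURLINFO_HTTP_CODE), (string) $body];
}

// Start the built-in server on this same file, discarding its log output.
$server = proc_open(
    [PHP_BINARY, '-S', '127.0.0.1:8099', __FILE__],
    [1 => ['null'], 2 => ['null']],
    $pipes
);
sleep(1); // give the server time to bind

foreach (['/vulnerable', '/fixed'] as $path) {
    [$status, $body] = fetch('http://127.0.0.1:8099' . $path);
    $leak = strpos($body, SECRET) !== false ? 'LEAKS protected content' : 'body is clean';
    echo "$path -> HTTP $status, $leak\n";
}
proc_terminate($server);
```

Both requests come back with a 302 status, but only the `/fixed` response has a body free of the protected marker, so a check like this should look at the body of the redirect response and not just its status code.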
