
CURL ignores $_SESSION???

I have a security mechanism that checks that session variables are set,
and if not, redirects. It seems, however, that CURL just ignores this
statement and completely breaches my security.

Does anyone have any ideas how to avoid this?
Feb 18 '07 #1
5 Replies


turnitup wrote:
> I have a security mechanism that checks that session variables are set,
> and if not, redirects. It seems, however, that CURL just ignores this
> statement and completely breaches my security.
>
> Does anyone have any ideas how to avoid this?

It seems that CURL ignores the redirect header. I had to put an exit
after that statement. Sorted now. CAVEAT REDIRECTOR!!!
Feb 18 '07 #2

Rik
On Sun, 18 Feb 2007 17:02:36 +0100, turnitup <same@same> wrote:
> turnitup wrote:
>> I have a security mechanism that checks that session variables are set,
>> and if not, redirects. It seems, however, that CURL just ignores this
>> statement and completely breaches my security.
>>
>> Does anyone have any ideas how to avoid this?
>
> It seems that CURL ignores the redirect header. I had to put an exit
> after that statement. Sorted now. CAVEAT REDIRECTOR!!!
Which is why redirecting should actually be done like this:

<?php
$target = 'http://example.com';
header("Location: $target");
// fallback body for clients that display the response instead of following it
print("You are being redirected to $target, click <a href=\"$target\">here</a> if you don't get redirected.");
// stop here so nothing after the redirect is ever sent
exit;
?>

Not only cURL, but all kinds of applications & browsers can choose not to
directly follow your location headers. If you open pages with cURL, and
you want to obey redirects from the header, use:
curl_setopt($curl,CURLOPT_FOLLOWLOCATION, true);
--
Rik Wasmus
Feb 18 '07 #3

turnitup wrote:
> turnitup wrote:
>> I have a security mechanism that checks that session variables are
>> set, and if not, redirects. It seems, however, that CURL just ignores
>> this statement and completely breaches my security.
>>
>> Does anyone have any ideas how to avoid this?
>
> It seems that CURL ignores the redirect header. I had to put an exit
> after that statement. Sorted now. CAVEAT REDIRECTOR!!!
You always have to put exit after redirection. And mind you this has
nothing to do with CURL, it's just that PHP won't stop executing a
script just because you set a header unless you say so. And remember
that this is a good feature, not a bad. You just need to be aware of it.

--
"I am not a bad person, but apples are my livelihood." -Perttu Sirviö
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Feb 18 '07 #4

> I have a security mechanism that checks that session variables are set,
> and if not, redirects. It seems, however, that CURL just ignores this
> statement and completely breaches my security.
>
> Does anyone have any ideas how to avoid this?
If you send sensitive data to the browser anyway when it fails
requirements for getting it, you have no security. Never depend
on the browser to do what you want. It could just be something
that sucks down the response and stores it in a file, or a telnet
client that logs the session. Oh, yes, ordinary clients might cache
it where it can be found by a user, also.

One of the more likely clients to ignore your "security" mechanism
is a search engine.

Feb 18 '07 #5

Kimmo Laine wrote:
> You always have to put exit after redirection. And mind you this has
> nothing to do with CURL, it's just that PHP won't stop executing a
> script just because you set a header unless you say so.
What's more, PHP doesn't send the headers to the client until you either
output some non-header content or your script exits.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 19 '07 #6
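The point made in #4 and #6 (header() does not stop the script, and the Location header goes out together with whatever the script prints afterwards), as an added example that is not from the thread: the same session check written the broken way and the fixed way. The file name page.php, the target /login.php and the user_id session key are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed to be saved as page.php
// and served with: php -S 127.0.0.1:8080   then: curl -i http://127.0.0.1:8080/page.php
declare(strict_types=1);
session_start();

// BROKEN: header() only queues the Location header. PHP keeps executing,
// so any client that does not follow redirects (curl without -L, a crawler,
// a proxy that logs responses) still receives everything printed afterwards.
function require_login_broken(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');   // /login.php is a placeholder target
        // no exit: the caller's "protected" output below is still sent
    }
}

// FIXED: explicit 303 status, a short fallback body for clients that show
// the response instead of following it, no caching, and exit so nothing
// else is emitted.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        $target = '/login.php';
        header('Location: ' . $target, true, 303);
        header('Cache-Control: no-store');
        // escape the target in case it is ever built from request input
        $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
        echo "You are being redirected to <a href=\"$safe\">$safe</a>.";
        exit;
    }
}

require_login();   // swap in require_login_broken() to reproduce the leak
header('Content-Type: text/html; charset=UTF-8');
echo '<h1>Secret report</h1><p>Only logged-in users should ever see this.</p>';
```

With require_login_broken() in place, curl -i (no -L) shows a 302 response whose body still contains the "Secret report" markup; with require_login() the status is 303 and the body is only the one-line fallback, which is the check to run against every redirect-guarded page.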
