471,071 Members | 3,839 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,071 software developers and data experts.

PHP Session Trouble on Multiple Include

Ok, you all are going to have to bear with me on this one as it is
kinda complicated to explain. I am implementing a company management
suite that requires Role-Based authentiations (ie. users are in groups
and groups have roles). I have one script which is included in EVERY
page in the protected area (masterFuncs.php) and it contains function
declarations as well as the authentication module kick-off. Here is a
snippet from masterFuncs
<snip>
<?
require_once("${includeBase}company/utils/cipher/crypt_class.php");
require_once("${includeBase}company/utils/Adodb/adodb.inc.php");
require_once("${includeBase}company/security/RoleAuth.php");
require_once("${includeBase}_data/__common/pageFunctions.php");

$rAuth = new RoleAuth();

if( isset($_GET['logout']) && TRUE == $_GET['logout'] )
{
$rAuth->logout();
header("Location: ${baseRef}company/index.php?feedback=".urlencode("You
Have Been Logged Out"));
}

if( count($mustHaveRoles) > 0 )
{
//User is required to have ALL roles
$rAuth->requireRoles($mustHaveRoles);
}

if( count($atLeastRoles) > 0 )
{
//User is required to have 1 role
$rAuth->requireAtLeast($atLeastRoles);
}
</snip>
Then when I want to restrict a page to a subset of my users i put at
the top:
<?
$mustHaveRoles(array("userCreate", "userEdit"));
$atLeastRoles(array("userView"));

include "../masterFuncs.php"
?>
Deeply seeded within the requireAtLeast() and requireRole() methods is
a session_start(). The problem arises when a script has
$mustHaveRoles or $atLeastRoles set and then after the return of the
include masterFuncs.php and the roles have been validated the script
may "include" another page that may have different role requirements
set and reincludes masterFuncs.php to verify them. When it gets to
the session_start() there is no session data set and it wants you to
re-authenticate.

As a weird twist, if i substitute require_once or include_once for the
include directive everything works...however i don't think that the
second role requirements are enforced because it does not re-evaluate
the script. Ideas??

Thanks in advance,
Sean Pinto
Jul 17 '05 #1
1 2166
Ron
"Sean Pinto" <sp****@virtualslo.com> wrote in message
news:a0*************************@posting.google.co m...
I have one script which is included in EVERY
page in the protected area (masterFuncs.php) and it contains function
declarations as well as the authentication module kick-off. Here is a
snippet from masterFuncs
<snip>
<?
require_once("${includeBase}company/utils/cipher/crypt_class.php");
require_once("${includeBase}company/utils/Adodb/adodb.inc.php");
require_once("${includeBase}company/security/RoleAuth.php");
require_once("${includeBase}_data/__common/pageFunctions.php");

$rAuth = new RoleAuth();

if( isset($_GET['logout']) && TRUE == $_GET['logout'] )
{
$rAuth->logout();
header("Location: ${baseRef}company/index.php?feedback=".urlencode("You
Have Been Logged Out"));
}

if( count($mustHaveRoles) > 0 )
{
//User is required to have ALL roles
$rAuth->requireRoles($mustHaveRoles);
}

if( count($atLeastRoles) > 0 )
{
//User is required to have 1 role
$rAuth->requireAtLeast($atLeastRoles);
}
</snip>
Then when I want to restrict a page to a subset of my users i put at
the top:
<?
$mustHaveRoles(array("userCreate", "userEdit"));
$atLeastRoles(array("userView"));

include "../masterFuncs.php"
?>
Deeply seeded within the requireAtLeast() and requireRole() methods is
a session_start(). The problem arises when a script has
$mustHaveRoles or $atLeastRoles set and then after the return of the
include masterFuncs.php and the roles have been validated the script
may "include" another page that may have different role requirements
set and reincludes masterFuncs.php to verify them. When it gets to
the session_start() there is no session data set and it wants you to
re-authenticate.

As a weird twist, if i substitute require_once or include_once for the
include directive everything works...however i don't think that the
second role requirements are enforced because it does not re-evaluate
the script. Ideas??

Thanks in advance,
Sean Pinto


Hi,

First, regarding the require / include _once.

this variant is intended to prevent the same file being included more then
once. If any of the code in an included file would overwrite a previous
function or define declaration the system throws a fatal error. your best
bet would be to pull the system start out and put it in a place where it is
included exactly once for each run in all cases.

Second Session Variables

Note that session variable handling is affected by the register globals
setting session variable type (server/cookies etc and also by PHP version.
check the manual for differences.
I use a 4.3.x server with globals off. the recommended construct for this is
$_SESSION['varname'] I test for the presence of my session variable and if
not found prime it.
thereafter until the end of the session (session_destroy()) or close of
browser it is always there..
For reliability I always set the variable initially before headers are sent,
in fact if you can process your session variables before sending headers you
get around lots of behavioural differences between implementations,

To make handling easy, remember that (with session files anyway- others
untested) you can make your session variable into a multidimensional array,
so testing for the base name is sufficient for crude tests, followed by
detailed examination/setting of the array elements for fine control.
HTH

Ron

Jul 17 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

27 posts views Thread by mrbog | last post: by
reply views Thread by james | last post: by
3 posts views Thread by Geoff Winsor | last post: by
20 posts views Thread by p175 | last post: by
13 posts views Thread by Samir Chouaieb | last post: by
reply views Thread by leo001 | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.