[thelist] HELP! recognize PHP session variables in frames

Eric Cestari eric at ohmforce.com
Sat Feb 17 17:07:03 CST 2001


Hi,

As Matt said, a session variable is a variable passed to every script the
user invokes.
So wherever you session_register() a variable, it is available in the global
scope of all the scripts during the session.


<tip type="php session variables are globals" author="eric cestari">
When using a session variable in a function in PHP, don't forget to declare
it global first!
This is one source of bugs, as PHP won't tell you that it has not been
declared.
</tip>
You can also use the very practical session_is_registered("foo") to check if
variable $foo has been ... well ... registered. Two main uses: debug and
security.

Debug is obvious. And you might want to use it :)
For security, if you don't have the track_vars configuration option
activated, when you check that a user is logged in, do not use:
if (isset($login))
{
    perform_secure_tasks();
}
else
{
    kick_out();
}

as a malicious user could add this at the end of the script URL:
    http://some.url/bar.php?login=true

and isset($login) would return true.
Do instead:
if (session_is_registered("login"))
{
    perform_secure_tasks();
}
else
{
    kick_out();
}

Hope this helps :)

    Eric

----- Original Message -----
From: "Warden, Matt" <mwarden at odyssey-design.com>
To: <thelist at lists.evolt.org>
Sent: Saturday, February 17, 2001 10:16 PM
Subject: Re: [thelist] HELP! recognize PHP session variables in frames


> <disclaimer>
> I know very little about PHP sessions. What I'm offering is information on the
> usual implementation of sessions and adding a bit of common sense into the
> mix.
> </disclaimer>
>
> > If I have the frames listed below in a file called framepage.php:
> >
> > <FRAMESET COLS="73,*">
> >  <FRAME SRC="sidebar.html" NAME="sidebar">
> >  <FRAME SRC="main.php" NAME="main">
> > </FRAMESET>
> >
> > How can I send a session variable to main.php instead of just the entire
> > framepage.php??
> >
> > I am using php session variables for a login session, so framepage.php is loading
> > up, but the main frame section called main.php needs to call these variables also
> > to perform different tasks depending on the user logged in.
>
> The basic idea of sessions is to "link" a set of requests to a single user. If
> a user makes two HTTP requests, the server doesn't know whether those requests
> came from two different users or the same user. With sessions, this
> information is available (as long as cookies are enabled or some other method
> is used (like passing the sessionid in the querystring)). So, then it doesn't
> make sense that framepage.php would have session variables available and
> main.php (or sidebar.php for that matter).
>
> Have you verified that you can print out the session variables in
> framepage.php? If you can't, there's a problem with sessions, not passing the
> variables.
>
> If, in fact, there is some unique issue with PHP sessions, you can always do
> this:
>
> <FRAMESET COLS="73,*">
>  <FRAME SRC="sidebar.html" NAME="sidebar">
>  <FRAME SRC="main.php<? echo "?var1=$sessionvar1" ?>" NAME="main">
> </FRAMESET>
>
> and it will be available to main.php as $var1 and $HTTP_GET_VARS['var1']
>
> But, like I said, you shouldn't have to do that.
>
>
>
> HTH,
>
>
> --
> mattwarden
> mattwarden.com
>
===========================+========================
Eric Cestari                        | Ohm Force
Chief Web Designer                  | Digital Audio Software
mailto:eric.cestari at ohmforce.com | http://www.ohmforce.com
===========================+========================
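
The two login checks compared in the message above, side by side, as an added example that is not part of the original thread. register_globals and session_is_registered() were removed in PHP 5.4, so this sketch reproduces the shared-namespace behaviour with extract() and reads the session flag from an array standing in for $_SESSION; the function names and the sample session contents are hypothetical.

```php
<?php
// Added example. Function names are hypothetical; the session contents are
// constructed. $query stands in for $_GET and $session for $_SESSION
// (as populated after session_start()).

// The flawed check: request parameters share a namespace with session
// variables, which is what register_globals did. extract() reproduces it.
function is_logged_in_vulnerable(array $query, array $session): bool
{
    extract($session);   // variables registered in the session
    extract($query);     // client-supplied parameters, same scope
    return isset($login);
}

// The corrected check: ignore $query entirely, consult only server-side
// session storage, and require the exact value the login code stored.
function is_logged_in_hardened(array $query, array $session): bool
{
    return isset($session['login']) && $session['login'] === true;
}

// Turn a URL into the parameter array PHP would build for the request.
function query_params(string $url): array
{
    parse_str(parse_url($url, PHP_URL_QUERY) ?? '', $params);
    return $params;
}

$cases = [
    'anonymous, plain URL'   => ['http://some.url/bar.php', []],
    'anonymous, ?login=true' => ['http://some.url/bar.php?login=true', []],
    'logged-in session'      => ['http://some.url/bar.php', ['login' => true]],
    'false flag in session'  => ['http://some.url/bar.php', ['login' => false]],
];

foreach ($cases as $label => [$url, $session]) {
    $query = query_params($url);
    printf(
        "%-24s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export(is_logged_in_vulnerable($query, $session), true),
        var_export(is_logged_in_hardened($query, $session), true)
    );
}
```

The last case shows a second weakness of the isset() test: it reports a variable holding false as set, so the check has to compare the stored value, not just its existence.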








