Session does not work as expected in Ajax and PHP request

0

Well, I have a main page, index.php, where the user performs an action that sends a POST via an Ajax request. In this main file I create a session with some data that I want to keep more secure and not visible, and other data for confirmations.

Example: index.php

<?php
session_start(); // required before $_SESSION is used (left out of the excerpt)
// session example
$_SESSION['EXAMPLE'] = [
    'token' => '123456abcExample', // A NEW, UNIQUE TOKEN IS ALWAYS GENERATED WHEN THE index.php PAGE IS LOADED
    'other' => 'stringEtc'
];
?>
...
<script>
// example of the ajax request - on the same site
// page "http://example.com/url/index.php" and the other "http://example.com/url/request.php"

$.post('http://example.com/url/request.php', {
    'example': 'string',
    // a PHP value has to be printed into the script; JavaScript cannot read $_SESSION itself
    'token': <?= json_encode($_SESSION['EXAMPLE']['token']) ?>
}, function (response) {
    // code
}, 'json');
</script>

There is a second page, request.php, to which I send the Ajax request and which returns JSON. On this second page I check whether the session token is the same as the one in the AJAX request, and only if they match does the code continue.

Example: request.php

<?php
session_start(); // the session must be opened on this page too
if ($_SESSION['EXAMPLE']['token'] == $_POST['token']) {
    // ...
}

However, on the second page the session token arrives different from what it was before. Let's say that on the main index.php page the token created in the session was 12345abcExampleToken; it is also passed in the AJAX data, but on the second page it arrives as "789452hjkhToken", or another totally different one, as if index.php had been run again and a new token had been created.

Well, I'd like to know why this might be happening. And if there is a more secure solution ("if the way I'm doing this is really safe"), could you please share it with me?


Note: the token is generated by a static class method; I thought it worth mentioning.

class Example
{
    public static function getToken(): string
    {
        return 'createToken';
    }
}

and I use this in the session:

$_SESSION['EXAMPLE'] = [
    'token' => Example::getToken(),
    'other' => 'stringEtc'
];
asked by anonymous 12.08.2017 / 21:21
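As an added example (not code from the question or from either answer), here is the whole flow from the question in one script: a GET renders the page and embeds the token for the Ajax call, and the Ajax POST comes back to the same script, where it is checked against the session. It assumes the file is served as index.php and that jQuery is loaded from the CDN URL shown; the field names 'token' and 'example' follow the question, everything else is illustrative.

```php
<?php
// Added example: one script playing both roles (index.php and request.php).
// Assumes it is served as index.php and that jQuery is available.
declare(strict_types=1);

session_start(); // must run on every page that reads or writes $_SESSION

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');

    $sent   = $_POST['token'] ?? '';
    $stored = $_SESSION['EXAMPLE']['token'] ?? '';

    // hash_equals is constant-time and strict about types; == would compare
    // numeric-looking strings as numbers, and an array would make it throw.
    if ($stored === '' || !is_string($sent) || !hash_equals($stored, $sent)) {
        http_response_code(403);
        echo json_encode(['ok' => false, 'error' => 'invalid token']);
        exit;
    }

    echo json_encode(['ok' => true, 'example' => $_POST['example'] ?? null]);
    exit;
}

// GET: issue a fresh token for this page load, as the question does, and keep
// the sensitive values in the session only; the token is the one thing the
// browser needs to see.
$_SESSION['EXAMPLE'] = [
    'token' => bin2hex(random_bytes(32)), // 64 hex chars from a CSPRNG
    'other' => 'stringEtc',
];
?>
<!doctype html>
<meta charset="utf-8">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
// json_encode produces a valid JavaScript string literal; JavaScript cannot
// read PHP superglobals directly, which is the syntax problem in the question.
var token = <?= json_encode($_SESSION['EXAMPLE']['token']) ?>;

$.post(location.pathname, { example: 'string', token: token }, function (response) {
    console.log(response.ok ? 'token accepted' : 'rejected: ' + response.error);
}, 'json');
</script>
```

Because the token is regenerated on every GET, any second load of index.php before the Ajax POST arrives will invalidate the token the browser already holds; if that is not the behaviour you want, generate the token only when the session does not have one yet.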

2 answers

0

I discovered what was causing it! I do not know why this happens, but it was an HTML element that had a style attribute with an empty background, as follows:

<section class="..." style="background: url('') center;"></section>

Maybe it's because it's calling the page again.

02.09.2017 / 01:42
0

Let's illustrate: suppose this code is your index.php

session_start();
$_SESSION['TOKEN'] = md5(time()); // generates the token and saves it in the session
echo "THE TOKEN IS: " . $_SESSION['TOKEN']; // prints the session token on screen

Here would be your request.php; if it includes index.php it will automatically generate another token and overwrite $_SESSION['TOKEN']

include "index.php";
if ($_SESSION['TOKEN'] == $_POST['TOKEN']) {
    // this would go wrong. why? because index.php was included
}

My recommendation is that you create a new file, for example request2.php, and perform only the data verification in it

if ($_SESSION['TOKEN'] == $_POST['TOKEN']) {
    // this would work. why? because index.php was not included
}

Observation:

If you call the getToken() method that is in the Example class in your index.php, you cannot call this method again in your request.php, as it will overwrite the previous TOKEN.

Example:

Example::getToken(); // this would be overwriting $_SESSION['TOKEN']
if ($_SESSION['TOKEN'] == $_POST['TOKEN']) {
    // this would go wrong.
}
19.08.2017 / 04:52
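Both answers come down to the same failure: something runs the token-generating code a second time, whether a stray page load from background: url('') or an include of index.php from request.php. The following is an added example, not code from either answer, of a token helper that is safe to require from any number of files: it creates the token once per session, so a repeated run does not replace it, and it writes a log line for every generation and every rejected check, including the Fetch Metadata header that says what kind of request triggered the load. The file name csrf_token.php and the log path are assumptions; it assumes PHP 7.1 or later.

```php
<?php
// Added example: csrf_token.php (file name assumed). Require it from index.php
// and request.php; requiring it twice is harmless because the token is only
// generated when the session does not already hold one.
declare(strict_types=1);

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns the session token, creating it on first use only. A second include
// of index.php, or a second load of index.php caused by an empty url(''),
// therefore leaves the token the browser already has untouched.
function currentToken(): string
{
    ensureSession();
    if (empty($_SESSION['TOKEN'])) {
        $_SESSION['TOKEN'] = bin2hex(random_bytes(32));
        logTokenEvent('generated');
    }
    return $_SESSION['TOKEN'];
}

// Strict, constant-time comparison; a missing token or a non-string
// (for example an array sent as token[]) is rejected rather than crashing.
function verifyToken($candidate): bool
{
    ensureSession();
    $ok = is_string($candidate)
        && !empty($_SESSION['TOKEN'])
        && hash_equals($_SESSION['TOKEN'], $candidate);
    if (!$ok) {
        logTokenEvent('rejected');
    }
    return $ok;
}

// Browsers send Sec-Fetch-Dest with each request: a real navigation carries
// "document", a CSS background image carries "image". A "generated" entry for
// index.php with dest=image is exactly the phantom load from url('') that the
// first answer found, and the log shows it without guessing.
function logTokenEvent(string $event): void
{
    $line = sprintf(
        "%s %s uri=%s method=%s dest=%s referer=%s session=%s\n",
        date('c'),
        $event,
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['HTTP_SEC_FETCH_DEST'] ?? '-',
        $_SERVER['HTTP_REFERER'] ?? '-',
        substr(session_id(), 0, 8)
    );
    // message type 3 appends to the given file; the path is an assumption
    error_log($line, 3, __DIR__ . '/token_events.log');
}

// Usage in index.php:   require 'csrf_token.php'; $token = currentToken();
// Usage in request.php: require 'csrf_token.php';
//                       if (!verifyToken($_POST['TOKEN'] ?? null)) { http_response_code(403); exit; }
```

With this helper the include that the second answer warns about no longer matters, and the only way to change the token is to clear $_SESSION['TOKEN'] deliberately (for example after a successful login, together with session_regenerate_id()).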