
Can somebody enlighten me as to the best way (or, if it's even possible) to access session data in a php/js file that is injected into the DOM?

Illustrative example, to be more clear:

index.php:

<?php
     session_start();
     $_SESSION['logged_in'] = true;
?>

<script type="text/javascript" src="http://www.domain.com/include.php"></script>

include.php:

<?php
// This file is loaded via <script src>, so declare the response as JavaScript.
header('Content-Type: application/javascript');

session_start();
// Avoid an undefined-index notice when the session has no flag yet.
$logged_in = isset($_SESSION['logged_in']) ? $_SESSION['logged_in'] : false;

?>

alert("<?php echo $logged_in ? 'true' : 'false'; ?>");

The include.php script is one that, ideally, any client could drop into their header, not that that necessarily matters. I do have the ability to pass parameters in the script URL (i.e. http://www.domain.com/include.php?s=213409239323939) so I've thought about passing the session ID that way, but I'm unsure if there are inherent security risks in exposing the session ID. Any advice or thoughts are welcome.

** EDIT - I should make clear that the script file (include.php) is on a different domain name.

Mike
  • there is definitely a risk of session hijacking if you're passing session IDs via URL if you're not disposing of the sessions properly. – Brian Driscoll Feb 17 '11 at 16:13
  • Re your edit, is the different domain on a different server as well? – Pekka Feb 17 '11 at 16:16
  • @Pekka - It will vary from client to client. Some are internally hosted and others aren't, so the solution needs to work regardless of the domain/server. – Mike Feb 17 '11 at 16:18
  • @Mike but then your real issue is propagating a session to a 3rd party server, which is not trivial and a different thing. However, it shouldn't be necessary in the first place: Setting a JavaScript `loggedin` variable in the original document might already be enough – Pekka Feb 17 '11 at 16:22
  • @Pekka - Your answer below is working pretty well, I may just go with that. If you have any links handy re your mention of propagating to a 3rd party server I'd be interested in reading more about that... – Mike Feb 17 '11 at 16:28
  • @Mike yeah. The concept is called "Single sign on" and fairly complex, but it looks like you indeed won't need it, as you can set anything relevant in the HTML document. Anyway, here is one good reference question on the issue: http://stackoverflow.com/questions/342378/cross-domain-login-how-to-login-a-user-automatically-when-transfered-from-one-d – Pekka Feb 17 '11 at 16:32
  • @Pekka - Ah yes. Ok, I've heard the term before and I'm pretty sure we just implemented that in another system here. Definitely don't need that for this. Thanks for the link, good bookmark. – Mike Feb 17 '11 at 16:43

3 Answers

You are always exposing the session ID in some way - either in the cookie, or a GET parameter. Carrying the session ID over is not a security risk in itself. (Edit: This is referring to same-domain links. Cross-server session propagation is a different issue, nicely outlined e.g. here).

However, if at all possible, consider doing all the dynamic bits of your script in the document itself:

<script>
// json_encode() escapes quotes and, with the JSON_HEX_* flags, "<", ">", "&"
// and "'" as well, so a session value cannot break out of the literal or
// close the <script> element.
var MyDynamicData = <?php echo json_encode(array(
    'xyz' => $_SESSION['xyz'],
    'abc' => $_SESSION['abc'],
), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>

<script src="external_script.js"></script>

that would allow you to have the external JavaScript as a static resource, which is good because

  • It is easily cached because it has no dynamic bits
  • It can be compressed by the web server
  • It doesn't need a separate PHP process to serve.
Pekka
  • I suppose this method is certainly an option. One of the key points I need to keep in mind is keeping the code that the client needs to add to their site to a minimum. I could keep it to two lines with this method, which isn't bad. – Mike Feb 17 '11 at 16:20
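A worked version of the pattern in this answer (and of the question's include.php idea), added here as an example; it is not code from the question or from any of the answers. It keeps the session ID out of the URL by making PHP accept it only from an HttpOnly cookie, and it seeds the page's JavaScript with a JSON-encoded whitelist of session-derived facts rather than with raw session strings. The function names, the `logged_in`/`display_name` keys and the sample session array are assumptions; the JSON_THROW_ON_ERROR and session.cookie_samesite settings need PHP 7.3 or later.

```php
<?php
// Added example: expose only non-secret, session-derived facts to page JS,
// never the session ID itself. Names and keys below are assumptions.

declare(strict_types=1);

// Start the session so the ID travels only in an HttpOnly cookie; with
// use_only_cookies PHP ignores any ?PHPSESSID=... supplied in the URL.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');   // no URL-based session IDs
    ini_set('session.use_trans_sid', '0');      // no automatic ?PHPSESSID rewriting
    ini_set('session.cookie_httponly', '1');    // document.cookie cannot read it
    ini_set('session.cookie_samesite', 'Lax');  // PHP >= 7.3
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');  // cookie only over TLS
    }
    session_start();
}

// Whitelist the facts the page may see. session_id() is deliberately absent.
function public_session_view(array $session): array
{
    return [
        'logged_in'    => !empty($session['logged_in']),
        'display_name' => isset($session['display_name'])
            ? (string) $session['display_name']
            : null,
    ];
}

// Build the inline <script> that seeds a global for the static external JS.
// JSON_HEX_TAG turns "<" and ">" into \u003C and \u003E, so a value such as
// "</script>" cannot close the element; JSON_HEX_QUOT/APOS handle quotes.
function session_bootstrap_script(array $public, string $global = 'MyDynamicData'): string
{
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $global)) {
        throw new InvalidArgumentException('global must be a plain JS identifier');
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR;
    $json = json_encode($public, $flags);
    return "<script>var {$global} = {$json};</script>\n";
}

// In a web request: secure_session_start(); then, in the page template,
// echo session_bootstrap_script(public_session_view($_SESSION));
//
// CLI demo with a constructed session whose display name tries to break out
// of the script element; the output keeps it inside the JSON string.
if (PHP_SAPI === 'cli') {
    $constructed = [
        'logged_in'    => true,
        'display_name' => '</script><script>alert(1)</script>',
        'csrf_token'   => 'not-for-the-page',   // filtered out by the whitelist
    ];
    echo session_bootstrap_script(public_session_view($constructed));
}
```

The static external script then reads `MyDynamicData.logged_in` as a real boolean, which is the property Pekka's answer relies on: the page remains cacheable and compressible, and the session ID is only ever carried by the cookie, so nothing about the session leaks through Referer headers, browser history or access logs the way a `?s=...` parameter would.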

You mean like this?

<script>
  // Full open tag (short "<?" tags may be disabled); !empty avoids a notice
  // when the session has no 'logged' key yet.
  var is_logged = <?php echo !empty($_SESSION['logged']) ? "true" : "false"; ?>;
</script>
<!--other stuff and html here-->
<script>
if (is_logged) {
  //do stuff
}
</script>
Mārtiņš Briedis

Maybe I'm wrong, but isn't it possible to see your session ID and cookie data in Firefox? If it is, I see no security risk in making it visible in the URL.

Rafael T