
Session Question

  • 11-12-2014 11:00am
    #1
    Registered Users, Registered Users 2 Posts: 263 ✭✭


    Hi guys

    I am trying to implement a session check but it's throwing a warning as I am technically calling session_start() twice.

    Basically I have a main.php page that has an ajax call to the ajax.php page. I want to access the session in both the main.php page and the ajax.php page, however to do this I have to call session_start() in both pages, which is throwing a warning: Warning: session_start(): Cannot send session cache....

    I have suppressed it by using @session_start(), but has anyone any ideas how to do this the "right way"?

    The session info is for a CSRF check so the ajax page cannot be called either off site or directly - using 'xmlhttprequest' also, just in case anyone suggests this.


Comments

  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    According to a thread on StackExchange it is okay to call session_start() multiple times, though it does generate an E_NOTICE warning.

    Maybe you could call session_id() before session_start(). If it returns an empty string no session exists and you can call session_start().

    I have not tried this, just read the docs.


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    I suppose the question is what is the correct way - I have posted this up on iwf too.

    on the main.php page I call this:

    $.ajax({
    beforeSend: function() { },
    type: "POST",
    url: "admin-infoload.php",
    data: "appid="+$currentId+"&year="+$yearvar+"&csrf_token=<?= create_csrf_tag();?>",

    create_csrf_tag() creates both the form item and a session variable

    then in the ajax page

    <?@session_start();

    if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {



    if(request_is_post()) {

    if(!csrf_token_is_valid() || !csrf_token_is_recent()) {

    I check if it's an ajax call, then check if the csrf is valid by comparing the form post csrf item with the session item.

    session.start() is needed on both of these pages from what I have read so the q is how to do it the "right way"

    The @session.start suppresses the warning message and the code works fine.


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    if (!session_id()) { session_start(); }


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    OK, but on the ajax page the session wouldn't have started so it will work fine on that page - however when it gets pulled into the main.php page which is calling it, the "environment" changes so the double call would exist, no?? (I'm going to try your code now anyhow!!!)


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    unfortunately no go:

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/eurotime/public_html/xxxxx/admin/admin-infoload.php:1) in


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    You must call session_start() before you send anything to the browser.

    If you have code that runs on every page (for example to connect to the database) then that is the place to put it.


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    It's being called in the ajax page though? So I have a whole page before it?


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    swordsinfo wrote: »
    It's being called in the ajax page though? So I have a whole page before it?

    In your PHP file (the one that the ajax call posts to), place the session code right at the top of the page, before any other code.


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    It is, so in main.php it's the first line of code, then I call ajax at the end of the page and this ajax.php page has it at the top to get the session variable that was created in the main.php page. So when the main.php page calls the ajax page there is suddenly two calls and hence the error. Without making the session.start call on the ajax page I cannot get the info from the session.


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    swordsinfo wrote: »
    It is, so in main.php it's the first line of code, then I call ajax at the end of the page and this ajax.php page has it at the top to get the session variable that was created in the main.php page. So when the main.php page calls the ajax page there is suddenly two calls and hence the error. Without making the session.start call on the ajax page I cannot get the info from the session.

    In any PHP file where you want to retrieve session variables, you must use session_start() first. The code I posted earlier checks whether a session has been started and only calls session_start() if necessary.

    That will prevent the E_NOTICE error.

    Does this answer your question?


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    So if I need it in both the main.php and the ajax.php, how do you code it correctly? I have tried the above and it still throws the error. Realistically I want to know the best practice or right way to do it, as I think I will use this type of coding for a few of my online applications. I can suppress the error but I would like to do it the "right way". Is there a command I should run before the ajax call maybe??


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    swordsinfo wrote: »
    So if I need it in both the main.php and the ajax.php, how do you code it correctly? I have tried the above and it still throws the error. Realistically I want to know the best practice or right way to do it, as I think I will use this type of coding for a few of my online applications. I can suppress the error but I would like to do it the "right way". Is there a command I should run before the ajax call maybe??

    I would include a file in main.php and ajax.php which contains the session code.

    That way it is being called only once.

    However the code
    if (!session_id()) { session_start(); }
    should not throw an error.

    And you are right - suppressing errors is a bad thing.

    Can you post up your code - or the relevant snippets?


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    If I was able just to call it at the top of the main.php it would be fine but the fact that I need it in both is the prob

    ob_start();
    define ( "OBSERVERSHIP_APP", 1 );
    /*
    * Set up a constant to your main application path
    */
    few defines and include functions here

    sec_session_start();

    in this function this is what is called:

    $session_name = 'sec_session_id'; // Set a custom session name

    $httponly = true;

    if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
    exit();
    }

    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"],
    $cookieParams["domain"],
    $secure,
    $httponly);

    session_name($session_name);
    session_start();
    session_regenerate_id();

    then loads of general code then in the script at the bottom there is this call in a script:

    var t = setTimeout( function() {
    $.ajax({
    beforeSend: function() { },
    type: "POST",
    url: "admin-infoload.php",
    data: "appid="+$currentId+"&year="+$yearvar+"&csrf_token=<?= create_csrf_tag();?>",

    The create_csrf_tag() adds a field to the submission but also creates this value in a session.
    The following page then looks at the same function above and checks if the csrf is valid.

    PS. Thanks for the time you are taking on this, much appreciate the input.


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    (Wrap your code in CODE tags to increase readability.)

    You have quite a bit going on in your session handling code... and I am not sure it is all needed.

    I would do something like:
    require_once('session_start.php');
    
    at the top of main.php, admin-infoload.php and ajax.php, before any other includes. Then in that file you can call sec_session_start().

    You probably are calling sec_session_start() more than once in your code and hence are getting the E_NOTICE error.

    If the create_csrf_tag() function is in an included file, make sure your session is started first.

    And you're welcome.


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    That's where the conflict is - once the ajax is called it's bringing in the admin-infoload.php (this is the ajax file). And on top of that is the session.start(); as it exists already the page goes bananas. I cannot figure out how to use the session in the page and the ajax, as essentially I'm bringing the ajax page into the main.php page. Maybe I need to look at the code on my ajax.php page to see if too much content is coming back over, as it seems the session call is being brought back, if that makes sense.


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    Also to note changing the ajax file to just

    if (!session_id()) { session_start(); }

    still throws the error


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    swordsinfo wrote: »
    That's where the conflict is - once the ajax is called it's bringing in the admin-infoload.php (this is the ajax file). And on top of that is the session.start(); as it exists already the page goes bananas. I cannot figure out how to use the session in the page and the ajax, as essentially I'm bringing the ajax page into the main.php page. Maybe I need to look at the code on my ajax.php page to see if too much content is coming back over, as it seems the session call is being brought back, if that makes sense.

    I'm afraid it doesn't make sense to me. :-)
    Post the errors - E_BANANAS is not a type I am familiar with. ;-)
    Seriously though, you are probably including the same file several times and hence getting your error. The code I posted should not generate an error - does the error refer to that line of code?


  • Registered Users, Registered Users 2 Posts: 263 ✭✭swordsinfo


    I put that one line of code into the ajax file and got the following - bear in mind there is nothing else in the file except the session check:

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/eurotime/public_html/xxx/admin/admin-infoload.php:1) in /home/eurotime/public_html/xxx/admin/admin-infoload.php on line 1

    So this is purely coming from the ajax file; there is no other code on its page. The main page that calls the ajax file has loads of text output before it looks to run the ajax function to run the above page.


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    swordsinfo wrote: »
    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/eurotime/public_html/xxx/admin/admin-infoload.php:1) in /home/eurotime/public_html/xxx/admin/admin-infoload.php on line 1

    So this is purely coming from the ajax file; there is no other code on its page. The main page that calls the ajax file has loads of text output before it looks to run the ajax function to run the above page.

    OK. You have text being sent to the browser before calling session_start().

    Do you have any whitespace in admin-infoload.php before the opening <?php tag?
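
A way to answer that question mechanically, as an added example that is not part of the thread: a PHP helper that reports a byte order mark or stray bytes before the opening tag, a common cause of "headers already sent (output started at ...:1)". The function name `leading_output` and the sample files are constructed here; PHP 7.1 or later is assumed.

```php
<?php
// Added diagnostic, not code from the thread. Reports bytes that sit before
// the opening PHP tag; PHP emits them as output, which commits the headers
// before session_start() can send its cookie and cache-limiter headers.

function leading_output(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 64);
    if ($head === false) {
        throw new RuntimeException("cannot read $path");
    }
    if (strncmp($head, "\xEF\xBB\xBF", 3) === 0) {
        return 'UTF-8 byte order mark before the opening tag';
    }
    $pos = strpos($head, '<?');
    if ($pos === false) {
        return 'no opening tag in the first 64 bytes';
    }
    return $pos === 0
        ? null
        : sprintf('%d stray byte(s): %s', $pos, bin2hex(substr($head, 0, $pos)));
}

// Constructed sample files: clean, BOM-prefixed, and newline-prefixed.
$samples = [
    'clean'   => "<?php session_start();\n",
    'bom'     => "\xEF\xBB\xBF<?php session_start();\n",
    'newline' => "\n<?php session_start();\n",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'hdr');
    file_put_contents($tmp, $bytes);
    printf("%-8s %s\n", $label, leading_output($tmp) ?? 'nothing before the opening tag');
    unlink($tmp);
}
```
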


  • Registered Users, Registered Users 2 Posts: 912 ✭✭✭chakotha


    I usually use this.
    if (session_status() == PHP_SESSION_NONE) {
    session_start();
    }
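
The session guard, the shared include and the CSRF check discussed in this thread, put together as an added example that is not code from any poster. The page load and the AJAX POST are separate HTTP requests, so each one starts the session once. The file name, function names, session keys and the one-hour lifetime are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// session_bootstrap.php: hypothetical shared include (added example).
// Function names and session keys are illustrative, not the poster's code.

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    if (headers_sent($file, $line)) {
        // Output has begun, so the session cookie header cannot be sent.
        throw new RuntimeException("output started at $file:$line before session start");
    }
    session_start();
}

function csrf_issue_token(): string
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    $_SESSION['csrf_token_time'] = time();
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted, int $maxAge = 3600): bool
{
    $stored = $_SESSION['csrf_token'] ?? '';
    $issued = $_SESSION['csrf_token_time'] ?? 0;
    if (!is_string($submitted) || $stored === '') {
        return false; // missing token, or an array-valued POST field
    }
    if (time() - $issued > $maxAge) {
        return false; // token too old
    }
    return hash_equals($stored, $submitted); // constant-time comparison
}

// Constructed demonstration, CLI only: $_SESSION is used as a plain array.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = csrf_issue_token();
    var_dump(csrf_check($token));          // token issued to this session
    var_dump(csrf_check('forged-value'));  // value that was never issued
    var_dump(csrf_check(['x']));           // csrf_token[]=x style input
    $_SESSION['csrf_token_time'] -= 7200;  // age the token past $maxAge
    var_dump(csrf_check($token));
}
```

Each entry script would `require_once` this file and call `start_session_once()` as its first statement, and the AJAX endpoint would reject the request unless `csrf_check($_POST['csrf_token'] ?? null)` returns true.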

