Can somebody enlighten me as to the best way (or, if it's even possible) to access session data in a php/js file that is injected into the DOM?

Illustrative example, to be more clear:

index.php:

<?php
     session_start();
     // Mark the user as logged in for this illustrative example
     $_SESSION['logged_in'] = true;
?>

<script type="text/javascript" src="http://www.domain.com/include.php"></script>

include.php:

<?php
// Tell the browser this PHP output is a script
header('Content-Type: application/javascript');

session_start();
// Default to false when the key was never set (avoids an undefined-index notice)
$logged_in = !empty($_SESSION['logged_in']);

?>

// json_encode() emits a real JS literal (true/false) instead of "1" or ""
alert(<?php echo json_encode($logged_in); ?>);

The include.php script is one that, ideally, any client could drop into their header, not that that necessarily matters. I do have the ability to pass parameters in the script URL (e.g. http://www.domain.com/include.php?s=213409239323939) so I've thought about passing the session ID that way, but I'm unsure if there are inherent security risks in exposing the session ID. Any advice or thoughts are welcome.

** EDIT - I should make clear that the script file (include.php) is on a different domain name

7
  • There is definitely a risk of session hijacking if you're passing session IDs via URL if you're not disposing of the sessions properly. Commented Feb 17, 2011 at 16:13
  • Re your edit, is the different domain on a different server as well? Commented Feb 17, 2011 at 16:16
  • @Pekka - It will vary from client to client. Some are internally hosted and others aren't, so the solution needs to work regardless of the domain/server. Commented Feb 17, 2011 at 16:18
  • @Mike but then your real issue is propagating a session to a 3rd-party server, which is not trivial and a different thing. However, it shouldn't be necessary in the first place: setting a JavaScript logged-in variable in the original document might already be enough. Commented Feb 17, 2011 at 16:22
  • @Pekka - Your answer below is working pretty well, I may just go with that. If you have any links handy re your mention of propagating to a 3rd-party server I'd be interested in reading more about that... Commented Feb 17, 2011 at 16:28

3 Answers

3

You are always exposing the session ID in some way - either in the cookie or in a GET parameter. Carrying the session ID over is not a security risk in itself. (Edit: This is referring to same-domain links. Cross-server session propagation is a different issue, nicely outlined e.g. here.)

However, if at all possible, consider doing all the dynamic bits of your script in the document itself:

<script>
// json_encode() with the JSON_HEX_* flags turns the session values into JS literals
// and escapes < > & ' " so a value containing "</script>" cannot break out of the block
var MyDynamicData =
 { xyz:  <?php echo json_encode(isset($_SESSION["xyz"]) ? $_SESSION["xyz"] : null, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>,
   abc:  <?php echo json_encode(isset($_SESSION["abc"]) ? $_SESSION["abc"] : null, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>
 };
</script>

<script src="external_script.js"></script>

That would allow you to have the external JavaScript as a static resource, which is good because

  • It is easily cached because it has no dynamic bits
  • It can be compressed by the web server
  • It doesn't need a separate PHP process to serve.

1 Comment

I suppose this method is certainly an option. One of the key points I need to keep in mind is keeping the code that the client needs to add to their site to a minimum. I could keep it to two lines with this method, which isn't bad.
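The pattern from this answer carried through end to end, as an added example that is not code from the question or from either answerer. It assumes two session keys, `logged_in` and `display_name`, a hypothetical static file `https://www.domain.com/static/include.js`, and PHP 7.3 or later for `JSON_THROW_ON_ERROR`. It also addresses the question's concern about session IDs in the URL from the defensive side: the session is configured so that the ID is only ever accepted from the cookie, and the cookie itself is hidden from JavaScript, so only the whitelisted values (never the ID) reach the document.

```php
<?php
// index.php (added example, not from the post): put the per-user state into the
// document and keep the external script static. Session keys are assumed.
declare(strict_types=1);

// Refuse session IDs arriving in the URL; only the cookie carries the ID.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,  // the session cookie is not readable from JavaScript
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();

// Constructed sample state; a real application sets these at login.
// The display name deliberately contains a script terminator to show the escaping.
$_SESSION['logged_in']    = true;
$_SESSION['display_name'] = '</script><script>alert(1)</script>';

/**
 * Render whitelisted session values as a JSON literal that is safe to embed
 * inside an inline <script> block. Only the listed keys are exported (the
 * session ID and anything else in $_SESSION never leave the server), and the
 * JSON_HEX_* flags encode < > & ' " as \uXXXX so that a value containing
 * "</script>" cannot terminate the block early.
 */
function exportSessionState(array $session, array $keys): string
{
    $out = [];
    foreach ($keys as $key) {
        $out[$key] = $session[$key] ?? null;
    }
    return json_encode(
        $out,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$state = exportSessionState($_SESSION, ['logged_in', 'display_name']);
?>
<!doctype html>
<html>
<head>
<script>
  // The document carries the dynamic bits; the session ID itself is never written here.
  var MyDynamicData = <?php echo $state; ?>;
</script>
<!-- Static file (hypothetical path): cacheable, compressible, no PHP process needed. -->
<script src="https://www.domain.com/static/include.js"></script>
</head>
<body></body>
</html>
```

The static `include.js` then only has to read `window.MyDynamicData` (for instance `if (MyDynamicData.logged_in === true) { ... }`), which is the two-line footprint the comment above asks for: one inline `<script>` block and one `<script src>` tag. Because the values are emitted with `json_encode` rather than string interpolation, a crafted `display_name` is rendered as `\u003C\/script\u003E...` and stays inert inside the JavaScript string.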
0

You mean like this?

<script>
  // Full <?php tag (short tags may be disabled); !empty() avoids a notice when the key is unset
  var is_logged = <?php echo !empty($_SESSION['logged']) ? "true" : "false"; ?>;
</script>
<!--other stuff and html here-->
<script>
if(is_logged){
 //do stuff
}
</script>


0

Maybe I'm wrong, but isn't it possible to see your session ID and cookie data in Firefox? If it is, I see no security risk in making it visible in the URL.
