
Session array in injected PHP/JS

Can somebody enlighten me as to the best way (or, if it's even possible) to access session data in a php/js file that is injected into the DOM?

Illustrative example, to be more clear:

index.php:

<?php
     session_start();
     $_SESSION['logged_in'] = true;
?>

<script type="text/javascript" src="http://www.domain.com/include.php"></script>

include.php:

<?php
session_start();   // same cookie, so the same session store as index.php
header('Content-Type: application/javascript');
$logged_in = $_SESSION['logged_in'] ?? false;
?>

alert("<?php echo (int) $logged_in; ?>");

The include.php script is one that, ideally, any client could drop into their header, not that that necessarily matters. I do have the ability to pass parameters in the script URL (i.e. http://www.domain.com/include.php?s=213409239323939) so I've thought about passing the session ID that way, but I'm unsure if there are inherent security risks in exposing the session ID. Any advice or thoughts are welcome.

** EDIT - I should make clear that the script file (include.php) is on a different domain name


You are always exposing the session ID in some way - either in the cookie, or a GET parameter. Carrying the session ID over is not a security risk in itself. (Edit: This is referring to same-domain links. Cross-server session propagation is a different issue, nicely outlined e.g. here).

However, if at all possible, consider doing all the dynamic bits of your script in the document itself:

<script>
var MyDynamicData =
 { xyz:  <?php echo json_encode($_SESSION["xyz"], JSON_HEX_TAG); ?>,
   abc:  <?php echo json_encode($_SESSION["abc"], JSON_HEX_TAG); ?>
 };
</script>

<script src="external_script.js"></script>

That would allow you to have the external JavaScript as a static resource, which is good because

  • It is easily cached because it has no dynamic bits
  • It can be compressed by the web server
  • It doesn't need a separate PHP process to serve.
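The pattern in the answer above, as an added example that is not code from the original question or answers: the page emits one inline bootstrap object and the external script stays static. The interesting part is how the session values get into the inline script. Echoing them raw into a JavaScript string literal lets a value that contains a quote or `</script>` break out of the literal, and because the HTML parser closes the `<script>` element before any JavaScript runs, out of the script element itself. The session keys `logged_in` and `xyz`, the file name `external_script.js` and the hostile demo value are assumptions for the example, not taken from the original post.

```php
<?php
// Added example (editor's own, not code from the original question or answers):
// the "dynamic bits in the document, static external script" pattern, with the
// session values serialised safely.
// Assumed, not from the original: the session keys 'logged_in' and 'xyz', the
// file name external_script.js, and the hostile demo value below.
declare(strict_types=1);

/**
 * What a raw `echo $_SESSION[...]` inside a JS string literal amounts to.
 * A value containing a quote or "</script>" breaks out of the literal and,
 * because the HTML parser closes <script> before JavaScript ever runs, out of
 * the script element itself: stored XSS driven by whatever reaches the session.
 */
function render_bootstrap_unsafe(array $data): string
{
    $parts = [];
    foreach ($data as $key => $value) {
        $parts[] = sprintf('%s: "%s"', $key, (string) $value);
    }
    return "<script>\nvar MyDynamicData = {" . implode(', ', $parts) . "};\n</script>\n";
}

/**
 * Safe version: emit the whole object with json_encode. JSON is valid
 * JavaScript object syntax, and the JSON_HEX_* flags turn < > & ' " into
 * \uXXXX escapes, while "/" is escaped as "\/" by default, so the output can
 * never contain the byte sequence "</script>" or close an HTML attribute.
 */
function render_bootstrap(array $data): string
{
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>\nvar MyDynamicData = " . $json . ";\n</script>\n";
}

/**
 * Copy only the keys the client-side code needs. $_SESSION usually also holds
 * CSRF tokens, internal IDs and similar that the page has no business exposing.
 */
function public_session_data(array $session): array
{
    return [
        'logged_in' => (bool) ($session['logged_in'] ?? false),
        'xyz'       => (string) ($session['xyz'] ?? ''),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed hostile session content for the demonstration.
    $demo = public_session_data([
        'logged_in' => true,
        'xyz'       => '</script><script>alert(document.cookie)</script>',
    ]);
    echo "--- unsafe (breaks out of the script element) ---\n";
    echo render_bootstrap_unsafe($demo);
    echo "--- safe (json_encode with JSON_HEX_* flags) ---\n";
    echo render_bootstrap($demo);
} else {
    // Real page: start the session before any output, emit the bootstrap
    // object, then load the static script that reads window.MyDynamicData.
    session_start();
    echo render_bootstrap(public_session_data($_SESSION));
    echo '<script src="external_script.js"></script>', "\n";
}
```

Run it from the command line to compare the two renderings: the unsafe one contains `</script><script>alert(...)` verbatim, the safe one contains `\u003C\/script\u003E...`, which the JavaScript engine decodes back into the original string only after the HTML parser has already delimited the script element. Whitelisting keys in `public_session_data()` matters as much as the escaping, since anything copied into the bootstrap object is readable by every script on the page. Note that this pattern relies on page and session living on the same origin; it does not help with the cross-domain `include.php` from the question's edit, where a browser that defaults cookies to `SameSite=Lax` will not even send the script domain's session cookie with the cross-site `<script src>` request.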


You mean like this?

<script>
  var is_logged = <?php echo !empty($_SESSION['logged']) ? "true" : "false"; ?>;
</script>
<!--other stuff and html here-->
<script>
if(is_logged){
 //do stuff
}
</script>


Maybe I'm wrong, but isn't it possible to see your session ID and cookie data in Firefox? If it is, I see no security risk in making it visible in the URL.
