This site (which you are on now) is running Symfony 1.2.5. The ORM is Propel.
The user system is handled by sfGuardUserPlugin.
I have written a Clojure app which is given a PHP session id and needs to verify that id. On my server, the PHP sessions are kept here:
And the session files look like this:
If I sudo to root, then sometimes I can go:
ls -al /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6
and I get:
-rw------- 1 www-data www-data 246 2012-10-29 11:49 /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6
(I've altered the session id for security, but you get the idea)
I don't need much security here so merely checking to see if the file exists would be enough security for me.
If you are logged in, then check your browser right now (Firebug in Firefox is especially useful for this). Your browser should be sending an Ajax request to the server, with the session id and some other info.
Unfortunately, sometimes that session file does not exist. Sometimes the Ajax in my browser keeps sending that session_id yet the file on the server is not there.
So, why is that? Does Symfony store it in the database such that the session is no longer recorded in /var/lib/php5?
My question in its simplest form: where can I look to reliably verify that a session id is real? I have to be able to do this from outside of PHP. Though the site was originally written in PHP/Symfony, my long term plan is to re-write the whole thing in Clojure. For now, this means I have to get the Clojure and PHP to sometimes share information.
This just happened again. Someone's browser just sent in this session id, just a few seconds ago:
I saw this session id come in via the server. And, as root, I checked for it and found nothing:
[email protected]:/tmp# ls -al /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7
ls: cannot access /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7: No such file or directory
At the moment, all of the session ids seem to be false, even mine. But that is not possible. So where are the files?
Normally in PHP (including Symfony with sfGuardUser plugin and Propel ORM) you can find the session file like this:
echo session_id(); // returns something like hp2i2oabt9jc9fl1mm6mae5la7
echo ini_get('session.save_path'); // returns the location of the session file, e.g. /var/lib/php5/, so the session file is here: /var/lib/php5/sess_hp2i2oabt9jc9fl1mm6mae5la7
The content of the file would contain information such as:
Of course you can store any specific data in the session and then retrieve it, or just check whether it exists, in the session directory without using PHP.
Hope this helps,
I am sorry if I wasn't clear. The application is being written in Clojure, not PHP. But the site is in PHP, and the users create their sessions in PHP. Normally the session id info is stored in:
The file is as you describe.
The Clojure app is sent the session id via Ajax. At that point, it needs to figure out whether the session is real, or whether someone is lying.
I originally wrote this app thinking it would be enough to check and see if the file existed. But I am getting false negatives.
I am thinking perhaps sometimes Symfony stuffs this info into a database? Or the session id changes?
" or just check if it exists it in the session directory without using PHP."
That is the part I am having trouble with. In FireFox, I log into a site, and using FireBug I can see the Ajax calls that send my session id to the Clojure app. And at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear.
Regarding this problem, "...at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear." - please search your project for any custom authentication-related method that is calling this:
Okay, that is a good thought. I'm searching for anything that restarts the session.
"But then later the file seems to disappear"
Strange behavior. The file is supposed to be deleted when the session_id is regenerated with, say, session_regenerate_id() (I don't know if symfony performs this internally).
So, maybe the most clean way is to implement your PHP sessions in MySQL instead of plain files (the default).
Moreover, regarding PHP sessions you need to check some session.gc* configuration options...
"Your browser should be sending an Ajax request to the server, with the session id and some other info."
As a side note, if you ask me, I don't like to have my username, profile name "and some other info" to be transferred over plain HTTP through the wire. Just sayin'.
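An added example (mine, not the answer's) of what the session.gc* options imply for an outside checker. On Debian and Ubuntu, which is where the /var/lib/php5 path comes from, the packaged php.ini sets session.gc_probability = 0 and a cron job (/etc/cron.d/php5) prunes that directory on a gc_maxlifetime schedule instead, so a file can disappear between two requests without Symfony doing anything; elsewhere PHP collects on its own, but only with probability gc_probability/gc_divisor per session_start(), so an idle file can just as well outlive gc_maxlifetime. Either way PHP's files handler never checks the file's age when resuming a session, only gc does, which is why an external checker should apply the age limit itself. The php.ini fragment below is constructed, and the thresholds are assumptions about this server.

```python
import re

# Constructed php.ini fragment resembling the Debian/Ubuntu defaults of the time
# (gc_probability 0: PHP itself never collects; cron prunes /var/lib/php5).
PHP_INI_SAMPLE = """
[Session]
session.save_handler = files
session.save_path = /var/lib/php5
; 0 => PHP's own collector never runs on session_start()
session.gc_probability = 0
session.gc_divisor = 1000
; seconds of idle time after which a session is eligible for deletion
session.gc_maxlifetime = 1440
session.cookie_lifetime = 0
"""


def parse_session_settings(ini_text):
    """Return {key: value} for the session.* lines of php.ini text ('; ' comments stripped)."""
    settings = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"^(session\.[A-Za-z_]+)\s*=\s*(.*?)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def php_collects_itself(settings):
    """True when PHP's probabilistic gc can run at all (probability/divisor > 0)."""
    prob = int(settings.get("session.gc_probability", 1))
    div = int(settings.get("session.gc_divisor", 100))
    return prob > 0 and div > 0


def gc_chance_per_request(settings):
    """Probability that one session_start() triggers garbage collection."""
    if not php_collects_itself(settings):
        return 0.0
    return int(settings["session.gc_probability"]) / int(settings["session.gc_divisor"])


def classify(present, idle_seconds, settings):
    """What the sess_ file's state means for a checker outside PHP.

    present      -- whether sess_<id> exists under session.save_path
    idle_seconds -- now minus the file's mtime (PHP 5 rewrites it on every request)
    Returns "missing", "stale" or "live".
    """
    maxlifetime = int(settings.get("session.gc_maxlifetime", 1440))
    if not present:
        # Never created, regenerated under a new id, or already pruned by gc/cron.
        return "missing"
    if idle_seconds > maxlifetime:
        # Eligible for deletion; PHP would still resume it until gc runs, so
        # an external check that rejects it is stricter than PHP, not looser.
        return "stale"
    return "live"


if __name__ == "__main__":
    s = parse_session_settings(PHP_INI_SAMPLE)
    print(s["session.save_path"], s["session.gc_maxlifetime"])
    print("PHP collects on its own:", php_collects_itself(s), gc_chance_per_request(s))
    for present, idle in ((False, 0), (True, 60), (True, 1500)):
        print(present, idle, classify(present, idle, s))
```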
I agree that the info needs to be hidden. My goal was simply to get the app working this week. Next week I plan to switch to a more secure protocol. I don't like sending anyone's session_id over the plain wire as plain http.
Hmm, possibly the PHP session times out? Or...
It is hard to imagine where PHP would put the session if not in /var/lib/php5.
Though it occurs to me, I can have the PHP on the server ping the Clojure app directly, and tell it, directly, what PHP session ids are valid.
I think this will bring you close to the answer
"Uploadify (currently on version 3.1.0) has the option to send the session name and id to the upload script so you can secure the action handling this in Symfony"
I am already sending the session id without a problem. The problem is that the Clojure app does not always find a file in /var/lib/php5 that matches the session.