  1. #1 merlin9876 (SitePoint Zealot, Quebec, Canada)

    mod_rewrite interfering with PHP sessions?

    Hi!
    I've got a simple login script to which I've added an anti-CSRF method. Basically the insertion of a token in the login form and also in a session variable called "token". When the login is validated, it checks the session variable against the hidden token, and if they match then no attack was done. After that, the session variable is destroyed.

    That part worked fine until I used mod_rewrite to have nice URLs. The rewrite code is the following:
    Code:
    RewriteEngine on
    RewriteBase /
    RewriteRule ^page/(.*) /index.php?module=Osmose&class=Affichage&nom_page_mod_rewrite=$1
    RewriteRule ^edition/(.*) /index.php?module=Osmose&class=Edition&nom_page_mod_rewrite=$1
    Pretty simple. If I use the long URL format (i.e. /index.php?module=Affichage&nom_page_mod_rewrite=mypage), the login works fine and the CSRF check passes. But when I'm on a page with a nice URL like /page/mypage and do a login from there, seems the session variable is all screwy and never matches the token generated. Any idea why this happens? Thanks!

  2. #2 SitePoint Wizard (bronze trophy)
    Does the session ID remain the same between both URL styles? Make sure the session cookie has an appropriate value for path, for example just /.

    Aside from that, you could insert some code which logs debugging info to a file near the code which generates the token.

  3. #3 merlin9876
    That's a good idea to write to a log file. I had a hard time printing the session info on screen since it stops the headers from being written in some places and makes the values hard to track. Thanks!

  4. #4 merlin9876
    Ok, I've checked what's happening. The sessionID is actually staying the same throughout, so this is not the issue.

    What I discovered is that if I type mysite.com, the script is run only once, and only one token is generated.

    But if I call a page using mod_rewrite, like mysite.com/page/home, the script is run twice and thus generates a token for the form, but generates another one right after and so overwrites the session variable (and only the session variable!) and the login automatically fails.

    I don't have anything in the code that would loop it twice, that's for sure. So my thinking is that the mod_rewrite code would be calling the script twice??? I can't wrap my head around this one. Maybe it's basic, but I can't see it.

    And even if the script was called twice, I can't figure out why the session variable would be set twice but the token inserted in the form only once. If anyone sees something strange in the mod_rewrite code, please let me know. I'm not very good with mod_rewrite end parameters, so maybe something's missing that calls the script twice? Thanks!

  5. #5 PHP Guru (lampcms.com)
    Quote Originally Posted by merlin9876 (post #4)
    Ok, I've checked what's happening. The sessionID is actually staying the same throughout, so this is not the issue. [...]
    Try to add [L] at the end of the rewrite rule:
    RewriteRule ^page/(.*) /index.php?module=Osmose&class=Affichage&nom_page_mod_rewrite=$1 [L]

    and remove RewriteBase /
    See if that helps

  6. #6 SitePoint Wizard (bronze trophy)
    Validate/inspect your HTML. The browser might be getting confused and trying to load an image or something from the wrong place, causing a request to the script. You could log more stuff to the file (request headers, etc.). You could also use a packet sniffer, or a browser plugin that lets you view the HTTP requests sent (Firebug or Live HTTP Headers for Firefox).

  7. #7 merlin9876
    Sharedlog.com: Thanks, but it didn't work, unfortunately.

    crmalibu: I'll try that, it could be the case. Thanks!

  8. #8 PHP Guru (lampcms.com)
    Quote Originally Posted by merlin9876 (post #7)
    Sharedlog.com: Thanks, but it didn't work, unfortunately. [...]
    What is the exact url of your page before the rewrite? I mean what is the static-looking url?

  9. #9 merlin9876
    Wow, I think I have something! If the page loads the external CSS, Firebug tells me 2 requests are made to the page. But if I remove the CSS file from the head section, it goes back to 1 request! I'll check in the CSS and verify the paths for the images/backgrounds/etc., that might be it! Thanks!
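
    Editor's note on the rules posted in #1, with an added .htaccess example that is not the original poster's configuration. `^page/(.*)` and `^edition/(.*)` match every path under those prefixes, so a request for something like /page/style.css (what a relative stylesheet or image link resolves to when the page URL is /page/home) is also handed to index.php, and with the poster's code each such extra run regenerates the CSRF token. Whether that is exactly how the second request in this thread reached the script is an assumption; the rules below are correct either way, because they let Apache serve real files and directories directly and only then rewrite the pretty URLs. The query-string values are copied from the original rules; everything else is this example's choice.

```apache
# Added example (editor's), not the original .htaccess from the thread.
RewriteEngine on
RewriteBase /

# Serve existing files and directories (CSS, images, JS) as-is and stop.
# Without this, /page/style.css would match the ^page/(.*) rule below and
# run index.php a second time for the same page view.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Pretty URLs. [L] (what post #5 suggested) stops further rule processing;
# [QSA] appends any query string the browser sent instead of discarding it.
RewriteRule ^page/(.*)$    /index.php?module=Osmose&class=Affichage&nom_page_mod_rewrite=$1 [L,QSA]
RewriteRule ^edition/(.*)$ /index.php?module=Osmose&class=Edition&nom_page_mod_rewrite=$1   [L,QSA]
```

    A quick check that no asset request reaches the script: with the rules in place, request /page/style.css (or whatever the stylesheet path is) and confirm in Firebug or the access log that it is answered by the static file and not by index.php. Note that a broken asset path (a file that does not exist) will still fall through to index.php, so the poster's advice in #9 to verify the paths in the CSS still applies.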

  10. #10 merlin9876
    Got it!!! I was doing some str_replace in the head section of the HTML template and it seems I was loading the CSS file twice... So it called the script twice, thus the wrong value for the token in the login form. Wow, am I glad I resolved this with everyone's help. Thanks!!!
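
    The token scheme the OP describes in #1 (a token in a hidden field and in $_SESSION, compared at login, then destroyed) fails in the way #10 found because the token is regenerated on every run of the script, so any second request for the same page (a mis-resolved stylesheet, a prefetch, a second tab) overwrites the session copy after the form has already been rendered. The following is an added example, not code from the thread or from the poster's Osmose application: it creates the token once per session and reuses it until it is successfully consumed, compares it in constant time, and scopes the session cookie to / as #2 advised. The function names, the csrf_token session key and the login flow are this example's own choices; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (editor's), not the original poster's code.
// A session-bound CSRF token that survives the "script runs twice" case from
// this thread: generate once, reuse until consumed, compare in constant time.
declare(strict_types=1);

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie path "/" so /index.php?... and /page/... share one session
        // (the check suggested in post #2). HttpOnly and SameSite=Lax limit
        // what a cross-site page can do with the cookie.
        session_set_cookie_params([
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Return the session's CSRF token, creating it only if none exists yet.
// A second request (or a second form on the same page) gets the same value
// instead of overwriting the one already embedded in the rendered form.
function csrf_token(): string
{
    csrf_start_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token. True only on a constant-time match.
// The token is dropped after successful use (one-time, as in the poster's
// design) but never on failure, so junk submissions cannot burn a real one.
function csrf_validate(?string $submitted): bool
{
    csrf_start_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    if (!hash_equals($expected, $submitted)) {
        return false;
    }
    unset($_SESSION['csrf_token']);
    return true;
}

// Hidden field for the login form, HTML-escaped.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Assumed request flow for the login page (not the poster's Osmose routing).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... verify credentials here; on success call
    // session_regenerate_id(true) to defeat session fixation.
} else {
    echo '<form method="post" action="/page/login">' . csrf_hidden_field()
       . '<input name="user"><input type="password" name="pass">'
       . '<button>Log in</button></form>';
}
```

    The practical check is the one the OP eventually did: load the form, watch the session file or a debug log, and confirm the token value does not change across the extra requests the page triggers. With generate-once semantics the CSS double-load from #10 becomes harmless; it is still worth fixing, but it can no longer lock users out of the login.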

