| Joomla! http://forum.joomla.org/ |
|
| Getting a database session through url? http://forum.joomla.org/viewtopic.php?f=304&t=235166 |
| Author: | phreakys [ Tue Nov 20, 2007 1:05 am ] |
| Post subject: | Getting a database session through url? |
Hello,

I have a problem continuing a session that's stored in the session table. Here is the situation: I have a component that takes HEADER and POST information from a secondlife object, and does some origin/security checks. When this is done, it sends back the current Session ID with:

Code:
$session = $this->main->getSession();
$sid = $session->getId();
//and then authentication info+session-id is parsed back to the view, to return to the sl-object.

Now the object knows the sessionid that joomla uses for this request. When a next request goes from the secondlife object, it doesn't send the original POST-information (containing userinfo), but the session-id. Since Secondlife-servers don't store cookies, it should entirely depend on the database for session-info. Somehow when a second request is made, it also makes an entirely new session.

So, here it is: Would it be possible to retrieve a session like this?

index.php?option=com_mycomponent&view=foo&controller=bar&sid=mycurrentsessionid

I searched all forums, and the API for a solution, but can't find any. I hope someone more experienced can help me out.

Thanks.
Phrearch Miles/Jeroen van Veen |
|
| Author: | Ty2u [ Tue Nov 20, 2007 2:30 am ] |
| Post subject: | Re: Getting a database session through url? |
I don't know if this exists for Joomla myself, but I am not completely familiar with Joomla 1.5 yet, which is what I believe you are using. But in your component you should be able to pick up the param from the url then, shouldn't you? I don't ever remember seeing a sessionid or sid param for Joomla 1.0 in my time with it, so maybe there is not one for Joomla 1.5... yet...

Then maybe you could use this class to read it from the database and make sure it's valid and whatnot: http://api.joomla.org/__filesource/fsou ... p.html#a63 |
|
| Author: | phreakys [ Tue Nov 20, 2007 2:42 am ] |
| Post subject: | Re: Getting a database session through url? |
Hey, yea, you're right. That's the class that should make it happen. Weird thing is that when I open the component through a browser, the same session is used automagically. I have no clue how to force Joomla to use a certain session. Maybe some useful info can be held from comparing session-info?

Normal one looks like:

__default|a:7:{ s:15:"session.counter";i:2; s:19:"session.timer.start"; i:1195525767; s:18:"session.timer.last"; i:1195525767; s:17:"session.timer.now"; i:1195525776; s:22:"session.client.browser"; s:82:"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.9) Gecko/20071103 BonEcho/2.0.0.9"; s:8:"registry"; O:9:"JRegistry":3:{s:17:"_defaultNameSpace";s:7:"session";s:9:"_registry"; a:1:{s:7:"session"; a:1:{s:4:"data"; O:8:"stdClass":0:{}}}s:7:"_errors"; a:0:{}}s:4:"user"; O:5:"JUser":19:{s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password"; N;s:8:"usertype";N;s:5:"block";N;s:9:"sendEmail";i:1;s:3:"gid";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N; s:10:"activation";N;s:6:"params";N;s:3:"aid";i:0;s:5:"guest";i:1;s:7:"_params"; O:10:"JParameter":7:{s:4:"_raw";s:0:"";s:4:"_xml";N;s:9:"_elements";a:0:{}s:12:"_elementPath"; a:1:{i:0;s:78:"/home/httpd/html/development/joomla1.5/libraries/joomla/html/parameter/element";} s:17:"_defaultNameSpace";s:8:"_default";s:9:"_registry"; a:1:{s:8:"_default";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:9:"_errorMsg";N;s:7:"clearPW";s:0:""; s:7:"_errors";a:0:{}}}

Now after every new request from the secondlife-terminal, a new session is created. The session-info from a sl-request that is created looks like:

__default|a:8: {s:15:"session.counter";i:1;s:19:"session.timer.start";i:1195525853;s:18:"session.timer.last";i:1195525853;s:17:"session.timer.now"; i:1195525853; s:24:"session.client.forwarded"; s:9:"127.0.0.1"; s:22:"session.client.browser"; s:53:"Second Life LSL/1.18.5(73200) (http://secondlife.com)"; s:8:"registry"; O:9:"JRegistry":3:{s:17:"_defaultNameSpace";s:7:"session";s:9:"_registry";a:1:{s:7:"session";a:1:{s:4:"data"; O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:4:"user"; O:5:"JUser":19:{s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:8:"usertype"; N;s:5:"block";N;s:9:"sendEmail";i:1;s:3:"gid";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation"; N;s:6:"params";N;s:3:"aid";i:0;s:5:"guest";i:1;s:7:"_params"; O:10:"JParameter":7:{s:4:"_raw";s:0:"";s:4:"_xml";N;s:9:"_elements";a:0:{}s:12:"_elementPath"; a:1:{i:0;s:78:"/home/httpd/html/development/joomla1.5/libraries/joomla/html/parameter/element";}s:17:"_defaultNameSpace"; s:8:"_default";s:9:"_registry";a:1:{s:8:"_default";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:9:"_errorMsg"; N;s:7:"clearPW";s:0:"";s:7:"_errors";a:0:{}}}

Not sure if something in this second database-session keeps Joomla from remembering which object made the request
|
|
| Author: | Ty2u [ Tue Nov 20, 2007 3:28 am ] |
| Post subject: | Re: Getting a database session through url? |
Hmm... that does seem odd. Has it always done that? It looks like from second life Joomla recognizes it is coming through a proxy or something with this extra bit:

"session.client.forward";s:9:"127.0.0.1";s:22:

In the code in /libraries/joomla/session/session.php it has:

Code:
// record proxy forwarded for in the session in case we need it later
if( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
    $this->set( 'session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}

Well, I'm thinking maybe somehow Secondlife just doesn't use the same session path each time then. Maybe it routes each request through a different server or something... and the webserver has no way to know it's the same session? Maybe there would have to be some other way to identify the sessions in SL if that is the case. I know that when a region is restarted it probably won't be on the same server anymore, so it would probably have a different IP, so you probably couldn't tell Joomla to look at IPs reliably. But maybe a region name which SL sends... HTTP_X_SECONDLIFE_REGION

Maybe some other SL developers have had similar session problems and have a solution on the SL forums or somewhere in SL even. Or maybe you have it fixed by now =) |
|
| Author: | phreakys [ Tue Nov 20, 2007 3:41 am ] |
| Post subject: | Re: Getting a database session through url? |
Not really. Still stuck with the problem. gethostbyaddr($_SERVER['REMOTE_ADDR']) returns sim2941.agni.lindenlab.com (resolves to 64.129.43.183). Any way to use that for session-info?

P.S. I'm still using RC2...

The solution as given by some experienced lsl-scripters was to send the session-id over the line in the url. So, what the script does right now is:

- Sending the whole userinfo as GET-params
- Return the authentication-state + the Joomla session id (from session table)
- Send the session-id with every next request

But then when I make this next request, it creates just another session. I thought of destroying the current new session, getting the session-id from the url, and continuing with that session. Feels pretty much like a dirty hack, if even possible.

Some info from another created session from sl:

__default|a:8:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1195529345;s:18:"session.timer.last";i:1195529345; s:17:"session.timer.now";i:1195529345;s:24:"session.client.forwarded";s:9:"127.0.0.1";s:22:"session.client.browser"; s:53:"Second Life LSL/1.18.5(73200) (http://secondlife.com)";s:8:"registry";O:9:"JRegistry":3:{s:17:"_defaultNameSpace";s:7:"session";s:9:"_registry";a:1: {s:7:"session";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:4:"user";O:5:"JUser":19: {s:2:"id";i:0;s:4:"name";N;s:8:"username";N;s:5:"email";N;s:8:"password";N;s:8:"usertype";N;s:5:"block";N;s:9:"sendEmail";i:1; s:3:"gid";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:3:"aid";i:0;s:5:"guest";i:1; s:7:"_params";O:10:"JParameter":7:{s:4:"_raw";s:0:"";s:4:"_xml";N;s:9:"_elements";a:0:{}s:12:"_elementPath"; a:1:{i:0;s:78:"/home/httpd/html/development/joomla1.5/libraries/joomla/html/parameter/element";}s:17:"_defaultNameSpace"; s:8:"_default";s:9:"_registry";a:1:{s:8:"_default";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:9:"_errorMsg";N; s:7:"clearPW";s:0:"";s:7:"_errors";a:0:{}}} |
|
| Author: | phreakys [ Tue Nov 20, 2007 5:32 am ] |
| Post subject: | Re: Getting a database session through url? |
Upgraded the component to RC3. Same problem though. Reading until I find a solution... |
|
| Author: | phreakys [ Tue Nov 20, 2007 6:35 am ] |
| Post subject: | Re: Getting a database session through url? |
Hm, something changed. Changed this:

Code:
var $_security = array( 'fix_browser');

To:

Code:
var $_security = array( 'fix_browser','fix_adress' );

Now it has a real address. Not sure if this is getting me a step closer. Still stuck...

__default|a:10:{s:15:"session.counter";i:1;s:19:"session.timer.start";i:1195539988;s:18:"session.timer.last";i:1195539988; s:17:"session.timer.now";i:1195539988;s:24:"session.client.forwarded";s:9:"127.0.0.1";s:22:"session.client.address"; s:13:"64.129.43.183";s:22:"session.client.browser";s:53:"Second Life LSL/1.18.5(73200) (http://secondlife.com)";s:8:"registry";O:9:"JRegistry":3:{s:17:"_defaultNameSpace";s:7:"session";s:9:"_registry";a:1: {s:7:"session";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:4:"user";O:5:"JUser":19:{s:2:"id";i:0;s:4:"name";N; s:8:"username";N;s:5:"email";N;s:8:"password";N;s:14:"password_clear";s:0:"";s:8:"usertype";N;s:5:"block";N; s:9:"sendEmail";i:1;s:3:"gid";i:0;s:12:"registerDate";N;s:13:"lastvisitDate";N;s:10:"activation";N;s:6:"params";N;s:3:"aid";i:0; s:5:"guest";i:1;s:7:"_params";O:10:"JParameter":7:{s:4:"_raw";s:0:"";s:4:"_xml";N;s:9:"_elements";a:0:{}s:12:"_elementPath"; a:1:{i:0;s:81:"/home/httpd/html/development/joomla1.5rc3/libraries/joomla/html/parameter/element";}s:17:"_defaultNameSpace"; s:8:"_default";s:9:"_registry";a:1:{s:8:"_default";a:1:{s:4:"data";O:8:"stdClass":0:{}}}s:7:"_errors";a:0:{}}s:9:"_errorMsg"; N;s:7:"_errors";a:0:{}}s:13:"session.token";s:32:"7afa4e5d77e731df4f708d8e9e6b1a43";}

Maybe this is related to it?

http://www.travelblog.com/2007/index.php?bid=future
http://www.joomla.org/component/option,com_jd-wp/Itemid,33/p,28/
http://api.joomla.org/Joomla-Framework/Table/JTableSession.html

Although the session client address remains 64.129.43.183 all the time.

I guess the real question is: how does Joomla "know" when to continue with a session? Is it through a cookie with a token, or what? I'm really losing my mind here.

Hm, just checked my cookies, and it looks like it's stored indeed as a cookie. Name=someunknownhash, value=thesessionid, host=myhost. So... I don't want to use cookies to store the session. Checking it out.

I'm not sure, but I may have found something. Is it possible that it's a php.ini setting, in which some cookie magic must be done? Like "session.cookie_lifetime = 0" kills the cookie when the browser closes (one request from lsl imitates close browser event?)

Hm, when I set session storage to none, it's filling NULL fields, but it's getting a new session on every request all right. So the problem is not the content of the session DB, but rather... something else
|
|
| Author: | Ty2u [ Tue Nov 20, 2007 1:50 pm ] |
| Post subject: | Re: Getting a database session through url? |
If the ip isn't changing then maybe that isn't how SL does requests then. On the next page of the one link you gave: http://www.travelblog.com/2007/index.php?p=1&bid=future

Quote:
When they have thousands of users going through them, they have to use banks of proxy servers to handle the load. Users who are behind these banks of proxy servers can potentially have a different ip address with every single page request. Since Joomla authenticates its sessions by ip address, these users look like first time page requests every time their ip address changes.

Then it goes on to explain some potential solutions. It seems the AOL users behind these types of proxy could stay logged in when clicking the Remember me button but would cause inflated session values and reported users online but maybe that would be a start. But then on another page it said that the AOL connections worked fine when they didn't use the AOL browser and used IE instead.

It also explains some other things that maybe would be useful. I don't know if Joomla 1.5 even does the same type of thing with sessions. It looks like in /libraries/joomla/session/session.php there are some extra functions like fork that might be useful or _start

http://www.php.net/session

In the last comment there is a person who thought they have found some session bug with some code... maybe that would be useful? Another comment on there says:

Quote:
If your session are not retrieving correctly make sure that session.cookie_secure is to set to 'Off' if you are NOT going through https. Everytime you navigate the site your session data will not be retrieved and your sessionid will change. It may be obvious but I spent two days trying to figuring this out. Hope it helps someone.

Maybe that is it... |
|
| Author: | phreakys [ Tue Nov 20, 2007 4:07 pm ] |
| Post subject: | Re: Getting a database session through url? |
Hi Ty2u, thank you for your reply.

Quote:
It seems the AOL users behind these types of proxy could stay logged in when clicking the Remember me button but would cause inflated session values and reported users online but maybe that would be a start.

That's exactly what happens right now. Because with every request a new serverside session-cookie is made, the "guest"-online count rises quickly in a couple of minutes. I checked, and apache nicely creates a new session file for each request in its tmp directory.

Quote:
It also explains some other things that maybe would be useful. I don't know if Joomla 1.5 even does the same type of thing with sessions. It looks like in /libraries/joomla/session/session.php there are some extra functions like fork that might be useful or _start

Yea, that looks interesting. I'm not sure though, but maybe the only way is to let the old session be destroyed, and fork a new one. I think the administrator-part already does something like that to prevent "session fixation" attacks.

http://issues.civicrm.org/jira/browse/CRM-2148

Quote:
Administrative sessions will now be destroyed and recreated with each request in order to prevent session fixation and session hijacking attacks.

So basically I should do something like this:

I've checked my php-settings. session.cookie_secure is set to off. Here are my php session settings:

Code:
session.auto_start                 Off         Off
session.bug_compat_42              Off         Off
session.bug_compat_warn            On          On
session.cache_expire               180         180
session.cache_limiter              nocache     nocache
session.cookie_domain              no value    no value
session.cookie_httponly            Off         Off
session.cookie_lifetime            3600        3600
session.cookie_path                /           /
session.cookie_secure              Off         Off
session.entropy_file               no value    no value
session.entropy_length             0           0
session.gc_divisor                 1000        1000
session.gc_maxlifetime             1440        1440
session.gc_probability             1           1
session.hash_bits_per_character    5           5
session.hash_function              0           0
session.name                       PHPSESSID   PHPSESSID
session.referer_check              no value    no value
session.save_handler               files       files
session.save_path                  /tmp        /tmp
session.serialize_handler          php         php
session.use_cookies                On          On
session.use_only_cookies           Off         Off
session.use_trans_sid              0           0

In session.php session.use_trans_sid is set to 0, before some cookie work is done. Here is some info about it: http://www.mtdev.com/2002/06/why-you-should-disable-phps-session-use_trans_sid

So: Joomla creates a serverside and a clientside cookie to determine if a session is new, or in use.

Quote:
Without this feature you can usually choose between sending cookies to the visitor and modifying the URLs, with cookies being the default setting. Cookies do no harm (most of the time) but appending a query string to all URLs is quite different.

So, I guess somehow the sessionid needs to be sent along with the url, in order to get this session running. Not sure if that's natively supported by joomla. |
|
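Added example, not part of the thread and not Joomla code: the posts above settle on returning the session id to the Second Life object and receiving it back in the URL, and they mention session fixation. One way to keep the server from resuming an arbitrary id is to hand out the id inside an HMAC-signed, expiring token tied to the calling object. `issueSidToken()`, `verifySidToken()`, `$objectKey`, the secret, the id alphabet and the 300-second lifetime are assumptions made for this example.

```php
<?php
// Added example; hypothetical helper names, not Joomla or thread code.
const SID_TOKEN_TTL = 300; // assumed lifetime of a handed-out token, in seconds

/** Wrap a session id the server created itself as "sid.expiry.mac". */
function issueSidToken(string $sid, string $objectKey, string $secret, int $now): string
{
    $expires = $now + SID_TOKEN_TTL;
    $mac = hash_hmac('sha256', $sid . '|' . $expires . '|' . $objectKey, $secret);
    return $sid . '.' . $expires . '.' . $mac;
}

/** Return the session id only for an authentic, unexpired token from the same object. */
function verifySidToken(string $token, string $objectKey, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$sid, $expires, $mac] = $parts;
    // Assumed id alphabet: the characters PHP allows in session ids.
    if (!preg_match('/^[A-Za-z0-9,-]{16,128}$/', $sid) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $sid . '|' . $expires . '|' . $objectKey, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // id was not issued by this server, or not to this object
    }
    if ((int) $expires < $now) {
        return null; // token outlived its lifetime
    }
    return $sid;
}

// Constructed sample values, not taken from the thread.
$secret    = 'constructed-demo-secret';
$sid       = 'c0ffee00c0ffee00c0ffee00c0ffee00';
$objectKey = '11111111-2222-3333-4444-555555555555';
$now       = 1700000000;

$token = issueSidToken($sid, $objectKey, $secret, $now);
$cases = [
    'same object, one minute later'         => [$token, $objectKey, $now + 60],
    'token replayed by another object'      => [$token, 'another-object', $now + 60],
    'id chosen by the caller, no valid MAC' => [$sid . '.' . ($now + 300) . '.deadbeef', $objectKey, $now],
    'token presented after expiry'          => [$token, $objectKey, $now + SID_TOKEN_TTL + 1],
];
foreach ($cases as $label => [$t, $key, $at]) {
    $result = verifySidToken($t, $key, $secret, $at);
    echo str_pad($label, 40), $result === null ? 'rejected' : "resume $result", PHP_EOL;
}
```

Only an id that passes the check would be passed to PHP's `session_id()` before the session is started; how the component tells Joomla 1.5 to do that is not shown in the thread.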
| Author: | phreakys [ Tue Nov 20, 2007 5:20 pm ] |
| Post subject: | Re: Getting a database session through url? |
Ok, trying to remove the session on each request. When I call $session->destroy(); the data is set to NULL in the session table, but the session itself remains. How can I use JTableSession to remove it? edit: Hm, think this is a new thread |
|
| Author: | Ty2u [ Sat Dec 01, 2007 4:10 pm ] |
| Post subject: | Re: Getting a database session through url? |
Hey there. How are things working out with this now? I have been a little busy lately but I would love to help test things out if you need someone to test or whatever. Not sure how useful I can be but anything that can help make this project work perfectly would be wonderful in my books.

Ryan

P.S. I tried opensim and liked it too =) I have been watching the svn and they seem to be making continual updates to it. It appears to be coming along fairly quickly from what I am seeing. When I first tried it there weren't even any lsl abilities yet but now there are quite a few it seems. I am excited to see the sort of interface you describe about adding and removing sims and whatnot. |
|
| All times are UTC |
|