Session question

Status
Not open for further replies.

swordsinfo

New Member
Hi guys


I am trying to implement a session check but it's throwing a warning as I am technically calling session_start() twice.


Basically I have a main.php page that has an ajax call to an ajax.php page. I want to access the session in both the main.php page and the ajax.php page; however, to do this I have to call session_start() in both pages, which is throwing a warning: Warning: session_start(): Cannot send session cache....


I have suppressed it by using @session_start(), but does anyone have ideas on how to do this the "right way"?


The session info is for a CSRF check so the ajax page cannot be called either off site or directly - using 'xmlhttprequest' also, just in case anyone suggests this.
 

paul

Ninja
It's a bit hard to say without seeing the code.

If you start a new session in the ajax.php then, well, you'll have a new session ID and all that lark. Why not access the $_SESSION variable? PHP: $_SESSION - Manual
 

swordsinfo

New Member
It's not that I want to start a new session, but I want to get the session information in the ajax page. Basically I create a csrf token and session in the main.php page and I want to check on the ajax page that the request came from the given page. To do this it states that I have to run the session.start(); but as I have already called it in the main.php I get the warning. Here is a snippet of the code:

for the ajax:

$.ajax({
    beforeSend: function() { },
    type: "POST",
    url: "admin-infoload.php",
    data: "appid="+$currentId+"&year="+$yearvar+"&csrf_token=<?= create_csrf_tag();?>",

//create_csrf_tag() creates a token tag and creates a session of the same name

then in the ajax page I do this:

<?@session_start();

if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    if(request_is_post()) {
        if(!csrf_token_is_valid() || !csrf_token_is_recent()) {

csrf_token_is_valid checks if the post item matches the session item and checks if it was created within 60 seconds. By adding the @ I am suppressing the warning message and the code works fine, but obviously I want to know the "right way" of doing this.

Thanks
Bryan
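
The pattern the thread is asking about, as an added example that is not part of any post above: each request (the page load and the AJAX call) starts the session exactly once, before any output, and the posted token is checked against the session copy within the 60-second window. The function bodies and the session key names `csrf_token` and `csrf_token_time` are assumptions, since the thread does not show them.

```php
<?php
// Added example, not code from the thread. Function bodies and the session
// keys 'csrf_token' / 'csrf_token_time' are assumptions. In practice the
// three functions would live in an include shared by both pages.

// Start the session at most once per request, before any output is sent.
function ensure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request, e.g. by an include
    }
    if (headers_sent($file, $line)) {
        // Once output has gone out, the session headers can no longer be
        // sent. Report where the output came from instead of hiding it.
        throw new RuntimeException("Output already sent at $file:$line");
    }
    session_start();
}

// Page side (main.php): store a random token and its creation time.
function create_csrf_token(): string
{
    ensure_session();
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    $_SESSION['csrf_token_time'] = time();
    return $_SESSION['csrf_token'];
}

// AJAX side: constant-time comparison plus the 60-second freshness window.
function csrf_token_ok($posted, int $maxAge = 60): bool
{
    ensure_session();
    $stored = $_SESSION['csrf_token'] ?? '';
    $issued = $_SESSION['csrf_token_time'] ?? 0;
    return is_string($posted)          // rejects csrf_token[]=... arrays
        && $stored !== ''
        && hash_equals($stored, $posted)
        && (time() - $issued) <= $maxAge;
}

// Top of the AJAX endpoint: no whitespace or HTML before this point.
$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if (!$isPost || !csrf_token_ok($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}
// ... handle the request ...
```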
 