Session question

Discussion in 'Coding Help' started by swordsinfo, Dec 11, 2014.

  1. swordsinfo

    swordsinfo New Member

    Hi guys


    I am trying to implement a session check but it's throwing a warning, as I am technically calling session_start() twice.


    Basically I have a main.php page that has an ajax call to an ajax.php page. I want to access the session in both the main.php page and the ajax.php page; however, to do this I have to call session_start() in both pages, which is throwing a warning: Warning: session_start(): Cannot send session cache....


    I have suppressed it by using @session_start(), but does anyone have ideas on how to do this the "right way"?


    The session info is for a CSRF check so the ajax page cannot be called either off-site or directly. I am also using the 'xmlhttprequest' header check, just in case anyone suggests this.
     
  2. paul

    paul Ninja

    It's a bit hard to say without seeing the code.

    If you start a new session in the ajax.php then, well, you'll have a new session ID and all that lark. Why not access the $_SESSION variable? PHP: $_SESSION - Manual
     
  3. swordsinfo

    swordsinfo New Member

    It's not that I want to start a new session; I want to get the session information in the ajax page. Basically I create a CSRF token and session in the main.php page, and I want to check on the ajax page that the request came from the given page. To do this it states that I have to run session_start(), but as I have already called it in main.php I get the warning. Here is a snippet of the code:

    for the ajax:

    $.ajax({
        beforeSend: function() { },
        type: "POST",
        url: "admin-infoload.php",
        // create_csrf_tag() creates a token tag and creates a session of the same name
        data: "appid=" + $currentId + "&year=" + $yearvar + "&csrf_token=<?= create_csrf_tag(); ?>"
    });

    then in the ajax page I do this:

    <?php
    @session_start();

    if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
        if (request_is_post()) {
            if (!csrf_token_is_valid() || !csrf_token_is_recent()) {
                // ... (rest of the handler omitted in the post)
            }
        }
    }

    csrf_token_is_valid checks if the post item matches the session item and checks if it was created within 60 seconds. By adding the @ I am suppressing the warning message and code works fine but obviously I want to know the "right way" of doing this.

    Thanks
    Bryan
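As an added example (not the poster's code, and not a library's API), here is one way to write the helpers used above so that session_start() is only called when no session is active, with the token compared in constant time and the 60-second window kept. The function names are hypothetical and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not the poster's code: helpers shared by main.php and the
// ajax page (admin-infoload.php). Function names are hypothetical; PHP 7+.
// Start a session only when none is active: session_start() on an already
// active session is what warns. It must also run before any output is sent.
function ensure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// main.php: issue a token, keep it and its creation time in the session.
function create_csrf_tag(): string
{
    ensure_session();
    $token = bin2hex(random_bytes(32));          // 64 hex chars, unpredictable
    $_SESSION['csrf_token']      = $token;
    $_SESSION['csrf_token_time'] = time();
    return $token;
}

// ajax page: constant-time compare of the POSTed token with the session copy.
function csrf_token_is_valid(): bool
{
    ensure_session();
    $posted = $_POST['csrf_token'] ?? '';
    $stored = $_SESSION['csrf_token'] ?? '';
    return $stored !== '' && is_string($posted) && hash_equals($stored, $posted);
}

// The poster's 60-second window.
function csrf_token_is_recent(int $max_age = 60): bool
{
    ensure_session();
    $created = (int) ($_SESSION['csrf_token_time'] ?? 0);
    return $created > 0 && (time() - $created) <= $max_age;
}

// ajax page entry point: XHR header, then method, then token, then clear it.
function handle_ajax_request(): void
{
    ensure_session();
    $xhr = strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
    if (!$xhr || ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !csrf_token_is_valid() || !csrf_token_is_recent()) {
        http_response_code(403);
        exit('Forbidden');
    }
    unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']); // single use
}
```

With the session_status() guard the @ is no longer needed, so any remaining "headers already sent" warning points at real output emitted before session_start() rather than being hidden.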
     
