
I'm not able to debug what is wrong with my code. Here is what I'm doing:

For Ajax queries, I have set a session variable, sessiontoken, and I encode and decode it to make sure the request comes from the correct session/page, as shown below. The code below is present on every page, and in the JavaScript I echo this variable and use it in the Ajax call:

My problem is that while the script works perfectly fine on every page on the local server (XAMPP), on the live server it is giving problems. When I log in on the live site, on the home page the decoded value is correctly displayed in the JavaScript function; however, when I click on the link to myprofile or go to any other page, the decoded sessiontoken value displays weird characters. Can you please let me know what could be the problem, as on local it is working just fine. thanx.

<?php
    session_start();
    // Only logged-in users may see this page.
    if (!(isset($_SESSION['id']) && isset($_SESSION['username']))) {
        header("location: index.php");
        exit();
    }
    // Create the per-session token once; on later requests decode the stored copy.
    // Note: rand() is not a cryptographic RNG, and the Base64 round trip adds
    // no secrecy, it only changes the representation of the same number.
    if (!isset($_SESSION['sessiontoken'])) {
        $thisRandNum = rand(999999, 99999999);
        $_SESSION['sessiontoken'] = base64_encode($thisRandNum);
    } else {
        $thisRandNum = base64_decode($_SESSION['sessiontoken']);
    }
?>

<html>
   <head>
     <!-- assumes jQuery is loaded on the page -->
     <script type="text/javascript">
        // Posts the session token with the Ajax request so the endpoint can check it.
        function refreshWall() {
            $.post('scripts/refreshlist.php', {thistoken: <?php echo $thisRandNum ?>},
                function(data) {
                }, "json");
        }
     </script>
   </head>
   <body>
   </body>
</html>
vicked
  • Why do you encode the number in Base 64 in the first place? – kmkaplan Jan 02 '13 at 08:07
  • I think OP may well assume it makes it more secure =o\ – kittycat Jan 02 '13 at 08:08
  • @kmkaplan : well it was a practice used in some tutorials which said it will make it secure, so I continued using the same. – vicked Jan 02 '13 at 08:19
  • @vicked While this does not answer your question, just remove the Base 64 stuff. It will simplify your code and there is no security to be gained here with Base 64. – kmkaplan Jan 02 '13 at 08:21
  • ... and then never, ever visit the site containing that tutorial again. – Charles Jan 02 '13 at 08:27
  • Using a secret token in a form helps secure against [cross-site request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29). However, as mentioned by @kmkaplan, encoding the token using Base64 doesn't help in any way. Also, rather than using a random number, it may be better to use a [UUID](http://stackoverflow.com/questions/2040240/php-function-to-generate-v4-uuid) – My Head Hurts Jan 02 '13 at 08:30
  • What are the PHP versions on your local and remote computers? – kmkaplan Jan 02 '13 at 08:35
  • I will remove the encode/decode and try it again. @kmkaplan the version is 5.3.1 on localhost and 5.2.17 on live – vicked Jan 02 '13 at 08:46
  • It is working now, upgraded the PHP version to 5.3. will surely get rid of encode-decode, if they don't serve any purpose, in next build, though. thanx – vicked Jan 02 '13 at 09:35
  • @vicked add that as an answer (needed to upgrade PHP version) and you should be able to accept your own answer in a couple of days – My Head Hurts Jan 02 '13 at 09:42
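The comments above suggest dropping the Base64 round trip and using a better random source for the session-bound token. The following is an added example, not the asker's code: it keeps the same page structure and the same sessiontoken/thistoken names, generates the token with a CSPRNG, and shows the constant-time check the Ajax endpoint would run. It assumes PHP 7+ (random_bytes, hash_equals) and that jQuery is loaded on the page.

```php
<?php
// Added example, not the asker's code: the page-side code with the Base64
// round trip removed and rand() replaced by a CSPRNG token. Assumes PHP 7+
// (random_bytes, hash_equals) and that jQuery is loaded on the page.
session_start();
if (!(isset($_SESSION['id']) && isset($_SESSION['username']))) {
    header("Location: index.php");
    exit();
}

// Create the per-session token once: 32 CSPRNG bytes as 64 hex characters.
// Hex is already safe to store, echo and compare, so no encoding is needed.
function csrf_token(): string {
    if (empty($_SESSION['sessiontoken'])) {
        $_SESSION['sessiontoken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['sessiontoken'];
}

// Constant-time comparison of a submitted token against the session copy.
// scripts/refreshlist.php, after its own session_start() and after including
// this function, would call:
//   if (!csrf_check($_POST)) { http_response_code(403); exit(); }
function csrf_check(array $post): bool {
    $sent = $post['thistoken'] ?? null;
    return is_string($sent)
        && !empty($_SESSION['sessiontoken'])
        && hash_equals($_SESSION['sessiontoken'], $sent);
}
?>
<html>
  <head>
    <script type="text/javascript">
      function refreshWall() {
        // json_encode() emits a quoted, escaped JS string literal, so the
        // token lands in the script as a value, not as raw source text.
        $.post('scripts/refreshlist.php',
               {thistoken: <?php echo json_encode(csrf_token()); ?>},
               function (data) { /* update the wall with data */ },
               "json");
      }
    </script>
  </head>
  <body></body>
</html>
```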

1 Answer


I upgraded the PHP version to 5.3 and it solved my problem.

vicked