1

So I have a page where I'm requesting users to enter a key via an <input> tag. I would like to store this information in $_SESSION['sessionKey'] when the user clicks a button. Since I'm trying to keep the key moderately secure, I want to avoid passing this information via GET or POST.

Most of what I've found online shows this done by using GET/POST and I'm having difficulty finding information on a method that would not use this approach. I did find this question, which suggests putting JavaScript in a file that has an extension of .php, and from there, using the PHP tags to obtain the $_SESSION variables. I followed this approach like so...

javascript.php

<?php
require ("common/startandvalidate.php");
?>

$(document).ready(function() {
    $("#submitButton").click(function(){
        <?php $_SESSION['sessionKey']?> = $("#sessionKeyInput").value;
    });
});

mainPage.php

<head>
   <script src="javascript.php"></script>
   <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
</head>

<input id="sessionKeyInput" placeholder="Session Key" />
<input id="submitButton" value="Submit" type="button" />

When I look at the page through Inspector (in Chrome) I see the error message:

Undefined index: sessionKey

The require("common/startandvalidate.php"); contains session_start(), so the session is being initiated...

I think it's not working because $_SESSION['sessionKey'] has never been declared before, so even though I want to assign a value to it, it's trying to see the variable contents, which is undefined. How could I go about assigning this value to the $_SESSION variable?

Sorry if this is a simple question, any resources are appreciated!

Mattiavelli
  • 1
    HTTP only handles GET, POST, HEAD, there is nothing else. Also keep in mind that PHP-generated files (CSS, JS, whatever) are not cached by the browser and are re-downloaded and re-parsed every time you reload the page. – Virus721 Jul 16 '13 at 13:59
  • 1
    Perhaps some sort of encryption before passing it? http://stackoverflow.com/questions/3486465/is-there-a-way-to-encrypt-in-jquery – Melbourne2991 Jul 16 '13 at 14:00
  • `$_SESSION` is a PHP array, you cannot set it on the client side via javascript. The value has to be sent to the server to be stored in the array. – Drahcir Jul 16 '13 at 14:01
  • If you don't want to POST or GET the data then the only other alternative is to use cookies to store the data. –  Jul 16 '13 at 14:04
  • If you want security then add an ssl cert to your server and ensure that the client is connected via https....Then GET and POST all day. – Orangepill Jul 16 '13 at 14:07
  • I'll probably add SSL in the future, this is more of a "proof-of-concept" build though. Thanks everyone for the suggestions and clarification, I think I'll just go with encryption + salt via POST route. – Mattiavelli Jul 16 '13 at 14:10
  • In addition to the other comments, you may want to rethink why you are creating this user-defined session key. The server side session context is kept secure by php internals using a cookie, there is no need to differentiate each session manually. – Rick Suggs Jul 16 '13 at 14:16
  • @ricksuggs Yes this key is not the same as the PHPSESSID cookie. It's along the lines (conceptually) of a chatroom, where users must enter a valid name and a key to gain access. Thanks though! – Mattiavelli Jul 16 '13 at 14:18

2 Answers

3

$_SESSION is a PHP array, you cannot set it on the client side via JavaScript. The value has to be sent to the server to be stored in the array.

The question you pointed to shows how you can retrieve the data from $_SESSION, but it won't work for storing data.

The error you see in the console "Undefined index: sessionKey" simply means that the JavaScript array named $_SESSION has no key named "sessionKey".

Drahcir
  • This is what I was looking for. I wasn't exactly sure how it would work storing the data, thanks for clearing that up though! I think I'll go with some other suggestions and encrypt it with a salt before sending it via POST. Appreciate it! – Mattiavelli Jul 16 '13 at 14:07
2

JavaScript runs on the client and doesn't have access to the server, and therefore the session. If you want to put a user-entered value in the session, you need to pass it to the server. The most secure way to do that is an SSL-protected HTTP POST.

Jason P
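
What the answers above describe, as an added example that is not from the original thread: a PHP endpoint that accepts the key only by POST over HTTPS and writes it to $_SESSION on the server. The file name setKey.php, the key format, and calling session_start() directly instead of the asker's common/startandvalidate.php are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// setKey.php (hypothetical name): receives the key by POST and stores it server-side.
declare(strict_types=1);

// Send the session cookie only over HTTPS and keep it away from page scripts.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

// The key travels in the request body, so refuse anything but POST over TLS.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}
// Assumption: TLS terminates at this server; behind a proxy this check differs.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    fail(400, 'HTTPS required');
}

// Assumed key format for illustration: 8-64 letters, digits, '-' or '_'.
$key = $_POST['sessionKey'] ?? '';
if (!is_string($key) || !preg_match('/\A[A-Za-z0-9_-]{8,64}\z/', $key)) {
    fail(422, 'Malformed key');
}

// Assigning to an index that does not exist yet is fine in PHP;
// only reading a missing index raises the "Undefined index" notice.
$_SESSION['sessionKey'] = $key;
session_regenerate_id(true); // issue a fresh session ID once the key is attached

header('Content-Type: application/json');
echo json_encode(['ok' => true]);

// Client side (jQuery, using the ids from mainPage.php):
//   $("#submitButton").click(function () {
//       $.post("setKey.php", { sessionKey: $("#sessionKeyInput").val() });
//   });
```

The key is then available to later requests as $_SESSION['sessionKey'] and never has to be echoed back into JavaScript.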