
I've got a python/WSGI app which needs to check to see if a user has logged on to a PHP web app. The problem is that the PHP app checks if a user has logged on by comparing a value in the $_SESSION variable to a value in the cookie from the user's browser. I would prefer to avoid changing the behavior of the php app if at all possible.

My questions:

  1. Is there any way I can access the session variables from within Python? Where should I start to look?

  2. Are there any obvious security/performance issues I should be aware of when taking this approach?

Teddy
Bill Zimmerman

3 Answers

  1. Yep. A session (by default) is a regular file, so all you need is to look over the session directory and find the file whose name is the session cookie value. Then you have to implement PHP-like serialize/unserialize and do whatever you want.

  2. Nope.

zerkms
  • The link in David's comment is broken. Instead I've found this gist: https://gist.github.com/scragg0x/3894835 – skarap May 27 '13 at 12:45

It depends on the PHP app. If it's keeping session data in a database (MySQL maybe) you can just connect to the database and get the data; if it's using native PHP sessions you should look at the session.save_path config setting in php.ini, which is the place where the runtime saves the files with the session data.

Once you have the data you can parse it to get it unserialized, take a look at how serialize() and unserialize() work in PHP.

Daniel Dinu
  • I recommend and use this solution. It's actually very simple to write a mysql-based session manager - and using the custom session methods you can also store the session data as JSON, which makes it universally accessible. – Alfred Bratterud Sep 12 '12 at 07:47
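The two answers above come down to the same two steps: locate the session file (or row) that belongs to the session id in the cookie, then decode PHP's serialize() format. The following is an added example in Python 3, not code from either answer, that does both for PHP's default files handler. It refuses session ids containing characters PHP never emits before joining them onto save_path (the id comes straight from the user's cookie, so without that check a value such as ../../etc/passwd would become part of the path), and it decodes the name|value session layout for strings, integers, floats, booleans, nulls and arrays; objects are rejected. The sample session contents and the save_path used in the usage are constructed for illustration.

```python
import os
import re

# PHP's default session ids use only these characters (session.sid_bits_per_character <= 6).
SESSION_ID_RE = re.compile(r'^[0-9A-Za-z,-]{1,256}$')


class PhpUnserializeError(ValueError):
    pass


def session_file_path(save_path, session_id):
    """Build the path of a files-handler session; reject anything that is not a plain id.

    The 'N;/path' (directory-depth) form of session.save_path is not handled here.
    """
    if not SESSION_ID_RE.match(session_id):
        raise ValueError('session id contains characters PHP never emits')
    return os.path.join(save_path, 'sess_' + session_id)


def _parse_value(data, pos):
    """Parse one serialize()d value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b'N':                       # N;
        if data[pos + 1:pos + 2] != b';':
            raise PhpUnserializeError('malformed null at %d' % pos)
        return None, pos + 2
    if tag in (b'i', b'd', b'b'):         # i:42;  d:9.5;  b:1;
        end = data.index(b';', pos)
        raw = data[pos + 2:end]
        if tag == b'i':
            return int(raw), end + 1
        if tag == b'd':
            return float(raw), end + 1
        return raw == b'1', end + 1
    if tag == b's':                       # s:<byte length>:"<bytes>";
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                 # skip ':"'
        end = start + length
        if data[end:end + 2] != b'";':
            raise PhpUnserializeError('string length mismatch at %d' % pos)
        return data[start:end].decode('utf-8'), end + 2
    if tag == b'a':                       # a:<count>:{<key><value>...}
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                   # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        if data[pos:pos + 1] != b'}':
            raise PhpUnserializeError('unterminated array at %d' % pos)
        return result, pos + 1
    raise PhpUnserializeError('unsupported or malformed value %r at %d' % (tag, pos))


def php_unserialize(data):
    """Decode one stand-alone serialize()d value (what session.serialize_handler = php_serialize
    writes for the whole $_SESSION array)."""
    value, pos = _parse_value(data, 0)
    if pos != len(data):
        raise PhpUnserializeError('trailing data after value')
    return value


def parse_php_session(data):
    """Decode the default 'php' handler layout: name|value repeated, no separator in between."""
    result = {}
    pos = 0
    while pos < len(data):
        bar = data.index(b'|', pos)       # names never contain '|'; values are parsed, not scanned
        name = data[pos:bar].decode('utf-8')
        result[name], pos = _parse_value(data, bar + 1)
    return result


def load_session(save_path, session_id):
    """Read and decode one session file; raises if the id is malformed or the file is absent."""
    with open(session_file_path(save_path, session_id), 'rb') as fh:
        return parse_php_session(fh.read())


# Constructed sample of what PHP writes for a logged-in user; not taken from a real server.
SAMPLE_SESSION = (b'user_id|i:42;username|s:5:"alice";logged_in|b:1;'
                  b'roles|a:2:{i:0;s:5:"admin";i:1;s:6:"editor";}note|s:3:"a|b";last_seen|N;')

if __name__ == '__main__':
    print(parse_php_session(SAMPLE_SESSION))
    # On a real server: load_session('/var/lib/php/sessions', request_cookie_value)
```

Note that string lengths in serialize() output are byte counts, which is why the parser works on bytes and only decodes after slicing; a session written by an app with a non-UTF-8 default charset would need a different decode.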

I'm currently in the process of trying to run a python server side by side with an existing Apache/php one. A custom solution I arrived at was to save the $_SESSION as an encrypted cookie, letting the php authentication operate as before, then share a private key between the two servers.

Two issues:

  • Up to you how to handle session expiry stuff.
  • I haven't bothered with an Initialization Vector, assuming the time stamp from my expiry stuff is enough. See https://stackoverflow.com/a/12486940/4495503 for why I might be being too security lax...

Anyway, my php encrypted cookie function:

session_start();
$encryptToCookie = function($varToEncode, $cookieName, $privateKey) {
    $iv = $privateKey;
    $pass = $privateKey;
    $method = 'aes-128-cbc';
    // OPENSSL_RAW_DATA returns the raw ciphertext bytes, which bin2hex() then hex-encodes
    $encryptedString = openssl_encrypt(json_encode($varToEncode), $method, $pass, OPENSSL_RAW_DATA, $iv);
    setcookie($cookieName, bin2hex($encryptedString));
};

$encryptToCookie($_SESSION, "sessionEncrypted", "yohoyohoyohoyoho"); // private key must be 16 bytes (AES-128)

And my python side decryption:

from subprocess import Popen, PIPE
import binascii

def decrypt(encryptedString, privateKey):
    # The cookie value is hex(ciphertext); the key doubles as the IV, matching the PHP side
    encryptedString = binascii.unhexlify(encryptedString)
    pathToOpenSSL = r'C:\pysrc\openssl\openssl.exe'  # MODIFY THIS!!
    keyHex = binascii.hexlify(privateKey.encode()).decode()

    openssl = Popen([pathToOpenSSL,
                     'enc', '-aes-128-cbc', '-d',
                     '-nosalt', '-nopad', '-K', keyHex,
                     '-iv', keyHex],
                    stdin=PIPE, stdout=PIPE)
    decryptedString = openssl.communicate(encryptedString)[0]
    # -nopad leaves the PKCS#7 padding in place; its last byte says how many bytes to drop
    padLength = decryptedString[-1]
    return decryptedString[:-padLength].decode()

decrypt(encryptedString, 'yohoyohoyohoyoho')  # encryptedString: the hex value of the sessionEncrypted cookie

Hope this is of help to someone, remember all the usual stuff about generating private keys and then being careful with them!

Community
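The two open issues the answer lists (expiry handling and the IV) and the way its decrypt() removes padding are the parts worth tightening. The following is an added Python 3 example, not the answer's code, of a cookie layout that carries a fresh IV per cookie instead of reusing the key, puts the expiry inside an HMAC-SHA256 that covers IV, ciphertext and expiry (encrypt-then-MAC with a MAC key separate from the encryption key), and strips PKCS#7 padding by its length byte rather than deleting every 0x04. The hex(iv).hex(ciphertext).expiry.hex(mac) layout, the function names and the sample bytes are assumptions made for this example; the PHP side would have to emit the same layout. The AES step itself still goes through the openssl command line, as in the answer.

```python
import binascii
import hashlib
import hmac
import subprocess
import time


def pkcs7_unpad(data, block_size=16):
    """Remove PKCS#7 padding. Unlike deleting every 0x04 byte, this validates the padding
    and leaves legitimate 0x04 bytes inside the JSON untouched."""
    if not data or len(data) % block_size:
        raise ValueError('length is not a multiple of the block size')
    pad = data[-1]
    if not 1 <= pad <= block_size or data[-pad:] != bytes([pad]) * pad:
        raise ValueError('bad padding')
    return data[:-pad]


def make_cookie(iv, ciphertext, expires_at, mac_key):
    """Assumed layout: hex(iv).hex(ct).expiry.hex(mac); the MAC covers the first three fields.
    In the real deployment PHP builds this; it is here so the format is spelled out."""
    body = '%s.%s.%d' % (binascii.hexlify(iv).decode(),
                         binascii.hexlify(ciphertext).decode(), expires_at)
    mac = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return body + '.' + mac


def unwrap_cookie(cookie, mac_key, now=None):
    """Verify the MAC first, then the expiry; return (iv, ciphertext) or raise ValueError."""
    now = time.time() if now is None else now
    parts = cookie.split('.')
    if len(parts) != 4 or not parts[2].isdigit():
        raise ValueError('malformed cookie')
    iv_hex, ct_hex, exp_str, mac_hex = parts
    body = '.'.join((iv_hex, ct_hex, exp_str))
    expected = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_hex):   # constant-time comparison
        raise ValueError('cookie MAC mismatch')
    if int(exp_str) < now:
        raise ValueError('cookie expired')
    return binascii.unhexlify(iv_hex), binascii.unhexlify(ct_hex)


def decrypt_with_openssl(iv, ciphertext, enc_key, openssl='openssl'):
    """The answer's openssl-CLI decryption, but with the cookie's own IV; returns the JSON bytes.
    enc_key must be 16 bytes for aes-128-cbc and should differ from the MAC key."""
    proc = subprocess.run(
        [openssl, 'enc', '-aes-128-cbc', '-d', '-nosalt', '-nopad',
         '-K', binascii.hexlify(enc_key).decode(),
         '-iv', binascii.hexlify(iv).decode()],
        input=ciphertext, stdout=subprocess.PIPE, check=True)
    return pkcs7_unpad(proc.stdout)


# Constructed values for a stand-alone run; a real cookie arrives from the PHP app.
MAC_KEY = b'constructed-mac-key-not-for-real-use'
SAMPLE_IV = bytes(range(16))
SAMPLE_CT = b'\xaa' * 32
SAMPLE_COOKIE = make_cookie(SAMPLE_IV, SAMPLE_CT, 2000000000, MAC_KEY)

if __name__ == '__main__':
    iv, ct = unwrap_cookie(SAMPLE_COOKIE, MAC_KEY, now=1900000000)
    print('cookie verified, iv=%s, %d ciphertext bytes' % (iv.hex(), len(ct)))
    # With real keys: json.loads(decrypt_with_openssl(iv, ct, enc_key))
```

Checking the MAC before looking at the expiry or touching the ciphertext means a forged or altered cookie is rejected without ever reaching the decryption step, and the expiry cannot be edited by the browser because it is under the MAC.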