0

Requirement: use the QRBOT app to scan a barcode on a mobile and give the number scanned to the website.

Problem: I have a session open (1); from here I'm opening the app (see ScanBarcode.php), I scan, and the app returns to the callback URL including the required parameters. However, while I expect it to re-use its session, it creates a new one (2). Can someone help me? It does have both sessions active and both pages keep using their own session. I can only test it on my cell phone, which I checked is using the same browser each time (for the initiate (1) and the callback (2)).

What I tried already:

1. Pass the sessionID in the callback URL (QRBOT doesn't allow parameters)
2. Set session.auto_start to 1

ScanBarcode.php

<?php
   include_once('../../config.inc.php'); //contains DB connection details and other settings
   include_once($fullurl . '../../admin/includes/sessie.inc.php'); //generates session
    echo "SessionID=". session_id() . "!";
    $_SESSION['BarCode'] = "VoorraadTellen";
    echo "Wat gaan we doen? " . $_SESSION['BarCode'] . "</br></br>";
  //URL to open qrbot.
    echo "<a href=https://qrbot.net/x-callback-url/scan?x-success=https%3A%2F%2Filonashairstyling.nl/2016UAT/module/Ilonas_admin/ScanBarcodeCallBack.php?".">click</a>"
?>

ScanBarcodeCallBack.php

    <?php
     $source = $_GET['x-source'];
     $content = $_GET['content'];
     $format = $_GET['format'];
     include_once('../../config.inc.php');
     include_once($fullurl . '../../admin/includes/sessie.inc.php'); 
     echo "Wat gaan we doen? " . $_SESSION['BarCode'] . "</br></br>";
     echo "SessionID=". session_id() . "!";
     echo $source . $content . $format;

  // HERE I WRITE TO THE DB.
    ?>

sessie.inc.php

<?php
$a = session_id();
if(empty($a)) 
    {
        session_start();
    }

    if(isset($_SESSION['sgebruiker'])) 
    {
        $now = time();
        if($now - $_SESSION['stijd'] > $_SESSION['maxidle']) 
        {
            $_SESSION = array();
            session_destroy();
        } 
        else 
        {
            $_SESSION['stijd'] = $now;
        }
    } 
    elseif(isset($_COOKIE['login_cookie'])) 
        {
            //Check against db and set cookie.
        }
?>

Adding screenshot when I add the sessionId in the URL as a parameter: [screenshot]

Update to ScanBarcode.php

`echo "<a href=https://qrbot.net/x-callback-url/scan?x-success=https%3A%2F%2Filonashairstyling.nl/2016UAT/module/Ilonas_admin`/ScanBarcodeCallBack.php?s=".htmlspecialchars(session_id()).">click</a>"
Veldhuis
  • Sessions are tied to a specific application. The browser and the QRBOT application each have their own session cookie. – Barmar Oct 14 '19 at 11:10
  • @Barmar Thank you for your reply. Do you have any recommendation how to overcome this issue? – Veldhuis Oct 14 '19 at 11:15
  • I think passing the session ID as a URL parameter should work. Show how you tried to do that. Here's the [documentation](https://www.php.net/manual/en/session.idpassing.php) – Barmar Oct 14 '19 at 11:20
  • @Barmar I've updated the URL in Barcode.php to echo "click". When I run a test I get an error in the app (it looks like it is trying to add parameters twice) – Veldhuis Oct 14 '19 at 11:40
  • Put the code in the question so it will be formatted properly. – Barmar Oct 14 '19 at 11:44
  • Do you really have backticks in the code? – Barmar Oct 14 '19 at 14:32

3 Answers

0

As far as I know you don't need the whole check with session_id(). The PHP documentation for session_start() says:

session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.

This is also my experience. Every time I used session_start() I just put it at the top of every file (or included it like you did).

Tsia
  • Thank you for your reply - I did comment out some of the session file and put the session_start() function without the check - it is indeed the existing session if open; however, it didn't resolve the problem I have. – Veldhuis Oct 14 '19 at 11:23
  • I'm sorry. I think I misunderstood the problem. – Tsia Oct 14 '19 at 11:48
  • Have you tried to add the session ID to the callback URL like this: echo ''; – Tsia Oct 14 '19 at 11:53
  • That solved the problem - I will clean up the code and post it as an answer. @Tsia – Veldhuis Oct 14 '19 at 14:47
0

When you pass the session ID in the URL, you need to use the parameter to set the session ID before calling session_start(). Change sessie.inc.php to:

<?php
if (isset($_GET['s'])) {
    session_id($_GET['s']);
}
session_start();

if(isset($_SESSION['sgebruiker'])) 
{
    $now = time();
    if($now - $_SESSION['stijd'] > $_SESSION['maxidle']) 
    {
        $_SESSION = array();
        session_destroy();
    } 
    else 
    {
        $_SESSION['stijd'] = $now;
    }
} 
elseif(isset($_COOKIE['login_cookie'])) 
{
    //Check against db and set cookie.
}
?>
Barmar
0

Working with both @Tsia and @Barmar we found the solution. We fixed it by:

- Encoding the URL using the urlencode function
- Taking the sessionID from the URL and applying it using the session_id function before initiating the start_session (see also).

The cleaned up code below; hopefully someone would be able to use it also.

ScanBarcode.php

<?php
include_once('../../config.inc.php'); // contains DB connection details and other settings
include_once($fullurl . '../../admin/includes/sessie.inc.php'); // generates session
echo "SessionID=" . session_id();

// URL to open qrbot; the whole callback URL is urlencoded so its own "?s=..." survives as one parameter value.
$CallbackUrl = "http://ilonashairstyling.nl/2016UAT/module/Ilonas_admin/ScanBarcodeCallBack.php?s=" . htmlspecialchars(session_id());
echo '<a href="https://qrbot.net/x-callback-url/scan?x-success=' . urlencode($CallbackUrl) . '">click</a>';
?>

ScanBarcodeCallBack.php

<?php
  $source = $_GET['x-source'];
  $content = $_GET['content'];
  $format = $_GET['format'];

  include_once('../../config.inc.php');

  ini_set("session.use_cookies",0);
  ini_set("session.use_trans_sid",1);
  session_id($_GET['s']);
  //print_r($_SESSION); //You can test it with this code
  //print(session_id()); //You can test it with this code

  ini_set("session.use_cookies",1);
  ini_set("session.use_trans_sid",0);

  include_once($fullurl . '../../admin/includes/sessie.inc.php'); 

  echo "Wat gaan we doen? " . $_SESSION['BarCode'] . "</br></br>";
  echo "SessionID=". session_id() . "!";
  echo $source . $content . $format;

  // HERE I WRITE TO THE DB.
?>

sessie.inc.php is unchanged

Veldhuis
  • 1
  • 2
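
The answers above accept the session ID from the `s` query parameter, which exposes it to the QR app, server logs and browser history, and lets whoever supplies the callback link choose the session ID the page adopts (session fixation). As an added example that is not part of any answer on this page, the handoff can use a single-use, short-lived token that the server maps back to the session ID; the `handoff_*` function names, the `t` parameter, the TTL and the temp-directory storage are all assumptions.

```php
<?php
// Added example: hand the scan callback a one-time token instead of the session ID.
// All names here (handoff_*, the "t" parameter, the storage directory) are hypothetical.
const HANDOFF_TTL = 120; // seconds a token stays redeemable (assumed value)

function handoff_path(string $token): string {
    $dir = sys_get_temp_dir() . '/scan_handoff';
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    // File name is a hash of the token, so a directory listing reveals no usable token.
    return $dir . '/' . hash('sha256', $token);
}

// ScanBarcode.php: call after session_start() and put the result in the callback URL.
function handoff_issue(string $sessionId): string {
    $token = bin2hex(random_bytes(32));
    $record = json_encode(['sid' => $sessionId, 'exp' => time() + HANDOFF_TTL]);
    file_put_contents(handoff_path($token), $record, LOCK_EX);
    return $token;
}

// ScanBarcodeCallBack.php: call before session_start(); null means reject the request.
function handoff_redeem(string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    // rename() is atomic, so only one request can claim a given token.
    $claimed = handoff_path($token) . '.' . bin2hex(random_bytes(8));
    if (!@rename(handoff_path($token), $claimed)) {
        return null; // unknown token or already used
    }
    $record = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($record) || ($record['exp'] ?? 0) < time()) {
        return null; // expired or corrupt
    }
    return $record['sid'];
}

// Constructed demo for the command line; in the callback page the flow would be:
//   $sid = handoff_redeem($_GET['t'] ?? '');
//   if ($sid === null) { http_response_code(403); exit; }
//   session_id($sid); session_start();
if (PHP_SAPI === 'cli') {
    $token = handoff_issue('constructed-session-id');
    var_dump(handoff_redeem($token)); // first redemption
    var_dump(handoff_redeem($token)); // replay of the same token
}
```

The token still passes through the QR app, but it stops working after one redemption or after `HANDOFF_TTL` seconds, and the session ID itself never leaves the server.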