Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 472
  • Last Modified:

Domain Masking is canceling my php session variables

K so i have a php script, here it is minus the database info

<?PHP
session_start();
//require_once($_SERVER['DOCUMENT_ROOT'] . "/include/database.class.php");

//require("/home//public_html/include/database.class.php");

$username_lookup = rtrim($_SERVER['REDIRECT_URL'],'/');
preg_match('/\/[A-Za-z0-9_\- ]+$/', $_SERVER['REDIRECT_URL'], $matches);
$username_lookup = substr(trim($matches[0]),1);

if($username_lookup){
      //$db = new database();
      //$db = new database();
      //$db = new database();
      
      $ho =
   $us =
   $pa =
   $dbName =

   // connect and select the database
   $conn = mysql_connect($ho, $us, $pa) or die(mysql_error());
   $db = mysql_select_db($dbName, $conn) or die(mysql_error());
      //$db = new database

      unset($_SESSION["user"]);
$a = 1;
$b = 5;
      
      if($a<$b){
            $_SESSION["user"]["username"] = strtolower($username_lookup);
      }
      
      if($username_lookup == 'clearsession'){
            unset($_SESSION["user"]);
      }
}

if(!$_SESSION["user"]["username"]){
      header("Location: /real404.php");
}else{
      //header("Location: /index.php");
      include('index.php');
}

echo "<!--" . @$_SESSION["user"]["username"] . "-->";
?>


Basically it uses a 404 error when someone types in a web address say www.cool.com/4356 it searches the database to see if there is a 4356 and displays it as a replicated site if there is and returns a 404 error if it doesnt.  Everything works great.  People can put links into their site as well say www.cool.com/4356 .   Problem is people are getting there own domain names say www.irock.com and forward it with domain masking to www.cool.com/4356 .  In firefox it works fine but in IE it is not setting the session variables.  Has anyone heard of this bug before or any way around it?
0
Brant Snow
Asked:
Brant Snow
  • 2
1 Solution
 
Richard QuadlingSenior Software DeverloperCommented:
My first step would be to make sure you are using clean browsers - clear cache and cookies - obviously this isn't what you would want to do on your live machine, so a Virtual Machine is probably the real first step. By using a VM, you can present a 100% clean environment each time.

Secondly, I'd use WireShark to watch the requests and see what cookies are passed around to see if there is really an issue.

Also, make sure your header('Location: xxxx'); is a fully qualified address ... http://www.somesite.com/page.ext. That is the correct way. Sure, browsers accept relative addresses, but, just maybe, you've got an edge-case.

Bypass that possibility by obeying the standard.


With WireShark can you tell us what cookies are being received and sent?
0
 
Richard QuadlingSenior Software DeverloperCommented:
What was the solution?
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now