Solved

PHP $_SESSION VARIABLES IN JAVASCRIPT USING AJAX

Posted on 2014-02-20
1,171 Views
Last Modified: 2014-02-20
Hi,

I have a session variable $_SESSION['priv'];

Then I want to use the value stored in this variable in an if/else condition in JavaScript or jQuery, using AJAX.

for example something like that

if ($_SESSION['priv'] == 1) {
    //some code
} else {
    //some code
}
Question by:joyacv2
11 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39873577
Before you go too far down this path, please read this article and make sure you understand the role of the server in the client/server relationship.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html
 
LVL 82

Expert Comment

by:leakim971
ID: 39873583
<?php
// The session must be started before $_SESSION is available on this page.
session_start();
// True only when the stored privilege equals 1 ('* 1' forces a numeric comparison).
$priv = $_SESSION['priv'] * 1 === 1;
?>
<script type="text/javascript">

function foo(bar) {
   // json_encode() emits the JS literal true or false; a bare echo of false
   // would print an empty string and leave an invalid "if()" in the script.
   if (<?php echo json_encode($priv) ?>) {
   //some code
   } else {
   //some code
   }
}
</script>


 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39873596
PHP runs on the server.  The PHP script is started by a request from a client.  PHP is used to prepare the HTML, CSS and JavaScript (together, the "document") that gets sent to the client.  Once PHP has prepared the document and sent it, PHP goes to sleep and nothing else happens until there is another client request that wakes the server up.

PHP can send the value of the $_SESSION['priv'] in the JavaScript.  The client, when running the JavaScript can test the value that gets sent.  But the if-else logic on the server has already happened.
 
LVL 1

Author Comment

by:joyacv2
ID: 39873625
Hi Ray,

This is my case: I have a login page in PHP. After user authentication the user enters another page, but on that page I have a routine in JavaScript that needs to know the privileges of the user to decide what to do. I see a solution using AJAX: another PHP page with an echo can give me back the value of the session variable, and then I can store it in my code. But if a user enters this PHP page separately, it gives out the session variable. Any idea how to work with that?
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39873627
Please see http://iconoun.com/demo/temp_joyacv2.php

<?php // temp_joyacv2.php
// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28369726.html
error_reporting(E_ALL);

// SOMETHING IN THE SESSION
session_start();
$_SESSION['priv'] = 'Hello World';

// CREATE OUR WEB PAGE IN HTML5 FORMAT
$htm = <<<HTML5
<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HTML5 Page in UTF-8 Encoding</title>
</head>
<body>

<!-- INJECT SESSION DATA INTO JAVASCRIPT -->
<script>
var x = '{$_SESSION['priv']}';
alert(x);
</script>

</body>
</html>
HTML5;

// RENDER THE WEB PAGE
echo $htm;


If you can tell us a little more about what you're trying to accomplish in the interaction between the client and server we may be able to point you to a well-understood design pattern.
 
LVL 24

Expert Comment

by:mankowitz
ID: 39873630
I agree with leakim, but just remember that JavaScript is user-editable and user-viewable, so I would do a security check on data when it comes back from the user. For example,

in JavaScript:
// jQuery reads a field's value with .val(); the session key is $_SESSION.
if ($("#password").val() === "<?=$_SESSION['password']?>") {
// show password protected stuff
} else {
// Password rejected
}



In the above example, the cleartext password is available to the user if you show the page source.
 
LVL 24

Expert Comment

by:mankowitz
ID: 39873642
Ray,

Also remember that a user can subvert javascript fairly easily when used for security. For example:

// json_encode() turns the session value into a valid JS literal (string or array).
var privs = <?php echo json_encode($_SESSION['privs']) ?>;
// indexOf() returns -1 when not found, and -1 is truthy, so compare explicitly.
if (privs.indexOf("superuser") !== -1) {
// allow user to do something
}

Now if you run that page with a debugger (F12) and edit the value of privs, you can have superuser access.
 
LVL 108

Accepted Solution

by:Ray Paseur (earned 500 total points)
ID: 39873643
Sounds like you could use this design pattern:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

OK, let me see if I can paraphrase.

You have a login page and a protected page.  The protected page needs to have information that was placed in the PHP session by the login page.  The protected page will use this information to create the correct JavaScript variables.

That's a pretty standard design pattern involving PHP client authentication.  In this design, the protected page would not run at all unless the login page had been run before and the client had been authenticated.
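The pattern Ray describes, together with the server-side re-check that mankowitz's debugger example calls for, as an added example (not code from this thread): one PHP endpoint that the protected page's AJAX calls. It assumes the login page stored 'user_id' and 'priv' in the session; those keys and the 'action' parameter are assumptions, not from the original posts.

```php
<?php
// Added example, not from the thread. Assumed: the login page set
// $_SESSION['user_id'] and $_SESSION['priv'] (1 = privileged user).
declare(strict_types=1);

session_start();

header('Content-Type: application/json; charset=utf-8');
header('Cache-Control: no-store');

// No authenticated session: the endpoint reveals nothing, whether it is
// called from the page's AJAX or typed straight into the address bar.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

// Privilege comes from the session the server built at login,
// never from anything the client sent in this request.
$priv = (int) ($_SESSION['priv'] ?? 0);

$action = $_GET['action'] ?? 'priv';   // assumed parameter name

switch ($action) {
    case 'priv':
        // A hint for the UI only: the client can edit this value in a
        // debugger, but doing so changes nothing on the server.
        echo json_encode(['priv' => $priv]);
        break;

    case 'admin_report':
        // The real check happens here, against the session, on every request.
        if ($priv !== 1) {
            http_response_code(403);
            echo json_encode(['error' => 'forbidden']);
            exit;
        }
        echo json_encode(['report' => 'data only priv=1 users may see']);
        break;

    default:
        http_response_code(400);
        echo json_encode(['error' => 'unknown action']);
}
```

The protected page's JavaScript fetches `?action=priv` to decide what to show, while every sensitive operation is requested as its own action and is authorized again on the server.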
 
LVL 1

Author Comment

by:joyacv2
ID: 39873647
Hi,

Is that a secure procedure?
 
LVL 1

Author Closing Comment

by:joyacv2
ID: 39873657
This provides me a guide to work with my code! Thanks!!!
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39873678
@mankowitz: I understand that you can subvert JavaScript.  It's axiomatic that all external data is tainted and must be filtered before it can be used.  

I think the confusion here is about what processing runs on the server and what runs on the client.  It doesn't matter what you change in the JavaScript variables, because they were prepared originally by the server and sent to the client.  The server has "gone away" by the time the client receives the data.  So no changes you might make on the client can have any effect on the server, until the client sends another request.  And like all client requests, the request data must be filtered.  In the case of user privileges, the client does not get to establish that information.  User privileges are a downstream consequence of the server-side client authentication process, not something that is passed around in the request variables.  (Unless you're the Obamacare web site, then who knows what's going on?)