joyacv2 (Puerto Rico)

asked on
PHP $_SESSION VARIABLES IN JAVASCRIPT USING AJAX

Hi,

I have a session variable $_SESSION['priv'];

Then I want to use the value stored in this variable in an if/else condition in JavaScript or jQuery using AJAX,

for example, something like this:

if ($_SESSION['prig'] == 1) {

//some code

}else{

//some code

}
Ray Paseur

Before you go too far down this path, please read this article and make sure you understand the role of the server in the client/server relationship.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html
leakim971
<?php
    session_start();
    // true only when the session value is exactly 1. json_encode() renders
    // the boolean as the JavaScript literal true/false; a bare echo of a
    // PHP false prints nothing and would leave an empty if() in the script.
    $prig = json_encode((int) $_SESSION['prig'] === 1);
?>
<script type="text/javascript">

function foo(bar) {
   if(<?php echo $prig ?>) {
   //some code
   }else{
   //some code
   }  
}
</script>

PHP runs on the server.  The PHP script is started by a request from a client.  PHP is used to prepare the HTML, CSS and JavaScript (together, the "document") that gets sent to the client.  Once PHP has prepared the document and sent it, PHP goes to sleep and nothing else happens until there is another client request that wakes the server up.

PHP can send the value of the $_SESSION['priv'] in the JavaScript.  The client, when running the JavaScript can test the value that gets sent.  But the if-else logic on the server has already happened.
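The two snippets above drop the session value straight into the script with string interpolation. That is fine for a constant like 1, but if the session value ever derives from user input (a display name, for instance) the interpolation becomes a script-injection point. The following is an added example, not code from the thread or from Experts Exchange, showing the same "server prepares the document" pattern with the value emitted as a JSON literal so it cannot break out of the <script> context. The function name js_literal and the sample values are assumptions for illustration.

```php
<?php
// Added example: embed session values in inline JavaScript safely.
// js_literal() and the sample values below are assumptions for the demo.
session_start();

// Constructed sample values: the first is what the thread uses, the second
// is the kind of value that breaks naive '{$_SESSION[...]}' interpolation.
$_SESSION['priv'] = 1;
$_SESSION['name'] = "O'Neil</script><script>alert(document.cookie)</script>";

// Return a JavaScript literal for $value that is safe inside <script>.
// JSON is valid JavaScript for strings, numbers, booleans, null, arrays and
// objects; the HEX flags escape < > & ' " as \uXXXX so the HTML parser never
// sees a closing </script> inside the literal.
function js_literal($value) {
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode() returns false on e.g. invalid UTF-8; emit null rather
    // than an empty literal that would make the script a syntax error.
    return $json === false ? 'null' : $json;
}

$priv = js_literal((int) $_SESSION['priv'] === 1);  // "true" or "false"
$name = js_literal($_SESSION['name']);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Session value in JavaScript</title></head>
<body>
<script>
// These values were fixed by the server while rendering. A user can change
// them in a debugger, but that only changes what this page displays.
var isPrivileged = <?php echo $priv; ?>;
var displayName  = <?php echo $name; ?>;

// Use textContent, not innerHTML or document.write, so the name is shown
// as text and never parsed as markup on the client either.
var p = document.createElement('p');
p.textContent = (isPrivileged ? 'Admin menu for ' : 'Standard menu for ') + displayName;
document.body.appendChild(p);
</script>
</body>
</html>
```

View the page source and the name appears as "O\u0027Neil\u003C\/script\u003E...": the browser's HTML parser finds no closing script tag inside the string, while the JavaScript engine still decodes it to the original text.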
joyacv2 (ASKER)

Hi Ray,

This is my case: I have a login page in PHP; after user authentication the user enters another page, but in that other page I have a routine in JavaScript that needs to know the privileges of the user to decide what to do. I see a solution using AJAX, where another PHP page with an echo can give me back the value of the session variable and then I can store it in my code, but if a user enters this PHP page separately it gives the session variable. Any idea how to work with that?
Please see http://iconoun.com/demo/temp_joyacv2.php

<?php // temp_joyacv2.php
// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28369726.html
error_reporting(E_ALL);

// SOMETHING IN THE SESSION
session_start();
$_SESSION['priv'] = 'Hello World';

// ENCODE THE VALUE AS A JAVASCRIPT LITERAL SO QUOTES OR A STRAY </script>
// IN THE SESSION DATA CANNOT BREAK OUT OF THE SCRIPT BLOCK
$priv_js = json_encode($_SESSION['priv'], JSON_HEX_TAG);

// CREATE OUR WEB PAGE IN HTML5 FORMAT
$htm = <<<HTML5
<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HTML5 Page in UTF-8 Encoding</title>
</head>
<body>

<!-- INJECT SESSION DATA INTO JAVASCRIPT -->
<script>
var x = {$priv_js};
alert(x);
</script>

</body>
</html>
HTML5;

// RENDER THE WEB PAGE
echo $htm;


If you can tell us a little more about what you're trying to accomplish in the interaction between the client and server we may be able to point you to a well-understood design pattern.
I agree with leakim, but just remember that javascript is user-editable and user-viewable, so I would do a security check on data when it comes back from the user. For example

In JavaScript:
if ($("#password").val() === "<?=$_SESSION['password']?>") {
// show password protected stuff
} else {
// Password rejected
}


In the above example, the cleartext password is available to the user if you show page source.
Ray,

Also remember that a user can subvert javascript fairly easily when used for security. For example:

// json_encode() makes the session value a valid JavaScript literal
var privs = <?php echo json_encode($_SESSION['privs']) ?>;
// indexOf() returns -1 when not found, which is truthy, so compare explicitly
if (privs.indexOf("superuser") !== -1) {
// allow user to do something
}

Now if you run that page with a debugger (F12) and edit the value of privs, you can have superuser access.
ASKER CERTIFIED SOLUTION
Ray Paseur
joyacv2 (ASKER)

Hi,

Is it a secure procedure to do that?
joyacv2 (ASKER)

This provides me a guide to work with my code! Thanks!!!
@mankowitz: I understand that you can subvert JavaScript.  It's axiomatic that all external data is tainted and must be filtered before it can be used.  

I think the confusion here is about what processing runs on the server and what runs on the client.  It doesn't matter what you change in the JavaScript variables, because they were prepared originally by the server and sent to the client.  The server has "gone away" by the time the client receives the data.  So no changes you might make on the client can have any effect on the server, until the client sends another request.  And like all client requests, the request data must be filtered.  In the case of user privileges, the client does not get to establish that information.  User privileges are a downstream consequence of the server-side client authentication process, not something that is passed around in the request variables.  (Unless you're the Obamacare web site, then who knows what's going on?)