• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1588
  • Last Modified:

PHP $_SESSION VARIABLES IN JAVASCRIPT USING AJAX

Hi,

I have a session variable $_SESSION['priv'];

then i want to use the value store in this variable to use in a if else condition in javascript or jquery using ajax

for example something like that

if ($_SESSION['prig'] == 1) {

//some code

}else{

//some code

}
0
joyacv2
Asked:
joyacv2
  • 5
  • 3
  • 2
  • +1
1 Solution
 
Ray PaseurCommented:
Before you go too far down this path, please read this article and make sure you understand the role of the server in the client/server relationship.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html
0
 
leakim971PluritechnicianCommented:
<?php
    $prig = $_SESSION['prig'] * 1 === 1;
?>
<script type="text/javascript">

function foo(bar) {
   if(<?php echo $prig ?>) {
   //some code
   }else{
   //some code
   }  
}
</script>

Open in new window

0
 
Ray PaseurCommented:
PHP runs on the server.  The PHP script is started by a request from a client.  PHP is used to prepare the HTML, CSS and JavaScript (together, the "document") that gets sent to the client.  Once PHP has prepared the document and sent it, PHP goes to sleep and nothing else happens until there is another client request that wakes the server up.

PHP can send the value of the $_SESSION['priv'] in the JavaScript.  The client, when running the JavaScript can test the value that gets sent.  But the if-else logic on the server has already happened.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
joyacv2Author Commented:
Hi Ray,

This is my case, I have a login page in php, after user authentication then enters to other page, but in the other page i have a routine in javascript that needs to know the privileges of the user to decide what to do, i see a solution using AJAX that using another php page with an echo can give me back the value of the session variable and then i can store in my code, but if a user enters this php page separately then gives the session variable, any idea to work with that?
0
 
Ray PaseurCommented:
Please see http://iconoun.com/demo/temp_joyacv2.php

<?php // temp_joyacv2.php
// SEE http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_28369726.html
error_reporting(E_ALL);

// SOMETHING IN THE SESSION
session_start();
$_SESSION['priv'] = 'Hello World';

// CREATE OUR WEB PAGE IN HTML5 FORMAT
$htm = <<<HTML5
<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="utf-8" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HTML5 Page in UTF-8 Encoding</title>
</head>
<body>

<!-- INJECT SESSION DATA INTO JAVASCRIPT -->
<script>
var x = '{$_SESSION['priv']}';
alert(x);
</script>

</body>
</html>
HTML5;

// RENDER THE WEB PAGE
echo $htm;

Open in new window

If you can tell us a little more about what you're trying to accomplish in the interaction between the client and server we may be able to point you to a well-understood design pattern.
0
 
mankowitzCommented:
I agree with leakim, but just remember that javascript is user-editable and user-viewable, so I would do a security check on data when it comes back from the user. For example

in javascript
if ($("#password").value() === "<?=$SESSION['password']?>") {
// show password protected stuff
} else {
// Password rejected
}

Open in new window


in the above example, the cleartext password is available to the user if you show page source.
0
 
mankowitzCommented:
Ray,

Also remember that a user can subvert javascript fairly easily when used for security. For example:

var privs = <?php echo $_SESSION['privs'] ?>;
if (privs.indexOf("superuser")) {
// allow user to do something
}

Now if you run that page with a debugger (F12) and edit the value of privs, you can have superuser access.
0
 
Ray PaseurCommented:
Sounds like you could use this design pattern:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

OK, let me see if I can paraphrase.

You have a login page and a protected page.  The protected page needs to have information that was placed in the PHP session by the login page.  The protected page will use this information to create the correct JavaScript variables.

That's a pretty standard design pattern involving PHP client authentication.  In this design, the protected page would not run at all unless the login page had been run before and the client had been authenticated.
0
 
joyacv2Author Commented:
Hi,

is a secure procedure to do that?
0
 
joyacv2Author Commented:
this provides me a guide to work with my code! Thanks!!!
0
 
Ray PaseurCommented:
@mankowitz: I understand that you can subvert JavaScript.  It's axiomatic that all external data is tainted and must be filtered before it can be used.  

I think the confusion here is about what processing runs on the server and what runs on the client.  It doesn't matter what you change in the JavaScript variables, because they were prepared originally by the server and sent to the client.  The server has "gone away" by the time the client receives the data.  So no changes you might make on the client can have any effect on the server, until the client sends another request.  And like all client requests, the request data must be filtered.  In the case of user privileges, the client does not get to establish that information.  User privileges are a downstream consequence of the server-side client authentication process, not something that is passed around in the request variables.  (Unless you're the Obamacare web site, then who knows what's going on?)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

  • 5
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now