CURL ignores $_SESSION???

I have a security mechanism that checks that session variables are set,  
and if not, redirects. It seems, however, that CURL just ignores this  
statement and completely breaches my security.

Does anyone have any ideas how to avoid this?

Re: CURL ignores $_SESSION???

turnitup wrote:
[quoted text]

It seems that CURL ignores the redirect header. I had to put an exit  
after that statement. Sorted now. CAVEAT REDIRECTOR!!!

Re: CURL ignores $_SESSION???

Which is why redirecting should actually be done like this:

$target = ' ';
header("Location: $target");
print("You are being redirected to $target, click <a href=\"$target\">here</a> if you don't get redirected.");

Not only cURL, but all kinds of applications & browsers can choose not to directly follow your location headers. If you open pages with cURL, and you want to obey redirects from the header, use:

curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);

-- 
Rik Wasmus

Re: CURL ignores $_SESSION???

turnitup wrote:
[quoted text]

You always have to put exit after redirection. And mind you this has  
nothing to do with CURL, it's just that PHP won't stop executing a  
script just because you set a header unless you say so. And remember  
that this is a good feature, not a bad. You just need to be aware of it.

"I am not a bad person, but apples are my livelihood." -Perttu Sirviö | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)

Re: CURL ignores $_SESSION???

Kimmo Laine wrote:

[quoted text]

What's more, PHP doesn't send the headers to the client until you either
output some non-header content or your script exits.

Toby A Inkster BSc (Hons) ARCS
Contact Me ~
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

Re: CURL ignores $_SESSION???

If you send sensitive data to the browser anyway when it fails
requirements for getting it, you have no security.  Never depend
on the browser to do what you want.  It could just be something
that sucks down the response and stores it in a file, or a telnet
client that logs the session.  Oh, yes, ordinary clients might cache
it where it can be found by a user, also.

One of the more likely clients to ignore your "security" mechanism
is a search engine.
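
A check for the failure discussed in this thread, added here as an example and not code from any of the posters: it requests one of your own protected pages without a session and without following redirects, as the cURL client did, and reports a 3xx response whose body is larger than a short fallback link. The function names, the 256-byte allowance, the /login.php path and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example: flag redirect responses that still carry page content.

// Fetch a URL the way the cURL client in this thread did: no session
// cookie is sent and Location is not followed. Returns raw headers + body.
function fetch_raw(string $url): string {
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HEADER, true);           // keep headers in the result
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);  // act like a client that ignores redirects
    $raw = curl_exec($curl);
    if ($raw === false) {
        throw new RuntimeException("request to $url failed");
    }
    return $raw;
}

// Inspect one raw response. $maxBody is an assumed allowance (in bytes) for
// a short "click here" fallback link; a larger body on a 3xx is reported.
function audit_redirect(string $raw, int $maxBody = 256): array {
    [$head, $body] = array_pad(preg_split('/\r?\n\r?\n/', $raw, 2), 2, '');
    preg_match('#^HTTP/\S+\s+(\d{3})#', $head, $m);
    $status = (int) ($m[1] ?? 0);
    $isRedirect = $status >= 300 && $status < 400
        && preg_match('/^Location:/mi', $head) === 1;
    return [
        'status'     => $status,
        'body_bytes' => strlen($body),
        'leak'       => $isRedirect && strlen($body) > $maxBody,
    ];
}

// Constructed sample responses (not captured from a real site):
// the first models a script that kept running after header("Location: ..."),
// the second models the same script with exit placed after the header.
$noExit = "HTTP/1.1 302 Found\r\nLocation: /login.php\r\n\r\n"
    . str_repeat("<tr><td>account row</td></tr>\n", 40);
$withExit = "HTTP/1.1 302 Found\r\nLocation: /login.php\r\n\r\n";

foreach (['no exit' => $noExit, 'with exit' => $withExit] as $label => $raw) {
    $r = audit_redirect($raw);
    printf("%-9s status=%d body=%d leak=%s\n", $label, $r['status'],
        $r['body_bytes'], $r['leak'] ? 'YES' : 'no');
}
```

To run it against your own site, pass the output of fetch_raw() for each session-protected URL to audit_redirect() in place of the constructed samples.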
