Set Session ID
  • Hi guys.

    How can I manually set the session ID? I need this because I'm using fancyupload (flash+js+ajax fileupload) and I gotta send the session_id manually via GET.

    If I do session_id($_GET['session']) and then call Session::instance(), it does not work.

    It would be nice if I could pass the session ID via a parameter to the instance() method.

    Any tips?
  • You can always manually edit the session cookie's value, then do a redirect.

    Tyrael
  • @newcar, out of interest: is passing of the session ID your design, or are you integrating with someone else's code? I only ask because a token-based system (independent of session ID) is usually better for these scenarios. Session ID certainly shouldn't be used for authorisation.
  • @samsoir, I don't think it's a token solution or something else. It's just that Flash upload + PHP just mess up with the session id and cookies.

    Flash-request forgets cookies and session ID: Flash FileReference is not an intelligent upload class, the request will not have the browser cookies, Flash saves its own cookies. When you have sessions, append them as get-data to the URL (e.g. “upload.php?SESSID=123456789abcdef”). Of course your session-name can be different.


    @newcar, why don't you get the current session id with $this->session->id?
  • @spirit I wasn't saying it is a token solution, I was asking why a session ID was needed in the first place... and personally, I wouldn't use a session ID in transmission as it's open to abuse.
  • If I do session_id($_GET['session']) and then call Session::instance(), it does not work.

    The session ID is stored in the session config file. You can manually edit it there, or you can use Kohana::config_set() to change it before you call Session::instance().

  • Well, let me explain better:

    Suppose I have a controller with 2 methods (new, upload) plus __construct. __construct checks to see if the user is logged in; if not, it redirects. new shows the user the form with the fancyupload component. fancyupload sends the files to the upload method BUT it never actually gets there because when fancyupload makes the request it gets redirected by the __construct method that checks that the user is not logged in.

    The user appears as not logged in because when fancyupload makes the request it doesn't send the session cookies, as pointed out by @spirit.

    So I tried to make fancyupload send the session_id via GET to the upload method, and the __construct method checks to see if $_GET['session_id'] is set; if it is, it should alter the session_id to $_GET['session_id'] and the session would be loaded and everything would be fine.

    If I was using only native PHP sessions, not even the Kohana Session Lib, I would do this in the __construct:
    session_id($_GET['session_id']);
    session_name('whatever');
    session_start();

    and it would work. BUT I'm using the Kohana Session Lib and I can't make it work anyway.

    So, what should we change in the Kohana Session Lib to allow manually setting the session ID?

    @zombor: you are saying for me to change the session name on config right? That is not what i want.
  • Session ID would be the unique random string and session name would be kohanasession. The session name is controlled via the session config file.
  • Posted By: NickUK

    Session ID would be the unique random string and session name would be kohanasession. The session name is controlled via the session config file.



    Yeah, and I need to set session ID.

    No one?
  • Posted By: newcar
    Posted By: NickUK

    Session ID would be the unique random string and session name would be kohanasession. The session name is controlled via the session config file.

    Yeah, and I need to set session ID.

    No one?


    Looking in the Session library session_id() is called with no parameters when creating session IDs so the only way around it is to extend it and add the ability to pass in the session ID.

    Line 163 and 160 would probably have to be removed and replaced with:

    if (isset($_GET['kohanasession'])) {
        session_id($_GET['kohanasession']);
    }

    session_start();

    Obviously this is totally insecure and quick and dirty.
  • @NickUK: I think that will do it, I'll try and I'll post the results here.

    If it works I will submit a patch so you can set session ID somewhere else, because otherwise I'll have to copy the whole create method in the extended class and it's not nice because it's almost the whole class...

    Thx for now!
  • So, I edited Session_Core:

    Added: public static $force_id = NULL;

    and on line 163 added:

    // If id is forced, use it
    if (self::$force_id !== NULL)
        session_id(self::$force_id);

    And it's not working, damn, I think I'll have to use the DB driver, because with native session it's messed up...
  • Well, I can't make it work any way, tried it all, even changed to the DB driver and edited the DB class, I give up...

    If anyone can make it work please tell me how.

    Damn, got to finish this project in 2 days and it's the only thing missing...
  • Newcar - Have you tried echoing out self::$force_id to see if it's actually set in your Session class? Also did you put session_start() after your check?
  • newcar, I will work with FancyUpload soon. I'll keep you in touch if I find a workaround.
  • Posted By: NickUKk?

    Yes, I logged it with Kohana and the session_id is being set to a real value.

    Posted By: Delapouite

    newcar, I will work with FancyUpload soon. I'll keep you in touch if I find a workaround.


    The solution I found for now is to create a hash for the object that is the father of the upload (like a post that have_many uploads), and I send the hash via GET and check to see if it's equal to the object hash. It works for this project but it's not a nice option, I'd rather have sessions working. When I have some time I'll make some tests with native sessions and see if I can get it to work.
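
The token-based approach samsoir recommends, which also hardens the per-object hash newcar describes above, as an added example that is not part of any post in this thread or of Kohana: the form page issues a short-lived HMAC token bound to the logged-in user and the parent object, and the upload action verifies it instead of accepting a session ID from the request. The function names, the key constant, integer IDs and PHP 5.6+ (for hash_equals) are assumptions.

```php
<?php
// Added example; issue_upload_token(), verify_upload_token() and the constants
// below are hypothetical names, not part of Kohana or FancyUpload.
const UPLOAD_TOKEN_KEY = 'PLACEHOLDER-long-random-server-side-secret';
const UPLOAD_TOKEN_TTL = 600; // seconds a token stays valid

// Call while rendering the upload form, where the cookie session still works.
function issue_upload_token($user_id, $parent_id, $now = null)
{
    $expires = ($now === null ? time() : $now) + UPLOAD_TOKEN_TTL;
    $payload = (int) $user_id . '.' . (int) $parent_id . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, UPLOAD_TOKEN_KEY);
}

// Call in the upload action in place of the session login check.
// Returns the user id the token was issued to, or false when the token is
// malformed, forged, expired, or issued for a different parent object.
function verify_upload_token($token, $parent_id, $now = null)
{
    $pattern = '/\A(\d+)\.(\d+)\.(\d+)\.([0-9a-f]{64})\z/';
    if ( ! is_string($token) || ! preg_match($pattern, $token, $m)) {
        return false;
    }
    list(, $user_id, $token_parent, $expires, $mac) = $m;
    $expected = hash_hmac('sha256', "$user_id.$token_parent.$expires", UPLOAD_TOKEN_KEY);
    if ( ! hash_equals($expected, $mac)) {
        return false; // signature does not match: tampered or forged
    }
    if ((int) $expires < ($now === null ? time() : $now)) {
        return false; // past its lifetime
    }
    if ((int) $token_parent !== (int) $parent_id) {
        return false; // issued for another object
    }
    return (int) $user_id;
}

// Constructed sample run with fixed timestamps so it is repeatable.
$token = issue_upload_token(42, 7, 1000);
var_dump(verify_upload_token($token, 7, 1100)); // same object, within TTL
var_dump(verify_upload_token($token, 8, 1100)); // different object
var_dump(verify_upload_token($token, 7, 2000)); // after expiry
var_dump(verify_upload_token(preg_replace('/\A42/', '43', $token), 7, 1100)); // user id altered
```

The token travels in the upload URL the way the session ID would have, but it authorises only uploads to that one object for ten minutes and keeps the session ID itself out of the request.
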
  • Have you tried detecting the user agent "shockwave flash"? See a possible solution here: http://anotherflava.com/?p=272
  • We had the same issue with a system that required something similar. After trying to find a solution I came up with this. It seems to work so I hope it helps others: For some reason if your config/session.php has driver set as cookie it will not allow you to have a session set manually. I changed that to 'native'. The other issue you'd have with a flash plugin or any other such 3rd party system doing calls is that the validate setting in the config would fail as that is by default set to user_agent. I changed that to expiration, ip, or both of them; or blank just to test if it actually works.

    Did not want to change the core code so created a hook in my project to set the session if passed. I then just append sessionid to a link that will be used by the 3rd party using session_id() php function.

    class Sessionset {
        public static function setSession() {
            if (isset($_GET['sessionid'])) {
                session_id($_GET['sessionid']);
            }
        }
    }
    Event::add('system.routing', array('Sessionset', 'setSession'));

    Hope that helps anyone else that might have this sort of issue.

  • Thanks for the fix, vmweb! Kohana is still throwing an error when it calls session_destroy() though.
    An error was detected which prevented the loading of this page. If this problem persists, please contact the website administrator.
    /Users/dleavitt/Sites/vegas10/deploy/system/libraries/Session.php [265]:
    session_destroy() [function.session-destroy]: Trying to destroy uninitialized session


    Easy enough to fix, just wondering if anyone else had this problem and/or there's some simple workaround that doesn't involve editing core files.
  • Obviously you can't call session_destroy() if you never called session_start(). You must be doing something bizarre or that wouldn't be happening.

  • I was indeed, there was a problem with my hook.
  • Specifically - Kohana checks session_id() and if it's empty calls session_destroy(). If you've set a session id but not started a session, you'll get an error.

    Still can't get that hook to work though.

  • The 2.4 Session lib supports this; it was only a few minor changes, I believe, but they should give you an idea what to do if you can dig out the commit.
  • I have been battling with this same issue for the last few days and found a few posts that hint at doing the same as vmweb and dleavitt's suggestions above.

    http://anotherflava.com/2009/02/17/flash-10-uploads-with-kohana/
    http://uploadify.com/forum/viewtopic.php?f=5&t=43

    I've tried them all (using native session, user agent to expiration etc.). I am getting the sessionID through from flash correctly and then setting the ID of the session as follows:


    $this->session = Session::instance();

    if (isset($_POST['session_id'])) {
        kohana::log('error', '***** CHANGING SESSION ID FROM ' . session_id() . ' TO ' . $_POST['session_id'] . ' *****');
        session_id($_POST['session_id']);
    }


    But then if I do a kohana::debug on my $_SESSION it does not contain all my kohana variables (eg. authentication etc.) and just looks like a brand new session. I also note that despite the session_id() function being called successfully kohana::debug reports that within session the session_id is still the old sessionID.

    Has anyone found a solution for this?
  • try this:

    application/hooks/hook.php


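    <?php

    class Sessionchange {

        // If the request carries no session cookie but posts a value under the
        // session name, copy the posted value into $_COOKIE.
        public static function ChangetoPostvalue()
        {
            $session_name = Kohana::config('session.name');

            if ( ! isset($_COOKIE[$session_name]) && Input::instance()->post($session_name))
            {
                $_COOKIE[$session_name] = Input::instance()->post($session_name);
            }
        }

    }

    // Register the hook on the system.ready event
    Event::add('system.ready', array('Sessionchange', 'ChangetoPostvalue'));

    ?>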
  • Chris, I owe you a massive thanks for this one.

  • HELP, please. How do I run this code in KO 3.1?
