My idea for accessing zen cart sessions outside of zen...

[DrByte]

hi

can you point out security holes that you notice already and ill fix them up

My point was ... Calling something like /script_to_get_session.php?var=whatever to get the contents of ANY session var without validating who/what is making that request could easily disclose information that has no business being shared outside.

[glenelkins]

A Hot Mess... I cannot really tell you what this is used for its a confidential piece of work im doing ....at work lol. I work for a media company as a web developer and basically have been looking for a way to link Textpattern to Zen Carts login

I know allot of people have been trying to share session information outside zen cart. And iv been working to find a solution, the two main ways forward i see is AJAX or SOAP... the SOAP will be the best method if i can pass the session ID over!

DrByte...the vailidation is done on the textpattern side in this case!

[glenelkins]

The main thing is i cannot understand what zen cart does to stop session working outside of itself. Iv looked over the code and appart from a load of checks it does the sessions work just like any normal program..... and nobody seems to know why it does this.

Iv even tried loading up the same session name and ID in external applications, it still wont work. Pain in the ######!


Heres a question, how does Zen Cart actually control which pages are restricted access? There may be an option to completely re-do their silly login ( i say silly, its silly from a dev point of view, its not very versitile considering its open source )

[glenelkins]

sorry 1 more thing...

I know people over here LOVE to threadcrap just so they can get a dig at someone thinking outside the box

I always think outside the box! In programming, if you dont you get nowhere most of the time! Bollocks to people who put others down, i dont care i have a nicely paid job to think outside the box! lol

[CJPinder]

The main thing is i cannot understand what zen cart does to stop session working outside of itself.

It doesn't actively stop sessions working outside itself. Did you set up the session handler correctly? Most Zen Cart installations store the session information in the database and Zen Cart uses a custom session handler for this.

Regards,
Christian.

[glenelkins]

well in the login code it sets $_SESSION

but if you try accessing one of the var from a script outside the folder zen cart runs in, it does work. Its strange, every application iv ever written i can access my session vars in any folder i wish from any script file i wish

[CJPinder]

well in the login code it sets $_SESSION

but if you try accessing one of the var from a script outside the folder zen cart runs in, it does work. Its strange, every application iv ever written i can access my session vars in any folder i wish from any script file i wish

Zen Cart uses a custom session handler to store its session data. You cannot access the session data from $_SESSION until the data has been reloaded by the session handler. You'll need to read up on session_set_save_handler() and review the code in includes/functions/sessions.php .

Regards,
Christian.

[glenelkins]

The _sess_read() function has a value $key that it uses. What is this? And im not sure how this parses the $key value if you look here:

session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');


Where in this line does it parse data to the _sess_read function?

[glenelkins]

iv actually gone for storing session in files it works very well by getting the session id from $_COOKIE['zenid']; then unserializing the session file and checking for customer_id

[glenelkins]

So it works like this:

Set zen cart to store sessions as files.

Code:

$sess_id = $_COOKIE['zenid'];

$session_file = "/PATH/TO/ZEN/CACHE/sess_" . $sess_id;

$session_data = @file_get_contents ( $session_file );

$data = CUSTOM_UNSERIALIZE_FUNCTION ( $session_data );

foreach ( $data as $k => $v ) {

    if ( $k == "customer_id" && !empty ( $v ) ) {

        // USER IS LOGGED IN
        $customer_id = $v;

    }

}

Seems to work pretty nicely!