hi
can you point out security holes that you notice already and I'll fix them up
In fact I think I may have an idea to use the SOAP client and server with a new database table and the Zen Cart $_COOKIE['zenid']
If I modify the login of Zen Cart to insert info into a custom db table such as session_id, session and timeout, I can actually pass the Zen session id to the SOAP server and check the database for a) that session id exists b) that session hasn't timed out. If the timeout is set the same as the Zen Cart one it should work ok
Also edit the logout routine to delete the session info from the custom table.
any ideas on this?
glenelkins...
Please don't take this as being antagonistic (I know people over here LOVE to threadcrap just so they can get a dig at someone thinking outside the box), but what will you be using this information for? I'm sure it's far beyond my own needs, but I'm always interested to see what others are doing.
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
A Hot Mess... I cannot really tell you what this is used for, it's a confidential piece of work I'm doing ....at work lol. I work for a media company as a web developer and basically have been looking for a way to link Textpattern to Zen Cart's login
I know a lot of people have been trying to share session information outside Zen Cart. And I've been working to find a solution, the two main ways forward I see are AJAX or SOAP... the SOAP will be the best method if I can pass the session ID over!
DrByte...the validation is done on the Textpattern side in this case!
The main thing is I cannot understand what Zen Cart does to stop sessions working outside of itself. I've looked over the code and apart from a load of checks it does, the sessions work just like any normal program..... and nobody seems to know why it does this.
I've even tried loading up the same session name and ID in external applications, it still won't work. Pain in the ######!
Here's a question, how does Zen Cart actually control which pages are restricted access? There may be an option to completely re-do their silly login ( I say silly, it's silly from a dev point of view, it's not very versatile considering it's open source )
sorry 1 more thing...
"I know people over here LOVE to threadcrap just so they can get a dig at someone thinking outside the box"
I always think outside the box! In programming, if you don't you get nowhere most of the time! Bollocks to people who put others down, I don't care, I have a nicely paid job to think outside the box! lol
well in the login code it sets $_SESSION
but if you try accessing one of the vars from a script outside the folder Zen Cart runs in, it does work. It's strange, every application I've ever written I can access my session vars in any folder I wish from any script file I wish
Zen Cart uses a custom session handler to store its session data. You cannot access the session data from $_SESSION until the data has been reloaded by the session handler. You'll need to read up on session_set_save_handler() and review the code in includes/functions/sessions.php.
Regards,
Christian.
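
A sketch of what Christian's answer describes, as an added example that is not part of the thread and not Zen Cart's own code: an external script registers a read-only, database-backed handler with session_set_save_handler(), and $_SESSION is only populated once session_start() has called the handler's read(). The table and column names (`sessions`, `sesskey`, `expiry`, `value`), the storage format and the class name are assumptions; check includes/functions/sessions.php for the real ones.

```php
<?php
// Added example, not Zen Cart code. Assumed schema: sessions(sesskey, expiry, value),
// with value stored in PHP's native session serialization format.
final class ReadOnlyDbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Reject IDs outside PHP's session ID alphabet before touching the database.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            return '';
        }
        // Bound parameters only; an expired row is treated the same as a missing one.
        $stmt = $this->db->prepare(
            'SELECT value FROM sessions WHERE sesskey = ? AND expiry > ?'
        );
        $stmt->execute([$id, time()]);
        $value = $stmt->fetchColumn();
        return $value === false ? '' : (string) $value;
    }

    // The external application only consumes sessions: it never creates,
    // rewrites, deletes or garbage-collects rows owned by the shop.
    public function write(string $id, string $data): bool { return true; }
    public function destroy(string $id): bool { return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

// Constructed demo data: in-memory SQLite stands in for the shop database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sesskey TEXT PRIMARY KEY, expiry INTEGER, value TEXT)');
[$live, $stale] = ['a1b2c3d4e5f6a7b8c9d0e1f2a3', 'f9e8d7c6b5a4f3e2d1c0b9a8f7'];
$ins = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
$ins->execute([$live, time() + 600, 'customer_id|i:42;']);
$ins->execute([$stale, time() - 600, 'customer_id|i:7;']);

session_set_save_handler(new ReadOnlyDbSessionHandler($db), true);
session_name('zenid');     // cookie name mentioned in the thread
$seen = [];
foreach ([$live, $stale] as $sid) {
    session_id($sid);      // in a web request this comes from the session cookie
    session_start();       // calls read(); $_SESSION is filled only now
    $seen[$sid] = $_SESSION['customer_id'] ?? null;
    session_abort();       // end the session without calling write()
}
var_export($seen);         // printed last so no output precedes session_start()
```

The expiry comparison inside the query is the same "exists and has not timed out" check proposed earlier in the thread for the SOAP server, done with bound parameters rather than string concatenation.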