San Diego ExpressionEngine Message Board › Help with EE and PHP SESSIONS
San Marcos, CA
I am working on adding an email form to my EE 1.6.9 site and have hit a snag I was hoping someone in the group might help with. I'm trying to do an AJAX form that loads via some jQuery from the main navigation. There are no separate page loads or refreshes. For security, I have both client-side and server-side validation, plus data sanitization. I submit the form to PHP for processing and I am using a token to protect against Cross-Site Request Forgeries (CSRF). Everything is mostly working, but I have run into a problem with using the PHP $_SESSION which is used for the CSRF token. I have built a PHP class that generates the token (hash) and spits it out to a hidden input field for the form that is called from the EE page. At the time the token is generated it also places it in a $_SESSION variable to check later. When the form submits, it posts to PHP (outside EE) and checks the token from the form against the one in the $_SESSION. The issue I'm having is that I seem to end up with two different sessions. EE seems to have one with one session_id and then the PHP code has a different one. The token is stored in the original EE session, but on form submit the PHP page seems to look at the second session and of course finds no token. The good news is the code does what it is supposed to do and protects from what looks like a CSRF attack, but the bad news is that I can't seem to generate a successful post.
Has anyone ever come across this? Basically I need to create a simple AJAX-submitted contact form (name, email, message) with client-side validation, input filtering, and CSRF protection. I looked at the built-in contact form module, but it doesn't seem to allow AJAX submit or client validation. I also am trying to avoid putting additional add-ons in our site as it is already heavily laden with those and that has made a planned EE 2 upgrade very difficult to say the least.
Any help/insight from the more experienced EE coders in this group would be appreciated.
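The following is an added example, not code from the original poster or from ExpressionEngine: a single PHP include that both the page rendering the form and the external POST handler load, so that the token is written to and read from the same PHP session. The session name `contact_form_sess`, the cookie path, the token lifetime and the field names are assumptions; the point it illustrates is that when two scripts call `session_start()` with different session names or cookie parameters, the browser presents different cookies and the handler sees an empty `$_SESSION`, which is the symptom described in the post. It assumes PHP 7.3 or later (`random_bytes`, `hash_equals`, array form of `session_set_cookie_params`).

```php
<?php
// Added example (not from the original post). Shared CSRF/session helper for an
// AJAX contact form: include this file from BOTH the EE page that prints the form
// and the PHP script that receives the POST. Assumes PHP 7.3+.

const CSRF_SESSION_NAME = 'contact_form_sess'; // assumed name; must be identical in both scripts
const CSRF_TOKEN_KEY    = 'csrf_token';
const CSRF_TOKEN_TTL    = 1800;                // seconds a token stays valid (assumed)

// Start (or join) one PHP session with identical cookie parameters everywhere.
function csrf_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name(CSRF_SESSION_NAME);
    session_set_cookie_params([
        'path'     => '/',                       // same path for every script
        'secure'   => !empty($_SERVER['HTTPS']), // cookie only over HTTPS when available
        'httponly' => true,                      // page scripts cannot read the session id
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Return the current token, creating a fresh random one if none exists or it expired.
function csrf_token(): string
{
    csrf_session_start();
    $entry = $_SESSION[CSRF_TOKEN_KEY] ?? null;
    if (!is_array($entry) || time() - $entry['created'] > CSRF_TOKEN_TTL) {
        $entry = ['value' => bin2hex(random_bytes(32)), 'created' => time()];
        $_SESSION[CSRF_TOKEN_KEY] = $entry;
    }
    return $entry['value'];
}

// Hidden input to echo inside the form on the EE page.
function csrf_hidden_input(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison, expiry check, and one-time use (token is discarded
// after a successful check so a captured value cannot be replayed).
function csrf_validate(?string $submitted): bool
{
    csrf_session_start();
    $entry = $_SESSION[CSRF_TOKEN_KEY] ?? null;
    if ($submitted === null || !is_array($entry)) {
        return false;
    }
    if (time() - $entry['created'] > CSRF_TOKEN_TTL) {
        unset($_SESSION[CSRF_TOKEN_KEY]);
        return false;
    }
    $ok = hash_equals($entry['value'], $submitted);
    if ($ok) {
        unset($_SESSION[CSRF_TOKEN_KEY]);
    }
    return $ok;
}

// Server-side filtering for the three fields; returns null when input is rejected.
function sanitize_contact(array $post): ?array
{
    $name    = trim(filter_var($post['name'] ?? '', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
    $email   = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $message = trim($post['message'] ?? '');
    if ($name === '' || $email === false || $message === '' || strlen($message) > 5000) {
        return null;
    }
    // Strip CR/LF from anything that ends up in a mail header (header injection).
    $name = str_replace(["\r", "\n"], '', $name);
    return ['name' => $name, 'email' => $email, 'message' => $message];
}

// Entry point for the external POST handler; answers the jQuery call with JSON.
function handle_contact_post(): void
{
    header('Content-Type: application/json');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        echo json_encode(['ok' => false, 'error' => 'method']);
        return;
    }
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo json_encode(['ok' => false, 'error' => 'csrf']);
        return;
    }
    $data = sanitize_contact($_POST);
    if ($data === null) {
        http_response_code(422);
        echo json_encode(['ok' => false, 'error' => 'validation']);
        return;
    }
    // Mail sending (not shown) goes here. Return a fresh token so the still-open
    // form can submit again without a page reload.
    echo json_encode(['ok' => true, 'csrf_token' => csrf_token()]);
}
```

The EE page includes this file and echoes `csrf_hidden_input()` inside the form; the stand-alone handler includes the same file and calls `handle_contact_post()`, and the jQuery success callback copies the returned `csrf_token` back into the hidden field. A quick check for the two-session symptom is to compare the `Cookie:` header the browser sends to each script: if the session cookie names or paths differ, the two scripts are not sharing a session regardless of what the token code does.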