addressalign-toparrow-leftarrow-rightbackbellblockcalendarcameraccwcheckchevron-downchevron-leftchevron-rightchevron-small-downchevron-small-leftchevron-small-rightchevron-small-upchevron-upcircle-with-checkcircle-with-crosscircle-with-pluscontroller-playcrossdots-three-verticaleditemptyheartexporteye-with-lineeyefacebookfolderfullheartglobegmailgooglegroupshelp-with-circleimageimagesinstagramFill 1light-bulblinklocation-pinm-swarmSearchmailmessagesminusmoremuplabelShape 3 + Rectangle 1ShapeoutlookpersonJoin Group on CardStartprice-ribbonprintShapeShapeShapeShapeImported LayersImported LayersImported Layersshieldstartickettrashtriangle-downtriangle-uptwitteruserwarningyahoo

ExpressionEngine Los Angeles Message Board › Troubleshooting PHP SESSIONS in EE

Troubleshooting PHP SESSIONS in EE

Adam C.
San Marcos, CA
Post #: 10
I'm new to this group and I hope it's OK to post this type of question. Basically I have hit a snag in a project I'm working on and I was hoping someone in the group might be able to help. I'm trying to do a AJAX form that loads via some jQuery from the main navigation. There is no separate page loads or refreshes. For security, I have both client side and server side validation, plus data sanitization. I submit the form to PHP for processing and I am using a token to protect against Cross-Site Request Forgeries (CSRF). Everything is mostly working, but I have run into a problem with using the PHP $_SESSION which is used for the CSRF token. I have built a PHP class that generates the token (hash) and spits it out to a hidden input field for the form that is called from the EE page. At the time the token is generated it also places it in a $_SESSION variable to check later. When the form submits, it posts to PHP (outside EE) and checks the token from the form against the one in the $_SESSION. The issue I'm having is that I seem to end up with two different sessions. EE seems to have one with one session_id and then the PHP code has a different one. The token is stored in the original EE session, but on form submit the PHP page seems to look at the second session and of course finds no token. The good news is the code does what it is supposed to do and protects from what looks like a CSRF attack, but the bad news is that I can't seem to generate a successful post.

Has anyone every come across this? Basically i need to create a simple AJAX submitted contact form (name, email, message) with client side validation, input filtering, and CSRF protection. I looked at the built in contact form module, but it doesn't see to allow AJAX submit or client validation. I also am trying to avoid putting additional add-ons in out site as it is already heavily laden with those and that has made a planned EE 2 upgrade very difficult to say the least.

Any help/insight from the more experienced EE coders in this group would be appreciated.
Powered by mvnForum

Our Sponsors

  • kleverdog coworking

    Venue for Meetups/Events and a Collaborative Workspace.

  • Codesly

    Codesly is a leading web design and development agency in Los Angeles.

  • mithra62

    A proud developer of enterprise grade ExpressionEngine add-ons.

People in this
Meetup are also in:

Sign up

Meetup members, Log in

By clicking "Sign up" or "Sign up using Facebook", you confirm that you accept our Terms of Service & Privacy Policy