Picking up Declared Sessions Variables - sql

Turns out my php.ini file wasn't configured properly. With fatcow (my host) you have to change the .ini file to specify the directory where you are saving session data and include
session.save_path=("directory"); prior to session_start();.
You guys were absolutely right. This has been a great learning experience.
I am having trouble with sessions.
On my first page I have declared session variables properly; I know because I can print them within the php file that I declared them in. On the page which the user is forwarded to with my header I try to do the following but nothing prints. It's as if the session_start(); does nothing. I tried Print_R(); and it just prints Array ( ). Here is my code from the page specified in the header; it is a .phtml file.
//HTML code up here
<?php
session_start();
echo $_SESSION['dentist_first_name'];
print_r($_SESSION);
?>
//HTML code down here
Is there anything I have to do on the landing page to make sure that the session is continued? I used session_start(); on the original page.
Really confused that my variables aren't getting picked up.

session_start() must be called before you output any HTML:
<?php
session_start();
?>
//HTML code up here
<?php
echo $_SESSION['dentist_first_name'];
print_r($_SESSION);
?>
//HTML code down here

session_start(); has to be before you output HTML.
If that's the case: you mention the header forwards users. Is the header forwarding the user before it gets to the $_SESSION declaration in the page?

If you do any output before session_start(), this won't work.
Even a whitespace before the php open tag is output:
 <?php // note the space before the opening tag: it is already sent as output
session_start();
?>
Do this:
<?php
session_start();
?>


Allow Access-Control-Allow-Origin

server.conf: https://dpaste.org/6Zgn
This is Apache's config in OpenServer.
Problem:
As far as I understand, it has something to do with Access-Control-Allow-Origin.
I wrote:
Header set Access-Control-Allow-Origin "*"
It has not helped. I have either written it in the wrong place or something.
Could you help me?
This is because the server is blocking the frontend from making requests.
I faced the same error for a long time.
The only possible solution for this situation is to allow the host from the server side.
Whichever backend you are using, search for a way to somehow allow the domain host from there.
For example, for PHP:
<?php
// Send the CORS header on every response, not only on the preflight,
// otherwise the browser still blocks the real GET/POST response.
header('Access-Control-Allow-Origin: *');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    // Preflight request: the headers are the whole answer, no body needed
    exit;
}
// some other code
?>
More resources: Cross-Origin Request Headers (CORS) with PHP headers
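The snippet above answers "*" to every origin. As an added example (not the answer's own code), here is the same PHP handler with an explicit origin allowlist; the two allowlisted domains are hypothetical placeholders.

```php
<?php
// Added example, not the answer's own code: reflect the request Origin only if
// it is on an explicit allowlist, instead of answering "*" to everyone. The
// allowlisted origins are hypothetical placeholders.
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Returns the CORS headers to emit, or an empty array when the Origin is not
 * allowed (the browser then refuses to expose the response to the page).
 */
function corsHeaders(?string $origin, string $method): array
{
    // Exact match on the full origin: "https://app.example.com.evil.test" or
    // "http://app.example.com" do not pass.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin' => $origin,
        // A shared cache must key on Origin, or one origin's answer is served to another.
        'Vary'                        => 'Origin',
    ];
    if ($method === 'OPTIONS') {
        // Preflight: advertise only what the API really uses.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
        $headers['Access-Control-Max-Age']       = '600';
    }
    return $headers;
}

// Emit the headers on every request, not only on the preflight: the real
// GET/POST response needs Access-Control-Allow-Origin as well.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
foreach (corsHeaders($_SERVER['HTTP_ORIGIN'] ?? null, $method) as $name => $value) {
    header("$name: $value");
}
if ($method === 'OPTIONS') {
    http_response_code(204);   // preflight has no body
    exit;
}
// ... normal request handling continues here
```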

How to forward the user back if they don't pass auth

I need to set auth on a few pages and forward the user back in case they are not authorized. For now, it displays the destination page with an error:
Unauthorized
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g.,
bad password), or your browser doesn't understand how to supply the
credentials required.
I have 0 knowledge of basic auth and apache conf. I have googled deeply and didn't find any solution, please advise.
Thank you
SetEnvIf Request_URI ^/en auth=1
AuthName "Please login to access english part"
AuthType Basic
AuthUserFile "/path/to/my/.htpasswd"
# first, allow everybody
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# then, deny only if required
Deny from env=auth
This is really a limitation of HTTP Basic Authentication.
However, you could customise the 401 response (which I assume is what you are seeing, as opposed to a 403) the server would otherwise send back. You could directly redirect from the custom 401, however, that would result in the client receiving a 3xx response, rather than a 401, which is not as informative and confusing for users. Or, you present a "friendly" message, with a link back to where they came from.
The additional problem is knowing which page to send the user back to. Unless you are storing this information in the session, then you'll need to examine the Referer HTTP request header, which might not be set at all.
For example... at the top of your .htaccess file, define your custom error document for the 401 response:
ErrorDocument 401 /errordocs/e401.php
In /errordocs/e401.php, you would have something like:
<?php
/**
 * 401 Unauthorized - Error Document
 */
// Get the HTTP Referer (if set at all)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
// Immediately redirect back to the referring page if known
// But the client then sees a 3xx response, without any error, which could be confusing for users
if (!empty($referer)) {
    header('Location: '.$referer, true, 302);
    exit;
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>401 Unauthorized</title>
</head>
<body>
    <h1>401 Unauthorized</h1>
    <p>Sorry, you do not have permission to view that resource.</p>
    <p>
    <?php if (empty($referer)): ?>
        Go back to the home page
    <?php else: ?>
        <?php // escape the header value before echoing it into the page ?>
        Go back to <?= htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') ?>
    <?php endif; ?>
    </p>
</body>
</html>
To "automate" this, you could perhaps implement a meta refresh (or JS "redirect") back to the referring page (if set) after so many seconds.
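The e401.php above sends the browser wherever the Referer header points. As an added example (not the answer's own code), here is a variant that only redirects back to a URL on the same host, rebuilt from the parsed parts; safeReturnUrl is a hypothetical helper name, and REDIRECT_URL is the variable Apache sets for an ErrorDocument with the originally requested path.

```php
<?php
/**
 * Hardened variant of the e401.php redirect above (added example, not the
 * original answer's code): only bounce back to a Referer on this site, and
 * rebuild the URL from parsed parts instead of echoing the raw header.
 */
function safeReturnUrl(?string $referer, string $ownHost, string $deniedPath): ?string
{
    if ($referer === null || $referer === '') {
        return null;
    }
    $p = parse_url($referer);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                                // relative or malformed: refuse
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                                // no javascript:, data:, ...
    }
    if (strcasecmp($p['host'], $ownHost) !== 0) {
        return null;                                // foreign host: would be an open redirect
    }
    $path = $p['path'] ?? '/';
    if ($path === $deniedPath) {
        return null;                                // came from the denied page itself: avoid a loop
    }
    $url = $scheme . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '') . $path;
    if (isset($p['query'])) {
        $url .= '?' . $p['query'];
    }
    return $url;
}

// Apache hands the originally requested path to an ErrorDocument as REDIRECT_URL.
$ownHost    = $_SERVER['SERVER_NAME'] ?? 'localhost';
$deniedPath = $_SERVER['REDIRECT_URL'] ?? '/';
$back       = safeReturnUrl($_SERVER['HTTP_REFERER'] ?? null, $ownHost, $deniedPath);

if ($back !== null) {
    header('Location: ' . $back, true, 302);
    exit;
}
http_response_code(401);
header('Content-Type: text/html; charset=UTF-8');
echo '<h1>401 Unauthorized</h1><p><a href="/">Back to the home page</a></p>';
```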

Base Url is not working in live in yii

In localhost I have given the baseUrl in Yii like this:
<?php echo Yii::app()->baseUrl;?>
It is working locally but not working live.
Please give your opinion.
You missed the request part in between:
<?php echo Yii::app()->request->baseUrl;?>
<?php echo Yii::app()->getBaseUrl(true);?>
output: http://www.example.com
<?php echo Yii::app()->getBaseUrl(false);?>
output: www.example.com

Apache directory listing as json

Is it possible to have the directory listing in apache return json instead of html?
I'm completely inexperienced with Apache, but I've browsed the documentation for IndexOptions and mod_autoindex. It seems like there's no built-in way to configure the output.
I looked at the code in the apache source in modules/generators/mod_autoindex.c and the HTML generation is static. You could rewrite this to output JSON; simply search for all the ap_rputs and ap_rvputs function calls and replace the HTML with the appropriate JSON. That seems like a lot of work though.
I think I would do this instead...
In the Apache configuration for this site, change to...
DirectoryIndex ls_json.php index.php index.html
And then place the ls_json.php script into any directory for which you want a JSON encoded listing:
<?php
// grab the files in the directory this script lives in
$files = scandir(dirname(__FILE__));
// remove "." and ".." (and anything else you might not want)
$output = [];
foreach ($files as $file) {
    if (!in_array($file, [".", ".."], true)) {
        $output[] = $file;
    }
}
// out we go
header("Content-Type: application/json");
echo json_encode($output);
You could use mod_dir as follows: create a php script and list your directories how you want (set content-type as appropriate).

configure error page to show the log of modsecurity

I'm looking for a way to make the msg information of the rule (which rule has been triggered) appear in the error and/or audit log files and be sent back to the client in response headers.
I understand that there is a "msg" phase but it doesn't send the information back to the client in response headers, so it doesn't help me.
I want to see the information of the log in the error page in HTML; what can I do?
Thank you for your help,
Vladi.
It's a bad idea to let the client know what exactly went wrong. A hacker could use that to work around your security framework. A much better approach is a combination of mod_unique_id and customized error pages. Steps to follow:
enable mod_unique_id with your apache configuration
create customized error pages for the http return codes you're interested in (example below)
enable those in your apache config (ErrorDocument 403 /<url_path_to>/403.php for this example)
Here's an example for a 403 error page, let's call it 403.php (and no, a pure static page won't work):
<?php
$protocol = $_SERVER['SERVER_PROTOCOL'];
header("$protocol 403 Forbidden");
header("Status: 403 Forbidden");
header("Connection: close");
// mod_unique_id sets UNIQUE_ID for every request; the same value appears in the error log
$msg = $_SERVER["UNIQUE_ID"];
?>
<html><head>
<title>You have no access to this resource (403)</title>
</head><body>
<p>An error occurred. Please tell the admin the error code: <?php echo $msg; ?></p>
</body></html>
That's just a very abbreviated variant with no styling etc. (you might want to enhance this), but I incidentally kept it simple for understanding. The $msg will print a unique code. The client can tell you this code, and you can use it to look up the exact line in your error log, where you will see which rule triggered it etc.
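The lookup step the answer describes, as an added example that is not part of the answer: pull every ModSecurity line for a reported UNIQUE_ID out of the Apache error log and list the rule ids and messages. The log lines are constructed (RFC 5737 client address, made-up unique_id), and findModsecEntries/explainCode are hypothetical helper names.

```php
<?php
/**
 * Correlate the code shown on the 403 page with the Apache error log: every
 * ModSecurity line written for that request carries the same [unique_id "..."],
 * so one lookup returns the warnings and the final "Access denied" entry.
 * Added example, not part of the answer above.
 */
function findModsecEntries(array $logLines, string $uniqueId): array
{
    $needle  = '[unique_id "' . $uniqueId . '"]';
    $entries = [];
    foreach ($logLines as $line) {
        if (strpos($line, 'ModSecurity:') === false || strpos($line, $needle) === false) {
            continue;
        }
        // ModSecurity appends [key "value"] pairs; values may contain \" escapes.
        preg_match_all('/\[(\w+) "((?:[^"\\\\]|\\\\.)*)"\]/', $line, $m, PREG_SET_ORDER);
        $fields = ['_action' => strpos($line, 'Access denied') !== false ? 'denied' : 'warning'];
        foreach ($m as $pair) {
            $fields[$pair[1]] = stripslashes($pair[2]);
        }
        $entries[] = $fields;
    }
    return $entries;
}

/** Summary an operator can read back against the code a visitor reported. */
function explainCode(array $logLines, string $uniqueId): string
{
    $out = [];
    foreach (findModsecEntries($logLines, $uniqueId) as $e) {
        $out[] = sprintf('%s by rule %s: %s (uri %s, host %s)', $e['_action'],
            $e['id'] ?? '?', $e['msg'] ?? 'no msg', $e['uri'] ?? '?', $e['hostname'] ?? '?');
    }
    return $out ? implode(PHP_EOL, $out) : "no ModSecurity entry for unique_id $uniqueId";
}

// Constructed sample lines (not real traffic): RFC 5737 client address, made-up
// unique_id; rule ids and messages are in the style of the OWASP CRS.
const SAMPLE_ERROR_LOG = [
    '[Fri Jan 10 12:00:01.000000 2020] [:error] [pid 1234:tid 5678] [client 203.0.113.5:50000] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "EXAMPLEUNIQUEID0000000001"]',
    '[Fri Jan 10 12:00:01.000000 2020] [:error] [pid 1234:tid 5678] [client 203.0.113.5:50000] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "EXAMPLEUNIQUEID0000000001"]',
];

// The code the visitor read off the 403 page:
echo explainCode(SAMPLE_ERROR_LOG, 'EXAMPLEUNIQUEID0000000001'), PHP_EOL;
```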
If you don't want to use external stuff (mod_perl, mod_php, etc) because, for example, you are on a front end reverse proxy and you don't want to expose a larger attack surface, you can use SSI (Server Side Include), since apache supports SSI internally with mod_include.
Just load mod_include, then add this to your virtualhosts:
# Custom 403 HTML error with base64 encoded date + uniqueid on response
<Directory /var/www/html/common/_Errors>
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
</Directory>
ErrorDocument 403 /common/_Errors/403.shtml
<Location "/common/_Errors/403.shtml">
    # don't block the redirected error page because of the correlation rule
    SecRuleRemoveById 980130
</Location>
Then, create an HTML file /var/www/html/common/_Errors/403.shtml containing something like this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>Your request was denied.</p>
<!--#config timefmt="%Y-%m-%d %H:%M:%S" -->
<p><pre><!--#set var="ERR" value="${DATE_LOCAL} - ${UNIQUE_ID}" --></pre></p>
<p><pre><!--#echo encoding="base64" var="ERR" --></pre></p>
</body></html>
If you want, you can change #config timefmt to fit your date/time format.
SSI via mod_include will create an HTML response expanding the ERR variable with DATE_LOCAL and UNIQUE_ID and will encode the output as a base64 string. Just enough for me to get the unique id of the rule that fired and its date.