Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Matijn Woudt]

On Sun, Feb 10, 2013 at 12:19 AM, Stephen  wrote:

> On 13-02-09 04:11 PM, Matijn Woudt wrote:
>
>> On Sat, Feb 9, 2013 at 9:59 PM, Tedd Sperling  wrote:
>>
>>
>> Jonathan:
>>
>> No offense to your routine, but you may want to review this:
>>
>> http://sperling.com/php/**authorization/log-on.php
>>
>> If anyone finds an error, please post.
>>
>> Cheers,
>>
>> tedd
>>
>> Well, I hope you're not actually storing passwords plain text in real life
>> examples.
>> Other than that, this method allows session hijacking.
>>
>> - Matijn
>>
>>  Can you explain how a session could be hijacked?
>
> Thank you!
>
> --
> Stephen
>
>
Sure,

Just basic session stuff first:
When you start a session, PHP sends a cookie header in return to the
client. This cookie header includes a session id. On next requests your
browser will send this same session id back to the server. Now the server
knows which session belongs to this client.
Now to the session hijack stuff:
I assume we are on a normal http server (not https), then this session id
will be send plain text in the http headers. Now, assume we are both
connected to a hotspot, then I will be able to read all traffic that passes
on to this hotspot, a so called man-in-the-middle attack. Once you have
logged in, I can get the cookie that contains the session id. Now I can
request the private part if I send that same cookie with it.

There are more forms of this attack, but they are more complicated. An SSL
secured connection solves most, but even with https, it is possible to do
this kind of attack.

For more info I'd like to refer to google;)

- Matijn

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Jonathan Eagle]

> Most likely they end up in the logs instead of the screen. Try check
> the logs (on linux, they are usually in /var/log/apache).

This is being hosted on 1and1.com, so I don't think I direct access to
those directories, but I have found a 'logs' folder off of the root.
Looking through that I see what seems to be a bunch of error log files.
I will look through those and see what I can find.

Thanks again,

Jonathan

,

On 2/9/2013 4:14 PM, Matijn Woudt wrote:
> On Sat, Feb 9, 2013 at 10:08 PM, Jonathan Eagle wrote:
> 
>> My 'display_errors' is "ON" and my 'error_reporting' is "22517".  I'm
>> not sure what that means but it looks as if I should be getting error
>> messages somewhere.
>>
>> Jonathan
>>
>>
> Most likely they end up in the logs instead of the screen. Try check the
> logs (on linux, they are usually in /var/log/apache).
> 
> 
> A general note (this also applies to tedd):
> The HTTP specification notes that the Location header should be followed by
> an absolute URI only. Even though probably every browser accepts relative
> URIs too, it's incorrect. You should replace it with
> http://myserver.com/login.php, or preferable, https://myserver.com/login.php
> .
> 
> - Matijn
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Matijn Woudt]

On Sat, Feb 9, 2013 at 10:08 PM, Jonathan Eagle wrote:

> My 'display_errors' is "ON" and my 'error_reporting' is "22517".  I'm
> not sure what that means but it looks as if I should be getting error
> messages somewhere.
>
> Jonathan
>
>
Most likely they end up in the logs instead of the screen. Try check the
logs (on linux, they are usually in /var/log/apache).


A general note (this also applies to tedd):
The HTTP specification notes that the Location header should be followed by
an absolute URI only. Even though probably every browser accepts relative
URIs too, it's incorrect. You should replace it with
http://myserver.com/login.php, or preferable, https://myserver.com/login.php
.

- Matijn

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Matijn Woudt]

On Sat, Feb 9, 2013 at 9:59 PM, Tedd Sperling  wrote:

> On Feb 9, 2013, at 2:00 PM, Jonathan Eagle  wrote:
>
> > I'm having a problem with a very straightforward routine;
>
>
> Jonathan:
>
> No offense to your routine, but you may want to review this:
>
> http://sperling.com/php/authorization/log-on.php
>
> If anyone finds an error, please post.
>
> Cheers,
>
> tedd


Well, I hope you're not actually storing passwords plain text in real life
examples.
Other than that, this method allows session hijacking.

- Matijn

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Jonathan Eagle]

My 'display_errors' is "ON" and my 'error_reporting' is "22517".  I'm
not sure what that means but it looks as if I should be getting error
messages somewhere.

Jonathan

On 2/9/2013 4:02 PM, Stuart Dallas wrote:
> On 9 Feb 2013, at 21:00, Jonathan Eagle  wrote:
> 
>> Stuart,
>>
>> Thanks for getting back to me  you were right - I had misread the
>> headers_sent() Return Value statement.  When I went back and tested
>> it turns out that the 'initialize' routine is somehow prematurely
>> sending output out.   So, now I have to figure out which of the ten
>> called routines and classes/objects in the initialize script are the
>> culprit.
>>
>> I greatly appreciate the assistance,
> 
> The error message that should be being displayed tells you where output was 
> started. Check your error_reporting and display_errors settings to make sure 
> errors are being displayed and you should be able to save a lot of time.
> 
> -Stuart
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Jonathan Eagle]

Matijn,

Thanks for the suggestion.  Your suspicions were correct. I am now
tracking down the culprit.

Jonathan

On 2/9/2013 2:34 PM, Matijn Woudt wrote:
> On Sat, Feb 9, 2013 at 8:00 PM, Jonathan Eagle  wrote:
> 
>>
>>
>> I'm having a problem with a very straightforward routine; one that works
>> in one PHP installation but not on the other. The only difference that I
>> can see between the working version and the non-working version is that
>> the one that doesn't work is running on the later version of PHP. The
>> following basic log-in routine works fine on my personal development
>> server, running PHP 5.3.3, but doesn't work on the production server,
>> hosted by 1&1.com that is running PHP 5.4.11.
>>
>> > require_once('../includes/initialize.php');  //<== $session object
>>init'd and set to false
>>
>> if(!$session->is_logged_in())
>> {
>> header("Location: login.php");
>> exit;
>> }
>> ?>
>>
>> login.php is in the same directory as the file that has this code at the
>> very top of the file.
>>
>> Everything works as expected right up to the 'exit;' line.
>>   * $session->is_logged_in() is false
>>   * when tested immediately after the 'header("Loc...)' statement,
>>'headers_sent()' reports true.
>>   * no error messages result (like: 'header already sent', etc.)
>>
>> Instead of the program flow moving to 'login.php', the URL indicates
>> that the destination is the original file, except that the file is empty
>> - zero bytes.  I've tried accessing the routine via three different
>> computers, all running different MS operating systems from XP to Win7
>> and they all behave identically.  The behavior is also consistent
>> between browsers (i.e., FireFox, Chrome, and Windows Explorer).
>>
> 
> It seems like the header is not actually send, maybe because the headers
> are already sent.
> You can check what your server returned with the Developer tools in Chrome,
> or Firebug in Firefox. It should have that header in its return, but I
> doubt it's there.
> 
>>
>> I also did a $_SERVER variable dump immediately before and after the
>> 'header(...' line, expecting to see a difference in at least one of the
>> 'REDIRECT_*' elements, but both outputs where identical with the
>> exception that the $_SERVER ouput after the header statement was
>> executed was missing the following line:
>>
> 
> $_SERVER refers to headers that were send from client to server, the
> redirect header you set is with the headers sent from server to client.
> 
> 
> I would try a file like this first:
> 
>  header("Location: login.php");
> ?>
> 
> and see if that works. Then you can investigate further.
> 
> - Matijn
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Stuart Dallas]

On 9 Feb 2013, at 21:00, Jonathan Eagle  wrote:

> Stuart,
> 
> Thanks for getting back to me  you were right - I had misread the
> headers_sent() Return Value statement.  When I went back and tested
> it turns out that the 'initialize' routine is somehow prematurely
> sending output out.   So, now I have to figure out which of the ten
> called routines and classes/objects in the initialize script are the
> culprit.
> 
> I greatly appreciate the assistance,

The error message that should be being displayed tells you where output was 
started. Check your error_reporting and display_errors settings to make sure 
errors are being displayed and you should be able to save a lot of time.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/


> On 2/9/2013 2:34 PM, Stuart Dallas wrote:
>> On 9 Feb 2013, at 19:00, Jonathan Eagle  wrote:
>> 
>>> I'm having a problem with a very straightforward routine; one that works
>>> in one PHP installation but not on the other. The only difference that I
>>> can see between the working version and the non-working version is that
>>> the one that doesn't work is running on the later version of PHP. The
>>> following basic log-in routine works fine on my personal development
>>> server, running PHP 5.3.3, but doesn't work on the production server,
>>> hosted by 1&1.com that is running PHP 5.4.11.
>>> 
>>> >> require_once('../includes/initialize.php');  //<== $session object
>>>  init'd and set to false
>>> 
>>> if(!$session->is_logged_in())
>>> {
>>>   header("Location: login.php");
>>>   exit;
>>> }
>>> ?>
>>> 
>>> login.php is in the same directory as the file that has this code at the
>>> very top of the file.
>>> 
>>> Everything works as expected right up to the 'exit;' line.
>>> * $session->is_logged_in() is false
>>> * when tested immediately after the 'header("Loc...)' statement,
>>>  'headers_sent()' reports true.
>>> * no error messages result (like: 'header already sent', etc.)
>>> 
>>> Instead of the program flow moving to 'login.php', the URL indicates
>>> that the destination is the original file, except that the file is empty
>>> - zero bytes.  I've tried accessing the routine via three different
>>> computers, all running different MS operating systems from XP to Win7
>>> and they all behave identically.  The behavior is also consistent
>>> between browsers (i.e., FireFox, Chrome, and Windows Explorer).
>>> 
>>> I also did a $_SERVER variable dump immediately before and after the
>>> 'header(...' line, expecting to see a difference in at least one of the
>>> 'REDIRECT_*' elements, but both outputs where identical with the
>>> exception that the $_SERVER ouput after the header statement was
>>> executed was missing the following line:
>>> 
>>> ["HTTP_CACHE_CONTROL"]=> "max-age=0"
>>> 
>>> It doesn't look relevant to me, but I include it to be thorough.
>>> 
>>> I looked through the PHP changelog pages, but I don't see mention of the
>>> problem (of course, that might just be due to my ignorance).  The ISP
>>> for the production version of PHP indicated that I should come here for
>>> help, so here I am.
>>> 
>>> Can anyone shed some light as to what is (or might be) going on?
>>> 
>>> Any help or guidance that can be offered will be greatly appreciated.
>> 
>> 
>> Check the output buffering settings. You say no errors are displayed, but 
>> are you sure that errors are set to be displayed?
>> 
>> You mention the headers_sent() result immediately after the header() 
>> function call is true. If the header() function call had worked it would not 
>> be true, it would be false. You have output being sent to the client before 
>> that header() function call.
>> 
>> -Stuart
>> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Jonathan Eagle]

Stuart,

Thanks for getting back to me  you were right - I had misread the
headers_sent() Return Value statement.  When I went back and tested
it turns out that the 'initialize' routine is somehow prematurely
sending output out.   So, now I have to figure out which of the ten
called routines and classes/objects in the initialize script are the
culprit.

I greatly appreciate the assistance,

Jonathan

On 2/9/2013 2:34 PM, Stuart Dallas wrote:
> On 9 Feb 2013, at 19:00, Jonathan Eagle  wrote:
> 
>> I'm having a problem with a very straightforward routine; one that works
>> in one PHP installation but not on the other. The only difference that I
>> can see between the working version and the non-working version is that
>> the one that doesn't work is running on the later version of PHP. The
>> following basic log-in routine works fine on my personal development
>> server, running PHP 5.3.3, but doesn't work on the production server,
>> hosted by 1&1.com that is running PHP 5.4.11.
>>
>> > require_once('../includes/initialize.php');  //<== $session object
>>   init'd and set to false
>>
>> if(!$session->is_logged_in())
>> {
>>header("Location: login.php");
>>exit;
>> }
>> ?>
>>
>> login.php is in the same directory as the file that has this code at the
>> very top of the file.
>>
>> Everything works as expected right up to the 'exit;' line.
>>  * $session->is_logged_in() is false
>>  * when tested immediately after the 'header("Loc...)' statement,
>>   'headers_sent()' reports true.
>>  * no error messages result (like: 'header already sent', etc.)
>>
>> Instead of the program flow moving to 'login.php', the URL indicates
>> that the destination is the original file, except that the file is empty
>> - zero bytes.  I've tried accessing the routine via three different
>> computers, all running different MS operating systems from XP to Win7
>> and they all behave identically.  The behavior is also consistent
>> between browsers (i.e., FireFox, Chrome, and Windows Explorer).
>>
>> I also did a $_SERVER variable dump immediately before and after the
>> 'header(...' line, expecting to see a difference in at least one of the
>> 'REDIRECT_*' elements, but both outputs where identical with the
>> exception that the $_SERVER ouput after the header statement was
>> executed was missing the following line:
>>
>>  ["HTTP_CACHE_CONTROL"]=> "max-age=0"
>>
>> It doesn't look relevant to me, but I include it to be thorough.
>>
>> I looked through the PHP changelog pages, but I don't see mention of the
>> problem (of course, that might just be due to my ignorance).  The ISP
>> for the production version of PHP indicated that I should come here for
>> help, so here I am.
>>
>> Can anyone shed some light as to what is (or might be) going on?
>>
>> Any help or guidance that can be offered will be greatly appreciated.
> 
> 
> Check the output buffering settings. You say no errors are displayed, but are 
> you sure that errors are set to be displayed?
> 
> You mention the headers_sent() result immediately after the header() function 
> call is true. If the header() function call had worked it would not be true, 
> it would be false. You have output being sent to the client before that 
> header() function call.
> 
> -Stuart
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Tedd Sperling]

On Feb 9, 2013, at 2:00 PM, Jonathan Eagle  wrote:

> I'm having a problem with a very straightforward routine; 


Jonathan:

No offense to your routine, but you may want to review this:

http://sperling.com/php/authorization/log-on.php

If anyone finds an error, please post.

Cheers,

tedd

_
t...@sperling.com
http://sperling.com




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Stuart Dallas]

On 9 Feb 2013, at 19:00, Jonathan Eagle  wrote:

> I'm having a problem with a very straightforward routine; one that works
> in one PHP installation but not on the other. The only difference that I
> can see between the working version and the non-working version is that
> the one that doesn't work is running on the later version of PHP. The
> following basic log-in routine works fine on my personal development
> server, running PHP 5.3.3, but doesn't work on the production server,
> hosted by 1&1.com that is running PHP 5.4.11.
> 
>  require_once('../includes/initialize.php');  //<== $session object
>   init'd and set to false
> 
> if(!$session->is_logged_in())
> {
>header("Location: login.php");
>exit;
> }
> ?>
> 
> login.php is in the same directory as the file that has this code at the
> very top of the file.
> 
> Everything works as expected right up to the 'exit;' line.
>  * $session->is_logged_in() is false
>  * when tested immediately after the 'header("Loc...)' statement,
>   'headers_sent()' reports true.
>  * no error messages result (like: 'header already sent', etc.)
> 
> Instead of the program flow moving to 'login.php', the URL indicates
> that the destination is the original file, except that the file is empty
> - zero bytes.  I've tried accessing the routine via three different
> computers, all running different MS operating systems from XP to Win7
> and they all behave identically.  The behavior is also consistent
> between browsers (i.e., FireFox, Chrome, and Windows Explorer).
> 
> I also did a $_SERVER variable dump immediately before and after the
> 'header(...' line, expecting to see a difference in at least one of the
> 'REDIRECT_*' elements, but both outputs where identical with the
> exception that the $_SERVER ouput after the header statement was
> executed was missing the following line:
> 
>  ["HTTP_CACHE_CONTROL"]=> "max-age=0"
> 
> It doesn't look relevant to me, but I include it to be thorough.
> 
> I looked through the PHP changelog pages, but I don't see mention of the
> problem (of course, that might just be due to my ignorance).  The ISP
> for the production version of PHP indicated that I should come here for
> help, so here I am.
> 
> Can anyone shed some light as to what is (or might be) going on?
> 
> Any help or guidance that can be offered will be greatly appreciated.


Check the output buffering settings. You say no errors are displayed, but are 
you sure that errors are set to be displayed?

You mention the headers_sent() result immediately after the header() function 
call is true. If the header() function call had worked it would not be true, it 
would be false. You have output being sent to the client before that header() 
function call.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Is header() malfunction due to PHP5.3.3 -> 5.4.11 transition?

[Matijn Woudt]

On Sat, Feb 9, 2013 at 8:00 PM, Jonathan Eagle  wrote:

>
>
> I'm having a problem with a very straightforward routine; one that works
> in one PHP installation but not on the other. The only difference that I
> can see between the working version and the non-working version is that
> the one that doesn't work is running on the later version of PHP. The
> following basic log-in routine works fine on my personal development
> server, running PHP 5.3.3, but doesn't work on the production server,
> hosted by 1&1.com that is running PHP 5.4.11.
>
>  require_once('../includes/initialize.php');  //<== $session object
>init'd and set to false
>
> if(!$session->is_logged_in())
> {
> header("Location: login.php");
> exit;
> }
> ?>
>
> login.php is in the same directory as the file that has this code at the
> very top of the file.
>
> Everything works as expected right up to the 'exit;' line.
>   * $session->is_logged_in() is false
>   * when tested immediately after the 'header("Loc...)' statement,
>'headers_sent()' reports true.
>   * no error messages result (like: 'header already sent', etc.)
>
> Instead of the program flow moving to 'login.php', the URL indicates
> that the destination is the original file, except that the file is empty
> - zero bytes.  I've tried accessing the routine via three different
> computers, all running different MS operating systems from XP to Win7
> and they all behave identically.  The behavior is also consistent
> between browsers (i.e., FireFox, Chrome, and Windows Explorer).
>

It seems like the header is not actually send, maybe because the headers
are already sent.
You can check what your server returned with the Developer tools in Chrome,
or Firebug in Firefox. It should have that header in its return, but I
doubt it's there.

>
> I also did a $_SERVER variable dump immediately before and after the
> 'header(...' line, expecting to see a difference in at least one of the
> 'REDIRECT_*' elements, but both outputs where identical with the
> exception that the $_SERVER ouput after the header statement was
> executed was missing the following line:
>

$_SERVER refers to headers that were send from client to server, the
redirect header you set is with the headers sent from server to client.


I would try a file like this first:



and see if that works. Then you can investigate further.

- Matijn