Hi everyone, I have encountered a situation where I need to pass $_SESSION variables from one domain to an iFrame page from another domain. I have spent the last 16 days trying various methods to no avail. I think that the only logical way would be to encode the variables in the url that calls the iFrame and decode them in the iFrame page. I am not sure how to go about this and I am looking for any samples, assistance etc that I can find.

Thanks for any and all suggestions.

Here is an example of what I am trying to do...

Example:

<!-- Note only using hidden as I didn't want to build the form at test phase-->
<form name="test" method="post" action="iframe_test.php">
<input type="submit" name="Submit" />
<input type="hidden" name="fName" value="abc" />
<input type="hidden" name="lName" value="def" />
<input type="hidden" name="address1" value="ghi" />
<input type="hidden" name="address2" value="jkl" />
<input type="hidden" name="country" value="mno" />
<input type="hidden" name="postal_code" value="pqr" />
<input type="hidden" name="city" value="stu" />
<input type="hidden" name="retUrl" value="vwx">
<input type="hidden" name="decUrl" value="yz">
</form>

So from here I am hitting the iframe_test.php and doing the following: PHP Code:

function StripSpecChar($val) {
    // hyphen escaped: unescaped, "-. is a range that also lets through # $ % & ' ( ) * + ,
    return (preg_replace('/[^a-zA-Z0-9" "\-.@\:\/_]/', '', $val));
}

foreach ($_POST as $key => $val) { 
$_SESSION[$key] = StripSpecChar($val);   
} 

and I get a session array that looks like this: Code:

Array
(
    [fName] => abc
    [lName] => def
    [address1] => ghi
    [address2] => jkl
    [country] => mno
    [postal_code] => pqr
    [city] => stu
    [retUrl] => vwx
    [decUrl] => yz
)

Still all good so far....call the iFrame

Code:

<body>
Some page stuff here

<div align="center"><span class="style1"><strong>This is the iFrame Page</strong></span>
</div>
<div align="center">
<iframe src="https://www.other_domain.org/iframe/reserve.php" width="500" height="350" frameBorder="0"></iframe>
</div>

</body>

So HOW do I take...

$_SESSION['fName']['abc']; 
$_SESSION['lName']['def']; 
$_SESSION['address1']['ghi']; 
$_SESSION['address2']['jkl']; 
$_SESSION['country']['mno']; 
$_SESSION['postal_code']['pqr']; 
$_SESSION['city']['stu']; 
$_SESSION['retUrl']['vwx']; 
$_SESSION['decUrl']['yz']; 

and turn it into the encoded url that I am looking for? Further once that is done how do I get the session vars back as session vars on that new domain iFrame page...

A: 

You can take an associative array and convert it to a query string with the function http_build_query.

Note: the second array you posted is not the correct output of a session array.

On the receiving page/domain, just take the query string and place/sanitize the expected parameters into your $_SESSION array (or whatever you need to do with it).

This is safer than using something like serialize/unserialize as only arrays are being used.

webbiedave
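
As an added example (not code from this thread): one way to keep the http_build_query approach while addressing the injection concern raised in the answers below is to sign the query string with an HMAC and verify it on the receiving domain before anything reaches $_SESSION. The shared key, the `ts` and `sig` parameter names, the 5-minute lifetime and all function names are assumptions.

```php
<?php
// Added example. Key, parameter names (ts, sig) and lifetime are assumptions.
const SHARED_KEY = 'PLACEHOLDER-long-random-secret-known-to-both-domains';
const ALLOWED = ['fName', 'lName', 'address1', 'address2', 'country',
                 'postal_code', 'city', 'retUrl', 'decUrl'];
const MAX_AGE = 300; // seconds a signed link stays valid

// Canonical form that both sides sign: sorted keys, RFC 3986 encoding.
function canonical_query(array $data): string
{
    ksort($data, SORT_STRING);
    return http_build_query($data, '', '&', PHP_QUERY_RFC3986);
}

// Sending domain: build the iframe src from the expected session keys only.
function build_iframe_url(string $base, array $session, int $now): string
{
    $data = array_intersect_key($session, array_flip(ALLOWED));
    $data['ts'] = (string) $now;
    $query = canonical_query($data);
    return $base . '?' . $query . '&sig=' . hash_hmac('sha256', $query, SHARED_KEY);
}

// Receiving domain: returns the verified fields, or null if anything is off.
function read_signed_params(array $get, int $now): ?array
{
    $sig = $get['sig'] ?? '';
    unset($get['sig']);
    foreach ($get + ['sig' => $sig] as $v) {
        if (!is_string($v)) return null;        // rejects name[]=x style input
    }
    $expected = hash_hmac('sha256', canonical_query($get), SHARED_KEY);
    if (!hash_equals($expected, $sig)) return null;          // altered or forged
    $ts = $get['ts'] ?? '';
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_AGE) return null; // stale
    return array_intersect_key($get, array_flip(ALLOWED));
}

// Constructed demo: both sides simulated in one script.
$session = ['fName' => 'abc', 'city' => 'stu', 'is_admin' => '1'];
$url = build_iframe_url('https://www.other_domain.org/iframe/reserve.php', $session, time());
parse_str(parse_url($url, PHP_URL_QUERY), $get);   // what $_GET holds in reserve.php
var_dump(read_signed_params($get, time()));        // unmodified link
$get['fName'] = 'changed';                         // edit a value after signing
var_dump(read_signed_params($get, time()));        // tampered link
```

The signature gives integrity, not secrecy: the values still appear in the URL, browser history and server logs, so this only suits data the user is allowed to see.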
+1  A: 

Serialize the sessiondata array and send it as a parameter and then deserialize it http://www.php.net/manual/en/function.serialize.php

Jonas B
man that's just terrible
Col. Shrapnel
He asked for ways to do it and seemed kinda desperate, I gave my input on the subject and leave it at that. If it is good practise or not is up to him.
Jonas B
+1  A: 

Use serialize() and then base64_encode() to pass the data without corrupting it and (mostly) maintaining its structure.

It's not a good practice, because then anyone who figures out how it works can inject arbitrary data, but if that's what you want to do, it will work.

abrahamvegh
Always wondered, why bother to post "not so good answer"
Col. Shrapnel
@abrahamvegh +1
Jacob Relkin
@Col. Shrapnel I'm answering how something can be done, and then providing the warning and reasoning for why it should not be done. I won't lie and say I haven't used a similar method myself in the past. :D Everyone needs to make mistakes in order to learn.
abrahamvegh
Also it's worth to note that there is no bad ways there are only bad implementations.. oh the heresy code I've written in my days but yet worked flawlessly for what it was intended to do.
Jonas B
A: 

Why not just send the session id to the other domain (and assuming they can read the same session storage substrate) use that as the session id there, e.g.

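<?php
// catch remote session id, validate and reassociate
// md5()'s second argument is a raw-output flag, not a key, so the check
// uses a keyed HMAC (hash_hmac) and a constant-time compare instead;
// the sending side must compute check_hash the same way.
$sessid = $_GET['exported_sessid'] ?? '';
$check  = $_GET['check_hash'] ?? '';
if (is_string($sessid) && is_string($check) && $sessid !== ''
    && hash_equals(hash_hmac('sha256', $sessid, $shared_secret), $check)) {
      // (basic CSRF check)
      session_id($sessid);
}
session_start();
// ....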

C.

symcbean
Not tested this - you may need to force the value into $_COOKIE[session_name()] before calling session_start()
symcbean