can I use a $_SESSION variable in a third party script on the same server?

marcnyc

Hello, I am struggling with this problem.
I wrote some code with an authentication routine. When a user is logged in $SESSION['auth'] is set to seomthing and when no user is authenticated $SESSION['auth'] does not exist.

I now installed CKEditor and CKFinder on my server to make the text input prettier and easier for my authenticated users.
The problem is that CKFinder needs to check for authentication and that is where I am struggling.

In the /ckfinder/config.php file there is this:

function CheckAuthentication()
{
	//WARNING : DO NOT simply return "true". By doing so, you are allowing
	//"anyone" to upload and list the files in your server. You must implement
	//some kind of session validation here. Even something very simple as...

// return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];

//... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
//user logs in your system.
	return false;
}

If I simply set 'return true;' then CKFinder works but anyone can hack into the site and delete files uploaded by my authenticated users.

What I attempted to do is this:

function CheckAuthentication()
{
	global $_SESSION;
	if ( isset($_SESSION['auth']) )
		return true;
	else
		return false;
}

but I keep not being being authenticated by CKFinder.
What am I doing wrong?

Can I not use a session variable in a third-party script on the same server? Isn't the session variable available server-wide? I don't understand...

Thanks for pointing me in the right direction.

Neville1985

There is no point in globalizing a $_SESSION variable because its already a system global.

Secondly, if the third party script has its own authentication system, which from what information you've given is what I'm assuming, you need to make sure that its using your system. It might be using a session variable but a different key. Have a look in the script and maybe paste it here so we have more information to work with.

My suggestion: Take the time to program your own, then use CSS and alike to make it more 'colorful', doing it this way takes a little longer, but it will be worth it in the end, cause you will know whats going on at any one time.

I've never really liked third party auth systems for a few reasons. 1/ They are 'open' source (scripts can be changed) thus they are a lot more prone to security issues, 2/ to change/add/remove something takes more effort.

cahva

The

if ( isset($_SESSION['auth']) )

..should work if the script is on the same domain that your site is. Did you check that session is started with session_start() in the script where you are using CKEditor/CKFinder? That would be the obvious reason for it not to work.

marcnyc

CKFinder is not a third party authentication system it is a third party file browser and it does not have an authentication system of its own, which is why they recommend adding a check to make sure only authenticated users can use the browser.

Globalizing was only a last resort desperate attempt while I was trying different things... I don't understand why it doesn't work because it should, even without the global line.

The session is started in my own script because the authentication does work so I don't know why it doesn't work.
There is no include of my own script in CKfinder, therefore CKfinder doesn't have a session_start() of its own, could this be the problem?

cahva

I downloaded the CKFinder to see wheres the problem and I was right. Session is not started. Hint: check line 110 of config.php 😉

marcnyc

Wow thank you so much cahva, I appreciate you took the time to download ckfinder and read my post and help me out. I very much do!
I didn't realize I had to start the session in that script in order to use the session variables from the other session... THANK YOU