0

I am trying to develop an Apache 2 module that, among other functions, should intercept certain POST variables, and then establish a PHP session underneath, setting all the relevant session variables.

One option I've considered was using cookie libraries to set the PHPSESSID in the request, and then insert all these values in the $_SESSION associative array.

Problem is I can't seem to find an API for the PHP, and my suspicions that these values actually lie underneath, in the Apache server itself, are currently unfounded.

Does anyone know if this is even possible? Or even if I am overlooking a simple workaround that would work?

ravemir
  • 1,153
  • 2
  • 13
  • 29
  • 2
    I think you need to be writing a PHP extension rather than an Apache module for what you want to do. If you hook into Apache early on in the request, PHP hasn't been invoked yet so there is no place to inject session variables. If you hook later on in the request, PHP will have already executed (and in the case of FastCGI) your Apache hook most likely won't even run. Check out [PHP at the Core](http://www.php.net/manual/en/internals2.php) for info on developing PHP extensions. – drew010 Aug 11 '12 at 19:46
  • Writing a PHP extension would mean also writing code for other web processing systems (like CGI), which, while not being impeditive in my case in particular, . – ravemir Aug 12 '12 at 18:39
  • I'm not sure I understand, the PHP extension shouldn't really be concerned with what server API is in use for what it sounds like you want to do. You would just add a hook for the request startup, check for your post variables, and start a session and inject the data in it. – drew010 Aug 12 '12 at 18:51
  • Sorry, I was editing the previous post, but the time ended up expiring. What I mean to say was that developing an extension might not be an option in this case, although I can try suggest it to the "client". But if I hooked the request after PHP processed it, it would be a good: I could start the session myself, fill in the attributes, and send the cookie over to the client. It's just like you suggested now, but the problem is, even if I parse the POST variables, I have no way to insert their values into a PHP session afterwards. – ravemir Aug 12 '12 at 19:39
  • I'm not expert at developing Apache modules, but I recently needed to make a module that would look at response headers from a PHP FastCGI response after PHP had finished processing, in the end I had to give up because once PHP (or more accurately mod_fcgid) handled the request, no more hooks would run so there was nothing I could do. I still see no way of creating a PHP session and adding data from an Apache module since that's all PHP related. There are just too many issues with the session settings. A CGI user could have their own custom `php.ini` file in their directory that affects PHP – drew010 Aug 12 '12 at 19:58
  • ...settings different from the server's php.ini file. If they had an existing PHP session cookie, you'd have to open the existing sessions. And all of this is moot if the CGI process runs on a remote server where you can't touch the session files. – drew010 Aug 12 '12 at 19:58
  • Wouldn't it be possible to do it by creating/changing the files PHP creates to store a session? – ravemir Aug 12 '12 at 22:25
  • 1
    Technically, just note that PHP session files are stored on the server in [serialized](http://php.net/serialize) format. The session files may be owned by the user that runs the server, or session files could be owned by the user that owns the `.php` files so you could run into permissions issues. PHP will also lock the session file during a request that calls `session_start()` for that particular session file so you'll have file locking to worry about as well. You'll also need to know the directory in which session files are stored and identify the user's session file based on the cookie. – drew010 Aug 12 '12 at 22:29
  • I see this solution is quite "hackish", so I think I'll go with the extension. – ravemir Aug 13 '12 at 09:04

1 Answers1

0

I eventually decided to write a PHP extension, alongside another handler on my Apache Module, since I prefer to parse some POST vars there.

The module will "chew" the data that needs to be saved to the session, and pass it off as new POST variables, after criptografically validating the data. The PHP extension will then start a new session, and set each item as a Session variable.

This assumes my module will run before the PHP module itself. In case that doesn't happen, I will have to handle the validation on PHP, or try to force the handler to run before PHP somehow.

ravemir
  • 1,153
  • 2
  • 13
  • 29