-1

I have a $token of a session.

How can I check if the current session belongs to this token without using cookies?

I tried some this:

$token = strip_tags($_GET['key']); // Here I obtain the token of a user
$session = new sfsession();
$session->setId($token);
$session->start();

In this point, I have to check if the current session belongs to the session with token $token.

Touki
  • 7,465
  • 3
  • 41
  • 63
user2794692
  • 361
  • 2
  • 10
  • 24
  • I think you definitely should read the [documentation](http://symfony.com/doc/current/book/index.html) about [sessions in symfony2](http://symfony.com/doc/current/book/security.html). You shouldn't need `$_GET` variable in a Symfony2 project, nor need to start the session manually. – Touki Sep 24 '13 at 15:12
  • Yes but I did this in php without framework, I get $token, and then start new session and check if this session is Logged. I need to do this with Symfony, but I don't know how do this. – user2794692 Sep 24 '13 at 15:41

1 Answers1

0

So you want to test if the session ID remains the same across browsers, if the key is included?

Aside from security concerns (such as session hijacking), you can't directly test the session token.

However, you can try setting another variable in the session, when initially generating the key that you're using in the URL:

$session->set("securityToken", $token);

then on the landing download page, after starting the session with the code from your question, you can add:

if ($session->get("securityToken") == $token) {

// user legit

}
Emilian Manolache
  • 414
  • 3
  • 8
  • No because If I use this, when I setId($Token), always the getId() is the same that this $token. – user2794692 Sep 24 '13 at 15:00
  • Yes, but if you're using setID($token) before $session->start, you will surely get the same id back. Can you please explain your contect? – Emilian Manolache Sep 24 '13 at 15:07
  • Yes of course, the problem is to get a "download link" that works fine in differents browsers. The link is generated with the token of the user logged. If I get this link and i used in another browser, this link have to works fine. This is my problem :) – user2794692 Sep 24 '13 at 15:12
  • I'm sorry, I still don't understand your question, at all. – Emilian Manolache Sep 24 '13 at 15:20
  • Ok, i'm try to explain it: I have a website with differents files to download. Only register users can download this files. The url to download use the token of the user, because if a private download. The target is can get the private link, and paste it in another browser without loggin before, and the download works fine. – user2794692 Sep 24 '13 at 15:28
  • Thanks, i'm going to test it. – user2794692 Sep 25 '13 at 15:49