Access PHP $_SESSION from Python (WSGI) - is this possible?

I have a Python / WSGI application that needs to check whether the user has logged into the PHP web application. The problem is that the PHP application checks whether the user is logged in by comparing the value in the $_SESSION variable with the value in the cookie from the user's browser. I would prefer not to change the behavior of the PHP application, if at all possible.

My questions:

  • Is there any way I can access session variables from within Python? Where should I start looking?

  • Are there any obvious security / performance issues that I should know about when taking this approach?

+4
3 answers
  • Yes. A session (by default) is a regular file, therefore all you need to do is browse the session directory and find the file named after the session cookie value. Then you should implement a PHP-like serialize / unserialize and do whatever you want.

  • No

+3

It depends on the PHP application: if it stores the session data in a database (possibly MySQL), you can just connect to the database and get the data; if it uses PHP's own sessions, you should look at the session.save_path setting in php.ini, the place where the runtime saves the files with session data.

Once you have the data, you can parse it to get it unserialized; take a look at how serialize() and unserialize() work in PHP.

+1
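The two answers above both come down to the same two steps: locate the sess_<id> file under session.save_path using the cookie value, and decode PHP's session serialization. The following Python is an added example written for this page, not code from either answerer. It assumes the default "php" serialize handler (session.serialize_handler = php, the key|value layout), a save_path given as a plain directory, and a constructed sample session file; the session id check and the gc_maxlifetime check are the two things a WSGI side should do before trusting anything it reads.

```python
import os
import re
import tempfile
import time

# Constructed sample: contents of a sess_<id> file written by PHP's default
# "php" serialize handler (session.serialize_handler = php).
SAMPLE_SESSION_FILE = (
    'user_id|i:42;logged_in|b:1;name|s:5:"alice";'
    'roles|a:2:{i:0;s:5:"admin";i:1;s:6:"editor";}'
    'token|N;'
)

# Alphabet PHP uses for session ids (session.sid_bits_per_character up to 6).
SESSION_ID_RE = re.compile(r'^[A-Za-z0-9,-]{1,256}$')


class PhpUnserializeError(ValueError):
    pass


def _parse_value(data, pos):
    """Parse one PHP-serialized value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == 'N':                                   # N;
        return None, pos + 2
    if tag in 'ibd':                                 # i:42;  b:1;  d:1.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        if tag == 'i':
            return int(raw), end + 1
        if tag == 'b':
            return raw == '1', end + 1
        return float(raw), end + 1
    if tag == 's':                                   # s:5:"alice";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])            # length is counted in BYTES
        start = colon + 2                            # skip  :"
        end = start + length
        if data[end:end + 2] != '";':
            raise PhpUnserializeError('bad string at offset %d' % pos)
        # the file was decoded as latin-1 so byte offsets line up; restore UTF-8 here
        return data[start:end].encode('latin-1').decode('utf-8', 'replace'), end + 2
    if tag == 'a':                                   # a:2:{key;value;...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip  :{
        items = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            items[key], pos = _parse_value(data, pos)
        if data[pos:pos + 1] != '}':
            raise PhpUnserializeError('bad array at offset %d' % pos)
        return items, pos + 1
    raise PhpUnserializeError('unsupported type %r at offset %d' % (tag, pos))


def php_session_unserialize(data):
    """Decode the key|value pairs of a PHP session file into a dict."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)
        session[data[pos:bar]], pos = _parse_value(data, bar + 1)
    return session


def load_php_session(save_path, session_id, gc_maxlifetime=1440):
    """Return the session dict for a cookie value, or None if it must not be trusted."""
    # The cookie value is client-controlled; accept only PHP's own id alphabet so it
    # cannot be turned into a path to some other file under or outside save_path.
    if not SESSION_ID_RE.match(session_id):
        return None
    path = os.path.join(save_path, 'sess_' + session_id)
    try:
        mtime = os.path.getmtime(path)
        with open(path, 'rb') as fh:
            raw = fh.read()
    except OSError:
        return None
    # PHP's GC treats a file older than session.gc_maxlifetime (default 1440 s) as
    # expired but may not have deleted it yet; apply the same rule here.
    if time.time() - mtime > gc_maxlifetime:
        return None
    return php_session_unserialize(raw.decode('latin-1'))


def demo_roundtrip():
    """Write the constructed sample under a throwaway save_path and read it back."""
    save_path = tempfile.mkdtemp()
    session_id = 'constructedsessionid0123456789ab'     # constructed 32-char id
    with open(os.path.join(save_path, 'sess_' + session_id), 'w') as fh:
        fh.write(SAMPLE_SESSION_FILE)
    return load_php_session(save_path, session_id)


if __name__ == '__main__':
    print(demo_roundtrip())
```

Two things to keep in mind when running this against a live application: PHP writes the session file when the request ends, so the Python side can read data that is one request old, and a save_path of the form "N;/path" (the levelled-directory layout) needs the path split out before it is joined with the file name.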

I am currently trying to start a Python server side by side with existing Apache / PHP. The particular solution I came up with was to save $_SESSION as an encrypted cookie, letting PHP authentication work as before, and then share the private key between the two servers.

Two questions:

  • It's up to you how to handle session expiration events.
  • I did not bother with the initialization vector, believing that the timestamp from my expiration is enough. See fooobar.com/questions/7346/... for why I might be too weak...

Anyway, my PHP encrypted-cookie function:

    session_start();

    $encryptToCookie = function ($varToEncode, $cookieName, $privateKey) {
        $iv = $privateKey;          // the key is reused as IV, as noted above
        $pass = $privateKey;
        $method = 'aes-128-cbc';
        // OPENSSL_RAW_DATA (== 1) returns raw bytes rather than base64; the original passed true
        $encryptedString = openssl_encrypt(json_encode($varToEncode), $method, $pass, OPENSSL_RAW_DATA, $iv);
        setcookie($cookieName, bin2hex($encryptedString));
    };

    // the private key must be 16 bytes (128 bits) for aes-128-cbc
    $encryptToCookie($_SESSION, "sessionEncrypted", "yohoyohoyohoyoho");

And my python side decryption:

    from subprocess import Popen, PIPE
    import binascii

    def decrypt(encryptedString, privateKey):
        # the cookie carries bin2hex() output, so undo the hex first
        encryptedString = binascii.unhexlify(encryptedString)
        pathToOpenSSL = r'C:\pysrc\openssl\openssl.exe'  # MODIFY THIS!!
        # openssl wants key and IV as hex; the PHP side uses the key as the IV too
        keyHex = binascii.hexlify(privateKey.encode()).decode()
        openssl = Popen([pathToOpenSSL, 'enc', '-aes-128-cbc', '-d', '-nosalt',
                         '-K', keyHex, '-iv', keyHex],
                        stdin=PIPE, stdout=PIPE)
        # without -nopad openssl strips the PKCS#7 padding itself, which is more
        # reliable than deleting every 0x04 byte from the plaintext
        decryptedString = openssl.communicate(encryptedString)[0]
        return decryptedString.decode()  # JSON text of the PHP $_SESSION array

    # decrypt(cookieValue, 'yohoyohoyohoyoho')

Hope this helps someone, remember all the usual things about creating private keys, and then be careful with them!

+1
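The answer above leaves two gaps it already half-acknowledges: the key doubles as the IV, and nothing lets the Python side tell a cookie it produced from one somebody edited. The following is an added example written for this page, not the answerer's code. It keeps the same building blocks (aes-128-cbc through the openssl CLI, hex-encoded cookie, JSON payload) but uses a fresh random IV per cookie, appends an HMAC-SHA256 over iv||ciphertext that is verified before decryption, and carries the expiry inside the sealed payload. It assumes the openssl CLI is on PATH (the answer hard-codes a Windows path) and uses constructed keys; a PHP side that emits the same layout would use openssl_random_pseudo_bytes() for the IV, OPENSSL_RAW_DATA, and hash_hmac('sha256', ...).

```python
import binascii
import hashlib
import hmac
import json
import os
import shutil
import subprocess
import time

# Assumption: the openssl CLI is on PATH (None if it is not installed).
OPENSSL = shutil.which('openssl')

# Constructed keys: a 16-byte AES-128 key and a separate key for the HMAC.
ENC_KEY = b'yohoyohoyohoyoho'
MAC_KEY = b'constructed-mac-key-32-bytes-xxx'


def _aes_cbc(key, iv, data, decrypt=False):
    """Run 'openssl enc -aes-128-cbc' as the answer does; PKCS#7 padding is left to openssl."""
    if len(key) != 16 or len(iv) != 16:
        raise ValueError('aes-128-cbc needs a 16-byte key and a 16-byte IV')
    args = [OPENSSL, 'enc', '-aes-128-cbc', '-nosalt', '-K', key.hex(), '-iv', iv.hex()]
    if decrypt:
        args.append('-d')
    return subprocess.run(args, input=data, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, check=True).stdout


def seal_session(session, enc_key=ENC_KEY, mac_key=MAC_KEY, ttl=1440):
    """Cookie value: hex(iv || ciphertext || hmac-sha256), with the expiry inside the payload."""
    payload = dict(session, _expires=int(time.time()) + ttl)
    iv = os.urandom(16)                                          # fresh IV per cookie
    ct = _aes_cbc(enc_key, iv, json.dumps(payload).encode())
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()    # encrypt-then-MAC
    return binascii.hexlify(iv + ct + tag).decode()


def open_session(cookie_hex, enc_key=ENC_KEY, mac_key=MAC_KEY):
    """Return the session dict, or None if the cookie is malformed, altered, forged or expired."""
    try:
        blob = binascii.unhexlify(cookie_hex)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 16 + 16 + 32:                                 # iv + one block + tag
        return None
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):                   # verify before decrypting
        return None
    try:
        session = json.loads(_aes_cbc(enc_key, iv, ct, decrypt=True).decode())
    except (subprocess.CalledProcessError, ValueError):
        return None
    if session.get('_expires', 0) < time.time():
        return None
    return session


def demo():
    """Round-trip a constructed session and show that altered, forged and expired cookies fail."""
    if OPENSSL is None:
        return None
    cookie = seal_session({'user_id': 42, 'name': 'alice'})
    blob = bytearray(binascii.unhexlify(cookie))
    blob[20] ^= 0x01                                             # flip one ciphertext bit
    tampered = binascii.hexlify(bytes(blob)).decode()
    return {
        'decoded': open_session(cookie),
        'tampered': open_session(tampered),
        'wrong_mac_key': open_session(cookie, mac_key=b'not-the-right-key'),
        'expired': open_session(seal_session({'user_id': 7}, ttl=-1)),
    }


if __name__ == '__main__':
    print(demo())
```

The expiry lives inside the authenticated payload rather than in a separate cookie, so the only thing the browser can do with a cookie is return it unchanged or not at all; everything else comes back as None.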

Source: https://habr.com/ru/post/1305386/
