I am struggling with race protection in PHP.
My application is written in symfony 1.4 and PHP blocks session data until the page finishes processing. I have a long (~ 10 seconds) login script, and I want to display a progress bar showing the user what is being done while they wait. (I want to actually show what is being done, and not use the standard [faux] download bar.)
Whenever a script calls session_start(), PHP blocks the user session data until the script exits. This prevents my checking the status of ajax calls from returning anything until the longer running script. (My question is why my ajax calls were not asynchronous, here .)
I have developed a way to do this, but I want to make sure that this method is safe enough for general purposes (i.e. this is not a banking application).
My idea:
- When authenticating the username and password (before starting a long login to the script system), a unique cookie with a unique identifier is installed on the client computer.
- The same unique identifier is written to a file on the server along with the client's IP address.
- While the script is logging in for a long time, it will update this file with the status of the login process.
- Checking the status ajax will check the server on a special page that does not use
session_start(). This page will receive the cookie value and client IP address and check the server side file for any status updates.
Are there any obvious problems with this solution?
Again, from a security point of view, even if someone hacked it, all they got was a number representing the state of the login process.
source
share