Topic: Absolute paths break cookies

Hello,

I'm currently working on building a website off of PunBB 1.2.10. However, because relative paths across the /forum folder and others don't seem to want to cooperate on including pages with variables being passed through the URL ("include 'rightbar.php';" works fine, "include 'rightbar.php?pg=index';" does not, but get this: "include 'http://www.domain.com/rightbar.php?pg=index';" does the trick), I've given up and begun to use absolute paths (starting from "http://"). The problem here is that this method of includes seems to break cookie reading. Directly reading the pages will produce the right information, but including them from another page using a full URL will make me appear as a guest.

Is there anything I can do to read cookies from pages with absolute URLs, or will I be forced to stop using URL variables in included pages altogether?

P.S. I've tried the "base" header tag, but it didn't fix the problem.

(edited by ontap 2006-01-22 02:30)

Re: Absolute paths break cookies

I've been battling the same problem all day. Finally came up with a workaround -- probably not the best or most efficient way to do this but it will solve the problem.

Like you, I found that if I try to include extern.php with a relative path (ie: include"/forums/extern.php?action=news") it always failed. If I took off the query part (everything after the ?) it would pull the file but obviously show no results. If I use the absolute path (include"http://www.mysite.com/boards/extern.php etc.") then all is good... except that the global $pun_user info. isn't available to extern.php and neither is the cookie info. I wanted to be able to use that info. to conditionally display info. via extern.php -- like only showing the number of times a certain post has been viewed to admins and staff, not all visitors.

So, here's what I ended up doing:

In the calling page, for example index.php, I added the following lines to turn the $pun_user array into two strings, one with the names of each variable (like username, group_id) and one with the associated values (like joeblow, 2):
$keys=array_keys($pun_user);
$keys=implode(",",$keys);
$pun_user = implode(",",$pun_user);
$append = "&keys=".$keys."&pun_user=".$pun_user;

Then I pass that info. to extern.php by tagging $append onto the include like so:
include "http://www.mysite.com/forums/extern.php … amp;fid=14".$append;

Then I added some lines in extern.php to convert that info. back into the $pun_user array so that I can access them just like anywhere else.

$a="";
$b="";
$values="";
if(isset($_GET['keys'])) $a = $_GET['keys'];
if(isset($_GET['pun_user'])) $b = $_GET['pun_user'];
$a = explode (",",$a);
$b = explode (",",$b);
$num_var=count($b);
$c=array_chunk($a, $num_var);
$a=$c['0'];
$keys=array_values($a);
$values=array_values($b);
$pun_user = array();
for ($i = 0; $i < $num_var; $i++) {
    $pun_user[$keys[$i]] = $values[$i];
}

What I'm doing here is first setting the variables we're going to use and checking to see if we have passed the $append info. (you might have instances of extern.php where you don't need that info. and this will prevent you from getting errors because extern.php is expecting $append).
$a="";
$b="";
$values="";
if(isset($_GET['keys'])) $a = $_GET['keys'];
if(isset($_GET['pun_user'])) $b = $_GET['pun_user'];

If $keys and $pun_user are set, I then turn them back into arrays via the explode() function.
$a = explode (",",$a);
$b = explode (",",$b);

Unless all of your users have filled out every possible field of user info. you're always going to end up with more field keys than field info -- as in, I didn't put in any IM or ICQ info. so those field names will be in the $keys array but will have no corresponding value in the $pun_user array. So I count the array that has your user values ($b) and then use the array_chunk() function to cut the $keys array to the same size:
$num_var=count($b);
$c=array_chunk($a, $num_var);
$a=$c['0'];

Finally, I'm using PHP4 so I don't have the array_combine() function available so the next lines were my workaround. Basically I just do a loop to add values to the array $pun_user.
$keys=array_values($a);
$values=array_values($b);
$pun_user = array();
for ($i = 0; $i < $num_var; $i++) {
    $pun_user[$keys[$i]] = $values[$i];
}

There you go. Probably not the most elegant way to handle this and I don't know if there are any security implications (you are passing all of this info. via a $_GET), but it's working for me. After that, access any of the $pun_user variables within extern.php just like you use them elsewhere.

Re: Absolute paths break cookies

Thanks for the tremendous reply. I think I'm going to split up my files instead, to avoid using $_GET variables -- your method seems a little insecure. An enterprising member (or even a guest) could easily make himself an admin from the perspective of the included page if he knew what he was doing.

What we really need is for someone to shed some light on why pages aren't being found with URL variables. Perhaps it's a common mistake on our part.

Re: Absolute paths break cookies

That's what I was wondering -- if someone could somehow take advantage of this set up. I couldn't figure out exactly how you would do it though, since to the outside world you wouldn't have any way (or would you?) of knowing that this was pulling from a PunBB include. On my particular setup I made a few mods to the extern file so that news on my front page jumps to dedicated pages for those topics, not back to the boards -- basically just using a staff only Forum in the boards as a quick and easy way to post to other sections of the site. So if we've got a particular event, we can post a notice on the front page that jumps to www.mysite.com/event_name, which displays that main page post plus any other posts from that Forum.

Re: Absolute paths break cookies

http://us2.php.net/manual/en/function.include.php

Take a look at "Example 16-7. include() through HTTP"

There isn't a way around that.

Re: Absolute paths break cookies

That's a bit of a letdown. Thanks, Smartys.

ontap wrote:

That's what I was wondering -- if someone could somehow take advantage of this set up. I couldn't figure out exactly how you would do it though, since to the outside world you wouldn't have any way (or would you?) of knowing that this was pulling from a PunBB include.

Not unless I'm missing something. I just feel a little nervous about admin functions being available to anyone through a carefully written URL, even a hidden one.

Re: Absolute paths break cookies

Gotcha. I guess in that case the best thing to do is just pull the piece of extern.php you want as a regular function on your site and skip the include route. That's what I'll probably do at some point as well.
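
The direct-call approach the thread ends on, set beside the query-string workaround, as an added example (not code from any poster or from PunBB). The function names, the sample user and the group ids 1 and 2 for admin and staff are assumptions made for illustration.

```php
<?php
// Added example with constructed data; not PunBB code.

// The workaround above, condensed: identity rebuilt from the query string.
// Whoever writes the URL decides what ends up in the returned array.
function user_from_query(array $get)
{
    $keys   = isset($get['keys']) ? explode(',', $get['keys']) : array();
    $values = isset($get['pun_user']) ? explode(',', $get['pun_user']) : array();
    $user   = array();
    $n      = min(count($keys), count($values));
    for ($i = 0; $i < $n; $i++) {
        $user[$keys[$i]] = $values[$i];
    }
    return $user;
}

// Direct call instead of an HTTP include: the fragment is handed the user the
// forum already authenticated from its cookie, never a value from the request.
// A filesystem include behaves the same way: variables set before
// "include 'rightbar.php';" are visible inside the included file.
function render_view_count(array $pun_user, $num_views)
{
    $staff_groups = array(1, 2); // assumed ids for the admin and staff groups
    $group_id = isset($pun_user['group_id']) ? (int) $pun_user['group_id'] : 0;
    if (!in_array($group_id, $staff_groups, true)) {
        return '';
    }
    return 'Views: ' . (int) $num_views;
}

// Constructed: what the forum's cookie login produced for this visitor.
$trusted_user = array('username' => 'visitor', 'group_id' => 4);
// Constructed request in the workaround's format; group_id is whatever was typed.
parse_str('keys=username,group_id&pun_user=visitor,1', $request);

$from_url = user_from_query($request);
echo 'group_id taken from the URL:    ', $from_url['group_id'], "\n";
echo 'group_id from the cookie login: ', $trusted_user['group_id'], "\n";
echo 'fragment (URL-derived user):    "', render_view_count($from_url, 57), "\"\n";
echo 'fragment (trusted user):        "', render_view_count($trusted_user, 57), "\"\n";
```

The staff check is identical in both calls; only the source of $pun_user differs, which is why keeping the fragment in-process and passing the server-side array closes the gap.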