Forum Discussion

Walter_Kacynski's avatar
Walter_Kacynski
Icon for Cirrostratus rankCirrostratus
Feb 05, 2015

PHP and session variable substitution

I want to evaluate the content of a session variable during logon page processing. session.server.landinguri=/?pw=0

This doesn't work

    $landingUri = '%{session.server.landinguri}';
    $pos = strpos($landingUri, 'pw');
    if ($pos !== false) { ?>
        true

This works!

    $landingUri = '/?pw=0';
    $pos = strpos($landingUri, 'pw');
    if ($pos !== false) { ?>
        true

Does anyone know how APM and PHP interact that would cause this problem? I assume that there is an issue with how special characters from the session variable are substituted during runtime. I have tried using double quotes with no luck.

BIG-IP Access Policy Manager (APM)
customization
design
php
security
  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Feb 05, 2015

    In my experience of trying to do this, what I think is going on is this...

    • Make customization including session variable 
      $landingUri = '%{session.server.landinguri}';
    • PHP executes when page is accessed, setting landingUri to the string
      %{session.server.landinguri}
      .
    • As the processed HTML goes down the pipe to the client after PHP has executed, APM rewrites 
      %{session.server.landinguri}
      to the 
      /?pw=0
      (or whatever the value should be).
      • So if you were to 
        echo
        the variable in PHP, the resulting HTML from the PHP perspective would be 
        %{session.server.landinguri}
        , but further down the line, APM rewrites that within the HTML to the actual value.

    All that to say, when you do the 

    strpos
    , it's testing against the value 
    %{session.server.landinguri}
    , not the expected value 
    /?pw=0
    .

    For me, the only way to overcome this kind of thing was to do testing within javascript instead, which may not be feasible depending on what you want to do.

    Another option might be to use a policy agent event in the VPE to do some work and set a custom session variable you want to echo on the page and then use that instead.

  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Feb 05, 2015

    Hey Walter,

     

    I have been able to reproduce the issue you describe but I cannot find any reason it will not work as expected. Can you give a little bit of insight into what you are trying to do and maybe we can help with a workaround?

     

    -Seth

     

  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Feb 06, 2015

    Hmm, interesting, I would have thought the PHP and APM process the page at the same time or that APM ran first and then PHP second so that you have the full power of server side logic at your disposal.

     

    I want to be able to tell where the login page came from an external system so I'm using a query string to identify the original system. I want to use this to display a success or failure message on the banner of my login page.

     

    This can be done client side in JavaScript, but logically it's easier to write in PHP when the HTML can be turned on or off. I'll just get with my JavaScript development team to write up the necessary code.

     

    Thanks for the prompt replies.