For almost any page that calls a Tessitura web API method, you will need a Tessitura session key. The session key records whether the constituent is logged in and carries the shopping cart, and its last-access time must be updated on every page request to keep the cart alive.
The following function gets or refreshes the constituent's Tessitura session key and stores it in a PHP session variable. It also includes a basic guard against session fixation (an attacker planting a known session ID) and hijacking: the session is discarded if the referer is not approved or if the client's IP address or User-Agent changes between requests, and the PHP session ID is regenerated on every request. Be aware that the IP and User-Agent comparison also logs out legitimate users whose address changes mid-session (mobile networks, corporate proxies), so decide whether that trade-off suits your audience. It is good practice to call this function once per page, early in the request.
function prepareSession() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Both headers may be absent; default to empty strings rather than raising notices
    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
    $userAgent  = $_SERVER['HTTP_USER_AGENT'] ?? '';

    // Session fixation / hijacking check. On the first request there is no previous
    // address or user agent to compare against, so only an existing session is tested.
    $hasPrevious = isset($_SESSION['PREVIOUS_REMOTE_ADDR'], $_SESSION['PREVIOUS_HTTP_USER_AGENT']);
    if (!$this->refererIsApproved()
        || ($hasPrevious
            && ($remoteAddr !== $_SESSION['PREVIOUS_REMOTE_ADDR']
                || $userAgent !== $_SESSION['PREVIOUS_HTTP_USER_AGENT']))) {
        // Restart the session and destroy the previous session's data
        $this->destroySession();
        session_start();
    }

    // Issue a fresh session ID on every request and delete the old session data,
    // so a leaked or attacker-chosen ID stops working immediately
    session_regenerate_id(true);
    $_SESSION['PREVIOUS_HTTP_USER_AGENT'] = $userAgent;
    $_SESSION['PREVIOUS_REMOTE_ADDR']     = $remoteAddr;

    if (!isset($_SESSION['userAgentType'])) {
        $this->determineUserAgentType();
    }

    // Generate or update the Tessitura session
    $tessClient = $this->createTessituraClient();
    if (!empty($_SESSION['tessSessionKey'])) {
        try {
            $tessClient->UpdateLastAccessTime(array(
                'sSessionKey' => $_SESSION['tessSessionKey'],
                'sNow'        => date('n-j-Y G:i:s.000')
            ));
        } catch (SoapFault $exception) {
            // Insert code here to handle the potential failure of the SOAP call.
        }
    } else {
        $response = null;
        try {
            $response = $tessClient->GetNewSessionKeyEx(array(
                'sIP'           => $remoteAddr,
                'iBusinessUnit' => 1
            ));
        } catch (SoapFault $exception) {
            // Insert code here to handle the potential failure of the SOAP call.
        }
        // Only store a key if the call actually returned one
        if (isset($response->GetNewSessionKeyExResult)) {
            $_SESSION['tessSessionKey'] = $response->GetNewSessionKeyExResult;
        }
    }
}
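prepareSession() calls two helpers, destroySession() and createTessituraClient(), that are not shown on this page. The following is an added example of how they might be implemented; it is not code from the original page. It assumes the methods live in a class (named TessituraSession here, an arbitrary choice) and that the Tessitura WSDL URL is provided by a constant TESSITURA_WSDL defined in the same external settings file as APPROVED_REFERERS.

```php
<?php
// Added example, not part of the original page. Assumptions: the class name is
// arbitrary, and TESSITURA_WSDL is a constant holding the web API's WSDL URL,
// set in an external settings file alongside APPROVED_REFERERS.

class TessituraSession
{
    // Wipe the current PHP session completely: the server-side data, the session
    // cookie in the browser, and the stored session. After this, session_start()
    // gives the visitor a brand-new, empty session with a fresh ID, so an ID that
    // an attacker planted or captured no longer maps to anything.
    public function destroySession(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }
        $_SESSION = array();

        // Expire the session cookie so the browser stops presenting the old ID
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }

    // Build the SOAP client used for UpdateLastAccessTime / GetNewSessionKeyEx.
    // 'exceptions' => true makes a failed call throw SoapFault, which is what the
    // try/catch blocks in prepareSession() expect; the timeout keeps a slow
    // Tessitura endpoint from stalling every page request indefinitely.
    public function createTessituraClient(): SoapClient
    {
        return new SoapClient(TESSITURA_WSDL, array(
            'exceptions'         => true,
            'connection_timeout' => 10,
            'cache_wsdl'         => WSDL_CACHE_BOTH,
        ));
    }
}
```

The cookie parameters are read back from session_get_cookie_params() so the expiring cookie matches the path and domain of the one PHP originally set; a cookie deleted with different attributes is a different cookie and the browser keeps sending the old ID.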
Please note the call to refererIsApproved(). This function may be customized to make sure that a session has originated in your organization. Keep two limitations in mind. First, the Referer header is supplied by the browser and is often absent (privacy settings, a Referrer-Policy, or a link marked rel="noreferrer"); because the function below treats a missing header as approved, it is a supplementary check rather than a barrier on its own. Second, compare the referer's host exactly: a prefix match on "http://publictheater.org" would also accept http://publictheater.org.attacker.example/ and http://publictheater.org@attacker.example/. Here is an example of the function:
refererIsApproved()
function refererIsApproved() {
    // A missing Referer header is treated as approved, because browsers and
    // privacy settings often strip it. That also means an attacker can pass
    // this check simply by omitting the header, so it is only a weak signal.
    if (!isset($_SERVER['HTTP_REFERER'])) {
        return true;
    }

    // I set the constant, APPROVED_REFERERS, in an external settings file.
    // It contains a comma-separated list of domains and subdomains.
    // For example: publictheater.org, www.publictheater.org
    $referers = explode(",", str_replace(" ", "", strtolower(APPROVED_REFERERS)));

    // Parse the URL and compare the host exactly rather than prefix-matching
    // the whole string; a prefix test on "http://publictheater.org" would also
    // accept "http://publictheater.org.attacker.example/".
    $parts = parse_url($_SERVER['HTTP_REFERER']);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    return in_array(strtolower($parts['host']), $referers, true);
}
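To see why the host must be parsed rather than prefix-matched, the following added example (not code from the original page) runs a naive prefix check and a host-based check side by side over a set of constructed referer values. Both functions take the referer and the approved list as parameters so the script runs from the command line; the page's own function reads them from $_SERVER and APPROVED_REFERERS instead. The domains, the referer strings and the expected column are constructed for the demonstration.

```php
<?php
// Added example, not part of the original page: compares a prefix-based referer
// check with a host-based one over constructed inputs.

// Naive version: approve when the URL merely starts with "http(s)://<approved domain>".
function refererApprovedByPrefix(?string $referer, array $approved): bool {
    if ($referer === null) {
        return true;
    }
    $referer = strtolower($referer);
    foreach ($approved as $domain) {
        $domain = strtolower(trim($domain));
        if (strpos($referer, "http://" . $domain) === 0
            || strpos($referer, "https://" . $domain) === 0) {
            return true;
        }
    }
    return false;
}

// Hardened version: parse the URL and require an exact, case-insensitive host match.
function refererApprovedByHost(?string $referer, array $approved): bool {
    if ($referer === null) {
        return true;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $approved = array_map(fn($d) => strtolower(trim($d)), $approved);
    return in_array(strtolower($parts['host']), $approved, true);
}

// Constructed test referers. "expected" is what a correct check should return.
$approved = ['publictheater.org', 'www.publictheater.org'];
$cases = [
    ['https://www.publictheater.org/tickets',          true],
    ['http://publictheater.org/',                      true],
    ['HTTPS://WWW.PUBLICTHEATER.ORG/',                 true],  // case-insensitive
    ['https://publictheater.org.attacker.example/',    false], // lookalike domain
    ['http://publictheater.org@attacker.example/',     false], // userinfo trick
    ['https://attacker.example/?u=publictheater.org',  false],
    ['https://tickets.publictheater.org/',             false], // subdomain not listed
    [null,                                             true],  // header absent: allowed by design
];

printf("%-48s %-8s %-8s %-8s\n", 'Referer', 'prefix', 'host', 'expected');
foreach ($cases as [$referer, $expected]) {
    printf("%-48s %-8s %-8s %-8s\n",
        $referer ?? '(none)',
        refererApprovedByPrefix($referer, $approved) ? 'approve' : 'reject',
        refererApprovedByHost($referer, $approved) ? 'approve' : 'reject',
        $expected ? 'approve' : 'reject');
}
```

The two lookalike rows are the ones that matter: the prefix check approves both the registered lookalike domain and the userinfo form, because each string begins with "http://publictheater.org", while parse_url() reports attacker.example as the host in both cases and the host check rejects them. The last row shows the permissive default that both versions share, which is why the referer check should be combined with the IP and User-Agent comparison rather than relied on alone.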