The way session works in MODx

Hi everybody!
I am getting an external resource browser to work with my front-end manager. For security reasons it needs to read $_SESSION[’mgrValidated’] variable. I found out then that those MODx session vars cannot be seen from external pages. And! externally set session vars cannot be seen from within MODx.

Is there a way for exchanging session vars between MODx and external php-scripts?

Thanks, Max

Your external resource browser would need to use the MODx config file and call the startCMSSession() function in order to share session data.

Thanks very much Jason, i’ll give that a try

Jason! it worked like a charm:

I have an external script that needs to read $_SESSION[’webValidated’] and $_SESSION[’webInternalKey’].
Before finding this thread, I stumbled upon startCMSSession() which seemed to work beautifully, until I realized that the session variables are only available if I’m logged into the manager (backend).

Is there any way of finding $_SESSION[’webInternalKey’] from an external script when logged into the frontend only?

have you checked out the modxapi library?
http://modxcms.com/MODxAPI-Library-865.html

To see your available &_SESSION varaiables, make a new snippet named "Session_Info" with the following code:


Add the call [!Session_Info!] to the bottom of any document on the front end of your site. Whenever you are logged in as a webuser, it will print out all the $_SESSION. (note that if you are logged in as a manager, it will print those too, but only if you are logged as a webuser.)

I’ve solved the problem, but I still don’t understand it.
My test script using the modxapi library was this:

In this case my script was in a subdirectory. The custom snippet and database query worked as expected, but the $_SESSION array was empty.

Placing the same script in the root directory (only changing ’../modxapi.php’ to ’./modxapi.php’) and $_SESSION now contains the webInternalKey, webShortname, etc as I wanted.

So the solution was simply to move the script into the root directory (no idea why!)

Because PHP sessions cookies are identified by a domain and path; so they are only valid for the path specified, and scripts in each path that have a session cookie are in control of their own unique session data.

Indeed.

I had a problem where i’d allow a user to edit some of her/his details on the web site. Displaying the user’s data worked just fine,
however posting the data would ( for some users) result in loss of their session data.

Took several hours to hunt the problem down ( didn’t occur on my end, so happy hunting ) Turned out i had the ’edit my data’
form post to mysite.com whereas the users suffering from ’the bug’ were entering using www.mysite.com.

Posting this just to save others the frustration when running into the same problem. Always post to the exact same url as the
one used by the visitor when he/she logged in.

I’m gonna stick an icepick into my eye for a while now...