No announcement yet.

App with no security still requires php session cookie?

  • Filter
  • Time
  • Show
Clear All
new posts

  • App with no security still requires php session cookie?

    Here is an interesting issue I've not seen before...

    I have used cron jobs for many years for email notifications and other tasks in scriptcase. I do this using an application with no security on it and a GET variable that acts as a password. All has been good for several years.

    I've just tried to set one up now and scriptcase is just returning a Javascript redirect to the home page. True - if I use a different browser with no cookies, then on first hit I can't open the application directly - it redirects me to the login application. However, once the php session cookie it set, then on the 2nd try it can load the specific application with no security, etc.

    So it appears that a recent addition to SC now requires a php session cookie in order to load an application? Bit of a pain for running cron jobs.

    Has anyone else run into this?

  • #2
    I wrote the above while waiting for SC to update from 9.03.0010 to 9.03.0011.

    It's now fixed. I love undocumented bug fixes



    • #3
      Nope, still not working for me. Is anyone else having the same issue?


      • #4

        Not sure if this is the same issue or not but my project uses security. I have tried today to create an individual control app in the same project which has use security set to No. When I deploy the app to our webserver I receive a "Your session has expired" message.

        I'm using Scriptcase 9.3.012.

        I think that this may be a bug.




        • #5
          Quite possible. I am still having this issue myself. Is anyone else able to weigh in on what might be the issue?

          A fresh incognito session. Grid application with no security. First time its loaded directly by URL I am redirected to the login page. That sets the session cookie. Then the second time I load it directly by URL it works.

          I need this to work for a cron job!!


          • #6
            The session cookie has nothing to do with security. It is used to maintain data between transactions where you have variables bound to a session. In a cron you don't need sessions as you have no transactions that need to save data, but just a regular flow that ends. It is very likely that scriptcase uses a session start in every application. If that is the case report the issue to bugs at scriptcase dot net.
            Albert Drent
            aducom software netherlands
            scriptcase partner, reseller, support and (turn-key) development


            • #7
              I have been going nuts over this for about a week now. I just found this post so I am not alone. I too cannot get a blank form to accept parameters even without security - again it gives the session expiration error. On deeper examination I have found no way round it. I want to pass data from Wordpress to SC, like a purchase from an online store, but even a blank form requires a session before it starts running the PHP. So if you add session_start() in there, it get to it too late, the error is already thrown. Even the @ which is supposed to supress errors does not work. So if there is a $wp_data=[wp_data] which would normally work as a url parameter, it will fail. The reason why it works the after either hitting the OK key or a refresh is that it will set a session, but if you delete the cookies (so as to be in the state of a new user), it does not work. I tried a workaround, using a cookie, but again it will not read the cookie until the session is set so there is no way round it. The severity of this bug/oversight is beginning to dawn on me. I cannot connect Wordpress to SC!! I cannot automate any kind of SC login or user setup, I cannot update sales to SC, I cannot communicate with it until the user logs in . And no, you cannot do your crons at the moment. A huge setback for me. So please can we push SC developers to fix this. I can break out of SC into standalone PHP for most of my things, but a smooth user regsitration process with Wordpress and SC at the same time seems impossible at the moment.


              • #8
                aducom Yes I'm well aware of that, I was just pointing out the issue I was having and the apparent cause of it that I was seeing. Are you running cron jobs through SC grid applications at all? Any issues?
                charlesfairbairn I'm sorry but I didn't really follow all of that. It sounds like you want single sign on between WP and SC. In any case, you may want to open a new thread to discuss that.

                For now I have been able to fix the issue/bug by setting the security redirect field to the same application. This means that the first time it loads and fails, it redirects to itself (plus a session cookie now) and then SC allows it. Cron works again and I'm not happy but moving forward at least. I hope this helps someone else.


                • #9
                  Example: Using grid app with cron
                  Name of app: grid_report1


                  Use Security: No
                  Url output of the security: grid_report1
                  Enable direct call by URL: Yes


                  • #10
                    That could be a good tip rperrett. I will give it a go. In my case it was more to do with the fact that in redirecting to SC from anywhere when it is in an iframe itself (in my case WP) was a problem . The choice was either to always redirect to the login, which means a new login each time, or redirect to the menu, which means that the user needed to have logged in once recently so as to have a session. If I set up a blank app with no security to choose where to send the user (if there was a session or not) that would fail because it needed a session itself. In other words all my solutions o ended in the dreaded expired session error. I will try yours.


                    • #11
                      OK I have tried the suggestion but I could not get it to work...maybe I missed something. On a regular dev system (no Wordpress, no iFrame for SC) , if I create a blank app no security with a Url output to itself in security and used sc_redir(''menu) as the Executed Code, when I run it the first thing it throws is a an Unauthorized User error with an OK button. If I OK it I then get redirected to login (the menu has been set in security to redirect to login if not authorized). It is this first error and OK button I am trying to bypass ....I just want to go to Login if I have no session and menu if I do.
                      Last edited by charlesfairbairn; 07-22-2019, 02:15 AM.


                      • #12
                        Yeah, it was still causing me issues too. I found it to work sometimes and other times not. I have had a bug report open for a long time but they are going no where so I just bit the bullet today and wrote my own php wrapper.

                        The following script will call your login application first and save the php session cookies to a local file. Then it calls the real application using the cookies that were set in your login app. Just set this up on your server and then call this wrapper script from cron.

                        // Cron wrapper for scriptcase
                        // Usage: cron.php?appname=** name of app to call **&var1=123&var2=123
                        // Example: cron.php?appname=email_daily&send=1
                        // Author: Rob Perrett
                        // Version 1.0
                        // 19-08-2019
                        // The base URL of production
                        $base_url = "";
                        // Name of your login application
                        $login = $base_url . "login/login.php";
                        // Get the application name
                        if (empty($_GET["appname"])) die("No application name set");
                        $app_name = htmlspecialchars($_GET["appname"]);
                        // Get all incoming variables
                        $get_string = htmlspecialchars($_SERVER["QUERY_STRING"]);
                        $app_url = $base_url . $app_name . "/" . $app_name . ".php?".$get_string;
                        echo curl_download($login);
                        echo curl_download($app_url);
                        function curl_download($Url){
                          echo $Url;
                          $ch = curl_init();
                          curl_setopt($ch, CURLOPT_URL, $Url);
                          //curl_setopt($ch, CURLOPT_NOBODY, true);
                          curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
                          curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
                          $http_headers = array(
                                            'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2',
                                            'Accept: */*',
                                            'Accept-Language: en-us,en;q=0.5',
                                            'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
                                            'Connection: keep-alive'
                          curl_setopt($ch, CURLOPT_HEADER, true);
                          curl_setopt($ch, CURLOPT_HTTPHEADER, $http_headers);
                          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                          curl_setopt($ch, CURLOPT_TIMEOUT, 10);
                          //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
                          //curl_setopt($ch, CURLOPT_VERBOSE, true);
                          $response = curl_exec($ch);
                          $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
                          $header = substr($response, 0, $header_size);
                          $body = substr($response, $header_size);
                          return $body;


                        • #13
                          I did actually get to create a blank app that avoided security. You have to do 2 things. One, you need to obviously not select security in the blank app. But two, in the security section you need to ensure that the blank app is set to be not accessible. So no x in the box Access in the Group/Applications menu (in my case) or anywhere in the security menus I suspect. Leaving a blank app accessible in the "back end" overrides the fact that you hve not selected security in the blank app itself. You need both for it to avoid a security check.

                          Having said that, your code looks mighty interesting. I have cron working for me using my simpler method though. Regular as clockwork, 100% reliable.