BABYLON.SceneLoader.Load restarts my session :(

[ozRocker]

I've been trying to build a contact form on my website which uses tokens to authenticate its origin.  It broke when I added a Babylon.js scene.  The original session did not match the session from the contact form. Through the process of elimination I discovered that the call BABYLON.SceneLoader.Load creates a completely new session on completion.  Is there a way to stop Babylon.js from changing the session?

[GameMonetize]

Hello...I'm not sure to understand. Load only initiates a XHR

[ozRocker]

45 minutes ago, Deltakosh said:

Hello...I'm not sure to understand. Load only initiates a XHR

I have two files: session1.php and session2.php and I use those to compare the session.

 

session1.php - this is the web page that I will bring up on the browser

<?php
    session_start();
    $token = md5(uniqid(microtime(), true));  
    $_SESSION['token'] = $token; 
?>
<html>
    <head>
        <script src="lib/jquery-latest.min.js"></script>
        <script src="lib/babylon.2.3.core.js"></script>
        <script type="text/javascript">
            console.log("Token from session1.php: <?=$token?>");
            function ajax(title) {
                $.get("session2.php", function(data) {
                    console.log(title+" - Token from session2.php: "+data);
                });            
            }
        </script>            
    </head>
    <body>
        <canvas id="canvas"></canvas>
        <script type="text/javascript">
            var canvas = document.getElementById("canvas");
            var engine = new BABYLON.Engine(canvas, true);
            
            ajax("Before load");
            BABYLON.SceneLoader.Load("title/3D/", "title.babylon", engine, function (newScene) {        
                ajax("After load");
            });
    </script>
    </body>
</html>

session2.php - this is to be called via AJAX

<?php
    session_start();
    echo $_SESSION['token'];
?>

When I run session1.php my console output is this:

Token from session1.php: 1f5d4d890ef757cede71f6f31f8a9f6b
BJS - [02:21:16]: Babylon.js engine (v2.3.0) launched
Before load - Token from session2.php: 1f5d4d890ef757cede71f6f31f8a9f6b
After load - Token from session2.php: fd337e15839258c22c937a6cd79ac02d

 

Something happens in SceneLoader.Load that restarts the session.

 

[Dad72]

You can try adding a condition that checks if the $_SESSION[ 'token'] is not created. if it is, it does not recreate.

<?php
    session_start();
    $token = md5(uniqid(microtime(), true));  
    if($_SESSION['token'] == false) $_SESSION['token'] = $token; 
?>

I think XHR reloads the page and thus recreate the session

[ozRocker]

7 hours ago, Dad72 said:

You can try adding a condition that checks if the $_SESSION[ 'token'] is not created. if it is, it does not recreate.

<?php
    session_start();
    $token = md5(uniqid(microtime(), true));  
    if($_SESSION['token'] == false) $_SESSION['token'] = $token; 
?>

I think XHR reloads the page and thus recreate the session

That doesn't do anything because its irrelevant where the initial session key came from.

XHR itself shouldn't reload the page or change the session (hence DeltaKosh's confusion).  The jquery function $.get() that I'm calling above is XHR.  I can call that a hundred times and it won't change the session.  There has to be some code in SceneLoader.Load that's changing the session.

[GameMonetize]

I'm not used to php but I can guarantee you that we are only doing XHR calls in Load function:

https://github.com/BabylonJS/Babylon.js/blob/master/src/Tools/babylon.tools.ts#L340

[ozRocker]

1 hour ago, Deltakosh said:

I'm not used to php but I can guarantee you that we are only doing XHR calls in Load function:

https://github.com/BabylonJS/Babylon.js/blob/master/src/Tools/babylon.tools.ts#L340

How do I include the babylon.tools.ts or babylon.tools.js file in my project so I can try and isolate the problem?  What other files do I need to include?

[ozRocker]

Actually, don't worry about it.  A PHP session is just a cookie called PHPSESSID.  What I did was manually create my own cookie called sessionID and used that.  It works.

session1.php

<?php
    session_start();
    $token = md5(uniqid(microtime(), true));  
    setcookie("sessionID",$token);
?>

session2.php

<?php
    session_start();
    echo $_COOKIE['sessionID'];
?>

My "contact form sent from website instead of hacker" verification now works.  YAY!

[Dad72]

I have never had a problem with the $_SESSION PHP, but I always use it on the inside of a condition, such as for example login form with a redirect. I already use session with Babylon, and I have not seen this problem change sesssion

In your $ .get function, it is because the page is called session2.php. This page does not change the SESSION, so no problem with the XMLHTTPREQUEST. As against the SceneLoader.Load function is called on the same page as the creation of the Session and therefore XMLHTTPREQUEST called page itself and recreate the session.

I am pretty sure that with a condition on the creation of the Session the problem was resolved. But maybe he should destroy the session manually with session_destroy () on a page other before testing.

If you want to secure COOKIES:

$delais = time() + 365*24*3600;
setcookie('pseudo', $token, $delais, null, null, false, true);

and this is no longer necessary with the use of COOKIE:

session_start ();

[ozRocker]

11 hours ago, Dad72 said:

I have never had a problem with the $_SESSION PHP, but I always use it on the inside of a condition, such as for example login form with a redirect. I already use session with Babylon, and I have not seen this problem change sesssion

Thank you for your help Dad72 I think this is a PHP problem, or maybe a problem with the way I have PHP configured.  I can't see why Babylon.js would have anything to do with a cookie called PHPSESSID.  Chances are no one else is having his problem and its just me