...

View Full Version : Problem with Sessions



CurtWRC
03-06-2008, 12:57 PM
Hi,

I am having some problems with a login system. When the user enters their username and password, if the username/password is incorrect then they are given an error message. This works fine; however, when you choose the correct login details you are taken into the site but you are still asked to login. Below are some code snippets:


<?php
session_start();
// session_register() and the bare $login / $username_frm / $password_frm
// used below only work when register_globals is on (see the replies in
// this thread).
session_register("username");
session_register("password");
require_once("db_mysql.php");
$q = new DB_Sql;
if (isset($login)) {
    $sql = "select id from tbl_login where username='$username_frm' and password='$password_frm'";
    $q->query($sql);
    if ($q->next_record()) {
        $username = $username_frm;
        $password = $password_frm;
        header("Location: admin.php");
        exit();
    } else {
        header("Location: login.php?msg=Wrong+Username/Password");
        exit();
    }
}
?>


function validate($user, $pass) {
    if (!isset($user)) {
        header("Location: login.php?msg=Your+Session+has+expired");
        exit(); // stop here, otherwise the rest of the page still runs after the redirect header
    }
}


<?php
session_start();
require_once("db_mysql.php");
$username = $_SESSION['username'];
$password = $_SESSION['password'];
validate($username, $password);
include_once("top_header.php");
$q = new DB_Sql;
?>

Does this make any sense to anyone?

Cheers,
Curt.

_Aerospace_Eng_
03-06-2008, 01:59 PM
Where is $login defined? It looks like you are relying on register globals, which is a bad thing. Also, session_start(); needs to be at the top of every page that you want to use sessions in.

CurtWRC
03-06-2008, 02:18 PM
The site has been updated to PHP5 from PHP4 and that's what has caused the problem. Previously the site used to work perfectly.

CFMaBiSmAd
03-06-2008, 03:02 PM
This is not a php4 vs php5 problem. It is a php setting problem. The code relies on register globals being on and they are simply not turned on in the new configuration.

You could turn on register globals as a temporary measure to get the code to work while you rewrite it to work without register globals. Register globals have been eliminated in php6. You will need to rewrite your code to not rely on register globals sooner rather than later if you expect it to work at all under php6.


Sadly, register globals are a security risk and were a huge blunder. They allow external get/post/cookie data to replace session data in program variables that are set due to the register globals action. If I know the name of a program variable in your code that you expect to be set from a session variable, I can visit your code and set that to any value, simply by visiting a page that expects a session variable to be set without first visiting the page that sets it and putting a parameter on the end of the url that sets it to the value I want. So, if your code is a login system, I could easily log in as an administrator without much effort.

Register globals were turned off by default in php4.2 in the year 2002. That was nearly six years ago. No new code, tutorials, books... should have been written after that point in time that relied on register globals being on.

The time for everyone to upgrade their code to not rely on register globals has gone past.
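The attack CFMaBiSmAd describes, and the rewrite without register globals, as an added example that is not code from the thread. It targets PHP 7 or later and runs from the command line: emulate_register_globals() reproduces with extract() what the setting used to do implicitly, vulnerable_is_logged_in() is the admin.php pattern from the original post, and hardened_is_logged_in() / handle_login() are one way to write the same gate against $_POST and $_SESSION only. The $lookup callback, the user_id session key and the user table are assumptions standing in for the thread's DB_Sql query against tbl_login; all request data is constructed.

```php
<?php
// Added example, not code from the thread: emulates the register_globals
// behaviour described above, then shows the login gate written against
// $_POST/$_SESSION only. All request data below is constructed.

// What register_globals did: every key from the request superglobals became
// a plain PHP variable in the script's scope. extract() reproduces that here
// on purpose; the order (GET, POST, COOKIE, then SESSION) mirrors a typical
// variables_order, so a later source silently overwrites an earlier one.
function emulate_register_globals(array $get, array $post, array $cookie, array $session): array
{
    return array_merge($get, $post, $cookie, $session);
}

// The original admin.php pattern: "am I logged in?" is answered by asking
// whether a variable called $username exists. Under register_globals that
// variable can come from the URL just as easily as from the session.
function vulnerable_is_logged_in(array $globals): bool
{
    extract($globals);
    return isset($username);
}

// Hardened gate: only a server-side session value written by the login
// handler counts. Nothing the client sends is consulted.
function hardened_is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Hardened login handler: reads the form explicitly from $_POST, verifies the
// password against a stored hash, and records the login in $_SESSION.
// $lookup is a hypothetical stand-in for the database query; in real code it
// would be a prepared statement against tbl_login.
function handle_login(array $post, array &$session, callable $lookup): bool
{
    if (!isset($post['login'], $post['username_frm'], $post['password_frm'])) {
        return false;
    }
    $row = $lookup((string) $post['username_frm']);
    if ($row === null || !password_verify((string) $post['password_frm'], $row['hash'])) {
        return false;
    }
    // In a real web request also call session_regenerate_id(true) here so an
    // attacker cannot fixate the session id before the login.
    $session['user_id']  = $row['id'];
    $session['username'] = (string) $post['username_frm'];
    return true;
}

// ---- Demonstration with constructed data ----
$users  = ['admin' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$lookup = function (string $name) use ($users) { return $users[$name] ?? null; };

// 1. An attacker who never logged in appends ?username=admin to admin.php.
$globals = emulate_register_globals(['username' => 'admin'], [], [], []);
var_dump(vulnerable_is_logged_in($globals));
var_dump(hardened_is_logged_in([]));

// 2. Wrong password: the hardened handler refuses and the session stays empty.
$session = [];
var_dump(handle_login(['login' => '1', 'username_frm' => 'admin', 'password_frm' => 'guess'], $session, $lookup));
var_dump(hardened_is_logged_in($session));

// 3. Correct password: the session now carries the proof of login.
var_dump(handle_login(['login' => '1', 'username_frm' => 'admin', 'password_frm' => 'correct horse'], $session, $lookup));
var_dump(hardened_is_logged_in($session));
```

Case 1 is the point of the post above: with a URL parameter alone, the register_globals-style gate treats the request as logged in while the session-only gate refuses it. Cases 2 and 3 show that the hardened handler is the only code path that can put user_id into the session, so the gate cannot be satisfied by anything the client controls.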

CurtWRC
03-06-2008, 03:10 PM
Thanks CFMaBiSmAd, that's a great help.


