Session Suggestions?

03-05-2009, 01:40 AM
I'm making it so that when you log in, it's a normal session (I already have it).
And when you log in to the ACP it is a different session. (Makes it harder to hack.)
And I was wondering if anyone knew what "kind" of session I should use for this.

I'm kind of stuck on this. It needs to be different from my login session, I know. But I mean, what else can I do? xD


03-05-2009, 04:41 AM
Perhaps you might want to change the session_id on each page request.
So when a hacker gets your session cookie id, it would also be quite useless, as you would have a new id on every request.

session_regenerate_id(TRUE); //put it after the session_start();


03-05-2009, 05:07 AM
I didn't know you can hack a session. Never use cookies they are hackable. But sessions? hmm

03-05-2009, 08:07 AM
A session is tied to the user's cookie!
Most PHP sites store the 'session cookie' as PHPSESSID, which contains your session id.

Whenever you make a request to the server, your cookies are sent via the HTTP header to the server as well (that is why the server can read the cookie value).

When you are using sessions, the server looks for the user's cookie, in my example PHPSESSID (the name can be changed in php.ini), and sees if there is a matching session in the tmp directory of the server. If there is, you are able to access the content of the session ($_SESSION).

So if a user manages to have the same 'session cookie' as you, he would be able to access the webpage with your privileges.

You can try it yourself too:
- create a login page (using a session)
- copy the cookie info
- open a different browser
- put the cookie info from the first browser into this one
- go to the login page (and you would be logged in!!)
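The cookie-copy test above works because the session id is the only thing tying a request to a session. As an added example (not code from any post in this thread), here is one way to set up the separate ACP session the original poster asked about and to make a copied ACP cookie less useful: a distinct cookie name scoped to the ACP path, strict mode so the server only honours ids it issued, a regenerated id on login, and an idle timeout. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that the ACP lives under /acp/, and that the site is served over HTTPS; the function names are the example's own.

```php
<?php
// Added example: hardened, separate admin-panel (ACP) session.
// Assumptions: PHP >= 7.3, ACP served from /acp/ over HTTPS.
declare(strict_types=1);

function start_acp_session(): void
{
    // A distinct cookie name and a path scoped to /acp/ keep the ACP id
    // separate from the normal PHPSESSID cookie; the rest of the site
    // never even receives it.
    session_name('ACPSESSID');
    session_set_cookie_params([
        'lifetime' => 0,          // discarded when the browser closes
        'path'     => '/acp/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript (document.cookie)
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_start();
}

function acp_login(string $username): void
{
    // New id on privilege change: an id captured or planted before login
    // is worthless afterwards. true also deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['acp_user']     = $username;
    $_SESSION['acp_login_at'] = time();
    // Weak but cheap: a replayed cookie from another client usually
    // arrives with a different User-Agent.
    $_SESSION['acp_ua_hash']  = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function acp_session_is_valid(int $max_idle = 900): bool
{
    if (empty($_SESSION['acp_user'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['acp_ua_hash'] ?? '', $ua)) {
        return false;
    }
    $last = $_SESSION['acp_last_seen'] ?? $_SESSION['acp_login_at'] ?? 0;
    if (time() - $last > $max_idle) {
        return false; // idle too long; force a fresh login
    }
    $_SESSION['acp_last_seen'] = time();
    return true;
}

function acp_logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of every /acp/ page (after authentication on login):
//   start_acp_session();
//   if (!acp_session_is_valid()) { acp_logout(); header('Location: /acp/login.php'); exit; }
```

The User-Agent check only catches careless replays; the controls that actually matter against the test in the post above are HttpOnly/Secure cookies, strict mode, and regenerating the id at login.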

03-07-2009, 03:03 PM
Hi, I am also using a session-based login but I don't want to store it in cookies.

I haven't made the session part yet, but could someone take a look and see if I can make improvements? It's also important for me to not just store that the user is logged in but also a user role.

I would appreciate any help :)

$con = mysql_connect($DBhost, $DBusername, $DBpassw);
if (!$con) {
    die('Cannot connect to MySQL: ' . mysql_error());
}
mysql_select_db($db, $con);
// SQL setting
// Note: $_POST['username'] is concatenated straight into the query, unescaped.
$sql = 'SELECT user_roles.role, username, password'
     . ' FROM users, user_roles'
     . ' WHERE users.username = "' . $_POST['username'] . '" AND users.role_id = user_roles.role_id';
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
    $role     = $row['role']; // mysql_fetch_array keys are the bare column names
    $username = $row['username'];
    $password = $row['password'];
}
if ($password = $_POST['password']) {
    echo "Login denied!";
}


03-07-2009, 04:06 PM
There is no choice: either the session id is stored in your cookie (default) or in your URL (not that safe).

You have one missing equals sign; 1 equals sign is for assigning, 2 equals signs are for comparison:

if($password = $_POST['password']){
if($password == $_POST['password']){

This is how you use a session:

// Before you can use a session, you need to start it first.
// To start a session, make sure this comes before any output.
session_start();

// To assign a value to the session
if ($password == $_POST['password']) {
    $_SESSION['login'] = true;
}

// To check for a value in the session
if (!empty($_SESSION['login']) && $_SESSION['login'] == true) {
    echo "You are logged in";
} else {
    echo "You are not logged in";
}
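The reply above shows the bare mechanics of $_SESSION; the earlier post also asked how to carry a user role. As an added example, not code from either poster, here is a login that looks the user up with a prepared statement, verifies a hashed password, and stores the role server-side in $_SESSION so the client can never supply it. It uses an in-memory SQLite database with constructed sample accounts so it runs offline; swap the DSN for your MySQL connection in practice. Function and column names are the example's own.

```php
<?php
// Added example: role-aware login with prepared statements and hashed passwords.
// Assumptions: PHP >= 7.1 with pdo_sqlite; table/column names are constructed.
declare(strict_types=1);

function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user_roles (role_id INTEGER PRIMARY KEY, role TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, role_id INTEGER NOT NULL)');
    $pdo->exec("INSERT INTO user_roles VALUES (1, 'admin'), (2, 'member')");
    // Constructed sample accounts; passwords are stored as password_hash() output.
    $ins = $pdo->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 2]);
    return $pdo;
}

// Returns the role name on success, null on failure. Unknown user and wrong
// password take the same path and produce the same result.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // A placeholder instead of string concatenation: the username travels as
    // data, so "' OR 1=1 --" is merely a username that does not exist.
    $stmt = $pdo->prepare(
        'SELECT u.password, r.role
           FROM users u JOIN user_roles r ON r.role_id = u.role_id
          WHERE u.username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['role'];
}

function login(PDO $pdo, string $username, string $password): bool
{
    $role = authenticate($pdo, $username, $password);
    if ($role === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new id on privilege change
    }
    $_SESSION['login'] = true;
    $_SESSION['user']  = $username;
    $_SESSION['role']  = $role;  // set only here, from the database
    return true;
}

function require_role(string $role): bool
{
    return !empty($_SESSION['login']) && ($_SESSION['role'] ?? null) === $role;
}

// Demo run from the CLI: no cookies involved, $_SESSION is a plain array here.
$_SESSION = [];
$pdo = db();
$checks = [
    login($pdo, 'alice', 'wrong')            === false,
    login($pdo, "' OR 1=1 --", 'x')          === false,
    login($pdo, 'bob', 'battery staple')     === true,
    require_role('admin')                    === false, // bob is a member
    login($pdo, 'alice', 'correct horse')    === true,
    require_role('admin')                    === true,
];
if (in_array(false, $checks, true)) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
echo "all checks passed\n";
```

In a real page the role check is a one-liner at the top of each protected script (if (!require_role('admin')) { ... deny ... }); the role is never read from a cookie, hidden form field or URL parameter.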

03-08-2009, 04:52 PM
Thanks for your reply.

What about storing the session id in a DB? And making a function to check if the session id is the same; you could even store the session id with md5 or sha1. Then you could call that function whenever the user makes a request for a page?

03-08-2009, 05:29 PM
To store the session in the database is very easy; take a look here:
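The link the reply points to is not on this page, so here is an added example (not from that link or from any post) of the idea the previous poster described: a database-backed session store registered through SessionHandlerInterface, keyed by sha256(session_id) so that a leaked copy of the table does not hand out usable session ids. It assumes PHP 8.0 or later and uses an in-memory SQLite database with a constructed table layout so it runs offline; the same code works against MySQL by changing the DSN (REPLACE INTO is supported by both). Class, table and column names are the example's own.

```php
<?php
// Added example: DB-backed session handler, table keyed by sha256 of the id.
// Assumptions: PHP >= 8.0, pdo_sqlite for the demo; table layout is constructed.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $ttl = 1800) {}

    // The raw id never reaches the database; only its hash is stored.
    private static function key(string $id): string
    {
        return hash('sha256', $id);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE id_hash = ? AND expires_at > ?');
        $stmt->execute([self::key($id), time()]);
        $data = $stmt->fetchColumn();
        // Unknown or expired id: '' makes PHP treat it as an empty session.
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO works on both MySQL and SQLite (insert or overwrite).
        $stmt = $this->pdo->prepare(
            'REPLACE INTO sessions (id_hash, data, expires_at) VALUES (?, ?, ?)');
        return $stmt->execute([self::key($id), $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id_hash = ?');
        return $stmt->execute([self::key($id)]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Constructed table; CHAR(64) holds the hex sha256 of the session id.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id_hash CHAR(64) PRIMARY KEY,
                                   data TEXT NOT NULL, expires_at INTEGER NOT NULL)');

$handler = new DbSessionHandler($pdo, 60);
// In a web request this is the only change: register the handler, then session_start().
session_set_save_handler($handler, true);

// Drive the handler directly with a constructed id and serialized session data.
$id   = 'abc123';
$data = 'login|b:1;role|s:5:"admin";';
$handler->write($id, $data);
$ok = $handler->read($id) === $data
   && $handler->read('not-a-real-id') === ''
   && $pdo->query('SELECT id_hash FROM sessions')->fetchColumn() === hash('sha256', $id);
$handler->destroy($id);
$ok = $ok && $handler->read($id) === '';
echo $ok ? "handler works\n" : "handler failed\n";
```

Because the lookup key is a hash, the check the poster asked about ("is this the same session id?") is just the SELECT in read(): PHP only gets data back if the presented id hashes to a stored, unexpired row. Keep session.use_strict_mode on as well, so an id that is not in the table is discarded rather than adopted.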