
Session Suggestions?



Crisp
03-05-2009, 01:40 AM
Hey.
I'm making it so that when you log in, it's a normal session (I already have it).
And when you log in to the ACP it is a different session. (Makes it harder to hack.)
And I was wondering if anyone knew what "kind" of session I should use for this.

I'm kind of stuck on this. It needs to be different from my login session, I know. But I mean, what else can I do? xD


Thanks.

kokjj87
03-05-2009, 04:41 AM
Perhaps you might want to change the session_id on each page request.
So when a hacker gets your session cookie id, it would also be quite useless, as you would have a new id on every request.


session_regenerate_id(TRUE); //put it after the session_start();

http://php.net/session_regenerate_id

masterofollies
03-05-2009, 05:07 AM
I didn't know you could hack a session. Never use cookies, they are hackable. But sessions? hmm

kokjj87
03-05-2009, 08:07 AM
A session is tied to the user cookie!
Most PHP sites store the 'session cookie' as PHPSESSID, which contains your session id.

Whenever you make a request to the server, your cookies are sent via the HTTP header to the server as well (that is why the server can read the cookie value).

When you are using sessions, the server would look for the user cookie, in my example PHPSESSID (can be changed in php.ini)... and see if there is a matching session in the tmp directory of the server. If there is, you are able to access the content of the session ($_SESSION).

So if a user manages to have the same 'session cookie' as you, he would be able to access the webpage with your privileges.

You can try it yourself too..
-create a login page (using sessions)..
-log in
-copy the cookie info
-open a different browser
-put the cookie info from the first browser into this one
-go to the login page (and you would be logged in!!)

RanK2007
03-07-2009, 03:03 PM
Hi, I am also using session based login but I don't want to store it in cookies.

I haven't made the session part yet but could someone take a look and see if I can make improvements. It's also important for me to not just store that the user is logged in but also a user role.

I would appreciate any help :)


<?php
require("config.inc.php");
$con = mysql_connect($DBhost,$DBusername,$DBpassw);
if (!$con)
{
die('Kan ikke koble til mysql: ' . mysql_error());
}
mysql_select_db($db, $con);
// SQL Setting: look up the user and join in the name of the role.
// The username comes from the form, so escape it before putting it in the query.
$sql = 'SELECT user_roles.role, username, password'
. ' FROM users, user_roles'
. ' WHERE users.username = "' . mysql_real_escape_string($_POST['username'], $con) . '" and users.role_id = user_roles.role_id';
$result = mysql_query($sql, $con);
// defaults in case no row matches the username
$role = $username = $password = null;
while($row = mysql_fetch_array($result))
{
// mysql_fetch_array keys are the bare column names, without the table prefix
$role = $row['role'];
$username = $row['username'];
$password = $row['password'];
}
if($password = $_POST['password']){
//SESSION START ETC
}
else{
echo "Login denied!";
}
mysql_close($con);

?>

kokjj87
03-07-2009, 04:06 PM
There is no choice: either the session id is stored in your cookie (default) or in your URL (not that safe)..

You are missing one equal sign: 1 equal sign is for assigning, 2 equal signs are for comparison


//wrong
if($password = $_POST['password']){
//correct
if($password == $_POST['password']){

this is how you use sessions

//Before you can use a session, you need to start it first
//to start a session, make sure it is before any output
session_start();

//to assign a value to the session (only after the password check passes)
if($password == $_POST['password'])
{
$_SESSION['login'] = true;
}

//to check for a value in the session
//isset() avoids a notice when the user has never logged in
if(isset($_SESSION['login']) && $_SESSION['login'] == true)
{
echo "You are login";
}
else
{
echo "You are not login";
}
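A worked example, added here and not posted by anyone in the thread, that pulls together what was asked and suggested above: a separate session (different cookie name and path) for the ACP as Crisp wanted, session_regenerate_id() on successful login as kokjj87 suggested, a real `==`/`===` comparison instead of an assignment, and the user's role kept in $_SESSION as RanK2007 needs. The cookie names, the `/acp` path, the `$users` array and the use of password_verify() are all assumptions of this example, not something the thread states.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (array form of
// session_set_cookie_params) and that the ACP lives under /acp.

// Start whichever session belongs to the area being served. Different
// session names mean different cookies, and restricting the ACP cookie's
// path means the browser never sends it with ordinary page requests.
function start_area_session(string $area): void
{
    if ($area === 'acp') {
        session_name('ACPSESSID');                     // assumed cookie name
        session_set_cookie_params([
            'path' => '/acp', 'httponly' => true, 'secure' => true, 'samesite' => 'Strict',
        ]);
    } else {
        session_name('PHPSESSID');                     // PHP's default name
        session_set_cookie_params([
            'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
        ]);
    }
    session_start();
}

// Check the credentials and, on success, issue a fresh session id and store
// the login flag plus the role. $users is a constructed stand-in for the
// users/user_roles tables in RanK2007's post: username => [hash, role].
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() compares against a stored hash in constant time;
    // note the function returns a bool, so there is no "=" vs "==" trap.
    if (!password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // New id at the moment privileges change: any id the browser carried
    // before login (which could have been handed to it by someone else) is
    // discarded and its old session file deleted.
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['user']  = $username;
    $_SESSION['role']  = $users[$username]['role'];
    return true;
}

// Page guard: logged in AND holding the required role. Returns a bool so the
// caller decides whether to render or to send a 403.
function require_role(string $role): bool
{
    return !empty($_SESSION['login'])
        && isset($_SESSION['role'])
        && $_SESSION['role'] === $role;
}

// Usage in /acp/login.php (assumed path):
//   start_area_session('acp');
//   $users = ['alice' => ['hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'role' => 'admin']];
//   if (!login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) { echo "Login denied!"; exit; }
// and at the top of every other ACP page:
//   start_area_session('acp');
//   if (!require_role('admin')) { http_response_code(403); exit; }
```

The two sessions are independent because session_name() selects which cookie PHP reads, so a user's ordinary PHPSESSID never grants anything under /acp. Regenerating on login rather than on every request keeps the hijack window small without breaking users who open two tabs at once.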

RanK2007
03-08-2009, 04:52 PM
Thanks for your reply.

What about storing the session id in a db? And making a function to check if the session id is the same; you could even store the session id hashed with md5 or sha1. Then you could call that function whenever the user makes a request for a page?

kokjj87
03-08-2009, 05:29 PM
Storing the session in the database is very easy, take a look here:
http://php.net/session-set-save-handler
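An example of that save-handler approach, added here and not part of the thread or of the php.net page linked: a SessionHandlerInterface implementation that keeps session data in a database, keyed by sha1() of the session id as RanK2007 proposed, so a copy of the table does not hand out usable cookie values. The in-memory SQLite database, the `sessions` table layout and the PHP 8 return types are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 and PDO with the
// sqlite driver; "INSERT OR REPLACE" is SQLite syntax (use an upsert for
// other engines).

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // constructed table: hashed id, serialized $_SESSION, last activity
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id_hash   TEXT PRIMARY KEY,
            data      TEXT NOT NULL,
            last_seen INTEGER NOT NULL)');
    }

    // The raw id never reaches the table; only its hash is stored and looked
    // up. A fast hash is fine here because the id itself is random and long,
    // unlike a password.
    private static function key(string $id): string
    {
        return sha1($id);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id_hash = ?');
        $st->execute([self::key($id)]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';      // '' means "no such session yet"
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id_hash, data, last_seen) VALUES (?, ?, ?)');
        return $st->execute([self::key($id), $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id_hash = ?');
        return $st->execute([self::key($id)]);
    }

    // Garbage collection: PHP calls this with session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Wiring it up: must happen before session_start().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($db), true);
session_start();
$_SESSION['login'] = true;
session_write_close();   // forces write(): the row now exists under sha1(session_id())
```

Because the handler only ever sees the id PHP already validated from the cookie, the "function that checks the session id on every request" RanK2007 describes is exactly what read() does: a request with a cookie whose hash is not in the table simply gets an empty session.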



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum