
View Full Version : Login script help



four0four
01-15-2010, 05:23 AM
I'm creating a basic login script that redirects a user based on whether they've paid or not.

For example, when a user logs in it checks their status from the database and if the status shows "paid" it takes them to the member's area, and if the status shows "unpaid" it takes them to a payment page.

My question is how do I properly (and securely) create sessions to accomplish this?

Would I just create a new session when a paid user logs in with:



$_SESSION['paid'] = $token1;


And for unpaid users that try to log in create a new session with:



$_SESSION['unpaid'] = $token2;


Thanks!

rfresh
01-15-2010, 06:00 AM
I would use one variable and just set its status to one or the other, such as



$_SESSION["paid_status"] = 'paid';
// or
$_SESSION["paid_status"] = 'unpaid';


Then you can use it anywhere you need to check the paid status:



if ($_SESSION["paid_status"] == 'paid')
{
// do this paid or go here paid
}
else
{
// do this unpaid or go here unpaid
}

four0four
01-15-2010, 09:27 PM
I would use one variable and just set it's status to one or the other, such as



$_SESSION["paid_status"] = 'paid';
// or
$_SESSION["paid_status"] = 'unpaid';


Then you can use it anywhere you need to check the paid status:



if ($_SESSION["paid_status"] == 'paid')
{
// do this paid or go here paid
}
else
{
// do this unpaid or go here unpaid
}


Thanks! That works, but I'm using a hashed value for the session data.

For example, I'm using the user agent and a random string to generate the session data:



$useragent = $_SERVER['HTTP_USER_AGENT'];

$random = 'some_random_string';

$token = hash('sha512',$useragent . $random);

$_SESSION['paid'] = $token;


How can I get this working?

Thanks!

ninnypants
01-15-2010, 10:57 PM
Why are you using hashed data? It doesn't really seem like you're using a hash to protect anything; it's most likely just making things harder for you.

Rowsdower!
01-15-2010, 11:03 PM
I'm confused. If $_SESSION['paid'] is based on a random value how do you plan to test it for being paid or unpaid?

four0four
01-15-2010, 11:49 PM
I'm probably doing this all backwards, so please, I'm open to all suggestions. :)

@ninnypants The only reason I'm hashing the session data is to make things harder to analyze. If I were to store a member's session data it would be in plain text, right? So an attacker could just take a look at how the session data is generated?

@Rowsdower! Well, when the user tries to log in it first checks their status and then sets the appropriate session and redirects to the member's area. The member's area checks for the correct session.


Now if I use the method that rfresh suggested:



$_SESSION["paid_status"] = 'paid';
// or
$_SESSION["paid_status"] = 'unpaid';


Wouldn't an attacker just be able to change the session data to "paid" and log in without paying?

ninnypants
01-16-2010, 01:32 AM
Most likely not, since the data is stored on your server. It's still a possibility, but not very likely. If you're trying to make it so that your sessions can't be hijacked, use the unique hash you were using for paid and unpaid and use it as a session identifier. You would store a copy of that hash in your database and in your session data, then compare the two when you're authenticating the user at the start of every page.

four0four
01-17-2010, 03:55 AM
Ok, I think I understand...

So use the unique hash as the session id? Like this?:



$useragent = $_SERVER['HTTP_USER_AGENT'];

$random = 'some_random_string';

$token = hash('sha512',$useragent . $random);

$_SESSION['$token'];


When I store the unique hash in my database, would I insert/update this hash each time the user logs in? Would it be easier to just compute the hash on each page and then compare?

How do you create sessions? Would you do this differently?

ninnypants
01-17-2010, 04:41 AM
Close, more like this:


$useragent = $_SERVER['HTTP_USER_AGENT'];

$random = 'some_random_string';

$token = hash('sha512',$useragent . $random);

$_SESSION['token'] = $token;

Then you would store $token in the database and check it against $_SESSION['token'] each time the user loads a protected page to make sure the user is who they say they are.
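Putting the thread's advice together, as an added example that is not code from any of the posters: the paid status lives only in server-side session data, a fresh random token (rather than a hash of the User-Agent, which is a client-supplied header and so adds no secrecy) is stored in both the session and the user's database row at login, and every protected page re-checks both. It assumes PHP 7.3+, an existing PDO connection in $pdo, and a hypothetical `users` table with `id`, `username`, `password_hash`, `paid_status` and `session_token` columns.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+, a PDO connection in $pdo,
// and a hypothetical `users` table: id, username, password_hash, paid_status, session_token.

function start_secure_session(): void {
    // Cookie-only session ID, HttpOnly and Secure; the browser never sees $_SESSION contents.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Login: verify the password, then bind a fresh random token to both the session and the DB row.
// Call start_secure_session() first.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash, paid_status FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // new session ID at login: defeats session fixation
    $token = bin2hex(random_bytes(32));        // unpredictable; not derived from client-controlled data
    $pdo->prepare('UPDATE users SET session_token = ? WHERE id = ?')->execute([$token, $user['id']]);
    $_SESSION['user_id']     = $user['id'];
    $_SESSION['token']       = $token;
    $_SESSION['paid_status'] = $user['paid_status']; // server-side only; the browser cannot edit it
    return true;
}

// Top of every protected page: confirm the session token still matches the DB row, and re-read
// paid_status from the DB so a payment (or a refund) takes effect without a new login.
function require_paid(PDO $pdo): void {
    if (empty($_SESSION['user_id']) || empty($_SESSION['token'])) {
        header('Location: /login.php'); exit;
    }
    $stmt = $pdo->prepare('SELECT paid_status, session_token FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals((string) $row['session_token'], $_SESSION['token'])) {
        session_unset(); session_destroy();    // mismatch: a newer login elsewhere, or tampering
        header('Location: /login.php'); exit;
    }
    if ($row['paid_status'] !== 'paid') {
        header('Location: /payment.php'); exit;
    }
}
```

Because a new login overwrites `session_token`, an older session for the same account stops validating on its next request, which is the per-page comparison ninnypants describes.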
