How to secure sessions?



auriaks
03-30-2010, 08:35 AM
Hey,
I had problems with malicious this week, so I want to ask for help.

I have a session like this (this works when correct information is entered):


$password = md5($_POST['password']);
$nick = $_POST['nick'];

$password = mysql_real_escape_string($password);
$nick = mysql_real_escape_string($nick);
$nick = strtolower($nick);

$q = mysql_query("SELECT * FROM reg_users WHERE nick='$nick' AND password='$password'") or die(mysql_error());
$r = mysql_fetch_array( $q ) or die(mysql_error());


session_start();
$_SESSION['nick'] = $nick;
$_SESSION['password'] = $password;
$_SESSION['authID'] = $r['id'];


and this script on each safe page:


<?php
$IP = $_SERVER['REMOTE_ADDR'];
session_start(); // begin session

if(isset($_SESSION['authID'])) {
include $_SERVER['DOCUMENT_ROOT'] . '/game/reg_conn/db_conn.php';
$dates = date("Y-m-d");
$times = date("H:i:s");
$upnick = $_SESSION['nick'];
$quer = mysql_query("SELECT * FROM players WHERE nikas='$upnick'");
if (mysql_num_rows($quer) > 0) {header("Location: index.php");} else {header("Location: register.php");}
} else {
header("Location: ../login.php"); // if user is not logged in.
}
?>

How can I improve this security, or is it good enough?

Fumigator
03-30-2010, 04:08 PM
Make sure you kill the script right after the header() call. That header() call doesn't end the script automatically.

sitNsmile
03-30-2010, 07:18 PM
Since you are placing this on "all" pages, your best bet is to use functions, in case you change the code later; it makes things much easier to manage.


At the top of "all pages" place



<?php
session_start(); // begin session
$USERIP = $_SERVER['REMOTE_ADDR'];
$userSession = $_SESSION['nick'];
include ('functions.php');
checkUser($USERIP,$userSession);
?>


and make a new PHP page called whatever you like, e.g. "functions.php".
You can also use the functions page for other stuff, but I'm just showing an example; it should make things easier for you to call the check from a function.

Not tested, but that's more or less the way I would do it.

function checkUser($USERIP,$userSession){

if(isset($_SESSION['authID'])) {

include $_SERVER['DOCUMENT_ROOT'] . '/game/reg_conn/db_conn.php';
$dates = date("Y-m-d"); $times = date("H:i:s");

$quer = mysql_query("SELECT * FROM players WHERE nikas='$userSession'");

if (mysql_num_rows($quer) > 0) {
header("Location: index.php"); // logged in user
} else {
header("Location: ./register.php"); //if user needs to make account
}

} else {
header("Location: ../login.php"); // if user is not logged in.
}

}

Sessions are okay for now, but at some point look into a "save logged in" option using cookies as well; I like not having to re-login when I'm the only one on my computer. (That would just be an easy input check box.)
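Putting Fumigator's point (exit right after header()) and sitNsmile's suggestion (one function included on every protected page) together, here is an added example guard that is not code from any poster in this thread. It assumes the same $_SESSION keys the thread uses ('authID', 'nick'), a hypothetical requireLogin() name, and PHP 7.3+ for the array form of session_set_cookie_params(); it also returns to the calling page instead of redirecting logged-in users to index.php, which would loop forever if the guard were used on index.php itself.

```php
<?php
// Added example (not posted by anyone in this thread): a reusable login guard
// for the top of every protected page. Assumes $_SESSION['authID'] is set at
// login as in the original post; requireLogin() is a hypothetical name.

function requireLogin(string $loginUrl = '/login.php'): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Restrictive cookie flags must be set before the session starts.
        session_set_cookie_params([
            'httponly' => true,                      // not readable from JavaScript
            'secure'   => !empty($_SERVER['HTTPS']), // only over TLS when available
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    if (empty($_SESSION['authID'])) {
        // Redirect and STOP. header() alone does not end the script, so the
        // rest of the protected page would still run and be sent to the client.
        header('Location: ' . $loginUrl);
        exit;
    }

    // Rotate the session id once after login so an id that existed before
    // authentication cannot be reused (session fixation).
    if (empty($_SESSION['id_rotated'])) {
        session_regenerate_id(true);
        $_SESSION['id_rotated'] = true;
    }

    // Hand the user id back to the page; no redirect for logged-in users,
    // so the guard is safe to use on index.php as well.
    return (int) $_SESSION['authID'];
}

// Usage at the top of each protected page (functions.php holds requireLogin):
// require __DIR__ . '/functions.php';
// $userId = requireLogin();
```

Only the user id and nick need to live in $_SESSION; the password hash stored by the original login script is not needed there once authID is set.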

MattF
03-30-2010, 07:30 PM
Hey,
I had problems with malicious this week, so I want to ask for help.


What was the problem related to?

auriaks
03-30-2010, 10:45 PM
They were logged in without actually logging in. I have an automatic list of IPs, nicks, times and dates of who comes to my site, and on that list I found some rows with only IPs.

That means someone hasn't started a session, so nick and other information couldn't get a value and they were empty...

About the functions:

I will include the first script in all my pages... and what do I have to do with the other script? Because the first one has a function from the second one :)
