
Some confusion getting started with sessions



mothra
09-21-2003, 07:57 PM
I'm just learning PHP and have a few questions on sessions:

From the manual...
// Use of $_SESSION is preferred, as of PHP 4.1.0
$_SESSION["zim"] = "An invader from another planet.";

In the above it appears this is creating an element in the $_SESSION global array called "zim".

What is the purpose of doing this? And why is it equated to a string?

I need to create a login, and a validation script for all pages requiring the user to be logged in. This is what I *think* I need to do, but I'm not sure exactly how to get there:

1. User logs in, username and pw are checked against my database. If all is ok then a flag is stored in the session indicating they are signed in, and their IP is stored in the session to check against hijacking.
2. When accessing various pages their session info is checked to see if they are signed in, and their IP is checked to make sure it has not changed.

I'm not really clear on how to assign sessions to users and how to know which session to check when a user tries to access a page. Maybe the session id, but again I don't really know how to make use of it. Any help would be appreciated.

M.

raf
09-21-2003, 09:22 PM
For each new user, a session is started automatically (unless you change the session.auto_start setting). So you don't actually 'assign them'.

By placing session_start() in your script, you can access the session variables, which from there on is just like accessing variables from the other collections.
You create a new session variable and assign a value to it like this
$_SESSION['var'] = $var;
or
$_SESSION['var'] = "dedede";

The purpose? Well, to create a variable and store a string value in it, so that this value can easily be retrieved during the session --> to "maintain state".

And get the value of a session variable like
$var = $_SESSION['var'];

Your planned security check is OK, until you have two users with the same IP because they are behind the same proxy. This handy script (from Morgoth http://www.hackthissite.org/readarticle.php?id=44 ) has this little extra to try to avoid proxy server forwarding masking the real IP.

To do the check, you just do


if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    // Header added by a forwarding proxy; it arrives from the client side,
    // so it can carry any value the sender chooses.
    $UserIP = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $UserIP = $_SERVER["REMOTE_ADDR"];
}

session_start();
if (isset($_SESSION['IPuser']) && $_SESSION['IPuser'] == $UserIP) {
    // go ahead: serve the protected page
} else {
    // redirect to the login page or so
    header('Location: login.php');
    exit;
}


More info : http://be.php.net/session
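A worked version of the login flag and the per-page check being discussed, as an added example that is not code from any poster in this thread; it assumes a users table with username and password_hash columns, a placeholder database DSN, and page names login.html and members.php:

```php
<?php
// auth.php (added example, not code from the thread). Assumes a users table
// with columns username and password_hash (hashes made with password_hash()).

// Called from the login form handler. Returns true and marks the session
// as signed in when the credentials match.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id at login, so an id the browser held before
    // authenticating is not the one that now carries the signed-in flag.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;                    // the flag mothra asked about
    $_SESSION['username']  = $row['username'];
    $_SESSION['IPuser']    = $_SERVER['REMOTE_ADDR']; // set by the server, not by a header
    return true;
}

// require_once'd at the top of every protected page: sends anyone who is not
// signed in (or whose IP changed, when $bindIp is true) to the login page.
function require_login(bool $bindIp = true): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.html');
        exit;
    }
    // Optional IP binding: drop the session rather than let the request through.
    // Pass $bindIp = false for users whose IP changes between requests.
    if ($bindIp && ($_SESSION['IPuser'] ?? '') !== $_SERVER['REMOTE_ADDR']) {
        session_unset();
        session_destroy();
        header('Location: /login.html?reason=ip');
        exit;
    }
}

// Usage in login.php (placeholder DSN):
//   session_start();
//   $db = new PDO('sqlite:/path/to/app.db');
//   if (login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: /members.php'); exit;
//   }
// Usage in members.php:
//   session_start(); require_once 'auth.php'; require_login();
```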

Ökii
09-22-2003, 11:00 AM
Using IPs is not a very grand idea, as a few ISPs send every request from a different IP number (AOL is the main big ISP who does that), so testing the last page's IP would fail every time.

---------------------

The session of a particular user is (short of hacking) unique to that user - calling session_start() will access only that session and no other.
Basically each session has an id reference which is ported between pages - either sent as a cookie and retrieved, or appended to the url (sometimes transparently) - this id is then used to access a file stored on the server (generally in /tmp/) which holds all the var=val pairs.

So, you don't need to do anything to assure that the user gets the right session each time, php does that automatically.

raf
09-22-2003, 01:28 PM
I didn't know that.

The most dynamic IP system I knew of was assigning a new IP each time you connect to the web, not for each request. It seems that even opening a new browser window generates a new IP for this new window with AOL.

Lucky for me, I don't think there is an ISP here that uses such a system, and I only used IP based security for local businesses.

Acecool
09-22-2003, 02:56 PM
What about proxies? What about "spoofing an IP"...

Spookster
09-22-2003, 03:03 PM
I didn't know that either. Just another reason added to my long list of reasons to dislike AOL.

My place of work does that also. They have three servers using 3 IPs and each request goes through one of the 3. It gets very annoying at times when applications use IP checking because that really screws it up. InvisionBoard uses IP checking for administration so trying to change settings from work is a real pain because I have to keep clicking links until the correct IP gets sent out.

mothra
09-22-2003, 03:27 PM
I think I'm getting the idea. I was under the impression that the sessions had to be managed, and that creating a 'session' variable was equivalent to creating a new session.

If I'm understanding correctly, the session variables are just any data that I want to maintain and/or modify across multiple pages.

I wasn't aware of the AOL IP issue. (I wonder if they keep logs of every request sent... crazy). In light of that, what would be a recommended way to check that the session has not been corrupted? I'm running everything through SSL and none of the data is extremely sensitive in the first place, but I'd like to increase security where possible.

Thanks again...

raf
09-22-2003, 08:10 PM
Originally posted by Acecool
What about proxies? What about "spoofing an IP"...
In both cases the IP will normally be the same during the session.
If someone changes his IP while having an active session, then he will lock himself out. If he changes his IP to that of an active session, then he still has to steal the cookie or SID.

The problem with proxies is that two users could have the same IP, which you can try to counter with Morgoth's script.

But the AOL or the 3 server situation of Spookster is a real problem... It will result in "you need to have cookies enabled to enter this site", so I guess I will be writing a two-page validation script that first stores the IP in a cookie and sends it to the client, then redirects with the IP in the query string, and tries to read the cookie.
If the cookie isn't set, then the IP value inside the query string needs to be the same as his 'new' IP. In the AOL case this won't be the case, so I'll print a "you need to enable cookies" error.
If the cookie was set and the IP inside the cookie is the same as the 'new' IP, then there is no problem.
If the cookie was set and the IP was changed, then there is no problem, but identification will only be done using server variables and no IP checking.


In light of that, what would be a recommended way to check that the session has not been corrupted? I'm running everything through SSL and none of the data is extremely sensitive in the first place, but I'd like to increase security where possible

SSL provides client authentication http://www-10.lotus.com/ldd/today.nsf/8a6d147cf55a7fd385256658007aacf1/5abbf9afca963758852565b6006d9285?OpenDocument
(i wonder if that link will work ...)
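The two-step cookie/IP test raf sketches above, carried through as an added example written for this thread rather than taken from it; the file name ipcheck.php, the cookie name probe_ip and the $_SESSION['ip_check'] policy flag are assumed names:

```php
<?php
// ipcheck.php (added example of the two-step test described above; not code
// from the thread). Assumed names: this file, cookie probe_ip, $_SESSION['ip_check'].
session_start();
$ip = $_SERVER['REMOTE_ADDR'];   // set by the server for this request

if (!isset($_GET['ip'])) {
    // Step 1: store the IP in a short-lived cookie and redirect to ourselves
    // with the same IP in the query string.
    setcookie('probe_ip', $ip, time() + 300, '/', '', false, true);
    header('Location: ipcheck.php?ip=' . urlencode($ip));
    exit;
}

// Step 2: back from the redirect. Compare cookie, query string and current IP.
$cookieIp = $_COOKIE['probe_ip'] ?? null;
$queryIp  = $_GET['ip'];

if ($cookieIp === null) {
    // No cookie came back, so cookies are off. The query string still tells
    // us whether the IP is stable (plain "cookies disabled") or rotating per
    // request (the AOL case, where an IP check could not work either).
    $why = ($queryIp === $ip) ? 'cookies are disabled' : 'your address changes per request';
    http_response_code(403);
    echo 'You need to enable cookies to use this site (' . htmlspecialchars($why) . ').';
    exit;
}

if ($cookieIp === $ip) {
    // Cookie present and IP unchanged: this session can be bound to the IP.
    $_SESSION['ip_check'] = 'strict';
} else {
    // Cookie present but IP changed (rotating proxy): rely on the session
    // cookie alone and skip IP comparisons for this session.
    $_SESSION['ip_check'] = 'none';
}
$_SESSION['IPuser'] = $ip;
setcookie('probe_ip', '', time() - 3600, '/');   // probe cookie no longer needed
header('Location: /login.html');
exit;
```

The probe cookie is sent by the client, so its value only decides whether IP checks are used for this session; it is not itself proof of anything.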

mothra
09-22-2003, 10:08 PM
interesting link...
