  1. #1  New Coder

    Session Suggestions?

    Hey.
    I'm making it so that when you login, it's a normal session (I already have it),
    and when you login to the ACP it is a different session. (Makes it harder to hack.)
    And I was wondering if anyone knew what "kind" of session I should use for this.

    I'm kind of stuck on this. It needs to be different than my login session, I know. But I mean, what else can I do? xD


    Thanks.

  • #2  kokjj87 (Regular Coder)
    Perhaps you might want to change the session_id on each page request.
    So if a hacker gets your session cookie id, it would also be quite useless, as you would have a new id on every request.

    PHP Code:
    session_regenerate_id(TRUE);  // put it after session_start();
    http://php.net/session_regenerate_id
    Last edited by kokjj87; 03-05-2009 at 03:44 AM.
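    One way to build the separate ACP session the original poster asked about, combining a distinct cookie name, cookie flags and the id regeneration suggested above. This is an added example, not code from this thread; verify_admin_credentials() is a hypothetical stand-in for your own credential check.

```php
<?php
// Added example (not code from the thread): a separate, hardened session for
// the admin control panel (ACP), distinct from the normal site login session.

function client_fingerprint()
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

function start_acp_session()
{
    // A different cookie name keeps the ACP id apart from PHPSESSID, so a leaked site cookie is useless for the ACP.
    session_name('ACPSESSID');
    // lifetime 0 = browser session; path limited to /acp/; Secure + HttpOnly
    session_set_cookie_params(0, '/acp/', '', true, true);
    session_start();
}

function acp_login($username, $password)
{
    start_acp_session();
    $user_id = verify_admin_credentials($username, $password); // hypothetical helper
    if ($user_id === false) {
        return false;
    }
    // Drop any pre-login data and issue a fresh id (defeats session fixation).
    $_SESSION = array();
    session_regenerate_id(true);
    $_SESSION['acp_user_id'] = $user_id;
    $_SESSION['acp_seen']    = time();
    $_SESSION['acp_fp']      = client_fingerprint();
    return true;
}

function require_acp_login($max_idle = 900)
{
    start_acp_session();
    $ok = isset($_SESSION['acp_user_id'], $_SESSION['acp_fp'], $_SESSION['acp_seen'])
        && $_SESSION['acp_fp'] === client_fingerprint()
        && (time() - $_SESSION['acp_seen']) < $max_idle;
    if (!$ok) {
        session_destroy();
        header('Location: /acp/login.php');
        exit;
    }
    $_SESSION['acp_seen'] = time(); // refresh the idle timer
    session_regenerate_id(true);    // new id per request, as suggested in the reply above
}
```

    Regenerating the id on every request can break a session when two requests from the same browser overlap (AJAX calls, several tabs), because the second one arrives with an id that was already deleted; regenerating at login and on any privilege change is the safer minimum.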

  • #3  Senior Coder
    I didn't know you can hack a session. Never use cookies, they are hackable. But sessions? Hmm.

  • #4  kokjj87 (Regular Coder)
    A session is tied to the user cookie!
    Most PHP sites store the 'session cookie' as PHPSESSID, which contains your session id.

    Whenever you make a request to the server, your cookies are sent via the HTTP header to the server as well (that is why the server can read the cookie value).

    When you are using a session, the server would look for the user cookie, in my example PHPSESSID (can be changed in the php.ini)... and see if there is a matching session in the tmp directory of the server. If there is, you are able to access the content of the session ($_SESSION).

    So if a user manages to have the same 'session cookie' as you, he would be able to access the webpage with your privileges.

    You can try it yourself too..
    - create a login page (using session)..
    - login
    - copy the cookie info
    - open a different browser
    - put the cookie info from the first browser into this one
    - go to the login page (and you would be logged in!!)

  • #5  New to the CF scene
    Hi, I am also using session based login but I don't want to store it in cookies.

    I haven't made the session part yet but could someone take a look and see if I can make improvements. It's also important for me to not just store that the user is logged in but also a user role.

    I would appreciate any help.

    PHP Code:
    <?php
    require("config.inc.php");
    $con = mysql_connect($DBhost, $DBusername, $DBpassw);
    if (!$con)
      {
      die('Kan ikke koble til mysql: ' . mysql_error());
      }
    mysql_select_db($db, $con);
    // SQL Setting
    // escape the user-supplied name so it cannot break out of the quoted string
    $sql = 'SELECT user_roles.role, username, password'
         . ' FROM users, user_roles'
         . ' WHERE users.username = "' . mysql_real_escape_string($_POST['username'], $con) . '" and users.role_id = user_roles.role_id';
    $result = mysql_query($sql);
    while($row = mysql_fetch_array($result))
      {
      $role     = $row['role'];      // mysql_fetch_array keys by column name, not table.column
      $username = $row['username'];
      $password = $row['password'];
      }
      if($password = $_POST['password']){   // single '=' assigns instead of comparing, see reply #6
      //SESSION START ETC
      }
      else{
      echo "Login denied!";
      }
    mysql_close($con);

    ?>
    Last edited by RanK2007; 03-07-2009 at 02:08 PM. Reason: Minor bug in script

  • #6  kokjj87 (Regular Coder)
    There is no choice, either the session id is stored in your cookie (default) or in your url (not that safe)..

    You have one missing equal sign, 1 equal sign is for assigning, 2 equal signs are for comparison
    PHP Code:
    //wrong
    if($password = $_POST['password']){
    //correct
    if($password == $_POST['password']){
    This is how you use sessions
    PHP Code:
    //Before you can use session, you need to start it first
    //to start a session, make sure it is before any output
    session_start();

    //to assign a value to session
    if($password == $_POST['password'])
    {
       $_SESSION['login'] = true;
    }

    //to check for a value in session (isset avoids a notice when the key is absent)
    if(isset($_SESSION['login']) && $_SESSION['login'] == true)
    {
       echo "You are login";
    }
    else
    {
       echo "You are not login";
    }
    Last edited by kokjj87; 03-07-2009 at 03:09 PM.

  • #7  New to the CF scene
    Thanks for your reply.

    What about storing the session id in a db? And making a function to check if the session id is the same; you could even store the session id with md5 or sha1. Then you could call that function whenever the user does a request for a site?

  • #8  kokjj87 (Regular Coder)
    To store the session in the database is very easy, take a look here:
    http://php.net/session-set-save-handler
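    An added example (not from this thread or the PHP manual) of the database-backed handler linked above, implementing the suggestion from reply #7 of storing only a hash of the session id so a leaked sessions table cannot be replayed as live cookies. It uses an in-memory SQLite database through PDO so it runs offline; a real DSN and MySQL upsert syntax are assumed in production.

```php
<?php
// Added example: session_set_save_handler() backed by a database table.
// Only sha256(session id) is stored, so the table alone gives no usable id.
// sqlite::memory: is a constructed stand-in for the production database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');

function sess_key($id) { return hash('sha256', $id); }

function sess_open($save_path, $name) { return true; }
function sess_close() { return true; }

function sess_read($id)
{
    global $pdo;
    $st = $pdo->prepare('SELECT data FROM sessions WHERE id_hash = ? AND expires > ?');
    $st->execute(array(sess_key($id), time()));
    $data = $st->fetchColumn();
    return $data === false ? '' : $data;   // PHP expects '' for a missing session
}

function sess_write($id, $data)
{
    global $pdo;
    $lifetime = (int) ini_get('session.gc_maxlifetime');
    // INSERT OR REPLACE is SQLite syntax; MySQL would use INSERT ... ON DUPLICATE KEY UPDATE
    $st = $pdo->prepare('INSERT OR REPLACE INTO sessions (id_hash, data, expires) VALUES (?, ?, ?)');
    return $st->execute(array(sess_key($id), $data, time() + $lifetime));
}

function sess_destroy($id)
{
    global $pdo;
    return $pdo->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute(array(sess_key($id)));
}

function sess_gc($maxlifetime)
{
    global $pdo;   // expiry is stored per row, so gc just sweeps anything already past it
    return $pdo->prepare('DELETE FROM sessions WHERE expires <= ?')->execute(array(time()));
}

session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc');
register_shutdown_function('session_write_close'); // flush before $pdo is torn down
session_start();
$_SESSION['login'] = true;
```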

