#1 (Regular Coder, joined Jun 2008)

    Login script help

    I'm creating a basic login script that redirects a user based on whether they've paid or not.

    For example, when a user logs in it checks their status from the database and if the status shows "paid" it takes them to the member's area, and if the status shows "unpaid" it takes them to a payment page.

    My question is how do I properly (and securely) create sessions to accomplish this?

    Would I just create a new session when a paid user logs in with:

    Code:
    $_SESSION['paid'] = $token1;
    And for unpaid users that try to log in create a new session with:

    Code:
    $_SESSION['unpaid'] = $token2;
    Thanks!

#2 (rfresh, Regular Coder, Los Angeles, joined Jun 2007)
    I would use one variable and just set its status to one or the other, such as

    PHP Code:
    $_SESSION["paid_status"] = 'paid';
    // or
    $_SESSION["paid_status"] = 'unpaid';
    Then you can use it anywhere you need to check the paid status:

    PHP Code:
    if ($_SESSION["paid_status"] == 'paid') {
        // do this paid or go here paid
    } else {
        // do this unpaid or go here unpaid
    }
    RalphF
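The single paid_status flag from the post above, wired into a complete login handler. This is an added example, not code from rfresh's post or the original poster: the users table (id, username, password_hash produced by password_hash(), paid_status), the in-memory SQLite database and the two demo accounts are constructed for the example and need the pdo_sqlite extension. The parts the thread does not mention but a practitioner would want are the prepared statement, password_verify(), a fresh session ID at login, and the cookie flags.

```php
<?php
// Added example, not code from the thread: rfresh's single paid_status flag
// wired into a complete login handler. The users table (id, username,
// password_hash from password_hash(), paid_status), the in-memory SQLite
// database and the two demo accounts are constructed for this example and
// need the pdo_sqlite extension; none of them come from the original posts.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                password_hash TEXT, paid_status TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash, paid_status) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'paid']);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 'unpaid']);
    return $pdo;
}

// Returns the page to redirect to on success, null on bad credentials.
function login(PDO $pdo, string $username, string $password): ?string
{
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash, paid_status FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;                      // same answer for unknown user and wrong password
    }

    // A fresh session ID at login defeats session fixation: an ID an attacker
    // planted in the victim's browser before login stops being valid.
    session_regenerate_id(true);

    $_SESSION['user_id']     = (int) $user['id'];
    $_SESSION['paid_status'] = $user['paid_status'] === 'paid' ? 'paid' : 'unpaid';

    return $_SESSION['paid_status'] === 'paid' ? '/members/' : '/payment.php';
}

// First line of every page under /members/.
function requirePaidMember(): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    if (($_SESSION['paid_status'] ?? 'unpaid') !== 'paid') {
        header('Location: /payment.php', true, 303);
        exit;
    }
}

// Cookie flags must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // script on the page cannot read the session ID
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

$pdo = openDemoDb();

// In the web handler $u and $p come from $_POST and a successful login ends
// with header('Location: ' . $target, true, 303); exit;. Here they are demo
// values, and the outcomes are collected first and printed afterwards.
$outcomes = [];
foreach ([['alice', 'correct horse'], ['bob', 'battery staple'], ['alice', 'wrong']] as [$u, $p]) {
    $outcomes[] = "$u: " . (login($pdo, $u, $p) ?? 'login failed');
}
echo implode("\n", $outcomes), "\n";
```

Run it from the command line: alice is sent to /members/, bob to /payment.php, and the wrong password for alice fails. The flag stored at login is only as fresh as the login; if a subscription can lapse mid-session, re-read paid_status from the database on each protected page instead of trusting the cached value.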

#3 (original poster)
    Quote Originally Posted by rfresh
    I would use one variable and just set its status to one or the other, such as

    PHP Code:
    $_SESSION["paid_status"] = 'paid';
    // or
    $_SESSION["paid_status"] = 'unpaid';
    Then you can use it anywhere you need to check the paid status.
    Thanks! That works, but I'm using a hashed value for the session data.

    For example, I'm using the user agent and a random string to generate the session data:

    Code:
    $useragent = $_SERVER['HTTP_USER_AGENT'];
    
    $random = 'some_random_string';
    
    $token = hash('sha512',$useragent . $random);
    
    $_SESSION['paid'] = $token;
    How can I get this working?

    Thanks!

#4 (ninnypants, Regular Coder, Utah, joined Apr 2008)
    Why are you using hashed data? It doesn't really seem like you're using a hash to protect anything, it's most likely just making things harder for you.

#5 (Rowsdower!, Senior Coder, joined Oct 2008)
    I'm confused. If $_SESSION['paid'] is based on a random value how do you plan to test it for being paid or unpaid?

#6 (original poster)
    I'm probably doing this all backwards, so please, I'm open to all suggestions.

    @ninnypants The only reason I'm hashing the session data is to make things harder to analyze. If I were to store a member's session data it would be in plain text, right? So an attacker could just take a look at how the session data is generated?

    @Rowsdower! Well, when the user tries to log in it first checks their status and then sets the appropriate session and redirects to the member's area. The member's area checks for the correct session.


    Now if I use the method that rfresh suggested:

    Code:
    $_SESSION["paid_status"] = 'paid'; 
    // or 
    $_SESSION["paid_status"] = 'unpaid';
    Wouldn't an attacker just be able to change the session data to "paid" and log in without paying?

#7 (ninnypants)
    Most likely not, since the data is stored on your server. It's still a possibility, but not very likely. If you're trying to make it so that your sessions can't be hijacked, use the unique hash you were using for paid and unpaid and use it as a session identifier. You would store a copy of that hash in your database and in your session data, then compare the two when you're authenticating the user at the start of every page.

#8 (original poster)
    Ok, I think I understand...

    So use the unique hash as the session id? Like this?:

    Code:
    $useragent = $_SERVER['HTTP_USER_AGENT'];
    
    $random = 'some_random_string';
    
    $token = hash('sha512',$useragent . $random);
    
    $_SESSION['$token'];
    When I store the unique hash in my database, would I insert/update this hash each time the user logs in? Would it be easier to just compute the hash on each page and then compare?

    How do you create sessions? Would you do this differently?

#9 (ninnypants)
    Close more like this
    PHP Code:
    $useragent = $_SERVER['HTTP_USER_AGENT'];

    $random = 'some_random_string';

    $token = hash('sha512', $useragent . $random);

    $_SESSION['token'] = $token;
    Then you would store $token in the database and check it against the $_SERVER['token'] each time the user loads a protected page to make sure the user is who they say they are.
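The "token in the session and in the database" check from the post above, as an added example that is not ninnypants's or the original poster's code, with three changes a practitioner would make. The random part is generated per login with random_bytes() (with a fixed string, every user on the same browser gets the same token, and anyone who knows the string and the User-Agent can compute it); the database keeps only a hash of the token, so a leaked table does not hand out live sessions; and the comparison uses hash_equals(). The users table (id, paid_status, session_token_hash), the in-memory SQLite database, the demo user and the User-Agent value are constructed for this example and need the pdo_sqlite extension.

```php
<?php
// Added example, not code from ninnypants's post or the original poster:
// the "token stored in the session and in the database" check, with a
// per-login random token, a hashed copy in the database, constant-time
// comparison, and the paid status re-read from the database on every
// request. The users table (id, paid_status, session_token_hash), the
// in-memory SQLite database and the demo user are constructed for this
// example and require the pdo_sqlite extension.

declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, paid_status TEXT, session_token_hash TEXT)');
    $pdo->exec("INSERT INTO users (id, paid_status) VALUES (1, 'paid')");
    return $pdo;
}

// Called once, right after the password check succeeds.
function issueSessionToken(PDO $pdo, int $userId): void
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, new on every login
    $stmt  = $pdo->prepare('UPDATE users SET session_token_hash = :h WHERE id = :id');
    $stmt->execute([':h' => hash('sha256', $token), ':id' => $userId]);

    session_regenerate_id(true);                 // new session ID at login (anti-fixation)
    $_SESSION['user_id'] = $userId;
    $_SESSION['token']   = $token;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// First thing on every protected page. Returns 'paid' or 'unpaid' for a
// valid session, null when the visitor must log in again.
function authenticate(PDO $pdo): ?string
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT paid_status, session_token_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['session_token_hash'] === null) {
        return null;                             // unknown user, or logged out elsewhere
    }
    // Constant-time compare of hash(session token) against the stored hash.
    if (!hash_equals($row['session_token_hash'], hash('sha256', $_SESSION['token']))) {
        return null;
    }
    // User-Agent binding as the thread suggests. Keep expectations low: whoever
    // stole the cookie can usually send the same User-Agent header as well.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)) {
        return null;
    }
    // Paid status comes from the database on every request rather than from
    // a flag cached in the session at login, so a lapsed payment takes effect
    // on the next page load.
    return $row['paid_status'] === 'paid' ? 'paid' : 'unpaid';
}

function logout(PDO $pdo): void
{
    if (isset($_SESSION['user_id'])) {
        // Clearing the stored hash invalidates every copy of the token.
        $stmt = $pdo->prepare('UPDATE users SET session_token_hash = NULL WHERE id = :id');
        $stmt->execute([':id' => $_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Demo run from the CLI with a constructed User-Agent.
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (demo browser)';
session_start();
$pdo = openDemoDb();

issueSessionToken($pdo, 1);
$results = [];
$results['valid session'] = authenticate($pdo);
$_SESSION['token'] = str_repeat('0', 64);        // forged or stale token
$results['forged token']  = authenticate($pdo);
logout($pdo);
$results['after logout']  = authenticate($pdo);

var_dump($results);
```

The first call returns 'paid', the forged token and the post-logout call both return null. Storing a hash of the token rather than the token itself is the same reasoning as for passwords: the database is not the place a live credential should sit in the clear. Note that with this design the session ID cookie is still what identifies the visitor; the token only lets the server revoke a session (logout, password change, refund) by clearing one column.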

