  1. #1
    Regular Coder

    How to secure sessions?

    Hey,
    I had problems with malicious users this week, so I want to ask for help.

    I have a session like this (this works when the correct information is entered):
    PHP Code:
    $password = md5($_POST['password']);
    $nick = $_POST['nick'];

    $password = mysql_real_escape_string($password);
    $nick = mysql_real_escape_string($nick);
    $nick = strtolower($nick);

    $q = mysql_query("SELECT * FROM reg_users WHERE nick='$nick' AND password='$password'") or die(mysql_error());
    $r = mysql_fetch_array($q) or die(mysql_error()); // no matching row also ends the script here

    session_start();
    $_SESSION['nick'] = $nick;
    $_SESSION['password'] = $password;
    $_SESSION['authID'] = $r['id'];
    and this script on each protected page:
    PHP Code:
    <?php
    $IP = $_SERVER['REMOTE_ADDR'];
    session_start(); // begin session

    if (isset($_SESSION['authID'])) {
        include $_SERVER['DOCUMENT_ROOT'] . '/game/reg_conn/db_conn.php';
        $dates = date("Y-m-d");
        $times = date("H:i:s");
        $upnick = $_SESSION['nick'];
        $quer = mysql_query("SELECT * FROM players WHERE nikas='$upnick'");
        if (mysql_num_rows($quer) > 0) {
            header("Location: index.php");
        } else {
            header("Location: register.php");
        }
    } else {
        header("Location: ../login.php"); // if user is not logged in.
    }
    ?>

    How can I improve this security, or is it good enough?
    Last edited by auriaks; 03-30-2010 at 07:37 AM.

  • #2
    UE Antagonizer Fumigator's Avatar
    Make sure you kill the script right after the header() call. That header() call doesn't end the script automatically.

  • #3
    Regular Coder sitNsmile's Avatar
    Since you are placing this on "all" pages, your best bet is to use functions, in case you change the code later; it makes things much easier to manage.


    At the top of "all pages" place:

    PHP Code:
    <?php
    session_start(); // begin session
    $USERIP = $_SERVER['REMOTE_ADDR'];
    $userSession = $_SESSION['nick'];
    include('functions.php');
    checkUser($USERIP, $userSession);
    ?>
    and make a new PHP page called whatever you like, e.g. "functions.php".
    You can also use the functions page for other stuff; I'm just showing an example. It should make it easier for you to call the check from a function.

    -not tested, but that's roughly the way I would do it.
    PHP Code:
    function checkUser($USERIP, $userSession) {
        if (isset($_SESSION['authID'])) {
            include $_SERVER['DOCUMENT_ROOT'] . '/game/reg_conn/db_conn.php';
            $dates = date("Y-m-d");
            $times = date("H:i:s");
            $quer = mysql_query("SELECT * FROM players WHERE nikas='$userSession'");
            if (mysql_num_rows($quer) > 0) {
                header("Location: index.php"); // logged in user
            } else {
                header("Location: ./register.php"); // if user needs to make an account
            }
        } else {
            header("Location: ../login.php"); // if user is not logged in.
        }
    }


    Sessions are okay for now, but at some point look into a "stay logged in" option using cookies as well; I like it when I don't have to log in again when I'm the only one on my computer. (That would just be a simple checkbox.)

  • #4
    Senior Coder
    Quote Originally Posted by auriaks
    Hey,
    I had problems with malicious users this week, so I want to ask for help.
    What was the problem related to?

  • #5
    Regular Coder
    They were logged in without actually logging in. I have an automatic list of IPs, nicks, times and dates of who comes to my site, and on that list I found some rows with only IPs.

    That means someone hadn't started a session; the nick and other information couldn't get a value and were empty...

    About the functions:

    I will include the first script in all my pages... and what do I have to do with the other script? Because the first one uses a function from the second one.
    Last edited by auriaks; 03-30-2010 at 09:48 PM.
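    As an added example that is not code from this thread: one way the two pieces from #3 fit together in a single functions.php, with the exit after header() that #2 asks for and a visit log written only after the check passed (the rows with only an IP from #5). It assumes a mysqli connection $db, the thread's reg_users/players tables and a hypothetical visits table; unlike the original it lets the page continue when the player row exists instead of redirecting to index.php.

```php
<?php
// functions.php: shared auth helpers. Added example for this thread, not the
// original poster's code. Assumes a mysqli connection $db, the thread's
// reg_users/players tables and a hypothetical visits(ip, nick, seen_at) table.

// Called by the login page after the reg_users lookup matched the credentials.
function startUserSession($userId, $nick) {
    if (session_id() === '') { session_start(); }
    // Fresh id once the user is authenticated, so an id handed out (or fixed)
    // before login no longer identifies the logged-in session.
    session_regenerate_id(true);
    $_SESSION['authID'] = (int) $userId;
    $_SESSION['nick']   = $nick;
    // The password hash is never needed after login, so it is not stored here.
}

// First statement of every protected page, before any output is sent.
// Returns the nick on success; otherwise redirects and stops the script.
function requireLogin(mysqli $db) {
    if (session_id() === '') { session_start(); }
    if (empty($_SESSION['authID'])) {
        header('Location: ../login.php');
        exit; // post #2: header() alone does not stop the rest of the page
    }
    // Bound parameter instead of interpolating the nick into the query.
    $stmt = $db->prepare('SELECT 1 FROM players WHERE nikas = ? LIMIT 1');
    $stmt->bind_param('s', $_SESSION['nick']);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows === 0) {
        header('Location: register.php'); // logged in, but no player record yet
        exit;
    }
    return $_SESSION['nick'];
}

// Record the visit only after requireLogin() passed, so every row carries a
// nick; a row with only an IP (post #5) then means the guard was bypassed.
function logVisit(mysqli $db, $nick) {
    $ip   = $_SERVER['REMOTE_ADDR'];
    $stmt = $db->prepare('INSERT INTO visits (ip, nick, seen_at) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $ip, $nick);
    $stmt->execute();
}
```

    The login page calls startUserSession() once the reg_users lookup matched; every protected page then starts with $nick = requireLogin($db); logVisit($db, $nick); before any HTML.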