  1. #1 Regular Coder

    Some confusion getting started with sessions

    I'm just learning php and have a few questions on sessions:

    From the manual...
    // Use of $_SESSION is preferred, as of PHP 4.1.0
    $_SESSION["zim"] = "An invader from another planet.";

    In the above it appears this is creating an element in the $_SESSION global array called "zim".

    What is the purpose of doing this? And why is it equated to a string?

    I need to create a login, and a validation script for all pages requiring the user to be logged in. This is what I *think* I need to do, but I'm not sure exactly how to get there:

    1. User logs in; username and password are checked against my database. If all is OK then a flag is stored in the session indicating they are signed in, and their IP is stored in the session to check against hijacking.
    2. When accessing various pages their session info is checked to see if they are signed in, and their IP is checked to make sure it has not changed.

    I'm not really clear on how to assign sessions to users and how to know which session to check when a user tries to access a page, maybe the session ID, but again I don't really know how to make use of it. Any help would be appreciated.

    M.

  • #2 raf (Master Coder)
    For each new user, a session is started automatically (unless you change the session.auto_start setting). So you don't actually 'assign them'.

    By placing session_start() in your script, you can access the session variables, which from there on is just like accessing variables from the other collections.
    You create a new session variable and assign a value to it like this
    $_SESSION['var'] = $var;
    or
    $_SESSION['var'] = "dedede";

    The purpose? Well, to create a variable and store a string value in it, so that this value can easily be retrieved during the session --> to "maintain state".

    And get the value of a session variable like
    $var = $_SESSION['var'];

    Your planned security check is OK, until you have two users with the same IP because they are behind the same proxy. This handy script (from Morgoth http://www.hackthissite.org/readarticle.php?id=44 ) has this little extra to try to avoid proxy server forwarding masking the real IP.

    To do the check, you just do
    PHP Code:
    <?php
    // Prefer the address a forwarding proxy reports; otherwise use the socket peer.
    // Note that HTTP_X_FORWARDED_FOR is a client-supplied request header, so any
    // client can set it to whatever it likes.
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $UserIP = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } else {
        $UserIP = $_SERVER["REMOTE_ADDR"];
    }

    session_start();
    if (isset($_SESSION['IPuser']) && $_SESSION['IPuser'] == $UserIP) {
        // go ahead: the IP matches the one stored at login
    } else {
        // redirect to the login page or so
        header('Location: login.php');
        exit;
    }

    More info : http://be.php.net/session
    Last edited by raf; 09-21-2003 at 09:26 PM.
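    As an added example (this is not raf's code, nor Morgoth's script), here is one way to implement the two steps from post #1 in PHP: a login that checks the credentials against a database, records a signed-in flag and the client IP in the session, and a check to put at the top of every protected page. The `users` table, the column names and the trusted proxy address 10.0.0.5 are assumptions; the sample user is constructed inline in an in-memory SQLite database so the file runs on its own. The X-Forwarded-For header is only believed when the request actually arrives from a proxy you operate, since any client can send that header itself.

```php
<?php
// Added example, not code from the thread. Implements the plan in post #1:
// a login that checks credentials against a database and records a signed-in
// flag plus the client IP, and a per-page check. Assumptions (not from the
// thread): a `users` table with `username` and `password_hash` columns, and
// a hypothetical trusted reverse proxy at 10.0.0.5.

// Only a proxy you operate may set the client IP for you. X-Forwarded-For is
// otherwise a client-supplied header and trivially spoofed.
const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true)
        && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Header format is "client, proxy1, proxy2, ..."; the first entry is the client.
        $first = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Step 1: verify username/password, then mark the session as signed in.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh ID on login so an ID planted before login (session
    // fixation) is never promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['IPuser']    = client_ip();
    return true;
}

// Step 2: call at the top of every page that requires a login.
function require_login(string $login_url = '/login.php'): void
{
    if (empty($_SESSION['logged_in']) || ($_SESSION['IPuser'] ?? null) !== client_ip()) {
        // Not signed in, or the IP changed: drop the session and send to login.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// --- Constructed sample data so the file runs stand-alone (SQLite in memory). ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['zim', password_hash('invader-from-another-planet', PASSWORD_DEFAULT)]);

// login.php: handle the posted form.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && isset($_POST['username'], $_POST['password'])) {
    if (login_user($pdo, $_POST['username'], $_POST['password'])) {
        header('Location: /members.php', true, 302);
        exit;
    }
    http_response_code(401);
    echo "Invalid username or password\n";
}

// On a protected page (e.g. members.php) the whole check is:
//   session_start();
//   require_login();
```

    The IP comparison in `require_login()` is exactly the check the thread discusses; the later posts about AOL and load-balanced proxies apply to it unchanged, so treat it as an extra signal rather than the thing that keeps the session safe.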

  • #3 Regular Coder (UK)
    Using IPs is not a very grand idea as a few ISPs send every request from a different IP number (AOL is the main big ISP that does that), so testing the last page's IP would fail every time.

    ---------------------

    The session of a particular user is (short of hacking) unique to that user - calling session_start() will access only that session and no other.
    Basically each session has an id reference which is ported between pages - either sent as a cookie and retrieved, or appended to the url (sometimes transparently) - this id is then used to access a file stored on the server (generally in /tmp/) which holds all the var=val pairs.

    So, you don't need to do anything to assure that the user gets the right session each time, php does that automatically.
    Ökii - formerly pootergeist
    teckis - take your time and it'll save you time.

  • #4 raf (Master Coder)
    I didn't know that.

    The most dynamic IP system I knew of was assigning a new IP each time you connect to the web, not for each request. It seems that even opening a new browser window generates a new IP for this new window with AOL.

    Lucky for me, I don't think there is an ISP here that uses such a system, and I only used IP-based security for local businesses.

  • #5 New Coder (Acecool)
    What about proxies? What about "spoofing an IP"...

  • #6 Spookster (Supreme Overlord)
    I didn't know that either. Just another reason added to my long list of reasons to dislike AOL.

    My place of work does that also. They have three servers using 3 IPs and each request goes through one of the 3. It gets very annoying at times when applications use IP checking because that really screws it up. InvisionBoard uses IP checking for administration so trying to change settings from work is a real pain because I have to keep clicking links until the correct IP gets sent out.
    Last edited by Spookster; 09-22-2003 at 03:06 PM.

  • #7 Regular Coder
    I think I'm getting the idea. I was under the impression that the sessions had to be managed, and that creating a 'session' variable was equivalent to creating a new session.

    If I'm understanding correctly the session variables are just any data that I want to maintain and/or modify across multiple pages.

    I wasn't aware of the AOL IP issue. (I wonder if they keep logs of every request sent... crazy.) In light of that, what would be a recommended way to check that the session has not been corrupted? I'm running everything through SSL and none of the data is extremely sensitive in the first place, but I'd like to increase security where possible.

    Thanks again...

  • #8 raf (Master Coder)
    Originally posted by Acecool
    What about proxies? What about "spoofing an IP"...
    In both cases the IP will normally be the same during the session.
    If someone changes his IP while having an active session, then he will lock himself out. If he changes his IP to that of an active session, then he still has to steal the cookie or SID.

    The problem with proxies is that two users could have the same IP, which you can try to counter with Morgoth's script.

    But the AOL or the three-server situation of Spookster is a real problem... It will result in "you need to have cookies enabled to enter this site", so I guess I will be writing a two-page validation script that first stores the IP in a cookie and sends it to the client, then redirects with the IP in the query string, and tries to read the cookie.
    If the cookie isn't set, then the IP value inside the query string needs to be the same as his 'new' IP. In the AOL case this won't be the case, so I'll print a "you need to enable cookies" error.
    If the cookie was set and the IP inside the cookie is the same as the 'new' IP, then there is no problem.
    If the cookie was set and the IP was changed, then there is no problem, but identification will only be done using server variables and no IP checking.
    In light of that, what would be a recommended way to check that the session has not been corrupted? I'm running everything through SSL and none of the data is extremely sensitive in the first place, but I'd like to increase security where possible
    SSL provides client authentication http://www-10.lotus.com/ldd/today.ns...5?OpenDocument
    (I wonder if that link will work ...)
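    Post #3 describes the session ID travelling by cookie or by URL, posts #3 and #6 show the client IP changing between requests, and post #7 asks how to check that a session has not been tampered with when IP checking is out. As an added example (not code from any poster in this thread), here are the PHP session settings and lifecycle checks that tie the login to the session itself rather than to an IP: the ID is only accepted from a cookie, never from the URL; IDs the server did not issue are rejected; the ID is reissued on login and periodically afterwards; and idle and absolute timeouts close the session. The limits (30 minutes idle, 8 hours absolute, rotate every 15 minutes) are assumed values, and `session.cookie_samesite` needs PHP 7.3 or later; the other settings are older (`session.use_strict_mode` appeared in PHP 5.5.2).

```php
<?php
// Added example, not code from the thread. Session settings and lifecycle
// checks that do not depend on the client IP. The ini_set() calls must run
// before session_start(). Time limits below are assumed values.

// Each comment names the weak setting; the call sets the hardened one.
// session.use_trans_sid = 1    -> ID appended to URLs, leaks via Referer and logs
ini_set('session.use_trans_sid', '0');
// session.use_only_cookies = 0 -> ID also accepted from the query string
ini_set('session.use_only_cookies', '1');
// session.use_strict_mode = 0  -> server adopts any ID the client presents
ini_set('session.use_strict_mode', '1');   // blocks fixation; PHP 5.5.2+
// session.cookie_httponly = 0  -> page scripts can read the cookie
ini_set('session.cookie_httponly', '1');
// session.cookie_secure = 0    -> cookie also sent over plain HTTP
ini_set('session.cookie_secure', '1');     // the original poster runs everything over SSL
ini_set('session.cookie_samesite', 'Strict'); // PHP 7.3+

const IDLE_LIMIT     = 30 * 60;  // seconds without a request before logout
const ABSOLUTE_LIMIT = 8 * 3600; // seconds since login, regardless of activity
const ROTATE_EVERY   = 15 * 60;  // reissue the session ID this often

// True if the session data describes a login that is still within its limits.
function login_is_live(array $s, int $now): bool
{
    if (empty($s['logged_in'])) {
        return false;
    }
    if ($now - ($s['last_seen'] ?? 0) > IDLE_LIMIT) {
        return false;
    }
    if ($now - ($s['login_at'] ?? 0) > ABSOLUTE_LIMIT) {
        return false;
    }
    return true;
}

// Replaces a bare session_start() on every page.
function start_session_hardened(): void
{
    session_start();
    $now = time();
    if (empty($_SESSION['logged_in'])) {
        return;                       // anonymous session, nothing to check
    }
    if (!login_is_live($_SESSION, $now)) {
        // Expired: wipe the data and swap in a fresh, empty ID. The old
        // session file is deleted, so the old ID cannot be replayed.
        $_SESSION = [];
        session_regenerate_id(true);
        return;
    }
    if ($now - ($_SESSION['rotated_at'] ?? 0) > ROTATE_EVERY) {
        session_regenerate_id(true);  // limits the useful life of a stolen ID
        $_SESSION['rotated_at'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

// Call once the password check has succeeded.
function mark_logged_in(int $user_id): void
{
    session_regenerate_id(true);      // never keep the pre-login ID
    $now = time();
    $_SESSION = [
        'logged_in'  => true,
        'user_id'    => $user_id,
        'login_at'   => $now,
        'last_seen'  => $now,
        'rotated_at' => $now,
    ];
}

// Put at the top of every protected page, after start_session_hardened().
function require_login(string $login_url = '/login.php'): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

start_session_hardened();
```

    With these settings the only thing an attacker can use is the cookie itself, which is exactly what post #8 says remains after IP spoofing, so the controls that matter are the ones that keep the cookie off the wire and out of scripts and that shorten how long a stolen one stays valid.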

  • #9 Regular Coder
    interesting link...

