7 Replies - 580 Views - Last Post: 22 January 2010 - 08:06 PM

#1 Elbrus

session help

Posted 22 January 2010 - 11:34 AM

I have a login script and a snippet of code that checks whether the user visiting the password-protected page is registered. This was fine until I read on the PHP site that the two functions I have used are ones they recommend not using.

This is my code

Here I register the user after they log in.
session_register("myusername");   // deprecated since PHP 5.3, removed in PHP 5.4
session_register("mypassword");
header("Location: login_success.php");
exit;   // stop the script after the redirect



Here is the code I have checking whether a user is registered (or has logged in, in other terms).
session_start();
if (!session_is_registered("myusername")) {   // the session variable name must be a quoted string
    header("Location: log.php");
    exit;
}



The problem I found is that both session_register() and session_is_registered() are not recommended for use any more.

My question is: what is another way? I am thinking of just putting it in the session like other things.

$_SESSION['user']=1;
$_SESSION['password']=1;



Then, on the pages where I check whether they are logged in, what I'll do is check whether the value is equal to 1; I am using 0 for not logged in and 1 for logged in.

My only concern is whether this is relatively safe. Since I am not actually putting the password and user name into the session, it should not be a problem, but I just want to make sure.


Replies To: session help

#2 girasquid

Re: session help

Posted 22 January 2010 - 11:38 AM

I'd say that yes, this is relatively safe - as far as I'm aware (someone better at PHP can correct me if I'm wrong), sessions are stored encrypted on the user's system, so you don't need to worry about them getting into the data unless they're advanced users (in which case, whatever protection you add is a game anyway).

#3 Elbrus

Re: session help

Posted 22 January 2010 - 01:05 PM

girasquid, on 22 Jan, 2010 - 10:38 AM, said:

I'd say that yes, this is relatively safe - as far as I'm aware (someone better at PHP can correct me if I'm wrong), sessions are stored encrypted on the user's system, so you don't need to worry about them getting into the data unless they're advanced users (in which case, whatever protection you add is a game anyway).


I am not that good at PHP and don't know a lot about sessions, but I do believe that sessions are stored on the server and cookies are stored on the user's system, which also holds a cookie that refers to the session. I could be mixed up, but I believe that is what I read before.

#4 garfinkle

Re: session help

Posted 22 January 2010 - 07:22 PM

PHP sessions are not stored locally like cookies are; sessions are stored server-side and accessed via a session ID key. The only real security risk with sessions is that the session key can be retrieved by injected code, and then the user can modify their own session key to instantly be logged in as someone else.

The safest thing to do (apart from ensuring you are protected against code injection) is to create a checking system that only allows one session to be logged in at a time. If another IP address tries to access the same session ID, then force a logout.

You can do this by keeping a MySQL database that keeps a record of IP and session ID ($_REQUEST['PSSID'], I think) and doing a quick check in the header to ensure that they match at all times. Or, even better, store the IP in the session, so no extra database access takes place.

With regard to the information you store in the session, you can simply store a variable such as

$_SESSION['logged_in'] = 1;   // same key is used for the check and the unset below


then when checking you can simply use

if (isset($_SESSION['logged_in']))
{
   // do whatever
}


When a user logs out (or if the security check mentioned above fails), just do the following

unset($_SESSION['logged_in']);


Hope that helps :D

This post has been edited by garfinkle: 22 January 2010 - 07:24 PM


#5 Elbrus

Re: session help

Posted 22 January 2010 - 07:30 PM

garfinkle, on 22 Jan, 2010 - 06:22 PM, said:

PHP sessions are not stored locally like cookies are; sessions are stored server-side and accessed via a session ID key. The only real security risk with sessions is that the session key can be retrieved by injected code, and then the user can modify their own session key to instantly be logged in as someone else.

The safest thing to do (apart from ensuring you are protected against code injection) is to create a checking system that only allows one session to be logged in at a time. If another IP address tries to access the same session ID, then force a logout.

You can do this by keeping a MySQL database that keeps a record of IP and session ID ($_REQUEST['PSSID'], I think) and doing a quick check in the header to ensure that they match at all times. Or, even better, store the IP in the session, so no extra database access takes place.

With regard to the information you store in the session, you can simply store a variable such as

$_SESSION['logged_in'] = 1;   // same key is used for the check and the unset below


then when checking you can simply use

if (isset($_SESSION['logged_in']))
{
   // do whatever
}


When a user logs out (or if the security check mentioned above fails), just do the following

unset($_SESSION['logged_in']);


Hope that helps :D


Yes, this does help, and I am now very interested in checking how I would set up the records of IP and session. Off to Google. Thanks again.

#6 garfinkle

Re: session help

Posted 22 January 2010 - 07:37 PM

To get the IP, just use

$ip = $_SERVER['REMOTE_ADDR'];


To get the session id use

$session_id = session_id();


:D

This post has been edited by garfinkle: 22 January 2010 - 07:37 PM


#7 Elbrus

Re: session help

Posted 22 January 2010 - 07:50 PM

garfinkle, on 22 Jan, 2010 - 06:37 PM, said:

To get the IP, just use

$ip = $_SERVER['REMOTE_ADDR'];


To get the session id use

$session_id = session_id();


:D


Yeah, I was thinking of just using a session to store the IP,

$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];   // recorded when the session is created at login

// Then use an if statement, or make a function, to check that the IP from the
// start of the session is equal to the IP of the current user of the session
if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
    // destroy the session and redirect to the login page
    session_unset();
    session_destroy();
    header("Location: log.php");
    exit;
}


I believe this should work fine; I don't know for sure, I'll have to test it out :D

This post has been edited by Elbrus: 22 January 2010 - 07:51 PM


#8 garfinkle

Re: session help

Posted 22 January 2010 - 08:06 PM

That should work fine.

One thing to do for usability: if the security check fails, unset the $_SESSION['logged_in'] parameter and set a new one called $_SESSION['forced_logout'].

This will allow you to output a message to the original user telling them that they have been force-logged out, for whatever reason.
