    #1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17

    Sessions exposure


    Hi all,

    I have a problem with sessions and the fact that when I close a browser and pull up an old session I can gain access to a members area without having to log in again - which is obviously a big concern!

    I am using the following code to set up my sessions:

    Here is the function:



    PHP Code:
    function checkLoggedIn($status){
        /*
        Function to check whether a user is logged in or not:
        This is a function that checks if a user is already logged
        in or not, depending on the value of $status which is passed
        in as an argument.

        If $status is 'yes', we check if the user is already logged in;
        If $status is 'no', we check if the user is NOT already logged in.
        */
        switch($status){
            // if yes, check user is logged in:
            // ie for actions where, yes, user must be logged in(!)
            case "yes":
                if(!isset($_SESSION["loggedIn"])){
                    header("Location: login.php");
                    exit;
                }
                break;

            // if no, check NOT logged in:
            // ie for actions where user can't already be logged in
            // (ie for joining up or logging in)
            case "no":
                if(isset($_SESSION["loggedIn"]) && $_SESSION["loggedIn"] === true ){
                    header("Location: members.php?".session_name()."=".session_id());
                }
                break;
        }

        // if got here, all ok, return true:
        return true;
    } // end func checkLoggedIn($status)


    Then in my pages I have been passed the session id and have this line of code at the top of each page:


    PHP Code:
    checkLoggedIn("yes"); 


    If you need any more info, please let me know.

    Thanks,


    G

    Comments on this post

    • chadsmith729 agrees : Fantastic commenting! I wish my guys did that!!!
  2. #2
  3. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    Yes we do require some more code.

    Where do you initialise the $_SESSION["loggedIn"]? Are you starting sessions on each page with session_start()??
  4. #3
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Jan 2005
    Posts
    1,579
    Rep Power
    279
    Even though you close your browser, the session storage file is not removed until the garbage collection is run. A browser-based session means that the session cookie is held in the current browser session; it does not get put on the user's computer. So when the browser is closed the session id is removed from the browser, but not the file that contains the session information.


    That's why letting the core control what you should be controlling in your script is always a bad idea. The only way around this problem is to create your own garbage collection or add a more refined control to your session logic.

    printf
  6. #4
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    No I am not using session_start and I am not familiar with initialising the session. All that is happening at the moment is the sessionid is passed through the url when a user goes to another page.

    I tried using session_start($username); for example but I got a warning saying a session had already been started.

    In light of this how could I adopt some strategy using session start or initialising $session['variable']??
  8. #5
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    Ah, I have just overlooked my $session['loggedin'], it's here in the functions page:

    PHP Code:
    function cleanMemberSession($username, $password) {
        /*
        Member session initialization function:
        This function initializes 3 session variables:
        $login, $password and $loggedIn.

        $login and $password are used on member pages (where you
        could allow the user to change their password for example).

        $loggedIn is a simple boolean variable which indicates
        whether or not the user is currently logged in.
        */
        $_SESSION["username"]=$username;
        $_SESSION["password"]=$password;
        $_SESSION["loggedIn"]=true;
    }

  10. #6
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Jan 2005
    Posts
    1,579
    Rep Power
    279
    Setting a session in a URL is not recommended, but unlike some others I don't have a problem with it, because a session is only as safe as your user allows it to be, so a session in a cookie or a URL can both be safe if you educate your users on the do(s) and don't(s) of copying URL(s) in your service!

    A session must always be started no matter if you pass the session in the URL or by cookie, because session_start() tells PHP to load the session file that is associated with that session_id.

    printf
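One way to add the "more refined control" described in post #3 and the session_start() handling from this post, as an added example that is not code from the thread: the session id is accepted from the cookie only, a new id is issued at login, and an idle limit is enforced from data held in the session instead of being left to garbage collection. It assumes PHP 7.3 or later and an HTTPS site; `IDLE_LIMIT` and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names and IDLE_LIMIT are
// hypothetical; "loggedIn" and login.php follow the posts above.
const IDLE_LIMIT = 900; // assumed policy: 15 minutes without a request

function startSecureSession(): void
{
    // Take the session id from the cookie only, never from ?PHPSESSID=...,
    // so a copied or bookmarked URL no longer carries the credential.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lives only as long as the browser session
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy(); // delete the server-side data now instead of waiting for GC
}

function markLoggedIn(string $username): void
{
    session_regenerate_id(true);          // fresh id at login, old data deleted
    $_SESSION['username']   = $username;  // the password is not stored
    $_SESSION['loggedIn']   = true;
    $_SESSION['lastActive'] = time();
}

function requireLogin(): void
{
    $idle = time() - ($_SESSION['lastActive'] ?? 0);
    if (empty($_SESSION['loggedIn']) || $idle > IDLE_LIMIT) {
        destroySession();
        header('Location: login.php');
        exit;
    }
    $_SESSION['lastActive'] = time(); // sliding window: each request renews it
}

// members.php:  startSecureSession(); requireLogin();
// login.php, after the password check succeeds:  markLoggedIn($row['username']);
// logout.php:   startSecureSession(); destroySession();
```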
  12. #7
  13. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    Well, can't say much with this code. Can you show some code where these functions are called? I mean your login page or the page where these pages are being called to initialise.

    FYI, session_start(); should be just as it is at the top of every page where you want to use sessions.

    I will suggest this link to know more about sessions.
  14. #8
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    Thanks guys,

    Here is a sample from the login script, this is taken below the part where I validate the username and password:

    PHP Code:
        cleanMemberSession($row["username"], $row["password"], $row["userid"]);

        // and finally forward user to members page (populating the session id in the URL):
        header("Location: members.php?".session_name()."=".session_id());
    } else {
        // The login form wasn't filled out yet, display the login form for the user to fill in:
        doIndex();

    The function it is calling looks like so:

    PHP Code:
    function cleanMemberSession($username, $password) {
        /*
        Member session initialization function:
        This function initializes 3 session variables:
        $login, $password and $loggedIn.

        $login and $password are used on member pages (where you
        could allow the user to change their password for example).

        $loggedIn is a simple boolean variable which indicates
        whether or not the user is currently logged in.
        */
        $_SESSION["username"]=$username;
        $_SESSION["password"]=$password;
        //$_SESSION["userid"]=$userid;
        $_SESSION["loggedIn"]=true;
    }

    printf, are you saying that I should use something like session_start(sessionid)? Having tried session_start I got a warning saying it was being ignored because a session had already been started (having been passed the sessionid from the login page as in the first lot of code above in this reply).


    Thanks,

    G
  16. #9
  17. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    We already have this code and need some more code where you are doing all this.

    Anyway, are you getting the session id on the next page? I don't think you will get it, because you are not starting a session anywhere.

    You need to put session_start() at the very top of your page, just after <?php

    Nothing should be there before session_start(). Just put session_start() and check.

    Also, what exactly are you doing on the members.php page? What are you doing with the session id?

    The reason why I asked for more code is to check where you are calling all the functions and what is happening on the members page.
  18. #10
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    Ok, for 1 here is the complete members page, hopefully what you will see is that currently all I am doing is 'checkloggedin.' Therefore as you say should I use session_start($_GET('sessionid')) on the basis that this is what is passed from any other page? ie:
    PHP Code:
    header("Location: members.php?".session_name()."=".session_id()); 
    .

    Anyway here is the complete members page:

    PHP Code:
    <?php

    //*****
    //*
    //Members script:
    //This is a very simple script that generates a web page when the user
    //has logged in successfully.
    //
    //In this code the user's details are simply displayed for the user - these
    //details are taken from the session variables $login and $password.

    include_once("../private/config.php");

    $title="Welcome to the member section";


    // Check user logged in already:
    checkLoggedIn("yes");
    doCSS();

    $query="SELECT userid, username, password FROM users WHERE username='$username' and password='$password'";

    //$query="SELECT username, password FROM users WHERE username='$username' and password='$password'";

    $result=mysql_query($query, $link)
        or die("checkPass fatal error: ".mysql_error());

    $row = mysql_fetch_array($result, MYSQL_ASSOC);

    $username=$row['username'];

    print("Welcome to the members page <b>".$_SESSION["username"]."</b><br>");
    print("<a href=\"logout.php?".session_name()."=".session_id()."\">Logout</a></b><br>");
    print ("<a href=\"suppliersearch.php?".session_name()."=".session_id()."\">Search for suppliers</a></b></br>");
    print ("<a href=\"updatedetails.php?".session_name()."=".session_id()."\">Click here to update your details</a></b></br>");


    ?>
    <html>
    <head>
    <title><?=$title?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    </html>
    Last edited by genista; October 26th, 2006 at 10:12 AM.
  20. #11
  21. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    I have never said you use session_start($_GET('sessionid')).

    It is JUST session_start(); Nothing inside the function. And as I said in my last post, Put session_start() at very top of your page where you are using cleanMemberSession().

    That's it.
  22. #12
  23. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    Also put session_start() at the top of all the pages where you are going to use sessions. Otherwise there is not any use of session.
  24. #13
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    Ok, thanks.

    I think I might be being stupid, but here is what I have now and I can still copy a URL with the session, close the browser, open a new one, paste and off I go. I have made a note in the script below of something else I have tried as well:

    PHP Code:
    <?php
    session_start();
    //*****
    //*
    //Members script:
    //This is a very simple script that generates a web page when the user
    //has logged in successfully.
    //
    //In this code the user's details are simply displayed for the user - these
    //details are taken from the session variables $login and $password.

    include_once("../private/config.php");

    $title="Welcome to the Head2ToeWeddings member section";


    // Check user logged in already:
    checkLoggedIn("yes");
    // - I HAVE TRIED THIS LINE OF CODE, BUT STILL NO SUCCESS:
    //cleanMemberSession($_SESSION["username"], $_SESSION["password"]);
    doCSS();

    $query="SELECT userid, username, password FROM users WHERE username='$username' and password='$password'";

    //$query="SELECT username, password FROM users WHERE username='$username' and password='$password'";

    $result=mysql_query($query, $link)
        or die("checkPass fatal error: ".mysql_error());

    $row = mysql_fetch_array($result, MYSQL_ASSOC);

    $username=$row['username'];

    print("Welcome to the members page <b>".$_SESSION["username"]."</b><br>");
    print("<a href=\"logout.php?".session_name()."=".session_id()."\">Logout</a></b><br>");
    print ("<a href=\"suppliersearch.php?".session_name()."=".session_id()."\">Search for suppliers</a></b></br>");
    print ("<a href=\"updatedetails.php?".session_name()."=".session_id()."\">Click here to update your details</a></b></br>");


    ?>
    <html>
    <head>
    <title><?=$title?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    </html>
    Thanks,

    G
  26. #14
  27. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2006
    Location
    Gujju in London
    Posts
    564
    Rep Power
    102
    PHP Code:
    <?php
    session_start();
    have you done the same at login page as well?
  28. #15
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    249
    Rep Power
    17
    To be honest - I hadn't but now have and still the same problem. Here is the code for the login page:

    PHP Code:
    <?php
    session_start();
    /*****
    login.php:
    This file contains a simple front end login script.


    *****/

    include_once("../private/config.php");

    /*
    Login script:
    This script does the following:

    Checks that the user is NOT already logged in - if they are they
    are redirected to the members page by the 'checkLoggedIn()' function.

    Checks if the login form has been submitted - if so, the 'login' and
    'password' fields are checked to ensure they are of the correct format and length.
    If there are any problems here an error is added to the $messages array and
    then the script executes the 'doIndex()' function - this function basically
    outputs the main 'index' page for this script - ie the login form.

    If there are no problems with the previous step, the 'login' and 'password'
    field data is passed to the 'checkPass' function to check that an entry
    exists in the 'users' table for that login/password pair.
    If nothing is returned from the 'checkPass()' function, an error is
    added to the $messages array and the 'doIndex()' function is called as above.

    If a row of data is returned from the 'users' table, the data is passed to
    the 'cleanMemberSession()' function - which initializes session variables and
    logs the user in.  The user is then forwarded to the members page.

    If the form hasn't yet been submitted, then the 'doIndex()' function is called
    and the login page is displayed.
    */
    // Check user not logged in already:
    checkLoggedIn("no");

    // Page title:
    $title="Member Login Page";

    // if $submit variable set, login info submitted:
    if(isset($_POST["submit"])) {
        //
        // Check fields were filled in
        //
        // login must be between 4 and 15 chars containing alphanumeric chars only:
        field_validator("username", $_POST["username"], "alphanumeric", 4, 15);

        // password must be between 4 and 15 chars - any characters can be used:
        field_validator("password", $_POST["password"], "string", 4, 15);

        // if there are $messages, errors were found in validating form data
        // show the index page (where the messages will be displayed):
        if($messages){
            doIndex();
            // note we have to explicitly 'exit' from the script, otherwise
            // the lines below will be processed:
            exit;
        }

        // OK if we got this far the form field data was of the right format;
        // now check the user/pass pair match those stored in the db:
        /*
        If checkPass() is successful (ie the username and password are ok),
        then $row contains an array of data containing the login name and
        password of the user.
        If checkPass() is unsuccessful however, $row will simply contain
        the value 'false' - and so in that case an error message is
        stored in the $messages array which will be displayed to the user.
        */
        if( !($row = checkPass($_POST["username"], $_POST["password"])) ) {
            // username/passwd string not correct, create an error message:
            $messages[]="Incorrect username/password, try again";
        }

        /*
        If there are error $messages, errors were found in validating form data above.
        Call the 'doIndex()' function (which displays the login form) and exit.
        */
        if($messages){
            doIndex();
            exit;
        }

        /*
        If we got to this point, there were no errors - start a session using the info
        returned from the db:
        */
        //$userid = $sql ("SELECT userid from users where username = "$_SESSION["username"]);
        //$_SESSION['userid'] = $userid;

        cleanMemberSession($row["username"], $row["password"], $row["userid"]);

        // and finally forward user to members page (populating the session id in the URL):
        header("Location: members.php?".session_name()."=".session_id());
    } else {
        // The login form wasn't filled out yet, display the login form for the user to fill in:
        doIndex();
    }

    /*
    This function displays the default 'index' page for this script.  This consists of just a simple
    login form for the user to submit their username and password.
    */
    function doIndex() {
        /*
        Import the global $messages array.
        If any errors were detected above, they will be stored in the $messages array:
        */
        global $messages;

        /*
        also import the $title for the page - note you can normally just declare all globals on one line
        - ie:
        global $messages, $title;
        */
        global $title;

        // drop out of PHP mode to display the plain HTML:
    ?>
    <html>
    <head>
    <title><?=$title?></title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <?php doCSS()?>
    <body>
    <h1><?=$title?></h1>
    <?php
    // if there are any messages stored in the $messages array, call the displayErrors
    // function to output them to the browser:
    if($messages) { displayErrors($messages); }

    /*
    PHP_SELF:
    The $_SERVER superglobals variable $PHP_SELF is one of the most useful predefined variables in PHP.
    It contains the URI (uniform resource indicator) of the current script.
    For example if this script is at http://example.com/somedir/join.php, then $_SERVER["PHP_SELF"] will contain:
    /somedir/join.php

    This is very useful because it means if you change the name of the script, you don't have to change every reference
    to the script in <form> tags - $_SERVER["PHP_SELF"] automatically includes the current script URI!
    */
    ?>
    <form action="<?=$_SERVER["PHP_SELF"]?>" method="POST">
    <table>
    <tr><td>Username:</td><td><input type="text" name="username" 
    value="<?php print isset($_POST["username"]) ? $_POST["username"] : "" ;?>"
    maxlength="15"></td></tr>
    <tr><td>Password:</td><td><input type="password" name="password" value="" maxlength="15"></td></tr>
    <tr><td>&nbsp;</td><td><input name="submit" type="submit" value="Submit"></td></tr>
    </table>
    </form>
    </body>
    </html>
    <?php
    }
    echo "Click <a href=\"passwordretrieve.php\">here</a> if you have forgotten your password.";
    ?>