Languages :: PHP :: Session, cookies and security

By: xedstr | Date: 01/06/2003 00:00:00 | Points: 500 | Status: Answered | Quality: Excellent
I'm missing some good explanation about how to use sessions and cookies for security. It seems possible to create sessions in different ways. I already received the information (from VGR) that it is not good to use HTTP Basic Authentication. So I already adapted my login page so that it starts with a form with 2 fields, for login_id and password. At the top of this page I have put: session_start(). When I check in a subsequent page (where I have also put the session_start() statement) the existence of the session (with <?echo $_SESSION['thenameIgave']; ?>) => the name seems to be passed to the next page. But how do I control in each subsequent page that it is still the same session? When I use the statement: if (session_is_registered('thenameIgave')) => I get an error message... Other, not-registered persons may not have the possibility to enter those protected pages. Suppose that he knows the name of the restricted PHP files and puts them directly in the browser => until now this person still has access to those pages? How can I avoid this? Even when a person has passed a successful login -> I want to verify the time he is not active. After a period of 30 minutes of inactivity, I want the session to be destroyed. I think it has something to do with cookies... Can anyone give me some good examples or reading material about these subjects? Thanks for any help, EDS

By: VGR | Date: 01/06/2003 22:57:00 | Type: Answer
It's not that it's not good, it's that the way you mixed it was slightly twisted IMHO. Basic auth works fine, but is really limited. I found it more versatile to use a simple FORM for authentication, a DB access, setting a session variable, and session_start()-ing all pages that need the positive login to be accessed. That's all. To answer your questions in order:

1) "At the top [...] how do I control in each subsequent page that it is still the same session?" This is automatic. The session ID is linked to a specific instance of the client browser. You can also create (server-side) your own session ID with some mixture of the remote IP address ($_SERVER['HTTP_REFERER']) and a randomized mktime().

1b) "When I use the statement: if (session_is_registered('thenameIgave')) => I get an error message..." It doesn't work because you have to choose either to use $_SESSION[] or "thenameigave=value; session_register('thenameigave');". See doc: session_is_registered (PHP 4) session_is_registered -- Find out whether a global variable is registered in a session. Description: bool session_is_registered ( string name ). session_is_registered() returns TRUE if there is a global variable with the name name registered in the current session. Note: If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use isset() to check a variable is registered in $_SESSION. Caution: If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered() and session_unregister().

2) "Other, not-registered persons may not have the possibility to enter those protected pages. Suppose that he knows the name of the restricted PHP files and puts them directly in the browser => until now this person still has access to those pages? How can I avoid this?" This is automatic with my suggestion and is done by the inclusion of session.inc.php, which redirects the user somewhere else if he didn't pass the login screen successfully. Something like this (in every page to be protected) will do:

<?php session_start(); if (! isset($_SESSION['thenameIgave'])) { header('Location: index.php?reason=invaliddirectaccess'); exit; } // else pass on ... ?>

3) "Even when a person has passed a successful login -> I want to verify the time he is not active. After a period of 30 minutes of inactivity, I want the session to be destroyed. I think it has something to do with cookies..." Not really. Just store in each session the datetime of the last action taken, put this in the DB, and each time someone makes an action, check the DB for all users who haven't done anything for 30 minutes or more, then destroy their session file directly (dirty, but works :D) or set a DB flag "sessiontodestroy". And in the session.inc.php included file - that all pages do use - put a "check DB for myself; if "sessiontobedestroyed" is set, then destroy_session". regards
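A worked version of the include file VGR describes, covering both the direct-access check (question 2) and the 30-minute inactivity timeout (question 3) without a DB round trip. This is an added example, not VGR's code; it assumes the file is named session.inc.php, the session key is user_id, and the login page is index.php.

```php
<?php
// session.inc.php -- added example (not VGR's code). Assumes the login page
// calls establish_login($user_id) after checking credentials against the DB,
// and every protected page does require_once 'session.inc.php'; require_login();

define('INACTIVITY_LIMIT', 30 * 60); // 30 minutes, in seconds

function ensure_session_started()
{
    if (session_id() === '') {
        session_start();
    }
}

// Call once, after a successful credential check on the login page.
function establish_login($user_id)
{
    ensure_session_started();
    // Fresh session ID on login, so an ID handed out before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user_id;
    $_SESSION['last_activity'] = time();
}

// Remove the server-side state and the client's session cookie.
function end_session()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Redirect and stop: without exit, the rest of the protected page would
// still be generated and sent after the Location header.
function redirect_to_login($reason)
{
    header('Location: index.php?reason=' . urlencode($reason));
    exit;
}

// Call at the top of every protected page, before any output.
function require_login()
{
    ensure_session_started();
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        redirect_to_login('invaliddirectaccess');
    }
    if (time() - $_SESSION['last_activity'] > INACTIVITY_LIMIT) {
        end_session();                       // idle too long: drop the session
        redirect_to_login('sessionexpired');
    }
    $_SESSION['last_activity'] = time();     // any request counts as activity
}
```

Because last_activity lives in the session itself, the timeout works even when php.ini and session.gc_maxlifetime cannot be changed; the DB table heppa describes below is only needed if you also want to expire sessions from outside the user's own requests.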

By: rodnex | Date: 01/06/2003 23:53:00 | Type: Comment
One way you could do it is to create a .php file called, let's say, 'security.php'. In this file, you put code similar to this:

if(!isset($user_id)) { //redirect to login page. $msg = "You must login to access this area of the site."; header("Location: http://www.yoursite.com/login.php?msg=" . urlencode($msg)); exit; }

You need to call session_start(); at the top of each page that you would like to access the session variables from. So upon successful login, you might set: $user_id = some value from database; session_register("user_id"); Then check for this existing by including security.php at the top of all pages for 'logged in' users.

By: rodnex | Date: 01/06/2003 23:56:00 | Type: Comment
BTW, the online PHP manual is very helpful for this type of stuff... http://us2.php.net/session

By: inimit | Date: 02/06/2003 09:52:00 | Type: Comment
The reason why you receive an error on all the subsequent pages is that to access any valid data within a session, you must first initialize it before anything else.

<?php session_start(); if ($_SESSION['thenameIgave'] != FALSE) { // valid user } else { // invalid session die('Error when validating this user'); // or you can redirect to the login page by commenting this out // header("location: /login.php"); } ?>

Also, if you require your sessions to last for longer than the default setting, you must have access to modify the php.ini file to set the session.maxlifetime to be 30 minutes. The value is in seconds, so you would set it to be 1800. You can check the default lifetime of the session by creating a phpinfo.php page that has <?php phpinfo(); ?> in it, and it will describe all your server configuration settings; then simply search for "lifetime" and you will find the value you seek.

By: heppa | Date: 04/06/2003 19:16:00 | Type: Comment
Hi there! If you don't have access to the php.ini to change the time a session is active, you have to turn to the database version described earlier. You need a table having a session_id and several pieces of info like the time it was registered (respectively last updated). Every time the user is active on a page, you update this table's datetime field. If this is older than 30 minutes when accessing a page (I used a function to start every page, where everything is checked), you either "include" the login page at that point or send the redirect headers as described earlier! regards heppa

By: xedstr | Date: 05/06/2003 04:37:00 | Type: Comment
Thanks guys, you are all really experts. I have learned a lot in a short time. EDS