How to make a secure login and session


Dakkadakka

Guest So Called

If your index page is index.html how can it check anything? Are you using JS? Or is your index page not HTML?


> If your index page is index.html how can it check anything? Are you using JS? Or is your index page not HTML?

index.html is the homepage, index-in.php is the PHP script embedded in it. Making the header either one has the same effect, but it doesn't solve my problem. How do I get it to read the session?

Have you started the session? Before you use any session data you have to start it using session_start().

> index.html is the homepage, index-in.php is the php script embedded to it

I am not sure what you mean by embedded. You can set the header to redirect to either of those pages, but after redirecting, the code inside <?php ?> blocks won't execute if you don't use .php, unless your server is configured to handle .html files as .php files.

> Have you started the session? Before you use any session data you have to start it using session_start().
> I am not sure what you mean by embedded. You can set the header to redirect to either of those pages, but after redirecting, the code inside <?php ?> blocks won't execute if you don't use .php, unless your server is configured to handle .html files as .php files.

I fixed it but the session still is not detected.

can you post your updated code?


> can you post your updated code?

```php
<?php
include 'session.php';

/*
if (empty($_POST['customer_id'])) {
    echo("Customer ID is empty!");
}
*/

$customer_id = trim($_POST['customer_id']);
$dbuser = "";
$dbpass = "2";
$host = "localhost";
$dbname = "";

// database connection
mysql_connect("localhost", $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($dbname) or die("Unable to select database");

// This query grabs all the purchases going back up to three months
// This debug line displays the query
// Note: $customer_id comes straight from $_POST and is placed in the query text unescaped
$query = "SELECT * FROM customers WHERE customer_id = '$customer_id'";
//echo $query."<br>";

$found = 0;
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
    // Grab the database pieces the customer will need throughout the page.
    //echo "Checking customer number ".$row['customer_id']."<br>";
    if ($row['customer_id'] == $customer_id) {
        $found = 1;
        // Grab the database pieces the customer will need throughout the page.
        $customer_id = $row['customer_id'];
        $first_name  = $row['first_name'];
        $last_name   = $row['last_name'];
        $price_level = $row['price_level'];
        // These debug lines check if the database query was successful
        //echo 'Customer ID is '.$customer_id.'<br>';
        //echo 'First Name is '.$first_name.'<br>';
        //echo 'last name is '.$last_name.'<br>';
        //echo 'price level '.$price_level.'<br>';
        break;
    }
} // -create while loop and loop through result set

/*
if ($found == 0) {
    echo 'Wrong customer number';
}
*/

// Give the user a session HERE
session_start();
$_SESSION['customer_id'] = $customer_id;
$_SESSION['first_name']  = $first_name;
$_SESSION['last_name']   = $last_name;
$_SESSION['price_level'] = $price_level;

// This debug line makes sure the session array has all areas filled
//echo "Your name is ".$_SESSION['first_name']." ".$_SESSION['last_name']."<br>(and the peronalized Level is ".$_SESSION['price_level'].")";
header('Location: index.html');
?>
```

And then here is the logic at the beginning of index.html:

```php
<?php
include 'session.php';
if (isset($_SESSION['customer_id'])) {
    // Grab their session data
    echo 'We have a customer id<br>';
    $customer_id = $_SESSION["customer_id"];
    $first_name  = $_SESSION["first_name"];
    $last_name   = $_SESSION["last_name"];
    $price_level = $_SESSION["price_level"];
    echo 'Customer id is '.$customer_id.'<br>';
    echo 'first_name is '.$first_name.'<br>';
    echo 'last_name is '.$last_name.'<br>';
    echo 'Price Level (NEVER SHOW THEM THIS) '.$price_level.'<br>';
} else {
    echo 'Not a logged in person<br>';
}
```

> And then here is the logic at the beginning of index.html
>
> <?php
> include 'session.php';
> if (isset($_SESSION['customer_id'])) {
>     // Grab their session data
>     echo 'We have a customer id<br>';
>     $customer_id = $_SESSION["customer_id"];
>     $first_name  = $_SESSION["first_name"];
>     $last_name   = $_SESSION["last_name"];
>     $price_level = $_SESSION["price_level"];
>     echo 'Customer id is '.$customer_id.'<br>';
>     echo 'first_name is '.$first_name.'<br>';
>     echo 'last_name is '.$last_name.'<br>';
>     echo 'Price Level (NEVER SHOW THEM THIS) '.$price_level.'<br>';
> } else {
>     echo 'Not a logged in person<br>';
> }

You have not started the session here. You have to start it everywhere you use the session. Also, it is best to put session_start() at the top of the file, or at the top of the include-file hierarchy.

Guest So Called
> And then here is the logic at the beginning of index.html
>
> <?php
> include 'session.php';
> if (isset($_SESSION['customer_id'])) {
>     // Grab their session data
>     echo 'We have a customer id<br>';
>     $customer_id = $_SESSION["customer_id"];
>     $first_name  = $_SESSION["first_name"];
>     $last_name   = $_SESSION["last_name"];
>     $price_level = $_SESSION["price_level"];
>     echo 'Customer id is '.$customer_id.'<br>';
>     echo 'first_name is '.$first_name.'<br>';
>     echo 'last_name is '.$last_name.'<br>';
>     echo 'Price Level (NEVER SHOW THEM THIS) '.$price_level.'<br>';
> } else {
>     echo 'Not a logged in person<br>';
> }

How can you have PHP code inside an HTML page?

I just changed it and it still didn't do the trick. Sorry, this is my first time learning sessions.

```php
// Give the user a session HERE
session_start();
$_SESSION['customer_id'] = $customer_id;
$_SESSION['first_name']  = $first_name;
$_SESSION['last_name']   = $last_name;
$_SESSION['price_level'] = $price_level;
$_SESSION['sales_rep']   = $sales_rep;

// This debug line makes sure the session array has all areas filled
//echo "Your name is ".$_SESSION['first_name']." ".$_SESSION['last_name']."<br>(and the peronalized Level is ".$_SESSION['price_level'].")";
header('Location: index-in.php');
?>
```

And then here is the new top of index-in.php. I was wrong to use index.html, which is just a placeholder.

```php
<?php
include 'session.php';
session_start();
if (isset($_SESSION['customer_id'])) {
    // Grab their session data
    echo 'We have a customer id<br>';
    $customer_id = $_SESSION["customer_id"];
    $first_name  = $_SESSION["first_name"];
    $last_name   = $_SESSION["last_name"];
    $price_level = $_SESSION["price_level"];
    $sales_rep   = $_SESSION["sales_rep"];
    echo 'Customer id is '.$customer_id.'<br>';
    echo 'first_name is '.$first_name.'<br>';
    echo 'last_name is '.$last_name.'<br>';
    echo 'Price Level (NEVER SHOW THEM THIS) '.$price_level.'<br>';
} else {
    echo 'Not a logged in person<br>';
}
?>
```

You should print out $_SESSION to confirm what is actually in there:

```php
var_dump($_SESSION);
```

By any chance, the customer_id number isn't 0, is it? That would evaluate to a falsey statement. Also, what do you get here before the header redirect?

```php
// This debug line makes sure the session array has all areas filled
echo "Your name is ".$_SESSION['first_name']." ".$_SESSION['last_name']."<br>(and the peronalized Level is ".$_SESSION['price_level'].")";
header('Location: index-in.php');
```

> You should print out $_SESSION to confirm what is actually in there:
>
> var_dump($_SESSION);
>
> By any chance, the customer_id number isn't 0, is it? That would evaluate to a falsey statement. Also, what do you get here before the header redirect?
>
> // This debug line makes sure the session array has all areas filled
> echo "Your name is ".$_SESSION['first_name']." ".$_SESSION['last_name']."<br>(and the peronalized Level is ".$_SESSION['price_level'].")";
> header('Location: index-in.php');

That is a neat trick. If I put the var_dump before the header the code looks like this. This means I can't use the header, but I can see the session array successfully filled.

```php
session_start();
$_SESSION['customer_id'] = $customer_id;
$_SESSION['first_name']  = $first_name;
$_SESSION['last_name']   = $last_name;
$_SESSION['price_level'] = $price_level;
$_SESSION['sales_rep']   = $sales_rep;
var_dump($_SESSION);
//header('Location: index-in.php');
?>
```

It successfully displays the customer session according to the customer number I enter. This is one, for example. I'm not giving the name, of course.

```
array(6) {
  [1]=> int(1)
  ["customer_id"]=> string(19) "8000004C-1325619329"
  ["first_name"]=> string(6) "Dakka"
  ["last_name"]=> string(5) "Moredakka"
  ["price_level"]=> NULL
  ["sales_rep"]=> string(2) "OM"
}
```

But if I uncomment the header and use this, the session array becomes blank.

```php
<?php
include 'session.php';
session_start();
var_dump($_SESSION);
if (isset($_SESSION['customer_id'])) {
    // Grab their session data
    echo 'We have a customer id<br>';
    $customer_id = $_SESSION["customer_id"];
    $first_name  = $_SESSION["first_name"];
    $last_name   = $_SESSION["last_name"];
    $price_level = $_SESSION["price_level"];
    $sales_rep   = $_SESSION["sales_rep"];
    echo 'Customer id is '.$customer_id.'<br>';
    echo 'first_name is '.$first_name.'<br>';
    echo 'last_name is '.$last_name.'<br>';
    echo 'Price Level (NEVER SHOW THEM THIS) '.$price_level.'<br>';
} else {
    echo 'Not a logged in person<br>';
}
```

The var_dump says this, and the debug line says nobody is logged in:

```
array(1) { [1]=> int(1) }
Not a logged in person
```

Guest So Called

What's in session.php? Also, just wondering, why not move session_start() to above the line with the include file? If for no other reason than just to see if it changes anything.


session.php is a script from here: http://w3schools.invisionzone.com/index.php?showtopic=9731 I made the appropriate database for it, and I moved session_start but that didn't have an effect. It looks like this.

```php
<?php
session_start();
include 'session.php';

var_dump($_SESSION);
if (isset($_SESSION['customer_id'])) {
    // Grab their session data
    $customer_id = $_SESSION["customer_id"];
    $first_name  = $_SESSION["first_name"];
    $last_name   = $_SESSION["last_name"];
    $price_level = $_SESSION["price_level"];
    $sales_rep   = $_SESSION["sales_rep"];
} else {
    echo 'Not a logged in person<br>';
}
?>
```

Guest So Called

Oh, okay. I've been using the default session stuff that comes with PHP. This topic is probably over my skill level. Good luck!


> Oh, okay. I've been using the default session stuff that comes with PHP. This topic is probably over my skill level. Good luck!

...removing this include solved my problems! Still, this makes me uncomfortable. What are the security limitations of using the default? I would love nothing more than for the provided script to work, but I have to move forward.

Guest So Called

You're on a shared hosting service, right? Probably a typical LAMP setup? There are experts here and I don't consider myself one of them. I think in the standard shared hosting setup it might be possible for other sites on the same server, owned by malicious people, to hijack a session from you, since I understand everybody uses a shared cache to track all the server's sessions. I presume your script is intended to move your session cache to an area that none of the other users of your server have access to. In my case I'm using sessions only for a contact form, so I'm not concerned if my contact form gets hijacked. It wouldn't be worth anybody's trouble, and my form gets used so infrequently that somebody would probably have to try for years to find a session they could hijack. Depending on how sensitive your site information is, you might not want to share your session cache (or store, or whatever it's called) with other sites, and you may need to take extra precautions. If yours is a commercial site with financial transactions then you probably should look into it further. As I said, I'm not knowledgeable in this subject, and I hope one of the experts will elaborate on what I've said and can correct any errors on my part.


Guest So Called

I've been reading up more on the source code:

> Here is some code you can include to implement custom session save handlers. These functions will store all of your sessions in a MySQL database instead of the default temporary files. Storing the sessions in a database makes it easy to determine the number of users that are currently on the site. The code includes all of the session handling functions, plus a function to get the number of users active within a certain number of minutes.

That's very nice code JMG (although I didn't read it in detail). I would just add that your code achieves a number of benefits besides the one(s) you named. Particularly, I know there is a potential problem of session hijacking on shared hosting servers, and I believe your code solves that issue too--by placing the session data on a MySQL server instead of having it in files that may be vulnerable to other websites sharing your server. The MySQL table of course is secure in that other sites would not have access to your MySQL username/password, so they can't steal your database data. I'm pretty sure that shared hosting customers cannot snoop packets from the front end (Linux/Apache/PHP) server to the back end (MySQL) server. So Dakka, depending on how sensitive your site is, you might want to pursue this solution or pursue a different solution that moves your session cache to an area that others on your shared server do not have access to. I'm pretty sure there are other solutions that involve mostly just moving the files to a non-public area. I'll be really interested in reading what the experts have to say on this topic. (In this area I'm just a novice.)
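As an added example (not JMG's session.php from the linked thread, which this page does not reproduce), this is the shape of a MySQL-backed custom save handler built on SessionHandlerInterface and PDO, including the active-user count the quoted description mentions; the sessions table, DSN and credentials are assumed.

```php
<?php
// Added example: a PDO-backed session save handler. Assumed table:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL,
//                          last_activity INT UNSIGNED NOT NULL);
class PdoSessionHandler implements SessionHandlerInterface
{
    private $pdo;

    public function __construct(PDO $pdo) { $this->pdo = $pdo; }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }

    public function read($id)
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;   // PHP expects a string, even when empty
    }

    public function write($id, $data)
    {
        // Upsert keyed on the session id; last_activity feeds gc() and the user count.
        $stmt = $this->pdo->prepare('INSERT INTO sessions (id, data, last_activity)
            VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE data = VALUES(data),
            last_activity = VALUES(last_activity)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy($id)
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc($maxlifetime)
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE last_activity < ?')
                         ->execute([time() - $maxlifetime]);
    }

    // Sessions touched within the last $minutes: the "users on the site" figure.
    public function activeUsers($minutes)
    {
        $stmt = $this->pdo->prepare('SELECT COUNT(*) FROM sessions WHERE last_activity >= ?');
        $stmt->execute([time() - $minutes * 60]);
        return (int) $stmt->fetchColumn();
    }
}

// Assumed DSN and credentials. ERRMODE_EXCEPTION: a failing handler is not silently ignored.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new PdoSessionHandler($pdo), true);   // register the handler first,
session_start();                                               // then start the session
```

Because the handler is registered before session_start(), a second session_start() elsewhere in the page is unnecessary; the ordering problem discussed in this thread is exactly that.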

> session_start(); include 'session.php';

Now, why are you trying to start the session before including the custom session handling code? That include file contains session_start; the only thing you need to do is include the file. It will start the session after it defines the custom handlers. I wrote that in the thread, in the "how to use it" part.

> Still, this makes me uncomfortable. What are the security limitations using the default? I would love thing more than the provided script to work, but I have to move forward.

The custom session handlers aren't really for security; they don't add security to the existing session handling mechanisms. You can add IP address checking if you want to do that as well.

> Particuarly, I know there is a potential problem of session hijacking on shared hosting servers

I would say that's really only a problem if the server is set up incorrectly. If a professional set the thing up then the default file handling should be secure enough. I can't really say what percentage of hosts or which hosts in particular have good or bad security practices though. Anyway, on the topic of session security in general there's a lot of information about that online. http://www.google.com/search?client=opera&rls=en&q=php+session+security&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

Guest So Called

Ah, I see the problem now. It's an RTFM problem. :) It will be interesting to see if the OP fixes it by deleting the start_session() line. So what actually is the file good for? It seems to me that there are lots of easier ways to determine how many users are "on the site." Is that all it does, or what else does it do?


That's really all that that particular script does, the counting of users was an example of why you may want to do this. You could also run statistics on active sessions though, if that's your thing. Storing and checking the user's IP address or user agent string could also be added. That code is pretty old though, it uses the old mysql extension and doesn't have any error checking (although I purposely had it suppress error messages so that the server wouldn't output errors if you're trying to start a session, but it would probably be a good idea for the sake of debugging). And, like you mentioned, on questionable servers it may improve session security.
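An added example, not code from this thread, of a login and protected-page check that applies the points raised in these replies: a prepared statement for the customer lookup, a regenerated session id on login, hardened cookie flags, a user agent consistency check, and exit after the redirect. The password_hash column, table name and database credentials are assumptions.

```php
<?php
// Added example, not the thread's code: login by customer id plus an assumed
// password_hash column, then the check a protected page (index-in.php) performs.
session_set_cookie_params([
    'lifetime' => 0,       // cookie lasts for the browser session only
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_start();

function login(PDO $pdo, $customerId, $password)
{
    // Prepared statement: the POSTed value is bound, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT customer_id, password_hash, first_name, last_name,
                           price_level FROM customers WHERE customer_id = ?');
    $stmt->execute([$customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;      // one answer for unknown id and for wrong password
    }
    session_regenerate_id(true);   // fresh id on login, old one deleted
    $_SESSION = [                  // replace, not merge, whatever was there before
        'customer_id' => $row['customer_id'],
        'first_name'  => $row['first_name'],
        'last_name'   => $row['last_name'],
        'price_level' => $row['price_level'],   // stays server-side, never echoed
        'ua_hash'     => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
    return true;
}

// On a protected page, after session_start(): the logged-in customer, or null.
function currentCustomer()
{
    if (!isset($_SESSION['customer_id'], $_SESSION['ua_hash'])) {
        return null;
    }
    // A user agent that changed mid-session hints the id is being reused elsewhere.
    if (hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '') !== $_SESSION['ua_hash']) {
        session_unset();
        session_destroy();
        return null;
    }
    return $_SESSION;
}
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);   // assumed credentials
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && login($pdo, trim($_POST['customer_id'] ?? ''), $_POST['password'] ?? '')) {
    header('Location: index-in.php');
    exit;   // without exit the rest of the page still runs after the redirect header
}
```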


Guest So Called

What I particularly liked about your code was the use of indentation to improve readability. I hardly ever get to see that (except in my own code). From what I see posted here in the forum I wonder if anybody uses indentation. It would be refreshing if more people used indentation, and if forum members posting code could use the CODE tags. (Or even ask a coherent question in the OP and use a meaningful topic title... but I digress... again...) Here's an interesting article I read a few weeks ago; in my own way I was barfing up some of the information I learned there (although probably I didn't do a very good job of it). http://phpsec.org/projects/guide/4.html It's a really good website with lots of very useful and important information for PHP developers. I've read several of the articles there and I plan on reading many more in the future.


Readability goes a long way and is one of the crucial things that is usually ignored. It is best to follow a particular coding standard. It reduces ambiguity and improves readability, maintenance, and later extension of code. Well commented, indented code won't look like a foreign language several months after you wrote it. http://www.google.co...QCXyhFw&cad=rja <= Zend coding standard https://pear.php.net...n/standards.php <= PEAR standard (mostly I follow it)
