TalkPHP

Source: http://www.talkphp.com/absolute-beginners/3771-understanding-session-id.html

oMIKEo 12-15-2008 10:18 PM

Understanding Session ID
 
Hi guys,

I am starting work on a large development with some pretty sensitive data so want to push to make the site as secure as possible. I have been reading a bit about security but am having a bit of trouble understanding how session_id works.

In the past my login script sets something like:

PHP Code:

$_SESSION['username'] = $username;
$_SESSION['userlevel'] = $userlevel;

And then on secure pages I use something like:

PHP Code:

session_start();

if (!isset($_SESSION['username']) || !isset($_SESSION['userlevel']))
{
    // Not logged in, redirect and stop rendering the page
    header("Location: login.php");
    exit;
}


Obviously there is a lot of other code on the login page to make that secure, but my problem is how do I use session_id to help check a user is permitted to view the page? Should I be storing the username/session_id in the database to refer back to on each page?

I'm sorry if this is an extremely stupid question,
Mike

9three 12-16-2008 02:47 PM

I always use HTTP_USER_AGENT and regenerate_id() on every page that is supposed to be secure.

You can put (mail) function under the echo if you really want to send an email whenever the session does not match the HTTP_USER_AGENT.

You can also use md5 to generate an encryption session.

All these little things help you stop session hijacking.
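A worked version of the two checks 9three describes, added here as an example (it is not code from this thread). It assumes the standard PHP session functions, keeps an md5 of the User-Agent in the session as a fingerprint, and uses the `$_SESSION['username']` / `$_SESSION['userlevel']` markers from Mike's first post.

```php
<?php
// Added example (not from this thread): bind the session to the browser's
// User-Agent and rotate the session id, the two checks 9three describes.

function secure_session_start()
{
    // Cookie-only, HttpOnly session cookie: the id never appears in a URL and
    // page scripts cannot read it, which removes two ways an id can leak.
    ini_set('session.use_only_cookies', 1);
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();

    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $fingerprint = md5($ua); // md5 used as a fingerprint, not as encryption

    if (!isset($_SESSION['fingerprint'])) {
        // First request in this session: remember which browser started it.
        $_SESSION['fingerprint'] = $fingerprint;
    } elseif ($_SESSION['fingerprint'] !== $fingerprint) {
        // A different browser presented this session id: discard the session
        // instead of letting that request act as the logged-in user.
        session_unset();
        session_destroy();
        // mail(...) to an admin could go here, as 9three mentions.
        header('Location: login.php');
        exit;
    }

    // New id on every secure page, so a copied id stops working quickly.
    session_regenerate_id(true);
}

// Call after the password check in login.php: rotate the id first so the
// authenticated session does not keep an id that existed before login.
function login_user($username, $userlevel)
{
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['userlevel'] = $userlevel;
}

// At the top of every secure page (the check from Mike's first post):
secure_session_start();
if (empty($_SESSION['username']) || empty($_SESSION['userlevel'])) {
    header('Location: login.php');
    exit;
}
```

The User-Agent check only catches an attacker using a different browser string; the id rotation and HttpOnly cookie are what limit the damage when an id does leak.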

thanhtung90 08-12-2009 09:57 AM

Thank you. But I can't get it working. Can you test these two files and help me? Login.php
PHP Code:

<?php
ob_start();
session_start(); // session_register() is deprecated; session_start() creates or resumes the session
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
    <title>Untitled 7</title>
</head>

<body>
    <?php
    /**
     * @author ThanhTung
     * @copyright 2009
     */
    //include("PhanTren.php");
    require("../KetNoi.php"); // database connection

    if (isset($_SESSION['QuanTri'])) {
        // already logged in
        header("Location: index.php");
        exit;
    }
    else {
        echo "session chua duoc";
    }
    ?>
    <form action="DangNhap.php" method="POST">
        <table border="1">
            <tr>
                <td>T&agrave;i khoản</td><td><input type="text" name="tk" /></td>
            </tr>
            <tr>
                <td>Mật khẩu</td><td><input type="password" name="mk" /></td>
            </tr>
            <tr>
                <td colspan="2"><input type="submit" value="Dang nhap" /><input type="button" value="Qu&ecirc;n mật khẩu" /></td>
            </tr>
        </table>
    </form>
<?php
    if (isset($_POST['tk']) && isset($_POST['mk'])) {
        $tk  = stripslashes($_POST['tk']);       // undo magic quotes
        $tk  = mysql_real_escape_string($tk);    // escape special characters for the query
        $mk1 = stripslashes($_POST['mk']);
        $mk1 = mysql_real_escape_string($mk1);
        //$mk1 = md5($mk1);

        if (strlen($tk) != 0 && strlen($mk1) != 0) {
            $sql = mysql_query("select * from quantri where TenTaiKhoan='$tk' and MatKhau='$mk1'") or die(mysql_error());
            if (mysql_num_rows($sql) == 1) {
                $qt = mysql_fetch_array($sql);
                $_SESSION['QuanTri'] = $qt['HoTen'];
                $_SESSION['login']   = true; // was tested below but never set
                //    session_register("QuanTri");
                //    setcookie('QuanTri', $layhang['TenTaiKhoan']);
                //$quaylai=$_SERVER['HTTP_REFERER'];
                if (isset($_SESSION['QuanTri']) && $_SESSION['login'] == true) {
                    header("Location: index.php");
                    exit;
                }
            }
            else {
                echo "error!";
            }
        }
    }
?>
</body>
</html>
<?php ob_end_flush(); ?>

index.php
PHP Code:

<?php
session_start();
// only a logged-in administrator may see this page
if (!isset($_SESSION['QuanTri'])) {
    header("Location: dangnhap.php");
    exit;
}
require("PhanTren.php");
/**
 * @author ThanhTung
 * @copyright 2009
 */
//$s=mysql_query("select * from quantri where TenTaiKhoan=".$_SESSION['QuanTri'], $kn);
// while ($b=mysql_fetch_array($s)){
?>
<div class="Bao">
    <div class="banner">
    </div>
    <div class="tab">
        <ul>
            <li>Cua hang</li>
            <li>Quan li</li>
                <ul>
                    <li><a href="phathanh.php">nha phat hanh</a></li>
                    <li><a href="sanpham.php">san pham</a></li>
                    <li><a href="tintuc.php">tin tuc</a></li>
                    <li><a href="phanhoi.php">phan hoi</a></li>
                    <li><a href="quantri.php">quan tri</a></li>
                </ul>
            <li>Thong ke</li>
                <ul>
                    <li><a href="thongkehoadon.php">hoa don</a></li>
                    <li><a href="thongkesanpham.php">san pham</a></li>
                    <li><a href="thongkePhatHanh.php">nha phat hanh</a></li>
                    <li><a href="thongkequantri.php">quan tri</a></li>
                </ul>
            <li>Khac </li>
                <ul>
                    <li><a href="quangcao.php">quang cao</a></li>
                    <li><a href="khuyenmai.php">khuyen mai</a></li>
                </ul>
            <li>Bao tri</li>
                <ul>
                    <li><a href="saoluu.php">sao luu</a></li>
                    <li><a href="phuchoi.php">phuc hoi</a></li>
                </ul>
            <li><a href="thoat.php">Thoat</a></li>
            <li><a href="dangnhap.php">dang nhap</a></li>
        </ul>
    </div>
    <div class="trai">
    </div>
</div>

I don't understand why I can't log in successfully.

9three 08-12-2009 02:22 PM

A simple search on php.net will show you why

session_register:

Quote:

This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

thanhtung90 08-13-2009 12:45 AM

Ha ha. Thank you very much ^^.
I hope you will support me with my many errors!
I program poorly.

thanhtung90 08-13-2009 08:18 AM

I want to ask you:
- If the login is successful (i.e. when the user logs in and checks "Remember account"), should I create a cookie at the same time?
- Why are HTTP_USER_AGENT and regenerate_id() secure? Can you explain it clearly?

