Understanding Session ID

oMIKEo · 12-15-2008, 10:18 PM

Hi guys,

I am starting work on a large development with some pretty sensitive data so want to push to make the site as secure as possible. I have been reading a bit about security but am having a bit of trouble understanding how session_id works.

In the past my login scripts sets something like:

PHP Code:


			
$_SESSION['username'] = $username;

$_SESSION['userlevel'] = $userlevel;

And then on secure pages i use something like:

PHP Code:


			
if(!$_SESSION['username'] || !$_SESSION['userlevel'])

{

    // Not logged in, redirect

    header("Location: login.php")

}

Obviously there is a lot of other code from the login page to make that secure but my problem is how do i use session_id to help check a user is permitted to view the page? Should i be storing the username/session_id in the database to refer back to on each page?

I'm sorry if this is an extremely stupid question,
Mike

9three · 12-16-2008, 02:47 PM

I always use HTTP_USER_AGENT and regenerate_id() on every page that is suppose to be secure.

You can put (mail) function under the echo if you really want to send an email whenever the session does not match the HTTP_USER_AGENT.

You can also use md5 to generate an encryption session

All these little stuff help you stop Session Hijacking.

thanhtung90 · 08-12-2009, 09:57 AM

Thank you. But i can't working with it. You can test two file help me. Login.php

PHP Code:


			
<?php 

 ob_start();

 session_register(); ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



<head>



    <title>Untitled 7</title>

</head>



<body>

    <?php

    /**

     * @author ThanhTung

     * @copyright 2009

     */

     //include("PhanTren.php");

     require("../KetNoi.php");

     if (isset($_SESSION['QuanTri'])){

         header("location:index.php");

     }

     else {

             echo "session chua duoc";

     }

    ?>

    <form action="DangNhap.php" method="POST">

        <table border="1">

            <tr>

                <td>T&agrave;i khoản</td><td><input type="text" name="tk" /></td>

            </tr> 

            <tr>

                <td>Mật khẩu</td><td><input type="text" name="mk" /></td>

            </tr> 

            

            <tr>

                <td colspan="2"><input type="submit" value="Dang nhap" /><input type="button" value="Qu&ecirc;n mật khẩu" /></td>

            </tr> 

        </table>

    </form>

<?php

$tk=$_POST[tk];

    $tk=stripslashes($tk); // process quocte

        $tk=mysql_real_escape_string($tk);// remove special character

$mk1=$_POST[mk];

    $mk1=stripslashes($mk1);

        $mk1=mysql_real_escape_string($mk1);

        //$mk1=md5($mk1);

        echo $tk;

        echo $mk1;

    if (strlen($tk)!=0 and strlen($mk1)!=0){

        $sql=mysql_query("select * from quantri where TenTaiKhoan='$tk' and MatKhau='$mk1'") or die (mysql_error());

        if (mysql_num_rows($sql)==1){

            while($qt=mysql_fetch_array($sql)){

            $_SESSION['QuanTri']=$qt['HoTen'];

            };

            echo $_SESSION['QuanTri'];

        //    session_register("QuanTri");

        //    setcookie('QuanTri', $layhang['TenTaiKhoan']);

        //$quaylai=$_SERVER['HTTP_REFERER'];

            if (isset($_SESSION['QuanTri'])&& $_SESSION['login']==true){

                header("Location:index.php");

            }

        }

        else{

            echo "error!";

        }

    }



?>

</body>

</html>

<?php     ob_end_flush();?>

index.php

PHP Code:


			
<?php session_start();

require("PhanTren.php");

/**

 * @author ThanhTung

 * @copyright 2009

 */

 //$s=mysql_query("select * from quantri where TenTaiKhoan=".$_SESSION['QuanTri'], $kn);

// while ($b=mysql_fetch_array($s)){

?>

<div class="Bao">

    <div class="banner">

    </div>

    <div class="tab">

        <ul>

            <li>Cua hang</li>

            <li>Quan li</li>

                <ul>

                    <li><a href="phathanh.php">nha phat hanh</a></li>

                    <li><a href="sanpham.php">san pham</a></li>

                    <li><a href="tintuc.php">tin tuc</a></li>

                    <li><a href="phanhoi.php">phan hoi</a></li>

                    <li><a href="quantri.php">quan tri</a></li>

                </ul>

            <li>Thong ke</li>

                <ul>

                    <li><a href="thongkehoadon.php">hoa don</a></li>

                    <li><a href="thongkesanpham.php">san pham</a></li>

                    <li><a href="thongkePhatHanh.php">nha phat hanh</a></li>

                    <li><a href="thongkequantri.php">quan tri</a></li>

                </ul>

            <li>Khac </li>

                <ul>

                    <li><a href="quangcao.php">quang cao</a></li>

                    <li><a href="khuyenmai.php">khuyen mai</a></li>

                </ul>

            <li>Bao tri</li>

                <ul>

                    <li><a href="saoluu.php">sao luu</a></li>

                    <li><a href="phuchoi.php">phuc hoi</a></li>

                </ul>

            <li><a href="thoat.php">Thoat</a></li>

            <li><a href="dangnhap.php">dang nhap</a></li>

        </ul>

    </div>

    <div class="trai">

    </div>

</div>

I don't understand why i can't login suscessfull.

9three · 08-12-2009, 02:22 PM

A simple search on php.net will show you why

session_register:

Quote:

This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

thanhtung90 · 08-13-2009, 12:45 AM

Ha ha. Thank you very much

.
I hope you will support me in very much error!
I programming poor.

thanhtung90 · 08-13-2009, 08:18 AM

I want ask you:
- If login sucessfful (i.e: when user login and check to "Remember account"), i will create 1 cookie same time?
- why HTTP_USER_AGENT and regenerate_id() secure. You can talk about it clearly.