Session Management

Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Session Management

Post by Takuma »

I have created a login system which stores the username and password in the session. I installed two copies of this system on the same host but using different databases. The trouble is that if a user is logged in to one system and visits the protected page of the other system, they can view the page...
Any ideas on this?
DesignerSMS
Forum Newbie
Posts: 17
Joined: Tue Aug 06, 2002 12:16 am
Location: Gold Coast, Australia

Post by DesignerSMS »

Idea 1:

You could store the host of the page in the session as well. At the top of each page you would then just test to see if the host in the session is the same as the REMOTE_HOST server variable.

If the site is related to the path as well, you could use the dirname(...) of the PHP_SELF variable as well in the session/check.

Idea 2:

At the top of each page that you want secured you could test to see if the user should be able to log into this page with their username and password.

This would be something like:

Code:

// Open a persistent connection and select the database holding the user table.
$cn = mysql_pconnect();
mysql_select_db("user");
// Re-check the credentials held in the session against this site's own database.
$sql = "SELECT * FROM user WHERE username = '{$_SESSION['username']}' AND password = '{$_SESSION['password']}'";
$rs = mysql_query($sql, $cn);
if ($rs && mysql_num_rows($rs) > 0) {
  // Put your page code here.
}
else {
  // The user doesn't belong here. Redirect them somewhere else.
}

I hope that you aren't storing the users' passwords in plain text as this could be a large security flaw.

Anyway, hope this helps.

:: Kondro ::
daemorhedron
Forum Commoner
Posts: 52
Joined: Tue Jul 23, 2002 11:03 am

Post by daemorhedron »

You could also look into session_name() and session_set_cookie() to help distinguish your sessions from site to site.

HTH.
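
The two suggestions above (binding the session to the site, and giving each site its own session name and cookie scope) combined in an added example that is not code from any poster in this thread. It uses PHP's session_name() and session_set_cookie_params(), and assumes PHP 7.3+, HTTPS, and the hypothetical names APP_ID, APP_PATH, login.php and the session keys 'app' and 'user_id'.

```php
<?php
// Added example: per-installation session isolation on a shared host.
// APP_ID, APP_PATH, login.php and the session keys are assumed names.
const APP_ID   = 'site_a';    // unique per installation
const APP_PATH = '/site_a/';  // URL path this installation is served from

function start_app_session(): void
{
    // A distinct cookie name and path keep the browser from presenting
    // one installation's session ID to the other installation.
    session_name('SESS_' . APP_ID);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => APP_PATH,
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void
{
    session_regenerate_id(true);     // fresh session ID after authentication
    $_SESSION['app']     = APP_ID;   // bind the session to this installation
    $_SESSION['user_id'] = $userId;  // store an identifier, not the password
}

function require_login(): int
{
    // Both installations may share one session save path on the host, so
    // this server-side check is what enforces the boundary between them.
    if (($_SESSION['app'] ?? null) !== APP_ID || !isset($_SESSION['user_id'])) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . APP_PATH . 'login.php');
        exit;  // stop here so the protected page body never runs
    }
    return (int) $_SESSION['user_id'];
}

// Top of every protected page:
start_app_session();
$userId = require_login();
// Protected page content follows.
```

Each installation gets its own APP_ID and APP_PATH; log_in() is called once from the login handler after the credentials have been verified against that installation's database.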
darkshine
Forum Newbie
Posts: 15
Joined: Wed Aug 07, 2002 4:15 am
Location: paris, france

Post by darkshine »

Yes... but I suppose it could be easy to redirect your test by a header if true... isn't it?
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Thanks Guys:D

Post by Takuma »

Thanks for the tip.

P.S Don't worry I am not storing the password as plain text in the sessions! It's encrypted! ;D