Session Management
Posted: Wed Aug 07, 2002 3:12 am
by Takuma
I have created a login system which stores the username and password in the session. I installed 2 copies of this system on the same host, but using different databases. The trouble is that if a user is logged in to one system and visits the protected page of the other system, they can view the page...
Any ideas on this?
Posted: Wed Aug 07, 2002 3:19 am
by DesignerSMS
Idea 1:
You could store the host of the page in the session as well. At the top of each page you would then just test to see if the host in the session is the same as the REMOTE_HOST server variable.
If the site is related to the path as well, you could use the dirname(...) of the PHP_SELF variable as well in the session/check.
Idea 2:
At the top of each page that you want secured you could test to see if the user should be able to log into this page with their username and password.
This would be something like:
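// Open a persistent connection and select the database.
$cn = mysql_pconnect();
mysql_select_db("user");
// Escape the session values before placing them in the query string.
$username = mysql_real_escape_string($_SESSION['username'], $cn);
$password = mysql_real_escape_string($_SESSION['password'], $cn);
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$rs = mysql_query($sql, $cn);
if ($rs && mysql_num_rows($rs) > 0) {
    // Put your page code here.
}
else {
    // The user doesn't belong here. Redirect them somewhere else.
}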
I hope that you aren't storing the users' passwords in plain text, as this could be a large security flaw.
Anyway, hope this helps.
:: Kondro ::
Posted: Wed Aug 07, 2002 4:23 am
by daemorhedron
You could also look into session_name() and session_set_cookie() to help distinguish your sessions from site to site.
HTH.
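One way to combine the suggestions above, as an added example that is not code from any poster in this thread: each installed copy gets its own session cookie name and path, and also records an application marker in the session that every protected page checks. The constants `APP_ID`, `APP_PATH` and `SESSION_TAG`, the `login.php` target, and storing a user id in the session are assumptions for illustration; the array form of `session_set_cookie_params()` needs PHP 7.3 or later, and `secure` assumes the site is served over HTTPS.

```php
<?php
// Added example. These three values are hypothetical; set a different
// set in each installed copy of the login system.
const APP_ID      = 'copy_a';       // marker stored in the session at login
const APP_PATH    = '/copy_a/';     // URL path this copy is served from
const SESSION_TAG = 'COPYASESSID';  // session cookie name (letters and digits)

function start_app_session(): void
{
    // A distinct cookie name and path stop the browser from sending this
    // copy's session cookie to the other copy on the same host.
    session_name(SESSION_TAG);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => APP_PATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void
{
    // Call only after the credentials were verified against THIS copy's database.
    session_regenerate_id(true);      // new session id at the privilege change
    $_SESSION['app_id']  = APP_ID;
    $_SESSION['user_id'] = $userId;
}

function require_login(): int
{
    // Both copies normally share one session save path, so a session id
    // issued by the other copy still loads its data here. The marker
    // check is what rejects it; the cookie settings alone do not.
    $ok = isset($_SESSION['app_id'], $_SESSION['user_id'])
        && hash_equals(APP_ID, (string) $_SESSION['app_id']);
    if (!$ok) {
        header('Location: ' . APP_PATH . 'login.php');
        exit;                         // stop so the protected page never renders
    }
    return (int) $_SESSION['user_id'];
}
```

Each protected page calls `start_app_session()` and then `require_login()` before producing any output.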
Posted: Wed Aug 07, 2002 8:34 am
by darkshine
Yes... but I suppose it could be easy to redirect your test by a header if true... isn't it?
Thanks guys :D
Posted: Wed Aug 07, 2002 10:00 am
by Takuma
Thanks for the tip.
P.S. Don't worry, I am not storing the password as plain text in the sessions! It's encrypted! ;D