Problem with session_start(); any help?
Hi there,
It's my first post, and I have one question about sessions...
So, I created a little forum with simple MySQL authentication, and I use
session_start();
$_SESSION["nick"] = $nick;
so to access the variable $nick in other pages I have to do:
session_start();
$nick = $_SESSION["nick"];
OK, everything is fine. Now I have created another page, about other things, which has no relation to the forum, but I use the same system with session_start.
So what happens?
I log in with the nick duk in the forum, $_SESSION registers the variable $nick, and if I then visit my other page, that page tells me I'm logged in with the nick duk, because it accesses the same variable $nick through $_SESSION. So I'm logged in to my page with a user that doesn't exist, and with this conflict I was able to post a message in my forum with a user that doesn't exist in my MySQL database...
Does anyone know how to resolve this situation?
Sorry for my English.
Regards,
duk
- launchcode
- Forum Contributor
- Posts: 401
- Joined: Tue May 11, 2004 7:32 pm
- Location: UK
- Contact:
ow..
The problem is not the code, the problem is this!!
If you have an Apache server with PHP, and you create some simple code that uses session_start(); to register some variables as global...
and if you have some code like this:
Code:
<?php
// Any script on the same server can put a value into the shared session
session_start();
$nick = "me";
$_SESSION["nick"] = $nick;
echo "ok, now you can jump to other page";
?>
OK, if you run this page and then use the same IE window to jump to my page... here is my function to authenticate:
Code:
<?php
// Checks the submitted credentials against the membros table and, on
// success, stores the member's details in the session.
function login($email, $password)
{
    mysql_connect("localhost", "user", "pwd") or die("problemas de ligação á base de dados");
    // Escape the submitted value before it goes into the query string
    $password = mysql_real_escape_string($password);
    $comando = "select email,id,nick,valido,autenti from membros where passwd='$password'";
    if ($comando)
    {
        $executa_comando = mysql_db_query("ptcup", $comando);
        $registo = mysql_fetch_row($executa_comando);
        $email_db = $registo[0];
        $id_membro = $registo[1];
        $nick = $registo[2];
        $valido = $registo[3];
        $autenti = $registo[4];
        // 'S' must be a quoted string, not a bare constant
        if (($email) == ($email_db) && ($valido) == 'S')
        {
            session_start();
            $_SESSION["id_membro"] = $id_membro;
            $_SESSION["nick"] = $nick;
            $_SESSION["autenti"] = $autenti;
            $nick_sql = mysql_real_escape_string($nick);
            $comando2 = "select id_clan from membros where nick='$nick_sql'";
            // Run the second query ($comando2), not the first one again
            $executa_comando2 = mysql_db_query("ptcup", $comando2);
            $registo2 = mysql_fetch_row($executa_comando2);
            $id_clan = $registo2[0];
            if ($id_clan != 0)
            {
                // The session was already started above
                $_SESSION["id_clan"] = $id_clan;
            }
            you_in($nick, $id_membro);
            mysql_close();
        } else {
            autenticacao_falhou();
            mysql_close();
        }
    } else {
        autenticacao_falhou();
        mysql_close();
    }
}
?>
and I use this to choose which function will run:
Code:
<?php
$email = $_POST["email"];
$password = $_POST["password"];
session_start();
// Values read back from the session
$nick = $_SESSION["nick"];
$id_membro = $_SESSION["id_membro"];
if ($nick)
{
    // A nick in the session is treated as "already logged in"
    you_in($nick, $id_membro);
} elseif (($email) && ($password)) {
    login($email, $password);
} else {
    mostra_pagina();
}
?>
Last edited by duk on Thu May 20, 2004 5:53 am, edited 1 time in total.
- launchcode
- Forum Contributor
- Posts: 401
- Joined: Tue May 11, 2004 7:32 pm
- Location: UK
- Contact:
You are always logged in because all your code does is check to see if the variable $nick isn't false - it will never be false, because 2 lines above you set it to the value of $_SESSION["nick"] - and even if this is empty it will still set $nick to be an empty string value.
You should be using single quotes: $_SESSION['nick'] btw.
No, sorry, look at it with more attention...
I put $nick = $_SESSION["nick"];
because in my authentication function I set $_SESSION["nick"].
About the code, I don't have any problem there. Try to understand: I just want a way to prevent some user on another page, with some code, from getting into my page logged in... so
I'm thinking of using session_id();
If you put on your server a page with the first code I demonstrated... and if you initialize the same variable $nick with session_start(); and then go to my server, it checks whether session_start is true, and if it is true I will get the variable $nick...
But session_start works like that, so if I use this simple way we have problems, and I need to use another way to prevent this from happening.
- launchcode
- Forum Contributor
- Posts: 401
- Joined: Tue May 11, 2004 7:32 pm
- Location: UK
- Contact:
Could you not just use two different session values? One for the forum and one for the rest of the site?
Or even better - don't rely on sessions at all really - just issue a session value which could be their user ID (or something like this, depending how secure you want to be) and then validate their login and extract their nick on every page.
There are numerous ways to handle this though.
Yes, you're right.. I have a lot of ways to resolve this situation, and I have some ideas...
About what you said, changing the session in the forum and in the page: I will have the same problem anyway...
My idea is to use, in the authentication, a method that makes it a unique authentication...
I need to think of an easy way so I don't have to write all the code in all pages...
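One way to apply launchcode's two suggestions (a session that is separate for the forum, and a stored member ID that is re-validated on every page) from a single include file. This is an added example, not code from the thread: it uses PDO and password_hash() instead of the mysql_* calls above, the table and column names are taken from duk's query, and the file name auth.php, APP_KEY, the PTCUPFORUM cookie name and the demo account are assumptions.

```php
<?php
// auth.php (hypothetical name): include at the top of every forum page.
// Table/column names follow the thread; APP_KEY and the cookie name are assumed.
const APP_KEY = 'ptcup_forum';
function start_app_session(): void
{
    session_name('PTCUPFORUM');    // own cookie, not shared with other scripts on the host
    session_start();
}

// Member row for this request, or null when the session holds no valid forum login.
function current_member(PDO $db): ?array
{
    $id = $_SESSION[APP_KEY]['id_membro'] ?? null;
    if (!is_int($id)) {
        return null;               // e.g. only $_SESSION['nick'] was set by another page
    }
    $st = $db->prepare("SELECT id, nick FROM membros WHERE id = ? AND valido = 'S'");
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        unset($_SESSION[APP_KEY]);  // stored ID no longer matches a valid member
        return null;
    }
    return $row;
}

function login(PDO $db, string $email, string $password): bool
{
    $st = $db->prepare("SELECT id, passwd FROM membros WHERE email = ? AND valido = 'S'");
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Assumption: passwd holds a password_hash() value, not the plain password.
    if ($row === false || !password_verify($password, $row['passwd'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION[APP_KEY] = ['id_membro' => (int) $row['id']];
    return true;
}

// Constructed demo for the php CLI (needs pdo_sqlite): one member, in memory.
start_app_session();
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE membros (id INTEGER PRIMARY KEY, email TEXT, nick TEXT, passwd TEXT, valido TEXT)");
$db->prepare("INSERT INTO membros (email, nick, passwd, valido) VALUES (?, ?, ?, 'S')")
   ->execute(['duk@example.test', 'duk', password_hash('constructed-pw', PASSWORD_DEFAULT)]);
$_SESSION['nick'] = 'me';           // what the unrelated page in the thread sets
var_dump(current_member($db), login($db, 'duk@example.test', 'constructed-pw'), current_member($db));
```

Each forum page then calls start_app_session() and current_member($db) instead of testing $_SESSION["nick"] directly, so the check lives in one place.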