Problem with session_start(); any help??
Posted: Wed May 19, 2004 8:45 am
by duk
Hi there,
It's my first post, so I have one question about sessions...
So, I created a little forum with simple MySQL authentication, but I use
session_start();
$_SESSION["nick"] = $nick;
so to access the variable $nick in other pages I have to do:
session_start();
$nick = $_SESSION["nick"];
OK, everything is OK. Now I have created another page, about other things, that does not have any relation with the forum, but I use the same system with session_start.
OK, what happens?
I log in with nick duk in the forum, the $_SESSION registers the variable $nick, and if I want to visit my other page, this other page tells me I'm logged in with the nick duk because this page accesses the same variable $nick with $_SESSION, so I'm logged in to my page with a user that doesn't exist. With this conflict I was able to post a msg in my forum with a user that doesn't exist in my MySQL database...
Does someone know how to resolve this situation???
Sorry for my English.
Regards
duk
Posted: Wed May 19, 2004 10:51 am
by duk
Maybe try to use PHPSESSID??? Any idea?
Posted: Wed May 19, 2004 1:48 pm
by launchcode
Post some of your code (SOME of it.. not all of it!) because it's a bit hard to see what you're actually doing right now.
Posted: Wed May 19, 2004 5:07 pm
by tim
Other than the other errors in your code you failed to post,
mysql_num_rows is a powerful function to see if a username is in fact in existence.
Posted: Thu May 20, 2004 3:31 am
by duk
Ow..
The problem is not the code, the problem is this!!
If you have an Apache server with PHP, and if you create some simple code that uses session_start(); to register some variables as global...
and if you have some code like this:
<?php
session_start();
$nick = "me";
$_SESSION["nick"] = $nick;
echo "ok, now you can jump to other page";
?>
OK, if you run this page, and then you use the same window of IE to jump to my page... here is my function to authenticate:
<?php
function login($email, $password)
{
    mysql_connect("localhost", "user", "pwd") or die("problemas de ligação á base de dados");
    // escape user input before placing it inside the query
    $password_sql = mysql_real_escape_string($password);
    $comando = "select email,id,nick,valido,autenti from membros where passwd='$password_sql'";
    if ($comando)
    {
        $executa_comando = mysql_db_query("ptcup", $comando);
        $registo = mysql_fetch_row($executa_comando);
        $email_db = $registo[0];
        $id_membro = $registo[1];
        $nick = $registo[2];
        $valido = $registo[3];
        $autenti = $registo[4];
        // 'S' must be a quoted string, not a bare constant
        if (($email) == ($email_db) && ($valido) == 'S')
        {
            session_start();
            $_SESSION["id_membro"] = $id_membro;
            $_SESSION["nick"] = $nick;
            $_SESSION["autenti"] = $autenti;
            $nick_sql = mysql_real_escape_string($nick);
            $comando2 = "select id_clan from membros where nick='$nick_sql'";
            // run the second query ($comando2), not the first one again
            $executa_comando2 = mysql_db_query("ptcup", $comando2);
            $registo2 = mysql_fetch_row($executa_comando2);
            $id_clan = $registo2[0];
            if ($id_clan != 0)
            {
                // the session is already started above; no second session_start() needed
                $_SESSION["id_clan"] = $id_clan;
            }
            you_in($nick, $id_membro);
            mysql_close();
        } else {
            autenticacao_falhou();
            mysql_close();
        }
    } else {
        autenticacao_falhou();
        mysql_close();
    }
}
?>
So, I use
$_SESSION["nick"] = $nick
and I use this to choose which function will work:
<?php
$email = $_POST["email"];
$password = $_POST["password"];
session_start();
$nick = $_SESSION["nick"];
$id_membro = $_SESSION["id_membro"];
if ($nick)
{
you_in($nick,$id_membro);
} elseif (($email) && ($password)) {
login($email,$password);
} else {
mostra_pagina();
}
?>
So if you read all of this you understand that the variable from the first code will be in my you_in(); function... and you are a user that doesn't exist..
Posted: Thu May 20, 2004 3:45 am
by launchcode
You are always logged in because all your code does is check to see if the variable $nick isn't false - it will never be false, because 2 lines above you set it to the value of $_SESSION["nick"] - and even if this is empty it will still set $nick to be an empty string value.
You should be using single quotes: $_SESSION['nick'] btw.
Posted: Thu May 20, 2004 3:56 am
by duk
No, sorry, look with more attention...
I put $nick = $_SESSION["nick"];
because in my function with authentication I set the $_SESSION["nick"]
About the code, I don't have any problem here. Try to understand, I just want a way to prevent that some user on another page with some code gets into my page logged in... so
I'm thinking of using session_id();
If you put on your server a page with the first code I demonstrated... and if you initialize the same variable $nick with session_start(); and if you go to my server, it checks that session_start is true, and if it is true I will get the variable $nick...
But session_start works like that, so if I use this simple way we have problems, so I need to use another way to prevent this from happening.
Posted: Thu May 20, 2004 4:09 am
by launchcode
You never posted your you_in function, so it was impossible to tell what it did.
Let me get this straight - the only way you check to see if someone is logged in is to see if a session *value* (nick) exists??
Posted: Thu May 20, 2004 4:26 am
by duk
Yes, but this var nick is true just after the user logs in to the system, so if the login is true I set the var nick with their nick, that is in the MySQL db...
Posted: Thu May 20, 2004 5:12 am
by launchcode
Could you not just use two different session values? One for the forum and one for the rest of the site?
Or even better - don't rely on sessions at all really - just issue a session value which could be their user ID (or something like this, depending how secure you want to be) and then validate their login and extract their nick on every page.
There are numerous ways to handle this though.
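One way to implement launchcode's two suggestions (a session that belongs to the forum alone, and storing only the user ID so every page re-validates it against the database instead of trusting a nick any other script on the host could have set). This is an added example, not code from the thread; it assumes a PDO connection to the thread's `membros` table, and the session name FORUMSESSID is a hypothetical choice:

```php
<?php
// Added example (not the poster's code). Assumes PDO and the thread's
// "membros" table; FORUMSESSID is a hypothetical session name.

// 1. Give the forum its own session name. Two applications on the same
//    host that both call session_start() with the default name share one
//    PHPSESSID cookie and one server-side $_SESSION, which is exactly how
//    the other page's $_SESSION["nick"] leaked into the forum.
function start_forum_session(): void
{
    session_name('FORUMSESSID');
    session_start();
}

// 2. At login, store only the member id and rotate the session id so an
//    id issued before authentication is not carried into the logged-in state.
function login_member(PDO $db, string $email, string $password): bool
{
    // The thread's schema compares the plain passwd column; a real
    // deployment stores a hash and checks it with password_verify().
    $stmt = $db->prepare(
        "SELECT id FROM membros WHERE email = ? AND passwd = ? AND valido = 'S'"
    );
    $stmt->execute([$email, $password]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['forum'] = ['id_membro' => (int) $id];
    return true;
}

// 3. On every page, look the stored id up again. A nick or id that no
//    longer matches a valid row is discarded rather than trusted.
function current_member(PDO $db): ?array
{
    $id = $_SESSION['forum']['id_membro'] ?? null;
    if (!is_int($id)) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT id, nick, autenti FROM membros WHERE id = ? AND valido = 'S'"
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        unset($_SESSION['forum']);
        return null;
    }
    return $row;
}
```

Each page calls start_forum_session() and then current_member($db); a null result means "show the login form", so the logged-in decision never depends on whether some session key merely exists.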
Posted: Thu May 20, 2004 5:47 am
by duk
Yes, you're right.. I have a lot of ways to resolve this situation, I have some ideas...
About what you say, to change the session in the forum and in the page, anyway I will have the same problem...
My idea is to use in the authentication a method to be a unique authentication...
I need to think of one easy way to not have to write all the code in all pages...