
$_SESSION passing issues.

Posted: Thu Jul 31, 2008 10:42 pm
by sHobbsWW
So here is the issue.

I have a login that connects to the dB, verifies the user and redirects.

Code:

<?php
    session_start();
    //connect to login dB
    include "dBALVConnect.php";
    //set vars from posts
    $postUserLogin = $_POST['user'];
    $postUserPass = $_POST['pass'];
    //look at what?
    $lookAtWhat = "SELECT * FROM userAccounts WHERE user_login ='$postUserLogin' AND user_pass RLIKE BINARY '$postUserPass'";
    //look at that!
    $looking = mysql_query($lookAtWhat) or die(mysql_error());
    //extract
    while ($row = mysql_fetch_array($looking)) {
        extract($row);
        $dBUserLogin = $user_login;
        $dBUserPassword = $user_pass;
        $dBUserAuthLevel = $user_authLevel;
        $dBUserRD = $user_redirect;
    }
    //set session
    if ($postUserLogin == $dBUserLogin and $postUserPass == $dBUserPassword){
        $_SESSION['userLogin'] = $dBUserLogin;
        $_SESSION['userAuthLevel'] = $dBUserAuthLevel;
    } else {
        //do nothing
    }
?>
^ As you can see at lines 21-26, if the inputted user name / password match the database, it then sets two $_SESSION values: their login and a user authorization level.

Once redirected (code not shown), the page double-checks their auth level. If approved, the page is displayed; if not, it resets the session values and stops processing. Shown here:

page2.php

Code:

    //session(s)
    session_start();
    //check auth
    if ($_SESSION['userAuthLevel'] == $authLAdmin ){
        //do nothing
    } else {
        //reset session vars and exit
        echo "You shouldn't be here!";
        $_SESSION['userLogin'] = "";
        $_SESSION['userAuthLevel'] = 0;
        exit();
    }

My issue is that it works 100% in I.E., but when using Safari or Firefox I keep getting the "You shouldn't be here!" echo.

Obviously that is because the userAuthLevel !== $authLAdmin.

But it does in I.E. ... *stabs brain with Q-tip*

Re: $_SESSION passing issues.

Posted: Fri Aug 01, 2008 12:16 am
by Amit Rathi
Incomplete script.

Check whether session_start() is called on every page you are redirecting to.

This may be the reason.

Re: $_SESSION passing issues.

Posted: Fri Aug 01, 2008 12:20 am
by Stryks
In page2.php, what is $authLAdmin?

How and where is it set?

Re: $_SESSION passing issues.

Posted: Sun Aug 10, 2008 8:09 pm
by sHobbsWW
I am sorry to respond so late to this post. Had some not-so-fun car accident issues.

Anyway, $authLAdmin can be found in a separate included .js (authLevels.php).

Here is the complete PHP of page2.php

Code:

<?php
    include "../../php/dBALVConnect.php";
    include "../../php/authLevels.php";
    include "../../php/userTools.php";
    
    //session(s)
    session_start();
    //check auth
    if ($_SESSION['userAuthLevel'] == $authLAdmin ){
        //do nothing
    } else {
        //reset session vars and exit
        echo "You shouldn't be here!";
        $_SESSION['userLogin'] = "";
        $_SESSION['userAuthLevel'] = 0;
        exit();
    }
?>
I apologize for having left it out in the first place.

Inside authLevels.php

Code:

<?php
    $authLAdmin = 1961;
?>
The practicality of this is 0. In my inexperienced mind I see it as a possible second method of making sure the right person is accessing this page. All it does is verify that what I manually inputted into the .js matches what is in the database. That way a person who shouldn't be on this page would have to change both if he wanted to access this page and stop the original admin from being able to access it.

In the end this is probably useless and adds more unneeded complication to the code.

Anyhow, that's where the variable is pulled from; they both match (the .js and the database).

So any ideas still why Safari / Firefox on Mac will not work when logging in but will on Windows?

Re: $_SESSION passing issues.

Posted: Mon Aug 11, 2008 1:58 am
by Stryks
Just a comment before moving on to your problem ... it really isn't advisable to store passwords in the database in plain text, or in any medium that can be converted easily to plain text.

My advice is to use ...

Code:

$postUserPass = md5($_POST['pass']);

// or even

$postUserPass = md5('secret_code' . md5($_POST['pass']));
... for both storing and checking the user's password.

This will avoid the need to get creative with your SQL.

Code:

$lookAtWhat = "SELECT * FROM userAccounts WHERE user_login ='$postUserLogin' AND user_pass = '$postUserPass'";
... will suffice.

Also, while we're at it ... *ALL* user input from *ANY* source ($_POST, $_GET or carrier pigeon) *MUST* be at least passed through mysql_real_escape_string() unless it is being hashed (md5).

So ...

Code:

$postUserLogin = mysql_real_escape_string($_POST['user']);
$postUserPass = md5('jones_is_ripleys_cat' . md5($_POST['pass']));
Last word on your query, try to only call the columns that you actually need. It's faster, and it's also a handy lookup for what column names are in the database.

For example ...

Code:

$lookAtWhat = "SELECT user_login, user_pass, user_authLevel, user_redirect FROM userAccounts etc .... '";
Now ... given that you have an authlevel setting in there, I have to assume you have a multi-tier authorization scheme in mind, where you have a 'user' and an 'admin' level, with the latter having access to all areas. This being the case, the only way a person could falsify their auth level is to have write access to your server's session files, and if they have that, then it's all over anyway because they can just search all session files until they find one with an unusual auth level and then set their own. You could help secure it somewhat by, say ... storing the timestamp of when the person logged in, and then hashing that time, a secret code, and their authlevel to produce a unique value for each user. The addition of the secret code should make it more difficult to replicate. But I wouldn't say impossible.

If you're worried about this kind of infiltration, perhaps database sessions might be a better solution?

Now ... I'm confused why you're referring to things being set in the .js?

Anyhow, you are either having an issue with your sessions not being transferred from page to page, or it's something as simple as the value being incorrect in the database, or you're not getting the data you expect from the database.

First things first, add this bit of code above your code as marked.

Code:

    echo "<pre>FOUND " . mysql_num_rows($looking) . " ROWS</pre>";
    print_r(mysql_fetch_assoc($looking));
    exit();
    // <----------------------------- insert the lines above before your existing code below
    //extract
    while ($row = mysql_fetch_array($looking)) {
        extract($row);
        $dBUserLogin = $user_login;
        $dBUserPassword = $user_pass;
        $dBUserAuthLevel = $user_authLevel;
        $dBUserRD = $user_redirect;
    }
Run that and post back what it displayed.
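The following is an added example, not code from the thread or from either poster. It is a hardened version of the login from the first post together with the page2.php check, written for a current PHP (7.x/8.x, so it uses APIs that did not exist in 2008): a prepared statement instead of interpolating $_POST into the SQL, password_hash()/password_verify() in place of plain-text comparison or the md5() suggested above (unsalted md5 is not a suitable password hash), session_regenerate_id() when the privilege level changes, and the stored auth level bound to a keyed HMAC, which is the "timestamp + secret code + authlevel" idea from the post above done with hash_hmac(). Assumed and not from the thread: $pdo is a PDO handle provided by dBALVConnect.php, a file secret.php defines APP_SESSION_KEY (a long random string kept outside the web root), and user_pass holds password_hash() output rather than the plain password. Table and column names are the thread's.

```php
<?php
// auth.php: added example (not the thread's code). Hardened login + auth check.
// Assumptions: $pdo (PDO) comes from dBALVConnect.php; secret.php defines
// APP_SESSION_KEY; user_pass stores password_hash() output.
declare(strict_types=1);

require __DIR__ . '/secret.php';   // assumed: define('APP_SESSION_KEY', '<long random string>');

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

/** Keyed tag over login, level and login time; only a holder of the key can mint one. */
function auth_tag(string $login, int $level, int $loginTime): string
{
    return hash_hmac('sha256', $login . '|' . $level . '|' . $loginTime, APP_SESSION_KEY);
}

/** Verify credentials; on success populate the session and return a local redirect path. */
function login(PDO $pdo, string $user, string $pass): ?string
{
    $stmt = $pdo->prepare(
        'SELECT user_login, user_pass, user_authLevel, user_redirect
           FROM userAccounts WHERE user_login = :u LIMIT 1'
    );
    $stmt->execute([':u' => $user]);          // bound parameter: no SQL injection
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so an
    // unknown account and a wrong password take about the same time.
    $hash = ($row !== false) ? (string) $row['user_pass']
                             : password_hash('dummy-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pass, $hash)) {
        return null;
    }

    $level = (int) $row['user_authLevel'];
    $now   = time();
    session_regenerate_id(true);               // new session id; old file deleted
    $_SESSION = [
        'userLogin'     => $row['user_login'],
        'userAuthLevel' => $level,
        'loginTime'     => $now,
        'authTag'       => auth_tag($row['user_login'], $level, $now),
    ];

    // Follow user_redirect only if it is a local path (no "http://..." or "//host").
    $target = (string) $row['user_redirect'];
    return (strlen($target) > 1 && $target[0] === '/' && $target[1] !== '/') ? $target : '/';
}

/** page2.php-style check: every field present, tag verifies, level matches. */
function has_level(int $required): bool
{
    foreach (['userLogin', 'userAuthLevel', 'loginTime', 'authTag'] as $k) {
        if (!isset($_SESSION[$k])) {
            return false;
        }
    }
    $expected = auth_tag((string) $_SESSION['userLogin'],
                         (int) $_SESSION['userAuthLevel'],
                         (int) $_SESSION['loginTime']);
    return hash_equals($expected, (string) $_SESSION['authTag'])   // constant-time compare
        && (int) $_SESSION['userAuthLevel'] === $required;
}

/** login.php: handle the posted form. */
function handle_login_post(PDO $pdo): void
{
    $target = login($pdo, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($target === null) {
        http_response_code(401);
        exit('Login failed.');
    }
    header('Location: ' . $target, true, 303);
    exit;
}
```

login.php would `require 'dBALVConnect.php'; require 'auth.php'; handle_login_post($pdo);`, and page2.php would `require 'auth.php'; require 'authLevels.php';` and then `if (!has_level($authLAdmin)) { /* deny */ }` in place of the `==` comparison. Two caveats that match the post above: the HMAC only raises the bar if APP_SESSION_KEY lives somewhere an attacker who can write session files cannot read, and it does nothing against someone who simply knows a valid admin password, so it is a second check, not a substitute for the first.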

Re: $_SESSION passing issues.

Posted: Mon Aug 11, 2008 5:37 am
by eskio
Instead of

Code:

$_SESSION['userLogin'] = "";
$_SESSION['userAuthLevel'] = 0;
use

Code:

unset($_SESSION['userLogin']);
unset($_SESSION['userAuthLevel']);
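As an added example (not code from the thread), here is the teardown a protected page or a logout handler would run when the check fails, going one step further than unset(): it clears every key, expires the browser's copy of the session id and deletes the server-side record. The cookie-expiry pattern is the one from the PHP manual's session_destroy() entry. It assumes a current PHP (7.x/8.x) and that page2.php's check stays as written in the thread.

```php
<?php
// session_teardown.php: added example, not the thread's code.
declare(strict_types=1);

/** Wipe session data, expire the client's session cookie and destroy the session record. */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                 // session_destroy() needs an active session
    }
    $_SESSION = [];                      // every key, not only the two the login set

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Same name/path/domain/flags as the original cookie, expiry in the past.
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                   // remove the stored session data
}

/** What page2.php's else-branch becomes: tear down, send 403, stop. */
function deny(): void
{
    end_session();
    http_response_code(403);
    exit("You shouldn't be here!");
}

/** logout.php: end the session and send the user back to the login form (path assumed). */
function logout(): void
{
    end_session();
    header('Location: /login.php', true, 303);
    exit;
}
```

In page2.php the `else` block that assigns `""` and `0` would simply call `deny();`. Assigning empty values leaves a live session behind whose id the browser still holds; destroying it means a later request must authenticate again rather than arrive with an empty but valid session.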