
Re: PHP Sessions Not working

Posted: Mon Oct 27, 2008 8:24 pm
by QuickSnail
Wow. Thank you for such a large post full of a lot of info. Thank you.

The IP changing is a good issue. I thought of it but didn't treat it as a great concern.
Do you have other suggestions on checks to run through, as far as the idea of the IP checker goes?

Re: PHP Sessions Not working

Posted: Tue Oct 28, 2008 12:42 am
by Stryks
You can generate some basic info about your user's system and use that to create a 'fingerprint' of their system. This 'fingerprint' is hardly unique, but it is static per user. So if a user is using IE 7 on his XP box, and he switches to Firefox, HTTP_USER_AGENT will change and so you force a re-login. Same if a user suddenly pops up with the same browser on a Mac, or Vista.

```php
<?php

session_start();

// USER LOGS IN: bind a fingerprint (secret + browser User-Agent + session ID)
// to the freshly authenticated session.
$_SESSION['fingerprint'] = md5('your_super_secret_code' . $_SERVER['HTTP_USER_AGENT'] . session_id());
?>
```
 
... and verify with ...

```php
<?php

session_start();

// Recompute the fingerprint from the current request and compare it with the
// one stored at login time. A missing fingerprint means no login has happened
// on this session at all.
$fingerprint = md5('your_super_secret_code' . $_SERVER['HTTP_USER_AGENT'] . session_id());
if (!isset($_SESSION['fingerprint']) || $_SESSION['fingerprint'] != $fingerprint) {
    // This user has a different fingerprint than was expected
    echo "You must log in again to continue";
}
?>
```
I'm sure I have an excellent link around here somewhere for an explanation of sessions and session security. I think I might have originally got that code from there actually. I'll have a hunt around and see if I can find it.

Cheers
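The fingerprint check from the post above, as an added example that is not the poster's code: the same formula wrapped in two functions so login and verification cannot drift apart, with the session ID regenerated at login and a constant-time comparison. FINGERPRINT_SECRET and the function names are assumptions for this example.

```php
<?php
// Added example (not the poster's code). Assumes FINGERPRINT_SECRET is replaced
// with a long random value from your config, and that the login script calls
// bind_session_fingerprint() right after the credentials have been accepted.

const FINGERPRINT_SECRET = 'replace-me-with-a-long-random-string'; // placeholder

// Same inputs as the original post: secret + User-Agent + current session ID.
// HTTP_USER_AGENT may be absent (CLI, unusual clients), so default to ''.
function compute_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', FINGERPRINT_SECRET . $ua . session_id());
}

// Call once, after a successful login. The ID is regenerated first so a
// session ID the browser held before authentication is never the one that
// gets bound. Because the fingerprint includes session_id(), it must be
// computed AFTER the regeneration, never before.
function bind_session_fingerprint(): void
{
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = compute_fingerprint();
}

// Call at the top of every protected page. Returns true when the stored
// fingerprint matches; on mismatch the session is wiped so it cannot keep
// being used, and the caller forces a fresh login.
function session_fingerprint_valid(): bool
{
    if (!isset($_SESSION['fingerprint'])) {
        return false; // nobody has logged in on this session
    }
    // hash_equals compares in constant time regardless of where they differ.
    if (hash_equals($_SESSION['fingerprint'], compute_fingerprint())) {
        return true;
    }
    $_SESSION = [];
    session_destroy();
    return false;
}

session_start();
if (!session_fingerprint_valid()) {
    echo "You must log in again to continue";
    exit;
}
```

Note that a User-Agent string is sent by the client, so this check only catches an attacker whose browser differs from the victim's; treat it as one layer alongside regenerating the ID and expiring idle sessions, not as proof of identity.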

Re: PHP Sessions Not working

Posted: Tue Oct 28, 2008 1:04 am
by Stryks
Here is the link I was thinking of.

An excellent read, but seriously, don't go browsing the site ... you may never get around to coding ever again. :P

Re: PHP Sessions Not working

Posted: Tue Oct 28, 2008 3:46 am
by papa
Stryks wrote: Here is the link I was thinking of.

An excellent read, but seriously, don't go browsing the site ... you may never get around to coding ever again. :P
Great article I must say!

Re: PHP Sessions Not working

Posted: Tue Oct 28, 2008 9:42 am
by QuickSnail
Great article, very informative.

It stated a very short comment about cookies and if a user doesn't accept cookies.
How might I go about logging a user in if cookies are not accepted? Should I prompt to allow cookies?

Re: PHP Sessions Not working

Posted: Wed Oct 29, 2008 7:44 am
by Stryks
I don't really know if I am the best one to answer you on that one to be honest. I usually just require cookies to be enabled and say so on my Terms Of Use page or note it elsewhere. It's standard practice that cookies be enabled, but I do know of some who don't allow them.

I believe that sessions just fail if the user does not have cookies enabled, as the script does not receive any session ID.

As for designing your site to work without cookies, I don't think it happens automatically like cookie based sessions do. Oh, wait .. the manual says ...
PHP is capable of transforming links transparently. Unless you are using PHP 4.2.0 or later, you need to enable it manually when building PHP. Under Unix, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.
What this means for later versions, I'm not sure. Perhaps it IS by default in later versions. I always thought that you had to specifically pass the session ID in the URL ... such as in the manual page example.

```php
<?php

session_start();

if (empty($_SESSION['count'])) {
    $_SESSION['count'] = 1;
} else {
    $_SESSION['count']++;
}
?>

<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>

<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>
```

Re: PHP Sessions Not working

Posted: Wed Oct 29, 2008 8:01 am
by Stryks
Just had a bit of a tinker with a simple sessions page with my cookies off, and as expected, it just fails to initialize the session.

Using the session ID method from the manual seems to work a treat.

To catch non-cookie users, you could have users redirected to a page (let's say post_login.php) after they have logged in successfully and their session data has been set. If they hit that page and they have no session ID, bounce them to a warning page saying they have not been logged in, possibly due to a cookie problem. Maybe give a few instructions on turning them back on. Then let them choose to either continue using a less secure method, or try again with cookies enabled.

Either way, they would have to log in again.

On the other hand, if they reach post_login.php and the session ID is fine, then bounce them back out to wherever you need them to go.

But seriously, I don't really see any problem with using sessions with cookies and taking as many of the countermeasures mentioned earlier to limit issues as your desired user experience will allow.

There is a risk in either case, but I'd rather have my session IDs in a cookie than in every URL.

Cheers
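The post_login.php flow described above, as an added example that is not the poster's code: the login script redirects here after storing the login in $_SESSION['user'], and this page tells a client that kept the cookie apart from one that dropped it. The page names login.php, cookie_warning.php and home.php and the 'user' key are assumptions.

```php
<?php
// Added example (not the poster's code) of the post_login.php check.
// Assumes login.php did: session_start(); session_regenerate_id(true);
// $_SESSION['user'] = ...; header('Location: post_login.php');
// and that sessions are cookie-based (no session ID in the URL).

session_start();

// A browser that accepted the cookie sends it back on this request, so the
// cookie named session_name() is present and $_SESSION still holds the login.
// A browser that rejected it sends nothing, session_start() silently creates a
// brand new empty session, and both checks below fail.
$cookie_sent = isset($_COOKIE[session_name()]);
$logged_in   = isset($_SESSION['user']);

if ($logged_in && $cookie_sent) {
    // Cookies work; send the user on to wherever they were going.
    header('Location: home.php');
    exit;
}

if (!$cookie_sent) {
    // No cookie came back. The empty session created just now is useless, so
    // drop it before bouncing to the page that explains how to enable cookies
    // and offers the less secure URL-based method as a fallback.
    $_SESSION = [];
    session_destroy();
    header('Location: cookie_warning.php');
    exit;
}

// Cookie present but no login data: the session expired or login never
// completed, so the user has to log in again.
header('Location: login.php');
exit;
```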

Re: PHP Sessions Not working

Posted: Wed Oct 29, 2008 9:57 am
by QuickSnail
Thank you so much for your help, all of you.

Re: PHP Sessions Not working

Posted: Wed Oct 29, 2008 1:22 pm
by califdon
Here's a fairly good tutorial on Sessions and Cookies and their relations, and the alternatives of using url (GET) variables or form (POST) variables: http://www.free2code.net/tutorials/view ... page1.html