PHP Session Issue

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Virendra Maloo
Forum Newbie
Posts: 3
Joined: Mon Dec 21, 2009 10:52 pm

PHP Session Issue

Post by Virendra Maloo »

Hi,

I have developed a (PHP) application which has been tested on different development servers.

So when I log in to the app and navigate to a specific page just after logging in, the app logs out and I have to re-enter the user credentials. But after logging in again, it works fine (and doesn't show the log-in screen until we log out). I wonder why it works in such an unpredictable way!

I have used sessions for security reasons and am quite eager to know if this has something to do with cache.

I am using the code below on almost all the pages of the app (so that the user can't just enter the URL of the page and start accessing the application).

---------------------

session_start();

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

/*
The app matches the current session ID with the session ID the previous page sent,
and if they don't match, logs out.
*/

// isset() avoids an "undefined index" notice when the link carries no ?session= value;
// the try/catch that used to wrap this would not have caught that notice anyway.
if (isset($_GET['session']) && $_GET['session'] === session_id()) {
    // do nothing
} else {
    echo '<script type="text/javascript">parent.location="../index.php";</script>';
    exit; // stop here, otherwise the rest of the page is still rendered and sent
}


---------------
I strongly feel that if the app performs well on one server then it should work perfectly fine on the other system.

I, however, have no idea of the php.ini file on the server which throws this issue of logging out, but I can certainly find out the details if it is something to do with the php.ini file.

If there's any modification I need to do in the cache settings, let me know.


Any help/suggestion would be appreciated.
Virendra Maloo.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: PHP Session Issue

Post by cpetercarter »

Where does $_GET['session'] come from?

If you echo the values of $_GET['session'] and session_id(), you should be able to see whether they contain different values or whether (more probable) $_GET['session'] does not exist. That should give you a clue about where the problem lies.

More generally, I am puzzled about why you are trying to validate your page in this way. session_start() will resume an existing session, and pick up the session id from the session cookie sent by the browser. It adds nothing for the browser to send the session id a second time as a $_GET. A more normal process would be:

- log-in page: session_start(), enter and check name and password
- on successful login: session_regenerate_id(), and set a session variable, e.g. $_SESSION['login'] = true;
- move to another page: session_start()
- check whether there is a session variable 'login' and that its value is true
- if yes, proceed; if no, back to login
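The flow cpetercarter lists, written out as an added example; it is not code from the original post or from the OP's application. Everything specific to it is an assumption for illustration: the single-file app.php layout driven by an `action` parameter, the constructed in-memory user table (a real application would look the hash up in its database), and the function names. The session options it sets are real PHP settings; the point of `use_only_cookies` and `use_strict_mode` is that the session id is never taken from the URL and never adopted from a client that invented it.

```php
<?php
// app.php: minimal login flow per the steps above (added example, not the OP's code).
declare(strict_types=1);

// Harden the session module before session_start():
ini_set('session.use_only_cookies', '1');   // never read the session id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids this server never issued
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // add 'secure' => true behind HTTPS
session_start();

header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

// Constructed sample user table: one user, hash computed here only so the example runs stand-alone.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function check_credentials(array $users, string $name, string $password): bool
{
    // password_verify() is constant-time; an unknown user takes the same "false" path as a bad password.
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

function is_logged_in(): bool
{
    // The only evidence consulted is server-side session state, which the browser cannot forge.
    return ($_SESSION['login'] ?? false) === true;
}

function log_in(string $name): void
{
    session_regenerate_id(true); // fresh id after authentication: a pre-login (fixated) id becomes useless
    $_SESSION['login'] = true;
    $_SESSION['user']  = $name;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

$action = $_GET['action'] ?? 'home';

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (check_credentials($users, $_POST['name'] ?? '', $_POST['password'] ?? '')) {
        log_in($_POST['name']);
        // Redirect after POST: the Set-Cookie for the regenerated id travels with this response,
        // so the very next request already carries it.
        header('Location: ?action=home');
        exit;
    }
    http_response_code(401);
    echo 'Bad credentials';
    exit;
}

if ($action === 'logout') {
    log_out();
    header('Location: ?action=home');
    exit;
}

// Protected content. Nothing from $_GET decides whether the visitor is logged in.
if (!is_logged_in()) {
    echo '<form method="post" action="?action=login">'
       . '<input name="name"> <input type="password" name="password"> <button>Log in</button>'
       . '</form>';
    exit;
}
echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
   . ' <a href="?action=logout">Log out</a>';
```

Drop the file under the built-in server (`php -S localhost:8080 app.php`) to walk through it. Note that the redirect after a successful POST is what removes the "works only on the second login" symptom: the browser receives the session cookie on the redirect response and presents it on the follow-up GET, so the protected page never runs on a request that lacks the cookie.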
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: PHP Session Issue

Post by s.dot »

Most likely the problem you are experiencing has to do with the session cookie being set. A cookie can be set but is not usable until the next page request after it is set.

My guess is that when you first log in, the cookie is being set at that point, and the script detects that you are not logged in (because your session cookie can't be read until the next page request), thus prompting you to log in. On your next login attempt, you have reloaded the session cookie and it is available for your script to see and check against.
Virendra Maloo
Forum Newbie
Posts: 3
Joined: Mon Dec 21, 2009 10:52 pm

Re: PHP Session Issue

Post by Virendra Maloo »

When I redirect my app to a certain page using a link, what I do for that link is this:
====
Page1.php?session=<?php echo session_id(); ?>
====
and the code which I had sent in the original thread is pasted on page1.php, which checks if the current session is equal to the session rec.


I wonder if I can set the session cookie right from the first login?!?
Is there any way of doing it? Or is a modification in php.ini required?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Session Issue

Post by kaisellgren »

Log every time the script sends you a redirection and then see where this unexpected redirection occurs.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: PHP Session Issue

Post by cpetercarter »

Maybe you are making other checks to see whether the session is logged in. But if the only thing you do is to check the session id against the value of $_GET['session'], your site can be hacked easily - http://www.yoursite.com/page1?session=[ ... ter_string] will get me in.
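Why the $_GET['session'] comparison is not authentication, shown as an added example that is not part of the thread. It runs from the PHP CLI, which does not parse a Cookie header, so the cookie an attacker would send is simulated by filling $_COOKIE and calling session_id() before session_start(), which is what the session module does with a real cookie. The forged id, the ops_guard()/state_guard() names and the forced ini value are the example's own assumptions.

```php
<?php
// Added example: a request an attacker builds against the OP's guard, simulated in the CLI.
declare(strict_types=1);

// PHP's long-standing default (session.use_strict_mode=0): session_start() adopts whatever id
// the client presents, so session_id() simply echoes the attacker's cookie back.
ini_set('session.use_strict_mode', '0');

// The OP's guard, same logic: pass iff ?session= equals the current session id.
function ops_guard(array $get): bool
{
    return isset($get['session']) && $get['session'] === session_id();
}

// The guard the thread recommends instead: only server-side state counts.
function state_guard(array $session): bool
{
    return ($session['login'] ?? false) === true;
}

// Constructed attacker request: the same value in the PHPSESSID cookie and in ?session=.
$forged = 'deadbeef00000000000000000000';
$_COOKIE[session_name()] = $forged;   // what "Cookie: PHPSESSID=deadbeef..." delivers
$_GET['session']          = $forged;  // and "page1.php?session=deadbeef..."

// Mirror what the session module does with that cookie: take the client-supplied id as current.
session_id($_COOKIE[session_name()]);
session_start();

var_dump(ops_guard($_GET));       // the attacker chose both sides of this comparison
var_dump(state_guard($_SESSION)); // nobody ever authenticated this session
```

Run it with `php bypass.php`: ops_guard() passes while state_guard() does not, because the attacker controls both the cookie and the query string and the comparison never consults anything the server itself recorded. Turning on session.use_strict_mode makes session_start() discard an id it never issued and mint a fresh one, so this exact request would fail, but the attacker simply reads the fresh cookie from that response and repeats with the matching ?session= value; the fix is the server-side login flag, not the ini setting.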
Virendra Maloo
Forum Newbie
Posts: 3
Joined: Mon Dec 21, 2009 10:52 pm

Re: PHP Session Issue

Post by Virendra Maloo »

"When I log in for the first time and redirect the user to a certain page, the page expires and subsequent login-redirection works fine."
This is because the session ID I pass through the link is different from the session ID on the redirected page (only for the first-time access!!!).
(I checked it by echoing it on screen.)