Php Session
Posted: Wed Apr 13, 2011 3:33 am
by ko_sAnton
I have written a simple script for login, and when you log in, it starts a session.
When I log out, I use session_destroy();
Now in the browser (Firefox), if I click the "Go Back one Page" button, I still have the session that I destroyed before...
How can I fix it?
Re: Php Session
Posted: Wed Apr 13, 2011 12:49 pm
by social_experiment
Firstly, it goes a bit faster if you paste your script. It's possible that you are setting certain values during the login process but you don't destroy them, and when you go back, those values are still 'active'.
Re: Php Session
Posted: Wed Apr 13, 2011 4:50 pm
by dukenmarga
I have 2 opinions about this:
1. I think when you go back to request your last page, there are lines in your last page that activate your session, so you see that you have your session again.
2. When you go back to your last page, your last page only shows the last view, in this case from when you had the session, but the session has changed. Try to reload your page to see the new view of the page.
Re: Php Session
Posted: Thu Apr 14, 2011 12:08 am
by waytoecommerce
The code given below is fully secure, and once the session gets destroyed it will never start again. Please read each line carefully.

```php
$result = $login_data->logi($_REQUEST['user_name'], $_REQUEST['password']);
$secret = SECRET_KEY . date('d');
$pfid   = $result[0];
$hash   = sha1($secret . $pfid);   // original read sha1($secret . $id) with $id undefined; $pfid is the profile id returned by logi()
if ($result[1] == 1) {
    $_SESSION['user_name'] = $_REQUEST['user_name'];
    $_SESSION['hash'] = $hash;
    header("Location: yoururl.html");
}
```
Logi function:

```php
public function logi($data1, $data2) {
    // $data1 (the submitted username) is interpolated straight into the query text
    $query = mysql_fetch_array(mysql_query("SELECT profile_id, username, password, status FROM user WHERE username = '$data1'"));
    $num = mysql_num_rows(mysql_query("SELECT username, password FROM user WHERE username = '$data1'"));
    $secret = SECRET_KEY;
    if ($num > 0) {   // original tested $num >= 0, which is true even when no row matched
        if ($data1 == $query['username'] && sha1($secret . $data2) == $query['password'] && $query['status'] == 1) {
            $_SESSION['user_name'] = $query['username'];
            $s = new fetch();
            $s->status_change($query['username']);
            return array($query['profile_id'], 1);
        } else {
            return 0;
        }
    } else {
        return 0;
    }
}
```
Re: Php Session
Posted: Thu Apr 14, 2011 2:48 pm
by Mordred
waytoecommerce wrote:
The code given below is fully secure
No, it isn't. There are multiple security problems with this code and not a single attempt at solving them. I suggest you review what you know about SQL injection and the header() function.
Re: Php Session
Posted: Fri Apr 15, 2011 1:08 am
by waytoecommerce
We have answered regarding the session_destroy() issue, not about SQL injection.
To make the code more secure, we have to include SQL injection restriction via the .htaccess file, and there are other methods to do it.
Security of web applications is a very broad area.
Re: Php Session
Posted: Fri Apr 15, 2011 1:34 am
by social_experiment
waytoecommerce wrote:
We have answered regarding the session_destroy() issue, not about SQL injection.
True, but security should be second nature when creating code.

Re: Php Session
Posted: Fri Apr 15, 2011 3:00 am
by Mordred
waytoecommerce wrote:
To make the code more secure, we have to include SQL injection restriction via the .htaccess file, and there are other methods to do it.
I'm sorry, but I think you don't know what you are talking about. This is not how one protects against SQL injection; it's done by using proper SQL syntax and escaping (see the article in my sig).
I'm curious to see what you do with .htaccess though; it's the first time I see someone trying to use it for that purpose.
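As an added example (not code from the thread or any of its posters), the same user lookup with the username passed as a bound parameter, which is the "proper SQL syntax" Mordred refers to; the PDO connection, the user table layout and the SECRET_KEY constant are assumed from the earlier post.

```php
<?php
// Added example: logi() rewritten so the submitted username never becomes part
// of the SQL text. Assumes a PDO connection, the thread's user table
// (profile_id, username, password, status) and a SECRET_KEY constant.
function logi(PDO $db, string $username, string $password): array
{
    // The placeholder is filled in by the driver; quotes or comment
    // sequences in $username cannot change the statement.
    $stmt = $db->prepare(
        'SELECT profile_id, username, password, status FROM user WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return [null, 0];               // no such user
    }

    // Same hashing scheme as the thread's code (sha1 of SECRET_KEY . password);
    // hash_equals() compares in constant time, stored value first.
    $expected = sha1(SECRET_KEY . $password);
    if (!hash_equals($row['password'], $expected) || (int) $row['status'] !== 1) {
        return [null, 0];               // wrong password or inactive account
    }

    return [$row['profile_id'], 1];     // same return shape as the thread's logi()
}
```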
Re: Php Session
Posted: Thu Jun 09, 2011 7:48 pm
by xtiano77
I use the code below on my logout page and, with the exception of the Epiphany web browser, it works pretty well on Internet Explorer, Firefox and Safari.

```php
public function destroySession() {
    $_POST = array();
    $_GET = array();
    $_SESSION = array();
    session_destroy();
    // expire the session cookie (assumes PHP's default session name)
    setcookie("PHPSESSID", "", time() - 1200, "/", ".yourwebsitehere.com");
}

public function createNewSession() {
    session_regenerate_id(true);
    session_write_close();
    session_start();
    # your code here...
}

public function validateSession() {
    try {
        $this->checkSessionTimer();
        $this->checkUserIpAddress();
        $this->checkSessionBrowser();
    } catch (Exception $e) {
        header("Location: http://www.yourwebsitehere.com/yourpagehere.php");
        exit; // header() alone does not stop the script; without this the protected page is still rendered
    }
}
```

Now, I am sure there are more secure ways to do it than the above, but like I've said earlier, this has worked pretty well for me so far. The first method/function begins by clearing the $_POST and $_GET arrays, followed by all the values of the $_SESSION variable. Then it calls the session_destroy() method. Afterwards, if a person tries to access a page by clicking on the browser's "back" button, the validateSession() method/function will check to see if the necessary $_SESSION variables are set and, if they are not, which is the idea, it throws an exception, therefore stopping the rest of the code and redirecting the page to the one specified in the catch() code block.
Afterwards, if a person tries to log back into the site, the system calls session_regenerate_id(true), which creates a new session id and deletes the current $_SESSION file upon completion of the script. It then calls session_write_close(), which closes and saves the session data (this is normally done by default at the end of each script), and follows with a call to session_start(), and from that point on you are using an entirely new $_SESSION variable with whatever values you want to assign to it.
I know this is perhaps a simplistic solution to the problem, but if the more senior PHP coders out there have a better approach to this issue I would love to see it and learn from it. Hope this helps. Cheers!!!
xtiano77
Re: Php Session
Posted: Fri Jun 10, 2011 3:39 pm
by flying_circus
xtiano77 wrote:

```php
public function destroySession() {
    $_POST = array();
    $_GET = array();
    $_SESSION = array();
    session_destroy();
    setcookie("PHPSESSID", "", time() - 1200, "/", ".yourwebsitehere.com");
}

public function createNewSession() {
    session_regenerate_id(true);
    session_write_close();
    session_start();
    # your code here...
}

public function validateSession() {
    try {
        $this->checkSessionTimer();
        $this->checkUserIpAddress();
        $this->checkSessionBrowser();
    } catch (Exception $e) {
        header("Location: http://www.yourwebsitehere.com/yourpagehere.php");
        exit;
    }
}
```
- Why do you empty the $_GET and $_POST vars in destroySession()?
- What happens if the session_name() is not PHPSESSID?
- Why do you regenerate the session id, close the session, and then start a new one in createNewSession()?
Re: Php Session
Posted: Mon Jun 13, 2011 9:37 pm
by xtiano77
- Why do you empty the $_GET and $_POST vars in destroySession()?
* Just wanted to remove any and all data provided by the user during the session. It is a matter of choice really.
- What happens if the session_name() is not PHPSESSID?
* I used the default name assigned by PHP, and because it is the name of the cookie sent to the browser.
- Why do you regenerate the session id, close the session, and then start a new one in createNewSession()?
* One reason: to prevent session hijacking. It can help foil session fixation attacks.
* If you obtain someone's session ID, you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.
* A general rule of thumb is to generate the session ID each time a user changes his access level:
  when a user logs in
  when a user logs out
  when a user gets administrative access
* Some people think that the session ID should be regenerated every 10 transactions/requests or so, but I only do it at login.
Re: Php Session
Posted: Tue Jun 14, 2011 3:31 pm
by flying_circus
xtiano77 wrote:
- Why do you empty the $_GET and $_POST vars in destroySession()?
* Just wanted to remove any and all data provided by the user during the session. It is a matter of choice really.
Ok, I suppose every situation is different.
In a more typical scenario, $_GET and $_POST don't persist, so there is no reason to destroy them, especially if you are about to redirect. $_GET should contain only a minimum of information, ideally just navigation vars. If you destroy your navigation vars you'd likely have to redirect to the default home page.
xtiano77 wrote:
- What happens if the session_name() is not PHPSESSID?
* I used the default name assigned by PHP, and because it is the name of the cookie sent to the browser.
Sure, but the session name can be changed both in the configuration and at runtime. You should use session_name() to fetch the session name, so there is no guesswork involved.

```php
setcookie(session_name(), "", time() - 1200, "/", ".yourwebsitehere.com");
```

xtiano77 wrote:
- Why do you regenerate the session id, close the session, and then start a new one in createNewSession()?
* One reason: to prevent session hijacking. It can help foil session fixation attacks.
* If you obtain someone's session ID, you can effectively log in as them. If the session ID changes frequently, the chance of a compromised session ID still being active decreases.
* A general rule of thumb is to generate the session ID each time a user changes his access level:
  when a user logs in
  when a user logs out
  when a user gets administrative access
* Some people think that the session ID should be regenerated every 10 transactions/requests or so, but I only do it at login.
I understand what you mean, but the order of operations in your code is to:
1. Regenerate the session id (i.e. change the id of the current session)
2. Close the current session
3. Start the session again.
Why not skip steps 2 and 3?
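Added example (not xtiano77's or flying_circus's code) putting the points of these two posts together: the cookie is removed under whatever name and parameters the session actually uses, session_regenerate_id(true) is called on its own at login, and protected pages are sent no-store headers so that "Back" after logout re-requests the page instead of showing the cached last view dukenmarga described. It assumes session_start() has already been called and uses a placeholder redirect URL.

```php
<?php
// Added example, not code from the thread. Assumes session_start() has run.

// Logout: empty the session, expire the cookie under the real session name
// and cookie parameters, then drop the server-side data.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Pages shown only to logged-in users: forbid caching, so the browser's
// "Back" button fetches the page again rather than replaying the old view.
function sendNoStoreHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Login: change the id in place (the session stays open, so no
// session_write_close()/session_start() pair is needed), then record the user.
function startAuthenticatedSession(string $username, int $profileId): void
{
    session_regenerate_id(true);          // new id, old session data deleted
    $_SESSION['user_name']  = $username;
    $_SESSION['profile_id'] = $profileId;
    $_SESSION['last_seen']  = time();
}

// Any protected page: redirect and stop if the session no longer carries a login.
function requireLogin(string $loginUrl): void
{
    sendNoStoreHeaders();
    if (empty($_SESSION['user_name'])) {
        header('Location: ' . $loginUrl);  // placeholder URL supplied by caller
        exit;                              // header() alone does not end the script
    }
}
```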
Re: Php Session
Posted: Tue Jun 14, 2011 6:27 pm
by xtiano77
flying_circus,
Thanks for the session_name() suggestion, I hadn't thought about it.
As far as session_regenerate_id(), I just don't feel like waiting until PHP calls session_write_close() at the end of the script. I want to make sure it is called when I want it called.
Also, the $_GET var will normally have a value. After the logout link is clicked, the page is redirected to a script which, after clearing all the data, assigns a message which in turn will be displayed to the user via JavaScript.
Re: Php Session
Posted: Fri Jun 17, 2011 1:58 am
by Apollo
waytoecommerce wrote:
To make the code more secure, we have to include SQL injection restriction via the .htaccess file
Wait... What? How??
(You ever heard of mysql_real_escape_string?)