
How can I start a unique session for each user?

Posted: Sat Oct 22, 2005 8:39 am
by rami
I have a login page where I start a session (on correct password), and I check the session on the profile page where each user goes after a successful login:
the personal profile of each user.
Suppose a student, Harry, logs in (with user_id 1).

In my login page I do
session_start();
$_SESSION['name'] = $row[1];
$_SESSION['user_id'] = $row[0];
when successfully logged in.
On successful login I then pass user_id as uid to display the profile page:
display.php?uid=$row['user_id'].......

In the address bar of the browser:
http://www.host.com/dispaly.php?uid=1

And in the display page I check as follows:
if (!isset($_SESSION['user_id']))
{

header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/index.php");
ob_end_clean(); // Delete the buffer.
exit(); // Quit the script.

} else { .....

Now Mr. Harry is able to view his profile:
select ...where user_id=$_GET['uid'] (logic I use)


The security hole I am talking about is that if Mr. Harry, with user_id 1, wants to see the profile page of a person whose user_id is 2, by doing
http://www.host.com/dispaly.php?uid=2
he is not stopped; the page opens because there is a user_id session.
So there is no use in making members.
How can I assign a unique session to each login,
so that if A logs in as a student he is not able to see the profiles of other students by doing
http://www.host.com/dispaly.php?uid=2
or http://www.host.com/dispaly.php?uid=3
How can one create a unique session even among students?
That way the browser history will also not work, if somebody tries to be clever.
Any help?

I experimented with some session variables but didn't succeed.
How do I create a (unique) session after login and check it on another page?
A single computer may be used by many students.
Thanks for all help.
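
Added example, not part of the original post or thread: the hole described above, with the profile lookup keyed on the URL's uid next to a version keyed on the id stored in the session at login. The students table, its sample rows and the function names are assumptions made for the illustration, and an in-memory SQLite database stands in for the poster's database.

```php
<?php
declare(strict_types=1);

// Constructed sample data; the schema is an assumption, not the poster's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (user_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES (1, 'harry'), (2, 'ron')");

// Shared lookup helper (hypothetical name), using a bound parameter.
function fetch_student(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT user_id, name FROM students WHERE user_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Pattern from the post: the session only proves that somebody is logged in,
// while the row to show is chosen by the uid the browser sends.
function profile_from_url(PDO $db, array $session, array $get): ?array
{
    if (!isset($session['user_id'])) {
        return null; // not logged in: caller redirects to index.php
    }
    return fetch_student($db, (int) ($get['uid'] ?? 0));
}

// Hardened pattern: the row is chosen by the id stored server-side at login.
// A uid in the URL is accepted only when it matches that id.
function profile_from_session(PDO $db, array $session, array $get): ?array
{
    if (!isset($session['user_id'])) {
        return null; // not logged in
    }
    $own = (int) $session['user_id'];
    if (isset($get['uid']) && (int) $get['uid'] !== $own) {
        return null; // someone else's profile: caller answers 403
    }
    return fetch_student($db, $own);
}

// Stand-ins for $_SESSION after harry's login and for $_GET on ?uid=2.
$harrySession = ['user_id' => 1, 'name' => 'harry'];
$otherUid = ['uid' => '2'];

var_dump(profile_from_url($db, $harrySession, $otherUid));
var_dump(profile_from_session($db, $harrySession, $otherUid));
var_dump(profile_from_session($db, $harrySession, []));
```

With the hardened function the link to the profile page no longer needs a uid parameter at all, because the session already identifies whose profile to show.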

Posted: Sat Oct 22, 2005 8:58 am
by feyd