Sessioncheck


joshm
Forum Newbie
Posts: 15
Joined: Fri Jan 06, 2006 12:25 am
Location: Columbus, Ohio

Sessioncheck

Post by joshm »

I believe I'm having sessioncheck issues. I'm not really a PHP person, or a database person, so I can't be sure. We had a website built for us, and got screwed, so I am left to figure things out on my own. I'm now down to 2 issues, one being this sessioncheck thing. When I go to log in to our admin area the login screen comes up and I enter the username and password. Then it says "You are not AUTHORIZED to view this page." I did a code search in all the PHP files and found that phrase in the sessioncheck.php file. This is what my code looks like.

Code: Select all

<?php
	session_start();
	ob_start();
	if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
	{	
		echo "You are not AUTHORIZED to view this page.";
		//Header("Location:index.php");
     	exit;
	}
	/*	
	include_once('../business/clsmaintenance.php');
	$Maintenance = new Maintenance();
	
	if($Maintenance->CheckSchedule())
	{
		$Maintenance->DoMaintenance();
	}
	*/
  	if(!(session_is_registered($_SESSION["sesadmin"])))
  	{
     	Header("Location:index.php");
     	exit;
  	}
?>
If anyone can help me that would help a lot because I'm pretty lost. I know what the session check is supposed to do, I just don't know how to fix the problem. Thanks in advance for any help or knowledge passed my way.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Did you switch domains or transfer this code from a development server to live server?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Code: Select all

if(!(session_is_registered($_SESSION["sesadmin"])))
That's an oxymoron if I ever saw one :P
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Code: Select all

bool session_is_registered ( string name )

if(!(session_is_registered($_SESSION["sesadmin"]))) 
      { 
         Header("Location:index.php"); 
         exit; 
      } 
In your statement you are passing the value of the session variable, sesadmin, to session_is_registered(), which is wrong.

Instead, if you are going to check that a session variable is registered, you should pass the name of the variable to session_is_registered().

So it should be...

Code: Select all

if(!(session_is_registered("sesadmin"))) 
      { 
         Header("Location:index.php"); 
         exit; 
      } 

Also do make sure when you execute md5 on your server address you yield the constant md5ed value.

sessioncheck

Post by joshm »

Jcart wrote: Did you switch domains or transfer this code from a development server to live server?
No, but we did switch from one live server to another live server, which I'm pretty sure is the problem. I actually have the site running on one server perfectly fine, but on the server I switched it to it doesn't work. I thought maybe it had something to do with the string of numbers on line 4 'd8c068d81fd577ee1ed71222f87c4953' but I'm not sure.

As for the rest of the responses I thank you, but like I said I don't know php so I'm pretty lost to all of what was said.

Post by raghavan20 »

Code: Select all

if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
For you I am explaining again: this expects that the address of the server, when hashed using the md5 algorithm, should yield 'd8c068d81fd577ee1ed71222f87c4953', which won't happen since you have changed server.

What you have to do now is run a separate file, find md5("your_new_server_address") and assume that value as val_md5...

Code: Select all

$val_md5 = md5($_SERVER['SERVER_ADDR']); // note down this value and go to the original file and replace the if statement like...

if(strtolower(md5($_SERVER['SERVER_ADDR'])) != $val_md5) // $val_md5 is the value I asked you to note down

Post by joshm »

raghavan20 wrote:

Code: Select all

if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
For you I am explaining again: this expects that the address of the server, when hashed using the md5 algorithm, should yield 'd8c068d81fd577ee1ed71222f87c4953', which won't happen since you have changed server.

What you have to do now is run a separate file, find md5("your_new_server_address") and assume that value as val_md5...

Code: Select all

$val_md5 = md5($_SERVER['SERVER_ADDR']); // note down this value and go to the original file and replace the if statement like...

if(strtolower(md5($_SERVER['SERVER_ADDR'])) != $val_md5) // $val_md5 is the value I asked you to note down
How do I find the md5?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

It's pretty obvious the author of that code didn't want it to work on a different domain.
Simply removing the if block would make the problem go away.

Post by joshm »

timvw wrote: It's pretty obvious the author of that code didn't want it to work on a different domain.
Simply removing the if block would make the problem go away.
Is that going to mess up anything else on the site? Like normal users, not admin users, and/or the shopping cart?

Post by joshm »

Actually I just did a search in the source code for all my PHP files and md5 is attached to a ton of files, so I know I need to find the md5 for my server somehow. Any ideas?
Thanks for all the help.

Post by raghavan20 »

md5, as said, is a hashing algorithm to hash passwords and other data.
What you have to do is use the inbuilt function of PHP, md5(), and run this function with your server name as input and substitute this value in the if statement.

Post by joshm »

raghavan20 wrote: use the inbuilt function of PHP, md5() and run this function with your server name as input and substitute this value in the if statement.
I know you must think I'm a retard, but could you explain how to go about doing that? I've been trying to research it on the PHP website but I'm not really finding anything I understand.

Post by Jenk »

Create a new file on the server you wish to run this application on, with the following contents:

Code: Select all

<?php

echo md5($_SERVER['SERVER_ADDR']);

?>
That will give you the md5 value you need to replace.




raghavan20 - as the manual says, session_is_registered is not to be used if using the $_SESSION superglobal, use isset($_SESSION['var']) instead.

Post by joshm »

Jenk wrote: Create a new file on the server you wish to run this application on, with the following contents:

Code: Select all

<?php

echo md5($_SERVER['SERVER_ADDR']);

?>
That will give you the md5 value you need to replace.




raghavan20 - as the manual says, session_is_registered is not to be used if using the $_SESSION superglobal, use isset($_SESSION['var']) instead.
You are my GODs, thank you all for your help! It worked! I'm SOOOOO grateful. Now if only I could fix the one last problem I am having with my damn directories. If anyone is willing to help me with that problem I can explain it.

Post by timvw »

Now here is what I would have done:

Code: Select all

/*
   if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
    {    
        echo "You are not AUTHORIZED to view this page.";
        //Header("Location:index.php");
         exit;
    } 
*/
Might even consider completely deleting those lines.
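
The two checks in sessioncheck.php discussed in this thread, separated so a server move is not reported as an authorization failure, and with the login test written with isset() on $_SESSION. This is an added example, not part of the original posts: the function names and the sample addresses are assumptions made for illustration, and session_is_registered() itself was removed in PHP 5.4.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// addresses (RFC 5737 documentation ranges) are constructed for illustration.

// The host lock from sessioncheck.php: compares md5(SERVER_ADDR) to a stored hash.
// It ties the script to one server IP; it says nothing about who is logged in.
function host_lock_ok(array $server, string $expectedMd5): bool
{
    $addr = $server['SERVER_ADDR'] ?? '';   // may be unset, e.g. under the CLI
    return hash_equals(strtolower($expectedMd5), md5($addr));
}

// The login check, written with isset() on $_SESSION as Jenk recommends,
// instead of session_is_registered() called on the variable's value.
function admin_session_ok(array $session): bool
{
    return isset($session['sesadmin']) && $session['sesadmin'] !== '';
}

// Decide what sessioncheck.php should do, keeping the two failures distinct so
// a server move is not shown to the admin as an authorization problem.
function session_check(array $server, array $session, string $expectedMd5): string
{
    if (!host_lock_ok($server, $expectedMd5)) {
        return 'host-mismatch';   // log it; fixed by updating the stored hash
    }
    if (!admin_session_ok($session)) {
        return 'redirect-login';  // header('Location: index.php'); exit;
    }
    return 'ok';
}

// Constructed scenario: hash recorded on the old server, site moved to a new one.
$stored    = md5('192.0.2.10');
$oldServer = ['SERVER_ADDR' => '192.0.2.10'];
$newServer = ['SERVER_ADDR' => '198.51.100.7'];
$loggedIn  = ['sesadmin' => 'admin'];

$cases = [
    'old server, logged in'  => [$oldServer, $loggedIn],
    'new server, logged in'  => [$newServer, $loggedIn],
    'old server, no session' => [$oldServer, []],
];
foreach ($cases as $label => [$srv, $sess]) {
    echo $label, ': ', session_check($srv, $sess, $stored), PHP_EOL;
}
```

In the real file the arguments would be $_SERVER and $_SESSION after session_start(), and only the 'ok' result lets the admin page continue.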