My Users keep getting logged in as others.
Moderator: General Moderators
So, this pretty much ruins my authentication system?
If I checked the value of the session_id() (deleted), against the value stored in the database (deleted), then any user whos values have been deleted by a proxy system or whatever.. would have the same credientials on both ends (deleted), thus it really wouldn't matter what their ID is.. they could be logged in as anyone who has their credentials set to "deleted".
Proposed solution?
I have also ran chkrootkit on the server and the output appears normal.
If I checked the value of the session_id() (deleted), against the value stored in the database (deleted), then any user whos values have been deleted by a proxy system or whatever.. would have the same credientials on both ends (deleted), thus it really wouldn't matter what their ID is.. they could be logged in as anyone who has their credentials set to "deleted".
Proposed solution?
I have also ran chkrootkit on the server and the output appears normal.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
session_regenerate_id()?
You could, potentially, set the URL transport of the session ID. As for making sure users don't hijack others, without a cookie to help, I don't really know other than requesting them to log in again before doing anything near sensitive. I like to implement login requirements when moving up in permission requirements... such as when entering an administrative area, attempting to edit profiles, sometimes to make posts/update/create things..
You could, potentially, set the URL transport of the session ID. As for making sure users don't hijack others, without a cookie to help, I don't really know other than requesting them to log in again before doing anything near sensitive. I like to implement login requirements when moving up in permission requirements... such as when entering an administrative area, attempting to edit profiles, sometimes to make posts/update/create things..
Hmm. Seems that would be annoying in a highly dynamic environment
I'm trying to look for the reason that it's being set to deleted. I didn't realize anything (including proxies) could change session information that's on MY server. And I don't think 17 people would be using the same proxy server. Maybe 17 users would be using a proxy, but they wouldn't all set values to "deleted".
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Good point. But the only time I'm storing (or updating) the session id in the database is on this line:
Unless the session_id() function grabs the info from the cookie, then it wouldn't be possible to set the database value to 'deleted'.
[edit]the session is generated and stored on this same page, so there is no new page request (cookie headers being sent) before the id is stored in the db.
Code: Select all
mysql_query("
UPDATE
`users`
SET
`user_last_visit` = '".time()."',
`lastlogin` = '".time()."',
`session` = '".session_id()."',
`lastloginip` = '{$_SERVER['REMOTE_ADDR']}'
WHERE
`id` = '{$array['id']}'
") or die(mysql_error());[edit]the session is generated and stored on this same page, so there is no new page request (cookie headers being sent) before the id is stored in the db.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
That's exactly what it is doing. That's how the session is kept track of across multiple pages when the URL doesn't contain the information it needs. When neither exist, it will generate a new ID on its own.scottayy wrote:Unless the session_id() function grabs the info from the cookie, then it wouldn't be possible to set the database value to 'deleted'.
Wow, I didn't know a cookie value could be retrieved on the same page it's set. I know it can't by scripts.. without special configuration?
So now the question comes down to why the cookie values are being set to "deleted". And not only that, some cookie values are accepted as is, and other are set to deleted. Weird.
Maybe on an unrelated note.. I notice the cookie values that are being kept are the ones that have slashes added to them. My PHP is set to add slashes, and those don't get set to deleted. Coincidence?
So now the question comes down to why the cookie values are being set to "deleted". And not only that, some cookie values are accepted as is, and other are set to deleted. Weird.
Maybe on an unrelated note.. I notice the cookie values that are being kept are the ones that have slashes added to them. My PHP is set to add slashes, and those don't get set to deleted. Coincidence?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
I've spoken to two of the users directly. Both are using windows XP home, IE.. and as far as they're *aware of* aren't using a proxy.
I also asked them to tell me their privacy settings for cookies. One was 'medium'. The other was 'medium high'. I tried playing with my own browser settings and it didn't produce the "deleted" effect.
I.... am running out of ideas as to why the cookie values are being set to "deleted". I read through lots & lots of session manual pages, googled for a little bit, and still nothing.
Does anyone know of any programs, browser plugins, etc that would be causing this?
I also asked them to tell me their privacy settings for cookies. One was 'medium'. The other was 'medium high'. I tried playing with my own browser settings and it didn't produce the "deleted" effect.
I.... am running out of ideas as to why the cookie values are being set to "deleted". I read through lots & lots of session manual pages, googled for a little bit, and still nothing.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Actually, I believe this is a bug in PHP.
http://bugs.php.net/bug.php?id=33526
I was informed of this by a fellow programmer who had experienced the same problem. I imagine upgrading PHP should do the trick.
http://bugs.php.net/bug.php?id=33526
I was informed of this by a fellow programmer who had experienced the same problem. I imagine upgrading PHP should do the trick.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Wow, 4 posts in a row by me.
That's okay, this one is informational. It seems the only way around this is a hack. I'll share in case someone is searching for this topic.
The error.php tells the user to make sure their computer clock is set to the right date, and to clear their cookies. That will fix the problem and the user will be able to log in again.
Code: Select all
if((session_id() == 'deleted') || ($_COOKIE[session_name()] == 'deleted'))
{
header('Location: error.php');
exit;
}Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.