
Session Security

Posted: Sun May 13, 2007 12:31 pm
by dhossai
Hi Fellows!
I hope someone can give me a better idea about this. I use two session files for my login process to the site: one is session.php and the other is welcomesession.php, and they are as follows:

Code:

<?php
session_start();
session_register("session");
?>
and newsession.php:

Code:

<?php
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
$session['id']=session_id();
$session['userid']=$userid;
//echo $session['userid'];
?>
Now can you please explain to me how secure these are to use and, if not, what I can do to make them secure. I do not have SSL capabilities.
I would really appreciate your quick response.
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.1 wrote: 11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.

Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.

Posted: Sun May 13, 2007 2:49 pm
by rmouali
First, you have to start the session in the "newsession.php" file:

Code:

<?php
session_start();
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
$session['id']=session_id();
$session['userid']=$userid;
//echo $session['userid'];
?>
Sessions are not the only thing you have to pay attention to in order to secure your web application. And SSL protects data only while it is transferred between the client and the server.
SSL doesn't provide authorisation mechanisms or ACLs.

If you want to secure your application, first you have to answer a question: What do you want to protect? Application files, user data, user access...

You'll find more information in this web site : http://phpsec.org

Posted: Sun May 13, 2007 2:54 pm
by John Cartwright
session_register is deprecated; use the $_SESSION superglobal instead.

Code:

session_start();
$_SESSION['userid'] = $userid;
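As an added example (not code from the thread), here is the job of the poster's session.php and newsession.php done in one include with $_SESSION, plus the precautions a practitioner would add around it: the session id is accepted from the cookie only, the cookie is marked httponly, the id is regenerated at login so a fixated id never becomes an authenticated one, and protected pages apply an idle timeout. It assumes PHP 5.2 or later (httponly cookie flag, the delete-old-session argument of session_regenerate_id()); welcome.php and logout.php are the thread's own page names, while login.php is an assumed name for the poster's login form.

```php
<?php
// Added example, not code from the thread: one include replacing session.php
// and newsession.php, using $_SESSION instead of session_register().
// Assumes PHP 5.2+. login.php is an assumed name for the poster's login page.

// Call before any output on every page, in place of session.php.
function start_secure_session()
{
    // Take the session id from the cookie only, never from a URL parameter,
    // so a crafted link cannot hand the victim an id the attacker already knows.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);

    // httponly keeps the cookie away from script running in the page.
    // secure is false because the poster has no SSL; set it to true under HTTPS.
    session_set_cookie_params(0, '/', '', false, true);

    session_start();
}

// Call once the userid and password have been verified, in place of newsession.php.
function login_session($userid)
{
    // Drop the id the browser arrived with and issue a fresh one, so an id planted
    // before login (session fixation) never turns into an authenticated session.
    session_regenerate_id(true);

    $_SESSION['userid']     = $userid;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();
}

// Call at the top of every protected page such as welcome.php, after start_secure_session().
// Returns the logged-in userid; anyone else is sent back to the login page.
function require_login($max_idle_seconds = 900)
{
    if (!isset($_SESSION['userid'])) {
        logout_session('login.php');
    }
    if (time() - $_SESSION['last_seen'] > $max_idle_seconds) {
        logout_session('login.php?expired=1');
    }
    $_SESSION['last_seen'] = time();   // sliding idle timeout
    return $_SESSION['userid'];
}

// Use from logout.php and on any failed check: clears the server-side data,
// expires the cookie in the browser and ends the request.
function logout_session($redirect_to = 'login.php')
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . $redirect_to);
    exit;
}
```

In the login handler, call start_secure_session() first and login_session($userid) only after the credentials have checked out; welcome.php starts with start_secure_session() followed by require_login(). One caveat that no PHP setting removes: without SSL the session cookie still crosses the network in the clear, so anyone who can sniff the connection can copy it and replay it until the session is destroyed or times out, which is why the idle timeout and a real logout matter more here than they would under HTTPS.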

Posted: Sun May 13, 2007 6:22 pm
by dhossai
Thanks rmouali. Well, obviously I want to protect user data first, so could you please tell me what route I should go.

Posted: Wed May 16, 2007 2:10 pm
by dhossai
feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi fellows!
Well, I am too confused now. I have read many things about session security in different forums as well, and I am getting more and more confused as I read. Here is the process I am following:

My login page, where users input the id and password, takes the input and calls the other file to process it, which is:

Code:

<?php
include "include/session.php";       # INCLUDE SESSION FILE HERE #
include "include/dbconnection.php";

// $userid and $password are assumed to arrive from the login form
$userid   = mysql_real_escape_string($userid);
$password = mysql_real_escape_string($password);

if ($rec = mysql_fetch_array(mysql_query("SELECT * FROM tbl_login WHERE userid='$userid' AND password = '$password'"))) {
    if (($rec['userid'] == $userid) && ($rec['password'] == $password)) {
        include "include/newsession.php";   # IT INCLUDES NEWSESSION FILE #
        echo "<p class=data> <center>Successfully,Logged in<br><br><a href='logout.php'> Log OUT </a><br><br><a href=welcome.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>";
        print "<script>";
        print " self.location='welcome.php';"; // Comment this line if you don't want to redirect
        print "</script>";
    }
} else {
    // No matching row: clear anything in the session and show the retry form
    session_unset();
    echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct  Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
?>
And here is the new session file:

Code:

<?php
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
$session['id']=session_id();
$session['userid']=$userid;
//echo $session['userid'];
?>
And here is the session file:

Code:

<?php
session_start();
session_register("session");
#$_Session['userid'] = $userid;
?>
Now if someone could please have a look and let me know how secure this is to use (I know that nothing is a hundred percent secure) and, if not, please explain it to me elaborately. I would appreciate your help a lot.
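The handler posted above builds its SELECT by interpolating escaped strings and then compares the submitted password string directly with the stored column. As an added example (not code from the thread or any reply), here is the same credential check with a prepared statement in place of string interpolation and a bcrypt hash in place of a stored password, followed by the session handling at the moment of login. It assumes PHP 5.5 or later (password_hash/password_verify) with the PDO MySQL driver; tbl_login, userid and welcome.php are the poster's names, while the password_hash column, the DSN and the database credentials are assumed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ and ext/pdo_mysql.
// tbl_login, userid and welcome.php come from the thread; the password_hash column,
// the DSN and the database credentials below are assumed.

function db_connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // a failed query is an error, not "no such user"
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);          // real server-side prepared statements
    return $pdo;
}

// Registration or password change: store password_hash() output, never the password itself.
function store_password(PDO $pdo, $userid, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE tbl_login SET password_hash = :hash WHERE userid = :userid');
    $stmt->execute(array(':hash' => $hash, ':userid' => $userid));
}

// True only when the userid exists and the password matches its stored hash.
// User input is bound as a parameter, so quotes or SQL keywords in it are just data.
function check_login(PDO $pdo, $userid, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM tbl_login WHERE userid = :userid');
    $stmt->execute(array(':userid' => $userid));
    $rec = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run the verification even for an unknown userid, against a throwaway hash,
    // so the response time does not reveal which userids exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('no-such-user', PASSWORD_DEFAULT);
    }
    $hash = $rec ? $rec['password_hash'] : $dummy;

    return password_verify($password, $hash) && $rec !== false;
}

// The handler itself, driven by the login form's POST fields.
session_start();

$userid   = isset($_POST['userid'])   ? $_POST['userid']   : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$pdo = db_connect();
if ($userid !== '' && check_login($pdo, $userid, $password)) {
    session_regenerate_id(true);        // fresh id after login, so an id set before login cannot be reused
    $_SESSION['userid'] = $userid;
    header('Location: welcome.php');
    exit;
}

// Failure: one message whether the userid or the password was wrong.
session_unset();
echo '<p class="data">Wrong login. Use your correct userid and password and try again.</p>';
```

Two points of design worth noting. The hash protects the database, not the wire: with no SSL the password and the session cookie still travel in the clear, so this example narrows what a stolen database or a malformed input can do, not what a network sniffer can do. And a single failure message plus the dummy-hash verification keeps a wrong userid and a wrong password indistinguishable, both in the text returned and in how long the request takes.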