Session cache and clearing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Session cache and clearing

Post by kkonline »

Code: Select all

session_cache_expire(10);  // 10 minutes: lifetime of the HTTP cache headers sent with the page
session_start();
// ... some data processing ...
and to log out I am using

Code: Select all

unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();  // removes the server-side session data
echo 'Logged out successfully';
and for processing

Code: Select all

if (isset($_SESSION['user']) && isset($_SESSION['pass'])) {
    // user is logged in
}
Are the above codes sufficiently secure, and are there other suggestions or corrections?
Another thing: is session_cache_expire used in the correct way? I am using a 10 minute cache expire time.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

The sessions aren't really the part where we have a lot of security problems... You shouldn't have too much concern. The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

superdezign wrote:
The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?

I am using all the measures I am aware of: mysql_real_escape_string, validating, data filtering etc., but I am currently concerned about clearing the sessions after 10 mins.

In this version of accesscontrol I am not showing you the mysql_real_escape_string and others, but in the final version I will be using it, if you are concerned about SQL injection.

accesscontrol.php

Code: Select all

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_cache_expire(10);
session_start();

// Prefer freshly posted credentials; otherwise fall back to what the session holds.
$user = isset($_POST['user']) ? $_POST['user'] : (isset($_SESSION['user']) ? $_SESSION['user'] : null);
$pass = isset($_POST['pass']) ? $_POST['pass'] : (isset($_SESSION['pass']) ? $_SESSION['pass'] : null);

if(!isset($user)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="user" size="8" /><br />
    Password: <input type="password" name="pass" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;

dbConnect("mysql");
$sql = "SELECT * FROM member WHERE
        userid = '$user' AND password = sha1('$pass')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['user']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'fullname');
?>

In the signup process I take the user name and check if it exists, and if it doesn't I continue with validation.

Added example, not code from this thread or from either poster: the 10 minute limit asked about above, enforced server-side. session_cache_expire() only sets the lifetime of the HTTP cache headers sent to the browser; the session data itself stays valid until PHP's garbage collector removes it, so an idle timeout has to be tracked in $_SESSION. It assumes a hypothetical verifyCredentials() that checks the posted user and password against the database and returns the member id or null, and PHP 7.3+ for the cookie flags.

```php
<?php
// Added example (not from the thread). Idle timeout tracked in $_SESSION,
// because session_cache_expire() does not end the session. Assumes a
// hypothetical verifyCredentials($user, $pass) returning the member id or null.
const IDLE_LIMIT = 600; // 10 minutes in seconds

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// True if the session is logged in and has been active within the idle limit.
function sessionIsValid(array &$session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (!isset($session['user_id'], $session['last_activity'])) {
        return false;
    }
    if ($now - $session['last_activity'] > $idleLimit) {
        return false; // idle too long: treat as logged out
    }
    $session['last_activity'] = $now; // sliding window, refreshed on each request
    return true;
}

// Called only after the credentials were checked against the database.
function loginUser(int $userId, int $now): void
{
    session_regenerate_id(true);      // new id on privilege change (fixation defence)
    $_SESSION['user_id'] = $userId;   // keep an identifier, never the password
    $_SESSION['last_activity'] = $now;
}

function logoutUser(): void
{
    $_SESSION = [];
    // session_destroy() only removes the server-side data; expire the cookie too.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (isset($_POST['user'], $_POST['pass'])) {
    $id = verifyCredentials($_POST['user'], $_POST['pass']); // hypothetical helper
    if ($id !== null) {
        loginUser($id, time());
    }
}
if (!sessionIsValid($_SESSION, time())) {
    logoutUser();
    // render the login form here and stop
    exit;
}
```

Pages behind the check then read $_SESSION['user_id'] and look the member up, so no password ever sits in the session file.