Session cache and clearing
Posted: Mon Sep 24, 2007 5:41 am
by kkonline
Code:
<?php
session_cache_expire(10); // 10 minutes: sets session.cache_expire, i.e. the Expires header sent with the session cache limiter
session_start();
// ... some data processing ...
and to log out I am using
Code:
<?php
session_start(); // the session must be started before it can be destroyed
unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();
echo 'Logged out successfully';
and for processing
Code:
<?php
session_start();
if(isset($_SESSION['user']) && isset($_SESSION['pass']))
{
    // user is logged in
}
Is the above code sufficiently secure, and are there any other suggestions or corrections?
Another thing: is session cache expire used in the correct way? I am using a 10-minute cache expire time.
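The post asks how to clear a session after 10 minutes of inactivity and how to log out cleanly. The following is an added example, not code from the thread: `session_cache_expire()` only sets the `Expires` header for cached pages and never ends the PHP session, so this example enforces the idle timeout itself with a timestamp in `$_SESSION`, and the logout empties the whole session array and expires the session cookie instead of unsetting two keys. The `IDLE_TIMEOUT` constant and the `user_id` key are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original post). Server-side idle timeout and a
// complete logout for a cookie-based PHP session.

const IDLE_TIMEOUT = 600; // 10 minutes, in seconds (assumed value)

function startSecureSession(): void
{
    // Accept session ids from cookies only and reject ids the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,                      // cookie dies with the browser
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // The session data is the only reliable place to enforce inactivity:
    // session.cache_expire / session_cache_expire() does not do this.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        $_SESSION = [];                       // forget the expired login
        session_regenerate_id(true);          // and do not reuse its id
    }
    $_SESSION['last_activity'] = time();
}

function isLoggedIn(): bool
{
    // Only an identity is stored after login; never the password.
    return isset($_SESSION['user_id']);
}

function logout(): void
{
    $_SESSION = [];                           // drop every key, not just user/pass
    if (ini_get('session.use_cookies')) {
        // Expire the cookie so the browser stops sending the old id.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

startSecureSession();

if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    logout();
    echo 'Logged out successfully';
    exit;
}

if (!isLoggedIn()) {
    // render the login form here
}
```

`session.gc_maxlifetime` still governs when abandoned session files are garbage-collected on the server, so keep it at or above `IDLE_TIMEOUT`; the timestamp check is what guarantees the 10-minute cut-off regardless of when garbage collection happens to run.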
Posted: Mon Sep 24, 2007 7:29 am
by superdezign
The sessions aren't really the part where we have a lot of security problems... You shouldn't have too much concern. The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
Posted: Mon Sep 24, 2007 8:45 am
by kkonline
superdezign wrote: The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
I am using all the measures I am aware of: mysql_real_escape_string, validating, data filtering, etc. But I am currently concerned regarding clearing the sessions after 10 mins.
In this version of accesscontrol I am not showing you the mysql_real_escape_string and others, but in the final version I will be using it, if you are concerned about SQL injection.
accesscontrol.php
Code:
<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';
session_cache_expire(10);
session_start();
// Credentials come from the form if posted, otherwise from the session (null if neither is set)
$user = isset($_POST['user']) ? $_POST['user'] : (isset($_SESSION['user']) ? $_SESSION['user'] : null);
$pass = isset($_POST['pass']) ? $_POST['pass'] : (isset($_SESSION['pass']) ? $_SESSION['pass'] : null);
if(!isset($user)) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="user" size="8" /><br />
Password: <input type="password" name="pass" size="8" /><br />
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
dbConnect("mysql");
$sql = "SELECT * FROM member WHERE
userid = '$user' AND password = sha1('$pass')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details');
}
if (mysql_num_rows($result) == 0) {
unset($_SESSION['user']);
unset($_SESSION['pass']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result,0,'fullname');
?>
In the signup process I take the user name and check if it exists, and if it doesn't I continue with validation.
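The accesscontrol.php above re-runs the login query on every request from a username and password kept in `$_SESSION`, and builds the SQL by string interpolation. As an added example (not kkonline's file or the thread's code), here is the same check written so that the password is bound as a query parameter, verified against a stored hash, and never copied into the session; after a successful login only the member's identity is stored and the session id is regenerated. Assumptions: a PDO connection with placeholder DSN and credentials, and a `member` table whose `userid` and `fullname` columns match the original query but whose `password` column holds `password_hash()` output instead of `sha1()`.

```php
<?php
// Added example, not code from the thread. Assumed: $pdo connects to a database
// with a `member` table (userid, password, fullname) where `password` stores a
// password_hash() value. Connection values are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

session_start();

// Returns the member row (without the hash) on success, null on failure.
// The username is a bound parameter, so user input never reaches the SQL
// parser, and the password is compared only against the stored hash.
function authenticate(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT userid, password, fullname FROM member WHERE userid = :u'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() handles the salt and the algorithm stored in the hash.
    if ($row !== false && password_verify($pass, $row['password'])) {
        unset($row['password']);
        return $row;
    }
    return null;
}

// Already logged in: the session carries the identity, so no query is needed.
if (!isset($_SESSION['userid'])) {
    if (isset($_POST['user'], $_POST['pass'])) {
        $member = authenticate($pdo, (string) $_POST['user'], (string) $_POST['pass']);
        if ($member === null) {
            http_response_code(401);
            echo 'Access Denied';          // render the access-denied page here
            exit;
        }
        session_regenerate_id(true);       // new id after login, old one discarded
        $_SESSION['userid']   = $member['userid'];   // identity only, no password
        $_SESSION['fullname'] = $member['fullname'];
    } else {
        echo 'Login Required';             // render the login form here
        exit;
    }
}

$username = $_SESSION['fullname'];
```

When a member signs up, store `password_hash($pass, PASSWORD_DEFAULT)` in the `password` column; `password_verify()` then works without any change to this file when the default algorithm is upgraded in a later PHP release.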