Session cache and clearing

Posted: Mon Sep 24, 2007 5:41 am
by kkonline

Code:

session_cache_expire(10);  // 10 minutes
session_start();
// ... some data processing ...
and to log out I am using

Code:

unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();
echo 'Logged out successfully';
and for processing

Code:

if (isset($_SESSION['user']) && isset($_SESSION['pass'])) {
    // user is logged in
}
Is the above code sufficiently secure, and do you have other suggestions or corrections?
Another thing: is session_cache_expire used in the correct way? I am using a 10-minute cache expiry.

Posted: Mon Sep 24, 2007 7:29 am
by superdezign
The sessions aren't really the part where we have a lot of security problems... You shouldn't have too much concern. The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?

Posted: Mon Sep 24, 2007 8:45 am
by kkonline
superdezign wrote:
The security comes in the authentication, which you haven't shared. Why save the username and password if you aren't checking it against the database in each request?
I am using all the measures I am aware of (mysql_real_escape_string, validating, data filtering etc.), but I am currently concerned about clearing the sessions after 10 minutes.

In this version of accesscontrol I am not showing you the mysql_real_escape_string and the others, but in the final version I will be using them, if you are concerned about SQL injection.

accesscontrol.php

Code:

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_cache_expire(10);
session_start();

// Fall back to the session values only if they exist (avoids an undefined-index notice)
$user = isset($_POST['user']) ? $_POST['user']
      : (isset($_SESSION['user']) ? $_SESSION['user'] : null);
$pass = isset($_POST['pass']) ? $_POST['pass']
      : (isset($_SESSION['pass']) ? $_SESSION['pass'] : null);

if(!isset($user)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="user" size="8" /><br />
    Password: <input type="password" name="pass" size="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;

dbConnect("mysql");
$sql = "SELECT * FROM member WHERE
        userid = '$user' AND password = sha1('$pass')";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['user']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,'fullname');
?>

In the signup process I take the user name and check if it exists; if it doesn't, I continue with validation.
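An added example (not the poster's code) of the session layer that the question is about: session_cache_expire() only sets the HTTP cache headers sent with the page, so a 10-minute idle timeout has to be enforced explicitly, the password should never be stored in the session, and logout should clear the session data, the cookie and the server-side file. The file name session_guard.php and the function names are assumptions.

```php
<?php
// session_guard.php (hypothetical helper, not code from the thread)
// session_cache_expire() controls only the page's cache headers, so the
// idle timeout is tracked in the session itself.
define('IDLE_TIMEOUT', 600); // 10 minutes, in seconds

function secure_session_start()
{
    ini_set('session.use_only_cookies', 1); // ignore session IDs passed in the URL
    ini_set('session.cookie_httponly', 1);  // keep the cookie out of reach of scripts
    session_start();
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        session_logout();            // idle too long: wipe everything
        session_start();             // continue with a fresh, anonymous session
        session_regenerate_id(true); // do not reuse the timed-out ID
    }
    $_SESSION['last_activity'] = time();
}

// Call once, after the credentials were verified against the database.
// Only the user identifier is kept; the password never enters the session.
function session_login($userid)
{
    session_regenerate_id(true);     // new ID, so a pre-login ID cannot be reused
    $_SESSION['user'] = $userid;
    $_SESSION['last_activity'] = time();
}

function session_is_authenticated()
{
    return isset($_SESSION['user']);
}

function session_logout()
{
    $_SESSION = array();             // drop all session data, not just two keys
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();               // remove the server-side session file
}
```

Pages that need a login would call secure_session_start() and then session_is_authenticated() instead of checking for user and pass keys; the database check stays in accesscontrol.php and calls session_login() once it succeeds.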