Do I need to add a token when generating Session?
Posted: Wed Oct 24, 2007 5:09 am
I'm creating a login page and protected pages. In protected.php, I've added an $authorize variable to check if the user is the intended one. Is this necessary, or have I overdone something? Should I regenerate the session ID to make that more secure?
login.php:

```php
<?php
require_once "config.inc.php"; // include the database information
if (isset($_POST['login'])) {
    $clean = array();
    $mysql = array();
    $clean['user'] = strip_tags($_POST['username']);
    $clean['pw'] = $_POST['password'];
    $salt = 'alenn';
    $password_hash = md5($salt . md5($clean['pw'] . $salt));
    $mysql['user'] = mysql_real_escape_string($clean['user']);
    // formulate and execute the query
    $cmd = "SELECT * FROM inb_contact WHERE name='{$mysql['user']}' AND password='$password_hash'";
    $sql = mysql_query($cmd) or die("username was incorrect. MySQL said " . mysql_error()); // this checks to see if the username exists
    $result = mysql_fetch_array($sql); // puts the database information into an array
    // Present results based on validity.
    if (mysql_num_rows($sql) == 1) {
        session_start();
        $_SESSION['sessioname'] = $mysql['user'];
        header("Location: protected.php");
        exit; // stop here: header() alone does not end the script
    } else {
        echo "You are not authorized!";
    }
} else {
    echo "Na Tink.";
}
?>
```

protected.php:
```php
<?php
$authorize = 0;
session_start();
if (isset($_SESSION['sessioname'])) {
    $authorize = 1;
} else {
    echo "YOU MUST BE LOGGED IN TO SEE THIS!";
}
// The content check must sit outside the else branch, otherwise it can never run.
if ($authorize == 1) {
    // Your protected stuff goes here; if you wish to echo the username: echo $_SESSION['sessioname'];
    echo "welcome " . $_SESSION['sessioname'];
    //show content here
}
```

Can I use the session to store the $authorize value -> $_SESSION['authorize']? So that it will become...
login.php:

```php
<?php
//Is this suitable to start session here?
session_start();
$_SESSION['authorize'] = 0;
require_once "config.inc.php"; // include the database information
if (isset($_POST['login'])) {
    $clean = array();
    $mysql = array();
    $clean['user'] = strip_tags($_POST['username']);
    $clean['pw'] = $_POST['password'];
    $salt = 'alenn';
    $password_hash = md5($salt . md5($clean['pw'] . $salt));
    $mysql['user'] = mysql_real_escape_string($clean['user']);
    // formulate and execute the query
    $cmd = "SELECT * FROM inb_contact WHERE name='{$mysql['user']}' AND password='$password_hash'";
    $sql = mysql_query($cmd) or die("username was incorrect. MySQL said " . mysql_error()); // this checks to see if the username exists
    $result = mysql_fetch_array($sql); // puts the database information into an array
    // Present results based on validity.
    if (mysql_num_rows($sql) == 1) {
        $_SESSION['authorize'] = 1; //set it to be true if successfully logged in
        $_SESSION['sessioname'] = $mysql['user'];
        header("Location: protected.php");
        exit; // stop here: header() alone does not end the script
    } else {
        echo "You are not authorized!";
    }
} else {
    echo "Na Tink.";
}
?>
```

protected.php:

```php
<?php
session_start();
if (isset($_SESSION['sessioname'])) {
    if ($_SESSION['authorize'] == 1) {
        echo "welcome " . $_SESSION['sessioname'];
        //show content here
    } else {
        echo "unauthorized user";
    }
} else {
    echo "YOU MUST BE LOGGED IN TO SEE THIS!";
}
```

Thanks in advance for the help.
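As an added example (not the poster's code and not part of the original thread), here is the same login/protected-page pair rewritten around the session questions asked above. The session ID is regenerated with session_regenerate_id(true) immediately after the credentials check, so an ID an attacker planted in the victim's browser before login (session fixation) is discarded; the user id stored in $_SESSION is itself the proof of login, so a separate $_SESSION['authorize'] flag adds nothing as long as no other code writes that key; and every redirect is followed by exit, because header() alone does not stop the script. The mysql_* calls and the salted md5 are swapped for a PDO prepared statement and password_hash()/password_verify(). The table name inb_contact and the name/password columns come from the question; the id column, the PDO handle, the function names, the cookie settings and the SQLite self-test data are all assumptions.

```php
<?php
// auth.php: added example, not the original poster's code.
// Assumes a PDO connection to a table inb_contact(id, name, password) where
// `password` holds a password_hash() digest. The `id` column is assumed.
declare(strict_types=1);

// Start the session once, with the ID kept in a cookie only (never in the URL),
// unknown IDs rejected, and the cookie unreadable from JavaScript.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // assumption: site served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verify credentials with a prepared statement (no string-built SQL) and
// password_verify(). Returns the numeric user id on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM inb_contact WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// On success: rotate the session ID (defeats session fixation), then store the
// user id. The presence of 'user_id' is the only login marker; no separate
// 'authorize' flag is needed because nothing else ever writes that key.
function login(PDO $db, string $username, string $password): bool
{
    secure_session_start();
    $uid = authenticate($db, $username, $password);
    if ($uid === null) {
        return false;
    }
    session_regenerate_id(true);            // new ID, old server-side record deleted
    $_SESSION = ['user_id' => $uid, 'user' => $username];
    return true;
}

// Guard for protected pages: redirect and stop if not logged in.
function require_login(string $login_url = 'login.php'): int
{
    secure_session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $login_url);
        exit;                               // header() alone does not stop the script
    }
    return (int) $_SESSION['user_id'];
}

// Logout: wipe the data, expire the cookie, destroy the server-side record.
function logout(): void
{
    secure_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// CLI self-test against an in-memory SQLite table (constructed sample data).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE inb_contact (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
    $db->prepare('INSERT INTO inb_contact (name, password) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    var_dump(authenticate($db, 'alice', 'correct horse'));   // right password
    var_dump(authenticate($db, 'alice', 'wrong'));           // wrong password
    var_dump(authenticate($db, "' OR 1=1 --", 'x'));         // injection-shaped name, treated as plain text
}
```

login.php would call login($db, $_POST['username'], $_POST['password']) and, on true, do header('Location: protected.php'); exit;. protected.php starts with $uid = require_login(); and only then renders content. Running php auth.php from the command line exercises authenticate() against the in-memory table, including a username shaped like an SQL injection, which the prepared statement passes through as an ordinary string.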