handling sessions ...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

handling sessions ...

Post by pavanpuligandla »

Hi,
Here's a small problem with session handling.
When I log in to my application, sessions are being registered, that is okay, and after getting logged in I can see the members page well, but when I'm opening loginpage.htm in a new tab of the Firefox browser, I'm able to see the login page itself and not the members page.
The sessions are not being synchronized; why is this happening?

I tried to include session.php in the login page itself, so that if the user is already logged in, even when I open the login page it should be redirected to the members page; instead it's showing me a server configuration error in the browser.

I'm attaching my code here. Kindly help me with your ideas and suggestions.
logincheck.php

Code:

<?php
 
 //Connect to mysql server
    $link=mysql_connect("localhost","root","");
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db=mysql_select_db("tge");
    if(!$db) {
        die("Unable to select database");
    }
 
$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);
 
$query="SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='".   mysql_real_escape_string ($encrypt). "'";
    
    //require_once('attempt.log.class.php'); 
    $result=mysql_query($query);
    $rows2=mysql_fetch_array($result);
    if($rows2["password"] == $encrypt && $rows2["username"] == $username )
        {
        if(mysql_num_rows($result)>0) 
            {
            //Login Successful
            session_start();
            $start=time();
            $_SESSION['time_start']=$start; 
            $_SESSION['username']=$username;
            $_SESSION['password']=$encrypt;
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            
            session_register('username');
            session_register('password');
            session_register('time_start');
            session_regenerate_id();
            session_write_close();
            include "session.php";
            header("Location: redirect.php");
            exit(); 
            }
            
      else {
            //Login failed
            require_once('attempt.log.class.php');
            session_unset();
            session_destroy();
            header("location: loginfail.htm");
            exit();
            }
        }
      else{
           require_once('attempt.log.class.php');
           session_unset();
           session_destroy();
           header("location: loginfail.htm");
          }
 
?>
Here is the code for session.php:

Code:

<?php
 
//start the session
session_start();
 
//check to make sure the session variable is registered
if(session_is_registered('username')){
 
//the session variable is registered, the user is allowed to see anything that follows
 
#echo 'Welcome, you are still logged in.';
}
else{
 
//the session variable isn't registered, send them back to the login page
header( "Location: login.htm" );
exit();
}
 
?>
Many Thanks,
Pavan.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: handling sessions ...

Post by Maugrim_The_Reaper »

Firstly - you need to focus on using $_SESSION and not duplicating its functionality with session_register(). Secondly, how is the session id passed to the application? Is it stored in the browser cookie (should have no tab-to-tab effect) or via a GET parameter in the URL address you see in the first browser tab but is missing in the second tab's address?
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: handling sessions ...

Post by pavanpuligandla »

Hi,
@above,
I've removed

Code:

session_register('username');
session_register('password');
session_register('time_start');
and now I'm using $_SESSION, and instead of session_is_registered I'm using this:

Code:

if(isset($_SESSION['VARNAME']))
{
    print("What you want if the session var is set");
}
else
{
    print("What you want if the sessions variable is not set");
}
I'm getting the same error. Sessions are not being carried over the URL, I'm not storing sessions in the DB, and I'm including session.php (posted above) in every page that logged-in users can see.
Kindly help me out.
Many thanks.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: handling sessions ...

Post by Maugrim_The_Reaper »

Try the following:

1. remove session_write_close() - the session will do this automatically once the script ends (which is not a problem unless using iframes and session locks become a problem).
2. Move session_start() to the very beginning of the script - it should be called as early as possible.

It looks like your login block opens the session and then closes it later - obviously if re-running the script from scratch, this means you have to login a second time to get the session to open.

You can also remove session_unset():

You could use

Code:

unset($_SESSION['someVar']);
for each data point you add to the session instead or simply use

Code:

$_SESSION = array();
before calling session_destroy().
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: handling sessions ...

Post by pavanpuligandla »

Hi,
@Maugrim_The_Reaper
Thanks for your reply. I've sorted out my login script, but I'm getting the same problem: after getting logged in and opening the login page in a new tab, the two sessions are not being synchronised, and as a result I can see the login page itself.
Here's my sorted-out code.

Code:

<?php
session_start();

//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("tge");
if(!$db) {
    die("Unable to select database");
}

$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$encrypt = sha1($password);

$query="SELECT * FROM examadminlogin WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($encrypt) . "'";

//require_once('attempt.log.class.php');
$result=mysql_query($query);
$rows2=mysql_fetch_array($result);
if($rows2["password"] == $encrypt && $rows2["username"] == $username )
{
    if(mysql_num_rows($result)>0)
    {
        //Login Successful
        $start=time();
        $_SESSION['time_start']=$start;
        $_SESSION['username']=$username;
        $_SESSION['password']=$encrypt;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        include "authn.php";
        header("Location: redirect.php");
        exit();
    }
    else {
        //Login failed
        require_once('attempt.log.class.php');
        session_destroy();
        header("location: loginfail.htm");
        exit();
    }
}
else{
    require_once('attempt.log.class.php');
    session_destroy();
    header("location: loginfail.htm");
    exit(); //stop the script after the redirect, as the other branches do
}

?>
The authn.php script goes here:

Code:

<?php
    //Start session
    session_start();
    //Check whether the session variable
    //SESS_username is present or not
    if(!isset($_SESSION['username']) || (trim($_SESSION['username'])=='')) {
        header("location: examlogin.htm");
        exit();
    }
?>
Can you please modify my code?
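The flow Maugrim_The_Reaper describes above (session_start() at the top of every script, $_SESSION only, the array cleared before session_destroy()), combined with the "already logged in, so send the login page to the members page" check the first post asks for, as an added example; it is not code from either poster. It assumes PHP 7.3 or later (array form of session_set_cookie_params()), a PDO connection handed in as $pdo, a `login` table whose `password_hash` column was filled with password_hash() (a deliberate swap for the thread's unsalted sha1(), which is not suitable for storing passwords), the page names login.php, members.php and loginfail.php, and that the login page itself is served as PHP: a static .htm file is never run through the interpreter, so a session check included in it cannot execute. mysql_* is replaced with PDO prepared statements because the mysql extension no longer exists in current PHP.

```php
<?php
// Added example (not the poster's code). Assumptions: $pdo is an open PDO
// connection; table `login` has columns username and password_hash; every
// page that performs these checks is served as PHP, not as a static .htm.
declare(strict_types=1);

// ---- auth.inc.php: shared by protected pages and by the login page ----

// Start the session exactly once, before any output, on every page.
function auth_session_start(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,                        // not readable by script
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),   // cookie only over TLS when available
        ]);
        session_start();
    }
}

function auth_is_logged_in(): bool
{
    return isset($_SESSION['username']) && $_SESSION['username'] !== '';
}

// Protected pages call this; no session means a redirect to the login page.
function auth_require_login(): void
{
    auth_session_start();
    if (!auth_is_logged_in()) {
        header('Location: login.php');
        exit();
    }
}

// The login page (served as PHP) calls this, so a user who is already logged
// in and opens it in a second tab is sent to the members page instead.
function auth_redirect_if_logged_in(): void
{
    auth_session_start();
    if (auth_is_logged_in()) {
        header('Location: members.php');
        exit();
    }
}

// After a successful credential check: fresh id, then store identity only
// (no password or hash belongs in the session).
function auth_login(string $username): void
{
    auth_session_start();
    session_regenerate_id(true);        // new id; the old record is deleted
    $_SESSION = [];                     // drop any pre-login state
    $_SESSION['username']   = $username;
    $_SESSION['time_start'] = time();
}

// Logout: empty the array, expire the cookie, then destroy the server record.
function auth_logout(): void
{
    auth_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// ---- logincheck.php: the form handler ----
function handle_login(PDO $pdo): void
{
    auth_session_start();
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    // Prepared statement instead of string-built SQL; the hash is compared in
    // PHP with password_verify(), never inside the WHERE clause.
    $stmt = $pdo->prepare('SELECT password_hash FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($password, $row['password_hash'])) {
        auth_login($username);
        header('Location: members.php');
        exit();
    }
    auth_logout();                      // a failed attempt leaves no session behind
    header('Location: loginfail.php');
    exit();
}
```

Each page then needs only one line at the top: `auth_require_login();` on members pages, `auth_redirect_if_logged_in();` on login.php. Because the session cookie is shared by every tab of the browser, the second tab sees the same $_SESSION as the first as soon as the check runs inside PHP; no explicit write close is needed, since the session is written when the script ends.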
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Session handling and firefox tabs..

Post by pavanpuligandla »

Hi,
This has been posted earlier; please do help me.
You can see my post below, "Handling sessions...".

When using $_SESSION to "store parameters", rather than $_GET be aware that people may open the same "window" in different tabs (Firefox... IE7?). When the $_SESSION variable stores an "id", changes to an earlier tab may be incorrectly stored (uses the latest id).

Just thought I'd mention this as I have come across a couple of sites where they do not take it into account.

Many Thanks,
Pavan.P
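One way to keep the per-tab "id" the post above warns about from being overwritten by a later tab, as an added example that is not code from the poster: instead of a single $_SESSION['id'], each tab gets its own random token that travels with the form as a hidden field, and the session stores state under that token. It assumes session_start() has already run on the page; the helpers take the session array by reference so the demo can run against an ordinary array standing in for $_SESSION. The function and field names are hypothetical.

```php
<?php
// Added example (not the poster's code). Per-tab state inside one shared
// session: a random token per tab, carried back in a hidden form field.
declare(strict_types=1);

// Create a token for a new tab, remember which record it works on, and
// return the token so the page can emit it, e.g.
//   <input type="hidden" name="tab" value="<?= htmlspecialchars($token) ?>">
function tab_state_new(array &$session, string $recordId): string
{
    $token = bin2hex(random_bytes(16));                 // 128-bit random token
    $session['tabs'][$token] = ['id' => $recordId, 'created' => time()];
    return $token;
}

// Resolve the token that came back with the form to its record id.
// Returns null for a missing or unknown token so the caller refuses the write
// instead of silently using whichever id the latest tab stored.
function tab_state_get(array $session, ?string $token): ?string
{
    if ($token === null || !isset($session['tabs'][$token])) {
        return null;
    }
    return $session['tabs'][$token]['id'];
}

// Forget tokens older than $ttl seconds so the session does not grow forever.
function tab_state_prune(array &$session, int $ttl = 3600): void
{
    $now = time();
    foreach ($session['tabs'] ?? [] as $token => $entry) {
        if ($now - $entry['created'] > $ttl) {
            unset($session['tabs'][$token]);
        }
    }
}

// Handler for the posted form: look the id up by the tab's own token.
function handle_edit_post(array &$session, array $post): ?string
{
    tab_state_prune($session);
    $recordId = tab_state_get($session, isset($post['tab']) ? (string)$post['tab'] : null);
    if ($recordId === null) {
        return null;                                    // stale or forged token: reject
    }
    // ... apply $post to record $recordId here ...
    return $recordId;
}

// Demonstration with a constructed array in place of $_SESSION.
function demo(): array
{
    $session = [];
    $tabA = tab_state_new($session, '17');              // first tab edits record 17
    $tabB = tab_state_new($session, '42');              // second tab edits record 42
    return [
        'a'      => handle_edit_post($session, ['tab' => $tabA]),   // still 17
        'b'      => handle_edit_post($session, ['tab' => $tabB]),   // 42
        'forged' => handle_edit_post($session, ['tab' => 'no-such-token']),
    ];
}
```

The token only scopes state to a tab; it is not an authentication credential, so the page still needs its normal session login check, and the record id resolved from the token must still pass the usual authorization check for the logged-in user before anything is written.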
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: handling sessions ...

Post by pavanpuligandla »

Can anyone help me, please?