restricting access using sessions
Hi,
I have a login form; once logged in, it takes the user to another page (useraccount.php). I've set the session, however I can still access useraccount.php without logging in. Why is this happening?
Login form code:
<?php
session_start();
include 'dbconnect.php';
if(isset($_POST['submit'])) {
    // escape the submitted values before they go into the query
    // (the original concatenated $_POST directly into the SQL string)
    $user = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    if(mysql_num_rows(mysql_query("SELECT fk_memberid, password FROM members WHERE fk_memberid = '$user' && password = '$pass'")) > 0) {
        $_SESSION['logged'] = true;
        $_SESSION['username'] = $_POST['username'];
        $memberid = $_POST['username'];
        header('Location: http://www.kumar.adsl24.co.uk/Storm%20Broadband/useraccount.php?memberid=' . $memberid);
        exit;
    }else{ //username/password doesn't exist
        header('Location: http://www.kumar.adsl24.co.uk/Storm%20Broadband/failedlogin.html');
        exit;
    }
}
?>
useraccount.php code:
<?php
//ob_start allows header location work at the bottom. it bypasses it.
session_start();
ob_start();
if (!isset($_SESSION['logged'])
    || $_SESSION['logged'] !== true) {
    // not logged in, move to login page
    header('Location: login.php');
    exit;
}
Any help greatly appreciated. Thanks.
# 1 Re: restricting access using sessions
By "ob_start allows header location work at the bottom. it bypasses it"...are you saying that you have put this code at the bottom? I hope not. All header() calls must happen before any output to the client. Always put that stuff at the top.
Also, don't forget to specify a session id and set it with a cookie. I would suggest something like the following. Your code is open to session corruption without specifying a session id. Or you can specify a session name as well. I would suggest making this an included file named session.php and always put it at the top of any file that is part of the session.
<?php
$webappname = 'whatever your web app name is';
if(@$_COOKIE[$webappname] == ""){
    // no cookie yet: mint an id and send it to the client (must run before any output)
    $sesid = $webappname . mt_rand(0, 9999999);
    setcookie($webappname, $sesid);
}
else{$sesid = $_COOKIE[$webappname];} // returning visitor: reuse the id from the cookie
session_id($sesid);   // must be set before session_start()
session_start();
?>
# 2 Re: restricting access using sessions
It's generally not a good idea to set a boolean session flag if the user is logged in, as this is very easy to hack and overwrite with one look at their session cookies. Instead, what I do is assign a user a session_id, similar to what Peej did, and store that in a database on login.
This database has a relational key between the timestamp (when they logged in) field and the uuid (session_id) field, so querying it on every page won't be that big of a deal; just remember to clear out the session table every so often. Usually daily is a good idea.
The login page looks something like this:
<?php
//login.php
//Make sure we are starting with a clean slate.
session_start();           // session_id() is empty until a session has been started
if (strlen(session_id()) > 0) {
    session_destroy();
}
if (isset($_POST['submit']) && isset($_POST['username']) && isset($_POST['password'])) {
    //assuming you have some dbconnect and all that, i'm gonna skip to the resultset: $result
    $query = "SELECT ID FROM users WHERE username =
        '".trim(mysql_real_escape_string($_POST['username']))."' AND password =
        '".trim(mysql_real_escape_string($_POST['password']))."'";
    if (mysql_num_rows($result) > 0) {
        $sess_id = mt_rand(111111111,999999999);
        session_id($sess_id);
        session_start();
        $insert = "INSERT INTO sessions VALUES ('',CURRENT_TIMESTAMP(),'$sess_id')";
        //do insert
        header("Location: main.php"); // header() needs the "Location:" prefix to redirect
        exit;
    } else {
        $status = "Invalid username or password!";
    }
}
?>
Auth.php:
<?php
//auth.php
session_start();           // without this, session_id() is always empty
$sid = session_id();
if (strlen($sid) < 8) {
    header("Location: login.php");
    exit;
}
//Get the oldest date we allow, current timestamp, minus 30 minutes;
$oldest_session_ts = time() - (30 * 60);
$oldest_session_allowed = date("Y-m-d H:i:s",$oldest_session_ts); // MySQL DATETIME format
// $sid comes from the client's cookie, so it is escaped like any other input
$query = "SELECT ID FROM sessions WHERE uuid = '".trim(mysql_real_escape_string($sid))."' AND timestamp >= '$oldest_session_allowed'";
//do query, get $result back
if (mysql_num_rows($result) == 0) {
    header("Location: login.php");
    exit;
}
// else continue on with the content of the page
?>
Main.php (or any other password protected site):
<?php
//main.php
//This should be required on every password protected page.
require("auth.php");
echo "bla bla my special password protected content!!";
?>
It's 6am as I write this, so I can't be held responsible for any logic errors in the code (hehe); take it with a grain of salt, don't copy and paste it. Besides, you should have functions to do this stuff and objects and whatnot; this is just the most basic of procedural examples.
I hope it helps some,
Zetas
Zetas at 2007-11-10 3:57:04
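Pulling the thread's pieces together, here is an added example (not code from any of the posts above) of the same login / gate split with the logged-in state kept server-side, a fresh session id on login, and an idle timeout; the PDO handle `$pdo`, the `members` table and its `password_hash` column are assumptions.

```php
<?php
// Added example (not from the thread): login + gate with server-side session state.
// Assumed: a PDO handle in $pdo and a `members` table with columns fk_memberid
// and password_hash (a password_hash() digest). Needs PHP 7.3+.

// session.php: include first on every page, before any output is sent.
function app_session_start(): void {
    // Accept the id only from the cookie and reject ids the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// login.php: prepared statement plus hash check instead of string-built SQL.
function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT fk_memberid, password_hash FROM members WHERE fk_memberid = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    // Fresh id on privilege change (anti-fixation); the browser only ever
    // holds this opaque id, the logged-in state itself stays on the server.
    session_regenerate_id(true);
    $_SESSION['member_id'] = $row['fk_memberid'];
    $_SESSION['last_seen'] = time();
    return true;
}

// auth.php: require() on every protected page right after app_session_start().
function require_login(int $idle_limit = 1800): void {
    if (empty($_SESSION['member_id'])
        || time() - ($_SESSION['last_seen'] ?? 0) > $idle_limit) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit; // without exit, the protected content below is still sent
    }
    $_SESSION['last_seen'] = time();
}

// useraccount.php: the member id comes from the session, never from ?memberid=
app_session_start();
require_login();
$memberId = $_SESSION['member_id'];
```

Reading the member id from `$_SESSION` rather than from the query string is what stops one logged-in user from viewing another account's page by editing the URL.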
