SitePoint Sponsor

User Tag List

Results 1 to 5 of 5
  1. #1
    SitePoint Member
    Join Date
    Oct 2013
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    stay logged in using sessions only

    Can you spot any glaring issues with this concept?

    Code:
    <?php
    error_reporting(E_ALL);
    ini_set('display_errors',E_ALL);
    
    ini_set('session.use_only_cookies', 1);
    $cookieParams = session_get_cookie_params();
    
    $loggedin=true;
    if(isset($_GET['logout'])){
    	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);  
    	session_start();
    	session_unset();	//unset($_SESSION['myvar']);
    	session_regenerate_id(true);
    	session_destroy();
    	
    	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    	exit();
    	
    }elseif(isset($_GET['login'])){
    	session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    	session_start();
    	$_SESSION['myvar']="Logged in";
    	header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    	exit();
    	
    }else{
    	session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    	session_start();
    	
    	if(isset($_SESSION['myvar'])){
    		setcookie(session_name(), session_id(), time()+31536000 , $cookieParams["path"], $cookieParams["domain"], false, true);
    	}
    	
    }
    
    echo session_id()."<br />";
    
    if(isset($_SESSION['myvar'])){
    	echo "myvar: ".$_SESSION['myvar']."<br />";
    	echo "<a href='?logout=true'>logout</a><br />";
    }else{
    	echo "<a href='?login=true'>login</a><br />";
    }
    ?>

  2. #2
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,748
    Mentioned
    69 Post(s)
    Tagged
    0 Thread(s)
    Other than the title of your thread saying "using sessions only" and then the entirity of the code being cookie based?

    $loggedin=true;
    Unused variable.

    Why are you regenerating the ID of the session a line before destroying it?

    What your script actually does is:
    1. If the user is logged in and is not logging out, perpetuate the session by 11 months, 30 days, 4 hours, 40 minutes.
    2. If the user is logged in and is logging out, destroy the session and reload the page; which will then cause it to follow option 3.
    3. If the user is NOT logged in, and is not logging in, create a session which will expire immediately. (which some might say defeats the purpose)
    4. If the user is not logged in and IS logging in, create a session via cookie that will expire in 11 months, 30 days, 4 hours, 40 minutes, and then reload the page, which will cause it to follow option 1.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  3. #3
    SitePoint Member
    Join Date
    Oct 2013
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    [QUOTE=StarLion;5583221]Other than the title of your thread saying "using sessions only" and then the entirity of the code being cookie based?[/code]

    Its session cookies yes, but not standalone cookies, something everyone seems to use as well as...

    Why are you regenerating the ID of the session a line before destroying it?
    Because destroying it only clears the session data.

    What your script actually does is:
    1. If the user is logged in and is not logging out, perpetuate the session by 11 months, 30 days, 4 hours, 40 minutes.
    2. If the user is logged in and is logging out, destroy the session and reload the page; which will then cause it to follow option 3.
    3. If the user is NOT logged in, and is not logging in, create a session which will expire immediately. (which some might say defeats the purpose)
    4. If the user is not logged in and IS logging in, create a session via cookie that will expire in 11 months, 30 days, 4 hours, 40 minutes, and then reload the page, which will cause it to follow option 1.
    *3. Zero is used to indicate to destroy the session cookie when the browser is closed, remember this is a session cookie not a standard cookie!


    ** unused var is just a remnant (I deleted dev crud as posting!)


    So, in your opinion there is no security issues with this arrangement?

  4. #4
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,748
    Mentioned
    69 Post(s)
    Tagged
    0 Thread(s)
    0 in the lifetime does indeed specify until browser close, in that i was mistaken. (This however is not something different than a cookie. It is a standard cookie, just one that PHP interprets into session matching. "Lifetime" is in fact a rather poor combinatory thing; if you tell a cookie to expire at 0 it does the same thing. Otherwise, PHP sets a cookie with expiry time()+$lifetime.)

    Because destroying it only clears the session data.
    And regenerating the ID before killing it does... what, precisely? Creates a new session (which still carries the same data), deletes the old one... and destroys the new one. What's the difference? Have i missed something?

    Security issues? None more than any other implementation of cookie based login. Your script cleans up the cookie if they log out and then close the browser. Using the Location headers might be a bit unnecessary, really. (and it would actually lock your browser into not being able to go "back" unless you tapped it repeatedly to skip the "login" press)
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  5. #5
    SitePoint Member
    Join Date
    Oct 2013
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Regenerating the id, well, changes the session id. If I wanted to carry on tracking them I wouldn't give them a new session id, but...

    I use header redirects so if the page is refreshed, etc then it carries nothing with it. In this case the GET's (note that many browsers now hide the GET stuff in the location entry until you click in it! But it's still there...) (And in a real case I generally wouldn't be using GET, rather POST)


    Thankyou


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •