  1. #1 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    I am trying to use PHP4's native session functions but would like a bit of help with the design of how to do this. The implementation can come a bit later.

    I am building an application that at certain points will require a user to be logged in. It might be that the application is set so that the user does not have to be logged in.

    This is important because I can't just go and use Kevin's script, which password-protects all the pages with a username and password, because some pages would not require a user to log in.

    So what I want is this:

    i) A login script, say login.php, sort of thing. The user logs in, has a session variable created with their username and password and can then continue to use the whole site. Thus the session "must" get passed to every single page.

    ii) A function that I can call at certain points in the process to check if the user is logged in. If they are not, it gives them a form to log in with and then redirects them to where they were previously.

    What is the best way to go about this, do you think?

    Also, once a user logs in I am going to need to get some other data from the user table. Would it be better to do a SQL query on the user table for every page I would need it, or would it be better to set the whole row as session variables?

  2. #2 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    OK, thought about this some more.

    The easy bit is authenticating when I need it: I either do

    i) a login form (login.php) which creates the session variable

    or

    ii) just call the sessions.php script (a hacked version of Kyank's tutorial one) when I need authentication in a script.

    BUT!

    What is going to be the easiest way to pass on the session variable from one page to another if I am not requiring authentication on that page?

    If I just have

    PHP Code:
    session_start();

    on every page, will that work?

  3. #3 SitePoint Member (Join Date Feb 2001, Posts 21)
    Chris,

    Yes, it will work, although it's not really necessary. You only realistically need to call session_start() on a page in which you need access to the session variables. Cookie-based sessions survive regardless of whether or not session_start() is called on each page.

    Non-cookie sessions are a little more complicated - you need to be sure to pass the session ID around on *every* link. PHP can help you with this if it was compiled with --enable-trans-sid. That makes PHP add the session ID to most relative links.

    As for the question of how many variables to store in the session: I generally try to store only a few things, like the userid and some configuration values. (Note that you do *not* need to store the password in the session. Authenticate them against their password in login.php, but then just store their userid in the session. Be sure to check for people trying to pre-load that value before you call session_start(), though.) Basically, any value that will be needed on most pages should go in the session. If getting some other value is computationally expensive, such as requiring a lot of queries, you may also consider putting it in the session if it will be used a lot. Otherwise, just query for the data when you need it given the keys in the session.

    Hope that helps...
    Travis Burnside
    travis@qwk.net

    Free monitoring for your web site - http://www.qwkmon.com

  4. #4 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    Thanks, a couple of things:

    i) --enable-trans

    I can not guarantee this will be on every server that uses the script, so I don't want to rely on it, but I also don't really want to rely on the use of cookies if possible. So do I have to create the &s= type links everywhere, like vB? Or do you think a session cookie would be the best way to do this (as I assume almost everyone accepts these, don't they?)

    ii) Preventing people spoofing $id. I thought about this and it is something that worries me. I would have thought it is a lot better if all the session variables are in an array and you would do $session['uid'], and then it only checks the session data, but never mind.

    My worry is that I will only know half way through the script if I am going to require $id or not, so I can't put the authentication until then, but by then the person could have spoofed $id, could they not?

  5. #5 SitePoint Member (Join Date Feb 2001, Posts 21)
    Cookies are really preferable. Personally, I just say "this site requires cookies" and that's that. You can't expect an online application to work properly without them. Your only choice aside from that, if you don't want to rely on enable-trans-sid being enabled, is to hard-code the session id into every link.

    I don't think using an array for your session variables really offers any extra security. PHP's session variable implementation is fairly secure, if a bit basic, so you don't have too much to worry about.

    One tip: check to see if session variables have been set before calling session_start(). If they have, bomb out, because somebody's trying to do something nasty. (Such as sending them with a ?userid=whatever URL.) PHP won't allow GET or POST variables to override session variables anyway, but it's good basic deterrence to error these people out.
    Travis Burnside
    travis@qwk.net

  6. #6 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    Thank you, that answers lots of questions, but one thing.

    So on a previous page I set $uid = 45 (in the session)

    and then someone goes to the page

    www.domain.com/page.php?uid=454

    where page.php is:

    PHP Code:
    session_start();
    echo $uid;

    That will print 45 and not 454, right?

    What would happen if the session was empty, i.e. if $uid was not set in the session? Then it would print 45, right? So does PHP think:

    i) Check to see if this variable is a session variable; if so, use it.
    ii) Not a session variable, so check to see if it is contained in the script?

    Is that it?

    If this is the case, what I am thinking is that I want the script to know if $uid is a session variable, but also not pop up an error if there is no session, but also not allow someone to "spoof" the variable.

    So I do:

    PHP Code:
    if (isset($uid)) {
        echo "what a very bad person you are, ignoring your variable";
        $uid = "";
    }

    session_start();

    // we now know that $uid is the real $uid from the session or it is empty if there is no "real" $uid set

    Is that logic correct?

  7. #7 SitePoint Member (Join Date Feb 2001, Posts 21)
    Yes, $uid should be 45. It should not be able to be overridden via variables passed in the URL.

    If UID was not in the session, then $uid would contain whatever was passed in the URL. This is why you want to check for the presence of session variables being passed on the URL - someone could call a script directly and pre-load all the values before a session is created. That would be bad.

    Your code is correct in spirit, although I would personally just bomb out rather than set the variable to empty. (If anything, you should unset() it.)
    Travis Burnside
    travis@qwk.net
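The design the thread settles on across posts #1, #3, #5 and #7 (a check callable mid-script that sends an unauthenticated visitor to login.php and back again, only the user id kept in the session, and a refusal of requests that try to pre-load a session value), as an added example that is not code from the thread. It assumes PHP 4.1 or later with the $_SESSION array rather than register_globals, and a hypothetical lookup_user() that checks the posted credentials against the user table and returns the id or false.

```php
<?php
// Added example, not from the thread. lookup_user() is a hypothetical helper
// returning the user id on success or false. Only that id goes into the
// session; other user data is queried per page, as post #3 recommends.

// Post #5's check: refuse a request that tries to supply a session name
// through GET, POST or a cookie before session_start() has run.
function session_name_preloaded($name)
{
    return isset($_GET[$name]) || isset($_POST[$name]) || isset($_COOKIE[$name]);
}

// Call this at the point in a script where a logged-in user is required.
// Returns the user id, or sends the visitor to login.php and stops.
function require_login()
{
    if (session_name_preloaded('user_id')) {
        header('HTTP/1.0 400 Bad Request');
        exit('Session values may not be supplied in the request.');
    }
    session_start();
    if (!empty($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    // Remember where the user was so login.php can send them back.
    $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
    header('Location: login.php');
    exit;
}

// login.php: verify the POSTed credentials, store only the id, redirect back.
// Returns false when the login form should be shown instead.
function handle_login()
{
    session_start();
    if (!isset($_POST['username'], $_POST['password'])) {
        return false;
    }
    $id = lookup_user($_POST['username'], $_POST['password']); // hypothetical
    if ($id === false) {
        return false;
    }
    session_regenerate_id();   // fresh session id once authenticated (PHP 4.3.2+)
    $_SESSION['user_id'] = $id;
    $back = isset($_SESSION['return_to']) ? $_SESSION['return_to'] : 'index.php';
    unset($_SESSION['return_to']);
    header('Location: ' . $back);
    exit;
}
```

The return_to value is taken from the server's own REQUEST_URI and kept in the session, never from the request, so it cannot be pointed at another site.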

  8. #8 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    Thanks for all your help on this, greatly appreciated.

  9. #9 SitePoint Wizard holmescreek (Join Date Mar 2001, Location Northwest Florida, Posts 1,707)
    Padders, just make sure you implement session_start() before you echo any output. session_start() writes out info to the page header and this can't be done if you start echoing out contents to the rest of the page first.

    i.e.

    session_start();

    if (isset($uid)) {
        echo "what a very bad person you are, ignoring your variable";
        $uid = "";
    }

  10. #10 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    OK

    isset only checks for a value in the variable if it is from user input, does it, as opposed to from a session variable?

    Because if one of the session variables is, say, 45, then won't isset($uid) return true from the session variable? If you see what I mean?

  11. #11 SitePoint Wizard holmescreek (Join Date Mar 2001, Location Northwest Florida, Posts 1,707)
    isset just checks to see if the variable has been defined.

    session_register("uid") tells PHP to store the variable name in the session file. After it is registered, any time you assign it a value from then on it stores the value along with the variable name in the session file.

    Basically, isset() just checks to see if the variable name "uid" exists in the session file; it doesn't have anything to do with the value assigned to it.

    session_start();

    if (!isset($uid)) { // if not set

        echo("variable uid was never set. uid will now be defined as a session variable.");

        // this stores something like "uid=" in the session file
        session_register("uid");

        // this will cause "uid=1234" to be stored in the session file.
        $uid = "1234";

    } else {

        echo($uid); // uid was previously set. This will print "1234"

    }

    session_unregister("uid") will cause the variable $uid and its value to be erased from the session file.

    Hope this helps.

  12. #12 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    I have a problem then. You see, I get to a point in the script where either $uid can be from the session (it gets there from another page after authentication, which I can handle) or it is empty. The thing I don't want is for it to be a fake value from ?uid=xyz, sort of thing.

    So what I want to do is something like

    if the variable is coming from ?= then bomb out, then wipe the variable, then do the session. So will this work:

    But I think we are back to where we were earlier, I just do

    PHP Code:
    if (isset($uid)) { // trying to trick us.
        unset($uid);
    }

    session_start();

    so it just checks to see if they are sending a spoof value; if they are, it unsets the value and then does the session, so we know if we use the value from then on it is real.

    P.S. Does unset($uid) if $uid is not set cause an error? I.e., would it be more efficient just to do:

    PHP Code:
    unset($uid);

    at the top of every script instead of

    PHP Code:
    if (isset($uid)) { // trying to trick us.
        unset($uid);
    }

    ?

  13. #13 SitePoint Wizard holmescreek (Join Date Mar 2001, Location Northwest Florida, Posts 1,707)
    Well, I would probably do a SQL query on $uid and $pwd; if the $uid is valid and the $pwd matches what's in the database then they are logged in, otherwise it's a bogus user id. This way, if a hacker sets up a random uid & pwd generator, the possibilities that both match what is in the database would probably be astronomical. Be sure to check the referrer to ensure your script is running from your site as well.

    The only other thing offhand, but it would require a lot more work, would possibly be to collect the uid then encrypt it some way before it's passed. Thus, a little function in the other pages. But this could be cracked if one was persistent.

    Avoid using the variable name uid or pwd; just about everyone here (and on other forums) refers to it. This gives someone that wants to hack a PHP site half of the puzzle.

  14. #14 SitePoint Evangelist (Join Date Feb 2000, Location England, Posts 568)
    Makes sense. I am going to have to do a SELECT from user where $uid = x on every page anyway, so adding AND pass = y is not going to make any difference to performance etc.

    Is there any security problem in storing the password in the session? I assume only if someone could get into the server and read the sessions created, but if they can do that you are pretty much up a creek without a paddle anyway.

    Will change from uid etc., good idea.

    Thanks again.

  15. #15 SitePoint Wizard holmescreek (Join Date Mar 2001, Location Northwest Florida, Posts 1,707)
    Yeah, it's OK to put the password in the session. You can't "hide" stuff from the server admin since they run the server.
