Chistaen

  1. Thanks for the replies. =) Great idea, I'll definitely keep that in mind.

     Yeah, I agree, but unfortunately, using a framework proved to be more difficult than writing everything myself. But that's probably because I need to get used to working with them.

     At the moment, not yet. Right now I just add mysqli_error's whenever something doesn't work, but good idea, I'll add error checking functions immediately. =)

     Yep. I just have one file (index.php) which handles all the other pages, like this: index.php?page=hi.

     The sessions are updated in the database, but for some reason the session data just isn't updated. I'm not sure why; sessions should continue to hold the data I create them with, right?

     Nope, although I did add a database close function to the session handler, but only because I thought it was required. Apart from that, I don't have a function that closes the database connection.

     Will do, I'll let you know the results as soon as possible.

     I was under the impression it was safer, and wouldn't cause problems with multiple servers. But I assume there are more ways to do this? I was actually considering another option: creating a custom session system using cookies. When logging in, I would use the session table to add a 'session' that would hold a randomly generated ID, the user ID, the user agent, the IP address, and the time. Then I would place a cookie with said IDs, the user agent and the IP address. Couldn't I just verify that information? It seems to me that shouldn't be too much of a security risk. Right?
  2. Thanks again for the replies. I've removed the password from the session; however, I'm now facing another problem: as soon as I leave the login page after logging in (the page that sets the session), PHP empties the 'session_data' column and updates the 'session_date' column (the one with the current time). I have absolutely NO idea what's causing the problem.

     Cookies can be changed, so if I use cookies to keep the session data in the database intact, there's a huge security risk. Right? Sorry for being so stupid, I'm sure there's a very simple solution for it, but I just don't even remotely know what that solution might be. Since this is the first time I'm using database sessions, it's still all very new to me.

     How do you guys handle login systems? I'm not asking for code (I'm here to learn, not to steal your code), I'm just curious whether you guys use cookies + sessions, custom sessions, sessions, etc., because creating a decent login system can't be too difficult (right?).

     Since I updated some of the code, here are the relevant pieces of code.

     The function that writes the session to the database, called automatically by PHP (so it's not the login system that calls this function):

         // Write new sessions
         function drasession_write($sessionid = '', $sessiondata = '')
         {
             global $draseim;

             // Prepare the variables we need in our query
             $sessionid   = mysqli_real_escape_string($draseim['connection'], $sessionid);
             $sessiondata = mysqli_real_escape_string($draseim['connection'], $sessiondata);

             // Run a query
             $result = draseim_query($draseim['connection'], "
                 REPLACE INTO " . db_pref . "sessions
                 VALUES (
                     '$sessionid',
                     '$sessiondata',
                     '" . $draseim['time'] . "'
                 )
             ", true, false);

             // Did it actually work?
             return (bool) $result;
         }

     This is a part of the login function, the part that sets the session:

         // The user agent
         $login['user_agent'] = mysqli_real_escape_string($draseim['connection'], $_SERVER['HTTP_USER_AGENT']);

         // The IP address
         $login['user_ip'] = addslashes($_SERVER['REMOTE_ADDR']);

         // How long should we keep the session active?
         $sessionlength = (!empty($_POST['draseim_forever']) ? '0' : '60');

         // Set the session
         $_SESSION[$setting['session_name']] = array(
             'user'          => $userid,
             'agent'         => $login['user_agent'],
             'ip'            => $login['user_ip'],
             'sessionlength' => $sessionlength
         );

     Oh, to confirm that I am calling session_start();, here's all code from the header comment block to that function:

         // Let's not jump the gun by accessing files directly. Index.php (which, in case
         // you haven't noticed, is this file) is the only file that should be accessed directly
         if (defined('Draseim'))
             die('No. Just... no.');
         else
             define('Draseim', 1);

         // Let's create an array
         $draseim = array();

         // What time is it?
         $draseim['time'] = time();

         // We need these files.
         require 'Config.php';
         require $setting['dir_resources'] . '/Start.php';
         require $setting['dir_resources'] . '/Menu.php';
         require $setting['dir_resources'] . '/Session.php';
         require $setting['dir_apps'] . '/User.app.php';

         // Define db_pref, which contains the database prefix
         define('db_pref', $setting['db_pref']);

         // Let's establish a connection to the database
         $draseim['connection'] = draseim_connect($setting['db_server'], $setting['db_user'], $setting['db_password'], $setting['db_name']);

         // Database sessions
         session_set_save_handler(
             'drasession_open',
             'drasession_close',
             'drasession_read',
             'drasession_write',
             'drasession_destroy',
             'drasession_cleaner'
         );

         // Otherwise the sessions won't work
         session_start();

     Thanks again for your replies and help.
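Editor's note on the write handler in post 2 above and the cookie-based design floated in post 1 (the latest reply): the following is an added example, not the poster's code and not from the Draseim project. It is a database-backed session handler with the same three columns the poster's table has (session_id, session_data, session_date), written as a SessionHandlerInterface class that uses PDO prepared statements instead of hand-escaped SQL strings, and it shows the login step storing only the user id plus the client details, with session_regenerate_id() called at login so an id handed out before authentication cannot be fixated on the account. The password hash is deliberately absent: possession of the session id is what proves the session is authentic, and a hash in the session data adds nothing except exposure if the table is ever read. Note that PHP's built-in cookie session already is the "random id in a cookie, everything else in a server-side table" design described in post 1; what the cookie must never carry is the user id, user agent or IP as data to be trusted, since the client can rewrite all three. Comparing the stored user agent and address with the current request is a weak extra check (the user agent is attacker-chosen, and addresses change behind proxies and on mobile networks), so treat it as a tripwire, not as authentication. Assumptions: the class and function names are the editor's; the script uses an in-memory SQLite database through pdo_sqlite so it runs from the command line, and the same queries work unchanged against a MySQL DSN.

```php
<?php
// Added example (editor's code, not the poster's): a SessionHandlerInterface
// implementation over the poster's three-column sessions table, using PDO
// prepared statements. Assumption: pdo_sqlite is available (in-memory DB).

class DbSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $ttl;

    public function __construct(PDO $db, int $ttlSeconds)
    {
        $this->db  = $db;
        $this->ttl = $ttlSeconds;
    }

    public function open($savePath, $sessionName): bool
    {
        return true;
    }

    // Nothing to do: the connection belongs to the page, not to the session.
    public function close(): bool
    {
        return true;
    }

    public function read($id): string
    {
        $stmt = $this->db->prepare(
            'SELECT session_data FROM sessions WHERE session_id = :id AND session_date > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->ttl]);
        $data = $stmt->fetchColumn();
        // An unknown or expired id must come back as an empty string, not false.
        return $data === false ? '' : $data;
    }

    // $data is the already-serialized $_SESSION (the  name|s:45:"..."  form);
    // the prepared statement stores it verbatim, with no escaping of our own.
    public function write($id, $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (session_id, session_data, session_date) VALUES (:id, :data, :now)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE session_id = :id');
        return $stmt->execute([':id' => $id]);
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE session_date < :cutoff');
        return $stmt->execute([':cutoff' => time() - $maxLifetime]);
    }
}

// Tripwire check: do the client details recorded at login still match?
function session_matches_client(array $user, string $agent, string $ip): bool
{
    return $user['agent'] === $agent && $user['ip'] === $ip;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    session_id   TEXT PRIMARY KEY,
    session_data TEXT NOT NULL,
    session_date INTEGER NOT NULL
)');

$handler = new DbSessionHandler($db, 3600);
session_set_save_handler($handler, true);
session_start();

// Login: fresh id for the authenticated user, and only what identifies them.
// The password hash stays in the users table; it has no business in here.
session_regenerate_id(true);
$_SESSION['user'] = [
    'id'    => 1,                                   // constructed sample values
    'agent' => 'Mozilla/5.0 (constructed example)',
    'ip'    => '203.0.113.7',
];
$sessionId = session_id();
session_write_close();   // PHP now calls write() and then close()

// What the write handler actually received, read straight back from the table.
$stmt = $db->prepare('SELECT session_data FROM sessions WHERE session_id = :id');
$stmt->execute([':id' => $sessionId]);
echo "stored row: ", $stmt->fetchColumn(), "\n";

$same = session_matches_client($_SESSION['user'], 'Mozilla/5.0 (constructed example)', '203.0.113.7');
echo "client check: ", ($same ? 'match' : 'mismatch'), "\n";
```

Run it with the PHP CLI; the stored row printed at the end is exactly the string a custom write handler receives, quotes and length prefixes included, which is why the handler must store it untouched. On a real site the next request's session_start() runs read() with the id from the cookie, and the client check would compare against $_SERVER['HTTP_USER_AGENT'] and $_SERVER['REMOTE_ADDR'] instead of the constructed values.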
  3. Thank you for your fast reply. Oh, okay, so I can just ignore it? My sincerest apologies, it seems that I had an html_entities() in my query function. The quotes now display like they should. Thanks for the tip. ;p Just phpMyAdmin. Lol, I feel so stupid, haha, thanks for the advice. Would you recommend getting rid of the user id as well, or just the password? Thanks again for your help.
  4. Hiya, Embarrassing question here. I'm writing forum software, and this is kind of the first time I've used database sessions instead of 'normal' sessions. It doesn't work as badly as I feared, but I'm still having some problems figuring out how to deal with the double quotes my session function adds to the database.

     Okay, so my sessions table has three columns: session_id, session_data, session_date. Session_id is the session id, session_data contains some kind of session name (not of the session itself, it's the name used to start the session ($_SESSION['this part'] = 'meh')), a random part PHP adds, the user id and the encrypted password used to login. Session_date just contains the exact date and time the session was created.

     The problem is, session_data looks like this:

         drasession123|s:45:"1|60|passwordencryption";

     drasession123 is the session name, 1 is the user id, 60 is the session length in minutes, and passwordencryption is the encrypted password (I just replaced it with passwordencryption for safety reasons).

     There are several things I don't understand, and I would greatly appreciate any help:

       • What is s:45:? Is that some kind of session name?
       • How do I get rid of the quotes? I don't even use htmlspecialchars (using it doesn't make much of a difference), and I think it must be PHP adding that part. Please don't laugh too hard, I've always had problems like this.
       • Can I just call sessions like I normally do, i.e. like this: $_SESSION['drasession123']?
       • Unrelated, I know, but is it even wise to add the user's password (even if it's hashed) to a session? The only reason I added it was to verify the session is authentic.

     This is the function that adds the session to the database:

         // Write new sessions
         function drasession_write($sessionid = '', $sessiondata = '')
         {
             global $draseim;

             // Prepare the variables we need in our query
             $sessionid   = mysqli_real_escape_string($draseim['connection'], $sessionid);
             $sessiondata = mysqli_real_escape_string($draseim['connection'], $sessiondata);

             // Run a query
             $result = draseim_query($draseim['connection'], "
                 REPLACE INTO " . db_pref . "sessions
                 VALUES (
                     '$sessionid',
                     '$sessiondata',
                     '" . $draseim['time'] . "'
                 )
             ", true);

             // Did it actually work?
             return (bool) $result;
         }

     And this is the part that tells PHP it should use my functions rather than its own:

         // Let's establish a connection to the database
         $draseim['connection'] = draseim_connect($setting['db_server'], $setting['db_user'], $setting['db_password'], $setting['db_name']);

         // Database sessions
         session_set_save_handler(
             'drasession_open',
             'drasession_close',
             'drasession_read',
             'drasession_write',
             'drasession_destroy',
             'drasession_cleaner'
         );

         // Otherwise the sessions won't work
         session_start();

     ... and the piece that sets the session:

         $_SESSION[$setting['session_name']] = $userid . '|' . $sessionlength . '|' . $login['password'];

     Any help would be most appreciated. Thank you!
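Editor's note on the `drasession123|s:45:"1|60|passwordencryption";` row in the post above: that is PHP's default ("php") session serializer format, and it is not something the write handler should try to strip. Each $_SESSION entry is written as the key, a `|`, and then the output of serialize() for the value; `s:45:` means "a string of 45 bytes follows", and the double quotes and trailing `;` are part of that encoding. On the next session_start() PHP reads the row back, decodes it, and exposes the value as $_SESSION['drasession123'] again, so the data can be used exactly as with file-based sessions. The length prefix is also what makes the format unambiguous: a value such as `1|60|hash` contains the `|` separator itself, so splitting the row on `|` would corrupt it, while a decoder that honours the declared length does not. The following is an added example (the editor's, not the poster's code): a small decoder for this format, run over a constructed row that keeps the post's `1|60|` prefix and substitutes a 40-character placeholder for the hash so that the declared length of 45 is correct. The function names decode_session_entries and decode_value are the editor's; it handles the scalar types and arrays, which is all $_SESSION normally contains.

```php
<?php
// Added example (editor's code, not the poster's): a decoder for the "php"
// session serializer format that a custom write handler receives. Entries are
// concatenated  name|<serialize() output>  pairs; strings are length-prefixed
// (s:<len>:"<bytes>";), so a '|' inside a value cannot be mistaken for a separator.

function decode_session_entries(string $data): array
{
    $pos    = 0;
    $len    = strlen($data);
    $result = [];
    while ($pos < $len) {
        $bar = strpos($data, '|', $pos);
        if ($bar === false) {
            throw new RuntimeException("missing '|' after offset $pos");
        }
        $name = substr($data, $pos, $bar - $pos);
        $pos  = $bar + 1;
        $result[$name] = decode_value($data, $pos);
    }
    return $result;
}

// Decodes one serialized value at $pos and advances $pos past it.
// Supported: N (null), b (bool), i (int), d (float), s (string), a (array).
function decode_value(string $data, int &$pos)
{
    $type = $data[$pos] ?? '';
    switch ($type) {
        case 'N':
            expect_literal($data, $pos, 'N;');
            return null;
        case 'b':
            return scalar_token($data, $pos) === '1';
        case 'i':
            return (int) scalar_token($data, $pos);
        case 'd':
            return (float) scalar_token($data, $pos);
        case 's':
            // s:<len>:"<bytes>";  the declared length, not a delimiter, ends the string
            $colon = strpos($data, ':', $pos + 2);
            $n     = (int) substr($data, $pos + 2, $colon - $pos - 2);
            $start = $colon + 2;                       // skip  :"
            $value = substr($data, $start, $n);
            $pos   = $start + $n;
            expect_literal($data, $pos, '";');
            return $value;
        case 'a':
            // a:<count>:{<key><value>...}
            $colon = strpos($data, ':', $pos + 2);
            $count = (int) substr($data, $pos + 2, $colon - $pos - 2);
            $pos   = $colon + 2;                       // skip  :{
            $arr   = [];
            for ($i = 0; $i < $count; $i++) {
                $key       = decode_value($data, $pos);
                $arr[$key] = decode_value($data, $pos);
            }
            expect_literal($data, $pos, '}');
            return $arr;
        default:
            throw new RuntimeException("unsupported type '$type' at offset $pos");
    }
}

// Reads  x:<token>;  and returns <token>.
function scalar_token(string $data, int &$pos): string
{
    $end   = strpos($data, ';', $pos);
    $token = substr($data, $pos + 2, $end - $pos - 2);
    $pos   = $end + 1;
    return $token;
}

function expect_literal(string $data, int &$pos, string $literal): void
{
    if (substr($data, $pos, strlen($literal)) !== $literal) {
        throw new RuntimeException("expected '$literal' at offset $pos");
    }
    $pos += strlen($literal);
}

// Constructed sample row: the post's shape with a 40-character placeholder for
// the hash (5 + 40 = 45 bytes), followed by a second entry holding an array.
$hash = str_repeat('x', 40);
$row  = 'drasession123|s:45:"1|60|' . $hash . '";'
      . 'user|a:2:{s:2:"id";i:1;s:5:"agent";s:7:"Mozilla";}';

$decoded = decode_session_entries($row);
if ($decoded['drasession123'] !== '1|60|' . $hash || $decoded['user']['id'] !== 1) {
    throw new RuntimeException('decode mismatch');
}
echo "entries: ", implode(', ', array_keys($decoded)), "\n";
echo "drasession123 = ", $decoded['drasession123'], "\n";
echo "user agent    = ", $decoded['user']['agent'], "\n";
```

The decoder is for inspection and debugging only (for example, to read rows out of the sessions table in phpMyAdmin and see what a given id holds); in the application itself PHP performs this decoding on session_start(), and the write handler should store the string it is given without altering it.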
  5. Chistaen

    Hiya

    Hey guys, what's up? I'm Chistaen, but you can call me Robert or Robbie (whichever you prefer ;p). I'm 18 years old and I currently live in northern Spain (but since I'm not Spanish (Dutch guy here), it's probably best if you didn't ask me for help with the Spanish language. Doesn't mean you can't, it's just not a very good idea.). I've been using PHP for my software and websites since I was like 13 years old; however, I recently came back from a one-year break from programming, so I kind of suck at it now. I primarily use procedural PHP, but I eventually want to switch to OOP. I like movies, music, languages, programming (obviously), writing, etc. If you have any questions, feel free to ask them, and I'll do my best to ignore answer them. Regards! Robbie