waynew Posted July 23, 2008 Share Posted July 23, 2008 Okay, I'm on the verge of setting up a pretty big site and I've created a common session include file with a number of functions. Could comebody have a look at it to see if there's anything questionable in regards to security? And yes, I know all about AOL. <?php //--------------------------------------------------------------------- // IF mod log in correct, the session is created //--------------------------------------------------------------------- function set_mod_session($username, $ip, $user_agent, $user_id, $permission_level){ $_SESSION['username'] = $username; $_SESSION['user_agent'] = $user_agent; $_SESSION['ip'] = $ip; $_SESSION['user_id'] = $user_id; $_SESSION['permission_level'] = $permission_level; //can be mod or admin } //--------------------------------------------------------------------- // Users session differs from mod session. //--------------------------------------------------------------------- function set_user_session($username, $ip, $user_agent, $user_id){ $_SESSION['username'] = $username; $_SESSION['user_agent'] = $user_agent; $_SESSION['ip'] = $ip; $_SESSION['user_id'] = $user_id; } //--------------------------------------------------------------------- // Protect password protected moderator areas //--------------------------------------------------------------------- function confirm_mod_permission(){ $logged_in = true; //Assumed true. if( (!isset($_SESSION['username'])) || ($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT']) || ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) || (!isset($_SESSION['permission_level'])) || (!isset($_SESSION['user_id']))){ $logged_in = false; } return $logged_in; } //--------------------------------------------------------------------- // Protect password protected admin areas //--------------------------------------------------------------------- function confirm_admin_permission(){ $logged_in = true; //Assumed true. if( (!isset($_SESSION['username'])) || ($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT']) || ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) || (!isset($_SESSION['permission_level'])) || (!isset($_SESSION['user_id'])) || ($_SESSION['permission_level'] != "admin")){ $logged_in = false; } return $logged_in; } //------------------------------------------------------------------------------ // Allows us to display pages differently to logged in users //------------------------------------------------------------------------------ function user_is_logged_in(){ if( (isset($_SESSION['username'])) && (isset($_SESSION['user_agent'])) && (isset($_SESSION['ip'])) && (isset($_SESSION['user_id']))){ return true; } else{ return false; } } ?> Link to comment https://forums.phpfreaks.com/topic/116180-sessions/ Share on other sites More sharing options...
jonsjava Posted July 23, 2008 Share Posted July 23, 2008 slight mod to your script. I changed all assumptions to false (call 'em a liar until they prove otherwise. No different to yours, I'm just a pessimist), and added a $_SESSION check: is_a_valid_session. If that's false, they don't get in. <?php //--------------------------------------------------------------------- // IF mod log in correct, the session is created //--------------------------------------------------------------------- function set_mod_session($username, $ip, $user_agent, $user_id, $permission_level){ $_SESSION['is_a_valid_session'] = true; $_SESSION['username'] = $username; $_SESSION['user_agent'] = $user_agent; $_SESSION['ip'] = $ip; $_SESSION['user_id'] = $user_id; $_SESSION['permission_level'] = $permission_level; //can be mod or admin } //--------------------------------------------------------------------- // Users session differs from mod session. //--------------------------------------------------------------------- function set_user_session($username, $ip, $user_agent, $user_id){ $_SESSION['is_a_valid_session'] = true; $_SESSION['username'] = $username; $_SESSION['user_agent'] = $user_agent; $_SESSION['ip'] = $ip; $_SESSION['user_id'] = $user_id; } //--------------------------------------------------------------------- // Protect password protected moderator areas //--------------------------------------------------------------------- function confirm_mod_permission(){ $logged_in = false; //Assumed true. if( ($_SESSION['is_a_valid_session'] == true) && (isset($_SESSION['username'])) && ($_SESSION['user_agent'] == $_SERVER['HTTP_USER_AGENT']) && ($_SESSION['ip'] == $_SERVER['REMOTE_ADDR']) && (isset($_SESSION['permission_level'])) && (isset($_SESSION['user_id']))){ $logged_in = true; } return $logged_in; } //--------------------------------------------------------------------- // Protect password protected admin areas //--------------------------------------------------------------------- function confirm_admin_permission(){ $logged_in = false; //Assumed true. if( ($_SESSION['is_a_valid_session'] == true) && (isset($_SESSION['username'])) && ($_SESSION['user_agent'] == $_SERVER['HTTP_USER_AGENT']) && ($_SESSION['ip'] == $_SERVER['REMOTE_ADDR']) && (isset($_SESSION['permission_level'])) && (isset($_SESSION['user_id'])) && ($_SESSION['permission_level'] == "admin")){ $logged_in = true; } return $logged_in; } //------------------------------------------------------------------------------ // Allows us to display pages differently to logged in users //------------------------------------------------------------------------------ function user_is_logged_in(){ if( (isset($_SESSION['username'])) && (isset($_SESSION['user_agent'])) && (isset($_SESSION['ip'])) && (isset($_SESSION['user_id']))){ return true; } else{ return false; } } ?> Link to comment https://forums.phpfreaks.com/topic/116180-sessions/#findComment-597550 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.