BillyT Posted March 3, 2009

Hi there

I have a web application that allows multiple people to log into a central CMS and then edit their own websites. When they log in it finds a match in the users table and then returns their domain which it stores in a session. All uploaded files etc then go into their domain directory.

Now this seemed to be fine but I had a situation recently when a user claimed they had logged in but the changes they were making weren't working and when they launched their site from within the CMS, another user's domain was launched.

Is it possible for session data to get mixed up at all when multiple users are logged in at the same time? And how secure is the data stored in a session?

Thanks in advance

phant0m Posted March 3, 2009

Sessions shouldn't get mixed up - but it could be that different users are using the same session, although this usually only happens when one of the two is an "attacker".

Perhaps there's an error in your scripts which messes things up?

waynewex Posted March 3, 2009

I had a small problem like this before. Basically, I was using

```php
if($_SESSION['variable'] = $variable)
```

instead of

```php
if($_SESSION['variable'] == $variable)
```

Check to see if you're assigning instead of comparing.

BillyT (Author) Posted March 3, 2009

Thanks for the reply. Here is a stripped back version of my login script - can you see any problems?

```php
$checkUserName=$_POST['username'];
$checkPass=$_POST['pass'];

// Attempt to authorise user with database
$authorise = auth($checkUserName, $checkPass);

// If authorisation failed...
if ($authorise['userID'] == -1) {
    $errors[]="Invalid username and/or password";
}else{
    $userID=$authorise['userID'];
    $_SESSION['loggedIn']="yes";
    $_SESSION['domain']=$authorise['domain'];
    echo("<script>location.href='../app.php';</script>");
}
```

and the auth looks something like

```php
function auth($username, $password) {
    $table='users';
    $query = "SELECT * FROM $table WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($query);
    $return=array();

    // If we found a match...
    if (mysql_num_rows($result) == 1) {
        // Extract user ID from the results
        $user = mysql_fetch_array($result);
        $userID = $user['userID'];
        $domain = $user['domain'];
        $return['userID']=$userID;
        $return['domain']=$domain;
    } else {
        // Otherwise set userID to -1
        $userID = -1;
        $return['userID']=$userID;
    }
    return $return;
}
```

There is code in the registration process that stops duplicate usernames.

So the domain that is stored in the session is then used for a 'launch site' button - can you see any way that one user's domain could have been passed to another user?

Just noticed another reply to this topic which I will check now

Thanks again

BillyT (Author) Posted March 3, 2009

> Check to see if you're assigning instead of comparing.

Thanks, but that is definitely not the problem. Code has been fine for a couple of years but getting more users now and this glitch was reported - not sure if it is a problem with my logic or just a strange server quirk that will probably never happen again.

Thanks again

phant0m Posted March 3, 2009

Errors shouldn't happen randomly... As I understand it, you were not able to reproduce the error, right?

Here's what comes to my mind:

1) There is an unexpected, let's call it "situation" where your script somehow fails
2) An attacker is involved (your login script seems prone to mysql injection)
3) The feedback was just a hoax

BillyT (Author) Posted March 3, 2009

No, I can't recreate it and have never had another user mention it.

1. Possibly due to server maintenance?

2. I run this function on all posted data like logins

```php
function make_safe($variable) {
    $variable = addslashes(trim($variable));
    return $variable;
}
```

Are there more robust methods of preventing injection?

3. Possibly. But I doubt this user would have even heard of the other user whose site he claims loaded when he clicked his launch site button, so it definitely sounded like a glitch in my script or the way my server stores and handles sessions.

Thanks again
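
An added example, not part of any post in this thread: one way to address the injection concern and the shared-session concern raised above, using a PDO prepared statement in place of `addslashes()` and regenerating the session ID at login. The names `auth_safe` and `start_user_session`, the SQLite sample rows, and the assumption that the password column holds `password_hash()` output are illustrative and do not come from the thread.

```php
<?php
// Added example; auth_safe(), start_user_session() and the sample rows are illustrative.

// Same contract as the thread's auth(): userID is -1 when the login fails.
function auth_safe(PDO $db, string $username, string $password): array
{
    // The placeholder keeps the username out of the SQL text entirely, so the
    // result does not depend on any escaping function such as addslashes().
    $stmt = $db->prepare('SELECT userID, domain, password FROM users WHERE username = ?');
    $stmt->execute([trim($username)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column holds password_hash() output, not plaintext.
    if ($user === false || !password_verify($password, $user['password'])) {
        return ['userID' => -1];
    }
    return ['userID' => (int) $user['userID'], 'domain' => $user['domain']];
}

// Call after session_start() in the login script, once auth_safe() has succeeded.
function start_user_session(array $user): void
{
    // Issue a new session ID at login and drop anything a previous user of
    // this session left behind, so no stale 'domain' value can survive.
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['loggedIn'] = 'yes';
    $_SESSION['userID']   = $user['userID'];
    $_SESSION['domain']   = $user['domain'];
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, domain TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password, domain) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'alice.example']);
$ins->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT), 'obrien.example']);

// Constructed inputs: two valid logins, a wrong password, a quote-laden username.
$tries = [['alice', 'correct horse'], ["o'brien", 's3cret'], ['alice', 'wrong'], ["x' OR '1'='1", 'anything']];
foreach ($tries as [$name, $pass]) {
    $result = auth_safe($db, $name, $pass);
    printf("%-14s => userID %d, domain %s\n", $name, $result['userID'], $result['domain'] ?? '-');
}
```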

BillyT (Author) Posted March 4, 2009

Here is another scenario that I would like feedback on

I have a PHP script that multiple users access that has

```php
session_start();
include('../common.php');
```

in common.php it accesses the session vars and returns values for other vars, e.g.

```php
$domain=$_SESSION['domain'];
```

Is it possible for 2 users to hit the script in quick succession and for the server to return cached values to the second user, and thereby pass this second user the values from the first user's session?

Thanks in advance