bruckerrlb Posted March 24, 2010 Share Posted March 24, 2010 Hey everyone, I'm trying to do a little security here, I have a login script it stores three sessions, session id, the username and the permission level of the user, the last two are database sessions, and I can get them to print out fine on the page, but what is killing me is when I do this if ($_SESSION['sessid'] != session_id()) { header("Location:index.php"); } Nothing seems to happen. What I mean is I logout, kill the session, try to hit a page that has this code in it, and it still lets me in. I don't understand why, there is no output getting sent before this, just start_session(); I've even done tests to see if $_SESSION['sessid'] and session_id() are the same, and they both show up different, but it lets me in. Does anyone know why this could be happening? Quote Link to comment Share on other sites More sharing options...
o3d Posted March 24, 2010 Share Posted March 24, 2010 Rather than using the header function, try to error_log a message when the header function should fire. Then error_log your $_SESSION array to see what variables and values are set. Quote Link to comment Share on other sites More sharing options...
bruckerrlb Posted March 24, 2010 Author Share Posted March 24, 2010 Thanks for the reply! I error logged, not too familiar with doing this, but in my error log, I got the string I passed, nothing else. How would I be able to error_log my session array? Thanks! Quote Link to comment Share on other sites More sharing options...
andrewgauger Posted March 25, 2010 Share Posted March 25, 2010 I think you need a space between the colon and the page: Location: index.php _ Quote Link to comment Share on other sites More sharing options...
Gighalen Posted March 25, 2010 Share Posted March 25, 2010 I'm almost certain you need a space between : and index.php. Quote Link to comment Share on other sites More sharing options...
bruckerrlb Posted March 25, 2010 Author Share Posted March 25, 2010 hey Guys, I had tried with the space there and not there on the header, finally I changed up the code a little, works a little better if ($_SESSION['sessid'] != session_id() || $$_SESSION['sessid'] == ' ') { header("Location:index.php"); } I'm sure thats not the best way but it seems to be working now, weird Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 25, 2010 Share Posted March 25, 2010 You need an exit; statement after your header() redirect to prevent the remainder of the code on the page from being executed/accessed. All a hacker needs to do is ignore the header and he can access the page the same as if that code was not present. As to your original problem in the first post in this thread, you were probably getting a header() error (output sent before the header statement) and without the exit; statement the code on the page was executed the same as if the header statement was not even there. Are you developing and debugging this code on a system with error_reporting set to E_ALL and display_errors set to ON so that you would know if you were or were not getting any header errors? Edit: The $$_SESSION['sessid'] == ' ' part of your logic expression makes no sense and is probably always FALSE. Quote Link to comment Share on other sites More sharing options...
bruckerrlb Posted March 25, 2010 Author Share Posted March 25, 2010 hey thanks for that info, that's what the problem was, I needed an exit() statement and I was able to take out the $_SESSION['sessid'] == ' ' part with the exit right after the header statement! I appreciate the help! Quote Link to comment Share on other sites More sharing options...
bruckerrlb Posted March 25, 2010 Author Share Posted March 25, 2010 And a quick correction in my post, it wasn't the exit() it was the exit; statement Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.