
question on sessions


harkly


I have set up a session for logins but I'm not too sure if it is the best way to go about it. It seems to work, but I'm a little concerned about security. Can someone check it out and let me know what they think?

 

Login page

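<?php

// Login page: open (or resume) the session and record the activity time and
// client fingerprint that the protected pages compare against.
session_start(); // starting session

// The User-Agent header is optional; guard it so a client that omits it does
// not raise an undefined-index notice. The hashed value is unchanged (an
// absent header contributed an empty string before as well).
$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
// Fingerprint = md5(client IP . User-Agent). Binding to REMOTE_ADDR means a
// user whose address changes mid-session (mobile networks, some proxies) is
// logged out by the check on the protected pages.
$fingerprint = md5($_SERVER['REMOTE_ADDR'].$userAgent);
$_SESSION['last_active'] = time();
$_SESSION['fingerprint'] = $fingerprint;

?>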

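<?php
// Login handler and form for the login page.
//
// A POST carrying 'submitLogin' is a form submission: 'userID' and 'pswd' are
// looked up in the `user` table. On exactly one match the session receives
// 'userID' and either 'logged_in' (billing current -> testSession2.php) or
// 'billing' (billing expired -> nextSession.php) and the browser is redirected
// with a meta refresh; otherwise the form is shown again with an error.
// Without a submission only the form is printed.
//
// NOTE: the mysql_* extension used here was removed in PHP 7; on a current
// PHP this needs mysqli/PDO with a prepared statement instead of the escaping
// applied below.
if (isset($_POST['submitLogin'])) {
    include('library/login.php');
    login();                     // presumably opens the MySQL connection used below
    mysql_select_db('test');

    $userID = isset($_POST["userID"]) ? $_POST["userID"] : '';
    $pswd   = isset($_POST["pswd"]) ? $_POST["pswd"] : '';

    // Both fields are client-controlled and were previously interpolated into
    // the query verbatim (SQL injection). mysql_real_escape_string() needs the
    // open connection, which is why it runs after login().
    $userIDSql = mysql_real_escape_string($userID);
    $pswdSql   = mysql_real_escape_string($pswd);
    // NOTE(review): the submitted password is compared against the stored
    // column as-is. Moving to password_hash()/password_verify() requires the
    // column to hold hashes, so that is left unchanged here.
    $sql    = "SELECT * FROM user WHERE userID='$userIDSql' and pswd='$pswdSql'";
    $result = mysql_query($sql);

    // mysql_query() returns false on error; treat that as "no match" rather
    // than handing a non-resource to mysql_num_rows()/mysql_fetch_array().
    $count = ($result === false) ? 0 : mysql_num_rows($result);

    // If result matched $userID and $pswd, table row must be 1 row
    if ($count == 1) {
        $r           = mysql_fetch_array($result);
        $exp_date    = $r["exp_date"];
        $todays_date = date("Y-m-d");

        // Issue a fresh session id at the moment of authentication so an id
        // the client carried before login is not promoted to a logged-in one
        // (session fixation); true discards the old id's data.
        session_regenerate_id(true);
        $_SESSION['userID'] = $userID;

        // Both sides are Y-m-d strings, which order correctly as strings.
        if ($exp_date >= $todays_date) {
            // billing is up to date
            $_SESSION['logged_in'] = true;
            echo "<meta http-equiv='refresh' content='0;url=testSession2.php'>";
        } else {
            // billing has expired
            $_SESSION['billing'] = true;
            echo "<meta http-equiv='refresh' content='0;url=nextSession.php'>";
        }
    } else {
        // incorrect user/password: show the form again.
        // The typed username is escaped before it goes back into the value
        // attribute (it is client-controlled, so echoing it raw is reflected
        // XSS). The password is no longer echoed into the page at all.
        $userIDAttr = htmlspecialchars($userID, ENT_QUOTES, 'UTF-8');
        echo " <div id='incorrect'>Please verify the username or password.</div>

        <form method='post' action='' name='login' id='login'>
          <div id='loginForm'>
            <fieldset>
              <span class='textbox'>
                <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells' value='$userIDAttr'>
                <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells'>
                <br><label for='pswd'> </label>Remember Me:  <input type='checkbox' name='Remember' value='21'>
                <br><label for='blank'> </label><a href='resetPswd.php'>Forget Your Password? </a>
                <br><label for='blank'> </label><input type='image' value='Login'  src='img/button_login.gif' width='64' height='25'
                    onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\">
                <input type='hidden' name='submitLogin' value='true'>
              </span>
            </fieldset>
          </div>
        </form>
        ";
    }
} else {
    // log in form
    echo "
      <form method='post' action=''  name='login' id='login'>
      <div id='loginForm'>
        <fieldset>
          <span class='textbox'>
            <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells'>
            <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells'>
            <br><label for='pswd'> </label>Remember Me:  <input type='checkbox' name='Remember' value='21'>
            <br><label for='blank'> </label><a href='resetPswd.php'>Forget Your Password?</a>

            <br><label for='blank'> </label><input type='image' value='Login' src='img/button_login.gif' width='65' height='25'
            onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\">
            <input type='hidden' name='submitLogin' value='true'>
          </span>
        </fieldset>
      </div>
    </form>
    ";
}
?>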

 

Right now I have it going to this page based on certain conditions of the user's account.

 

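<?php
// Session guard for a protected page.
//
// The session is torn down when it has been idle for more than $timeout
// seconds, when the client fingerprint no longer matches the one recorded at
// login, or when the request carries ?logout. Otherwise the activity stamp and
// fingerprint are refreshed. The access check that follows this block relies
// on $_SESSION being empty after a teardown.
session_start();

$timeout = 60 * 1; // In seconds: 60 * 1 is one minute (60 * 30 would be 30 minutes).

// Same fingerprint formula as the login page. The User-Agent header is
// optional, so guard it (an absent header contributes an empty string, as
// before).
$userAgent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$fingerprint = md5($_SERVER['REMOTE_ADDR'].$userAgent);

// The second session_start() that used to sit here only produced a
// "session already started" notice and has been dropped.
//
// The fingerprint is compared with !== : under a loose != two md5 hex strings
// that both happen to look like "0e<digits>" are numeric strings and compare
// equal.
$tearDown = (isset($_SESSION['last_active']) && $_SESSION['last_active'] < (time() - $timeout))
    || (isset($_SESSION['fingerprint']) && $_SESSION['fingerprint'] !== $fingerprint)
    || isset($_GET['logout']);

if ($tearDown) {
    // session_destroy() deletes the stored session but leaves the in-memory
    // $_SESSION array populated, so without this reset the logged-in check
    // further down still passed on the very request that logged out.
    $_SESSION = array();
    setcookie(session_name(), '', time()-3600, '/');
    session_destroy();
} else {
    // Only rotate and re-stamp while a session is still active; calling
    // session_regenerate_id() after session_destroy() has nothing to act on.
    // Without delete_old_session=true the previous id's data stays valid until
    // garbage collection; the default is kept as in the original because
    // deleting it breaks concurrent requests still carrying the old id.
    session_regenerate_id();
    $_SESSION['last_active'] = time();
    $_SESSION['fingerprint'] = $fingerprint;
}

?>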

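<?php
// Access check for this page. It keys off $_SESSION['billing'], the flag the
// login page sets when an account's billing has expired (accounts in good
// standing get 'logged_in' instead), so presumably this is the page those
// users are redirected to. A visitor without that flag is turned away.
if (!isset($_SESSION['billing'])) {
    // User is not logged in, so send user away.
    //header("Location:/singles/login.php");

    echo "Sorry, you are not logged in.";
    die();
}

// User is logged in: greet them. The stored userID originated in a POST
// field, so it is HTML-escaped before being echoed. The "<br><Br>" used to be
// a stand-alone string statement after the ';' (a no-op); it is now part of
// the output as evidently intended.
$userID = isset($_SESSION['userID']) ? $_SESSION['userID'] : '';
echo "Welcome: " . htmlspecialchars($userID, ENT_QUOTES, 'UTF-8') . "<br><Br>";
?>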

Using this tutorial

http://en.wikibooks.org/wiki/PHP_Programming/User_login_systems
