perky416 Posted June 21, 2017

Hi Guys, I have a simple user login form that creates a session. It works perfectly; however, I am trying to make the session more secure by using session_set_cookie_params and session_regenerate_id. The code I am using is as follows:

```php
session_set_cookie_params(time()+3600,'/','example.com',false,true);
session_start();
session_regenerate_id(true);

if ($_POST['submit']){
    //form validation and error handling go here but removed for the purpose of this post
    if (empty($error)){
        $_SESSION['username'] = $_POST['username'];
        echo "<script type='text/javascript'>document.location.href='members.php';</script>";
    }
}
```

With session_set_cookie_params and session_regenerate_id the session just does not appear to get created. Does anybody have any idea as to why this isn't working? Thanks
ginerjm Posted June 21, 2017

Turn on PHP error checking. Where is $error defined? Where are those POST fields defined?
perky416 (Author) Posted June 21, 2017

The $_POST['username'] is the username input from the login form and $error is defined in the error handling for the form. I didn't include them because that part of the code works fine.
ginerjm Posted June 21, 2017

How do you know that the session is not created? Show us what debugging proves such a thing.
Jacques1 Posted June 21, 2017

Several things:

- Don't override all parameters, only the ones you're actually interested in. The others should be left alone (i.e. set to the default values).
- Changing the parameters at runtime is generally a bad idea, especially when you're doing it in individual scripts. This can easily lead to conflicting settings. Instead, set the parameters in the php.ini to make sure they're the same everywhere.
- A lot of PHP function calls must be checked for errors. You can't just assume that session_start() or session_regenerate_id() always succeeds.
- Learn basic debugging skills like inspecting the cookies and HTTP messages with the developer tools of your browser. Then you can tell us more than "it doesn't work".
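As an added example (not code from the thread), here is how the points above translate into a session bootstrap for the login script: only the settings that matter are set, the lifetime is a relative duration, and every session call's return value is checked. The first argument of session_set_cookie_params() is a lifetime in seconds, so time()+3600 as used in the question asks for a cookie that expires decades from now rather than in an hour. Helper names and the '/index.php' redirect path are assumptions.

```php
<?php
// Added example, not the poster's code: session handling that follows the
// points above. Helper names and the '/index.php' path are assumptions.
declare(strict_types=1);

function secure_session_start(): void
{
    // The first argument is a lifetime in SECONDS, relative to now. Passing
    // time()+3600 (as in the question) asks for an expiry roughly 47 years
    // out; on 32-bit builds that can wrap to a date in the past, in which
    // case the browser drops the cookie and no session survives the redirect.
    // Preferably set these once in php.ini (session.cookie_lifetime etc.)
    // and override here only what genuinely differs per application.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(
        3600,   // lifetime: one hour from now
        '/',    // path
        '',     // domain: current host only, so no host/domain mismatch
        $https, // secure: only flag it when actually served over TLS
        true    // httponly: keep the ID away from document.cookie
    );
    ini_set('session.use_strict_mode', '1');  // refuse unknown session IDs
    ini_set('session.use_only_cookies', '1'); // never accept IDs in the URL

    // session_start() reports failure with false; do not assume success.
    if (session_start() !== true) {
        throw new RuntimeException('session_start() failed');
    }
}

function login_user(string $username): void
{
    // Regenerate the ID on privilege change (successful login) only, not on
    // every request; with true the old session data is discarded as well.
    if (session_regenerate_id(true) !== true) {
        throw new RuntimeException('session_regenerate_id() failed');
    }
    $_SESSION['username'] = $username;
}

function require_login(string $redirect = '/index.php'): void
{
    // Server-side redirect instead of echoing a <script> tag.
    if (empty($_SESSION['username'])) {
        header('Location: ' . $redirect, true, 303);
        exit;
    }
}
```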
perky416 (Author) Posted June 21, 2017

I tried several things. Initially I had my script set up to redirect me to the home page if a user tries to access the members area without logging in. As soon as I added session_set_cookie_params and session_regenerate_id, the script was continually returning me to the home page. I then removed the redirect and echoed $_SESSION['username'], which displayed the value OK but stopped displaying it with session_set_cookie_params and session_regenerate_id. Thinking it may be some conflict with the login form, I created a $_SESSION['test'] as soon as the page loads and again this displayed the value OK, but with session_set_cookie_params and session_regenerate_id nothing.
ginerjm Posted June 21, 2017

Can we see a sample of your code with error checking turned on and some of this debugging?
Jacques1 Posted June 21, 2017

Did you read anything of what I just said?
perky416 (Author) Posted June 21, 2017 (edited)

This is the code that echoes the $_SESSION['username'] without the session_set_cookie_params and session_regenerate_id, but with these lines added it keeps re-directing me to my home page. Remove the re-direct and it still takes me to the members area but does not echo anything:

```php
session_set_cookie_params(time()+3600,'/','example.com',false,true);
session_start();
session_regenerate_id(true);

include('connect.php');

$error = array();

//validate login form
if ($_POST['submit']){
    !$_POST['username'] ? $error['error'] = "<div class='error'>Enter a username & password!</div>" : "";
    !$_POST['password'] ? $error['error'] = "<div class='error'>Enter a username & password!</div>" : "";

    $sql = "SELECT * FROM users WHERE username = '$_POST[username]'";
    $query = mysqli_query($conn, $sql);
    $row = mysqli_fetch_assoc($query);

    if ($_POST['username'] && $_POST['password']){
        $_POST['username'] != $row['username'] || md5($_POST['password']) != $row['password'] ? $error['error'] = "<div class='error'>Username or password incorrect!</div>" : "";
    }

    $error = array_filter($error);

    if (empty($error)){
        $_SESSION['username'] = $_POST['username'];
        echo "<script type='text/javascript'>document.location.href='members.php';</script>";
    }
}

//if logged in re-direct to members area, otherwise re-direct to home page
if (!isset($_SESSION['username']) && basename($_SERVER["SCRIPT_FILENAME"]) != "index.php"){
    echo "<script type='text/javascript'>document.location.href='http://www.example.com';</script>";
}

echo $_SESSION['username'];
```

Using the following I am getting no errors:

In script:

```php
error_reporting(E_ALL);
ini_set('display_errors', 1);
```

In php.ini:

```ini
display_errors = On
```

> Did you read anything of what I just said?

Yes I read ALL of it.

Edited June 21, 2017 by perky416
Jacques1 Posted June 21, 2017

> Yes I read ALL of it.

Then how am I supposed to interpret the fact that you're coming back with the exact same code after I've just pointed out the mistakes?

Actually, forget about session security. You have an entire zoo of vulnerabilities ranging from SQL injections to completely unprotected user passwords. If that application is anywhere on the Internet, now is the time to shut it down, tell your users that their passwords need to be changed immediately, check the server for signs of attacks (or even better: nuke it from orbit) and don't even think about putting it back online until you have a solid understanding of security.

Something like this:

```php
$sql = "SELECT * FROM users WHERE username = '$_POST[username]'";
```

is just unacceptable.
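As an added example (not the poster's code), here is the login lookup quoted above next to a version that uses a prepared statement and PHP's password_hash()/password_verify(), which addresses both problems named in the post. The mysqli connection $conn, the users table and its password column holding password_hash() output are assumptions.

```php
<?php
// Added example, not the poster's code: the login check quoted above
// rewritten with a prepared statement and password_hash()/password_verify().
// Assumes a mysqli connection $conn and a users table whose password column
// stores password_hash() output (table and column names are assumptions).
declare(strict_types=1);

// For contrast, the form from the thread: the username is pasted into the
// SQL text, so input containing a quote rewrites the query, and passwords
// are compared as unsalted md5 hashes.
//   $sql = "SELECT * FROM users WHERE username = '$_POST[username]'";
//   ... md5($_POST['password']) != $row['password'] ...

function store_user(mysqli $conn, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt
    $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    if ($stmt === false || !$stmt->bind_param('ss', $username, $hash) || !$stmt->execute()) {
        throw new RuntimeException('insert failed: ' . ($stmt ? $stmt->error : $conn->error));
    }
    $stmt->close();
}

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // The placeholder keeps the username as data; it can never alter the query.
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false || !$stmt->bind_param('s', $username) || !$stmt->execute()) {
        throw new RuntimeException('lookup failed: ' . ($stmt ? $stmt->error : $conn->error));
    }
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true: row read, null: no such user, false: error
    $stmt->close();

    if ($found !== true) {
        // Spend the cost of a real check so an unknown username is not
        // distinguishable from a wrong password by response time.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, (string) $hash); // constant-time compare
}

// In the login script, after session_start():
//   if (authenticate($conn, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       session_regenerate_id(true);
//       $_SESSION['username'] = $_POST['username'];
//   }
```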
perky416 (Author) Posted June 21, 2017

What mistakes are you referring to? Your post seems more like advice rather than actually pointing out errors in the code? The script is still in development... it is nowhere near finished yet... the question in point was about session security... this is why I left out the irrelevant code in the first post.
Jacques1 Posted June 21, 2017

> What mistakes are you referring to?

I'm not going to repeat myself. You can either solve the problem or spend the rest of the day trying to debug code that shouldn't be there in the first place. That's up to you.

> The script is still in development... it is nowhere near finished yet... the question in point was about session security... this is why I left out the irrelevant code in the first post.

The code is much more important than your tiny session problem. Given the fundamental security problems and the obvious lack of a security concept, you definitely have better things to do than fine-tune the session cookie parameters.
perky416 (Author) Posted June 22, 2017

> Don't override all parameters, only the ones you're actually interested in.

Mistake? What if I am interested in all of them?

> Changing the parameters at runtime is generally a bad idea

Mistake? Sounds more like advice to me.

> A lot of PHP function calls must be checked for errors.

Mistake? Nope... more advice.

> Learn basic debugging skills

Mistake? Again... advice.

> The code is much more important than your tiny session problem. Given the fundamental security problems and the obvious lack of a security concept, you definitely have better things to do than fine-tune the session cookie parameters.

Like I said... not finished. How do you know I'm not going to resolve the security problems? How do you know I didn't throw together the code for test purposes? You know absolutely nothing about what I am doing with my application. All you know is I had an issue with what I was trying to achieve with the sessions. The rest of the code is irrelevant for the sake of this thread. You gave me some "advice" about coding... how about I give you some advice on human decency... when somebody comes asking for help, how about you actually help them instead of displaying overwhelming arrogance? Problem solved, by the way... thanks for not helping me. Don't worry, I won't be back... this clearly isn't the place for people to get help with problems. It seems like just another forum where the geek with a few thousand posts thinks he's God's gift.
Jacques1 Posted June 22, 2017

> How do you know I'm not going to resolve the security problems?

Because you don't understand problem solving at even the most fundamental level. Your idea of "problems" and how to solve them is that you encounter a symptom, go to an online forum, get people to make a few changes here and there until the symptom goes away, and that's the "solution". As long as everybody tells you what you want to hear, you're happy; otherwise they're evil, unhelpful nerds. This is amazingly naive for somebody who has spent quite a lot of time writing code, even if we assume that you have literally done nothing during the years you weren't here.

Programming is about seeing the bigger picture, prioritizing problems and solving them systematically. When the whole approach is bullshit, the solution is not to shuffle lines around until some symptom goes away. It's to take a different approach, at which point the symptom is simply irrelevant.

What you get here is the chance to stop playing around and finally start programming. Writing a simple web application isn't exactly rocket science. Many users before you have done it, and many users after you will do it. But if you cannot or don't want to learn, there's indeed not much we can do for you.