TronB24

Sessions problems with PHP 4.0.6

Info: Server Linux, PHP 4.0.6, register global on

I can't figure out whether my login page is not passing the session and/or cookie or if there is a problem with the logged in page syntax. Now this runs fine on my local server, which runs PHP 4.3.1, but not on my web server (4.0.6). I have omitted the HTML portions of the pages. Now when I log in, I get redirected to the logged in page but then my header redirect takes me back to the login page, which means to me that the logged in page did not get the cookie.

I did some searching and most of the links that may have a promising answer are broken (must be because my issue concerns such an old version of PHP). Unfortunately I'm still too new to the language to see the obvious mistake, so any help would be appreciated.

Login Page:
[code]<?php
if (isset($submit)) {
    require_once ('../../db.php'); // Connect to the db.
    function escape_data ($data) {
        global $dbc;
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        return mysql_escape_string($data);
    } // End of function.
    $message = NULL;
    if (empty($username)) {
        $u = FALSE;
        $message .= '<p>You forgot to enter your username!</p>';
    } else {
        $u = escape_data($username);
    }
    if (empty($password)) {
        $p = FALSE;
        $message .= '<p>You forgot to enter your password!</p>';
    } else {
        $p = escape_data($password);
    }
    
    if ($u && $p) {
        $query = "SELECT user_id, first_name FROM users WHERE username='$u' AND password='$p'";
        $result = @mysql_query ($query); // Run the query.
        $row = mysql_fetch_array($result, MYSQL_NUM);
        if ($row) {
    
                // Set the cookies & redirect.
                session_name ('samples');
                session_set_cookie_params (900, '/users/', 'mysite');
                session_start();
                $HTTP_SESSION_VARS['first_name'] = $row[1];
                $HTTP_SESSION_VARS['user_id'] = $row[0];
                header ("Location:  http://" . $HTTP_SERVER_VARS['HTTP_HOST'] .  dirname($HTTP_SERVER_VARS['PHP_SELF']) . "/view_registered.php");
                exit(); // Quit the script.
        
        } else { // No record matched the query.
            $message = '<p>The username and password entered did not match those on file.</p>';
        }
    
        mysql_close(); // Close the database connection.
    
    } else {
        $message .='<p>Please try again.</p>';
    }
    
}

?>[/code]

Logged In Page:
[code]<?php
session_name ('samples');
session_start(); // Start the session.
if (!isset($HTTP_SESSION_VARS['first_name'])) {
    header ("Location:  http://" . $HTTP_SERVER_VARS['HTTP_HOST'] . dirname($HTTP_SERVER_VARS['PHP_SELF']) . "/index.php");
    exit(); // Quit the script.
}
?>[/code]

You use $submit, $data, etc. but haven't assigned any values to them.

I'm guessing that these are values from your HTML form. If so, you need to access them using the superglobals $_POST or $_GET (depending on whether your form is submitted via GET or POST). So instead of [b]$submit[/b], you need to use [b]$_POST['submit'][/b] for example.

Using form variables directly is a very, very dangerous security hole, as it allows users to inject variables which you weren't planning on into your code.

For example look at this - assuming you have a checkUsernamePassword function which will validate a username and password against your user database, and $username and $password are submitted via form.

[code]
<?php

// $loggedinOK is deliberately left uninitialised: this is the flaw discussed below
if (checkUsernamePassword($username, $password)) {
    $loggedinOK = TRUE;
}

if ($loggedinOK){
    //Display some sensitive information here
}else{
   echo "Go away, I'm not telling you my secret.";
}
?>
[/code]

This checks the username and password and only proceeds if they check out.

Except they also introduce a vulnerability.

What if I called this php script, passing in the following values - username:"me", password:"secret", loggedinOK:"1"?

I would fail the username and password check, but that wouldn't matter because I've manually inserted a value for the otherwise uninitialised variable $loggedinOK, which tricks the system into believing that I've logged in OK.

Sure, I could ensure that all variables are properly initialised, but as you start to use third-party code, open source libraries etc, this gets more and more difficult to ensure. So, PHP allows you to set a config switch which tells it whether or not to automatically make form data available as global variables. This flag is called REGISTER_GLOBALS and it is very, very bad practice to set this to true.

If REGISTER_GLOBALS was turned off, then your ill-intentioned visitor couldn't force in the value of $loggedinOK. When he failed to log in, the variable would be uninitialised and the if statement would fail, keeping him away from the sensitive data. How do you then access the username and password values in order to check them? As per the following example:


[code]
<?php

// Read the form fields explicitly by key instead of relying on auto-created globals
if (checkUsernamePassword($_POST['username'], $_POST['password'])) {
    $loggedinOK = TRUE;
}

if ($loggedinOK){
    //Display some sensitive information here
}else{
   echo "Go away, I'm not telling you my secret.";
}
?>
[/code]

All of which is my way of telling you that it looks like your local server may have REGISTER_GLOBALS turned on, and your web server may have it turned off. Check your php.ini file for details.

J
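
The variable injection described in the answer above, next to a hardened form, as an added example that is not part of the original posts. Current PHP has no register_globals, so `extract()` stands in for it here; the user store and the names `vulnerablePage()` and `hardenedPage()` are hypothetical, and the request arrays are constructed.

```php
<?php
// Added example: extract() reproduces what register_globals did, on a
// constructed request array. All names below are hypothetical.

// Stand-in for the answer's checkUsernamePassword().
function checkUsernamePassword($username, $password)
{
    // Constructed credential store: one user, password stored as a hash.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return is_string($username) && is_string($password)
        && isset($users[$username])
        && password_verify($password, $users[$username]);
}

// Vulnerable: every request key becomes a variable and the flag is
// never initialised, so a request field can pre-set it.
function vulnerablePage(array $request)
{
    extract($request); // the effect register_globals had on every script
    if (checkUsernamePassword($username ?? '', $password ?? '')) {
        $loggedinOK = true;
    }
    return !empty($loggedinOK);
}

// Hardened: the flag starts false and input is read only by explicit key.
function hardenedPage(array $post)
{
    $loggedinOK = false;
    $username = isset($post['username']) ? $post['username'] : '';
    $password = isset($post['password']) ? $post['password'] : '';
    if (checkUsernamePassword($username, $password)) {
        $loggedinOK = true;
    }
    return $loggedinOK;
}

// Constructed requests: the one from the answer, and a valid login.
$forged = ['username' => 'me', 'password' => 'secret', 'loggedinOK' => '1'];
$valid  = ['username' => 'alice', 'password' => 'correct horse'];

var_dump(vulnerablePage($forged)); // failed check, but the flag was injected
var_dump(hardenedPage($forged));   // the extra field is never read
var_dump(hardenedPage($valid));    // a real login still works
```

Initialising the flag is what closes the hole in `hardenedPage()`; reading input by explicit key keeps the same mistake from reappearing in code that forgets to initialise.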
