parkin_m Posted March 18, 2006

Hi

I have just got into PHP and I am using it along with MySQL to create a website that will allow the administrator to upload new mp3s with name, title and description. The public will be able to view these entries of the database in a nicely formatted PHP web page using CSS etc.

I have created all the scripts and forms to allow someone to do this uploading and editing of the database, but have now gotten stuck while trying to create a secure(ish) PHP login script so that only a user in the members table (the administrator) can access this.

I decided the way to do this is to:
1. Have a log in page
2. take the username and password from the user
3. check this information against the MySQL database to see if it exists
4. create a new session if they match OR report an error if they do not
5. retrieve the IP address of the user
6. save the session ID and the IP address into the database

This is where it gets a little confusing.

At the start of every new page I can then check to make sure that the user who is on this page has a session ID and that the IP address is the same as the one that is stored in the database... but how??

session_start() creates a $_SESSION array every time it is run. Where is this information stored? How does the server know which session is linked to which computer user if there are more than one sessions currently open?

By using an IP check I think I will stop any hacker being able to steal a valid session ID and force their way in. Is this correct?

Any help asap would be great, I did do a forum search but couldn't find anything in relation.

thanks
mike
ToonMariner Posted March 18, 2006

You don't have to!!!

Once a session is created it is associated with that client and that connection to the server - these sessions stay alive til the browser closes.

All you need do is set a session once login is confirmed as ok, set session variables for the user id and their admin level. Then on each page check that the admin level is correct for access.

[code]<?php
session_start();
if (isset($_SESSION['admin_level']) && $_SESSION['admin_level'] == 1) {
    // everything's ok....
} else {
    // kick 'em out
    header("Location: http://www.ursite.com/loginpage.php");
    exit; // stop here, otherwise the rest of the page is still sent to the redirected client
}
?>[/code]
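ToonMariner's per-page check, filled out into the complete login-and-gate flow the opening post describes (steps 1 to 4). This is an added example, not code from the thread. It assumes a members table with columns id, username, password_hash (the output of password_hash()) and is_admin; the DSN and credentials are placeholders, as are the names login(), require_admin(), logout() and db(); the array form of session_set_cookie_params() needs PHP 7.3 or later. It also covers what the thread leaves implicit about the IP-check idea: the session ID is regenerated on successful login and the server is told to accept only IDs it issued, which is the standard answer to session hijacking and fixation. Binding a session to the client IP is a weaker substitute: it logs out users behind NAT or on a changing mobile address and does nothing against an attacker sharing their network.

```php
<?php
// Added example, not from the thread: login + admin-only page gate.
// Assumed table: members(id, username, password_hash, is_admin), where
// password_hash holds the output of password_hash(). DSN/credentials are placeholders.

declare(strict_types=1);

// Session hardening, set before session_start(): ID travels only in a cookie
// (never in the URL), IDs the server did not issue are rejected, and the
// cookie is HttpOnly (no JavaScript access), Secure (HTTPS only) and SameSite.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // drop only on a plain-HTTP dev box
    'samesite' => 'Lax',
]);
session_start();

// Placeholder connection; replace DSN, user and password with your own.
function db(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=mp3site;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Step 3 of the opening post: check the submitted credentials against the members
// table. Prepared statement (no SQL built from user input) and password_verify()
// (constant-time comparison against a salted hash, never a plaintext password column).
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_admin FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;   // same answer for unknown user and wrong password
    }

    // Step 4: a fresh session ID at the moment privilege changes, so an ID an
    // attacker planted or observed before login no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']     = (int) $row['id'];
    $_SESSION['admin_level'] = (int) $row['is_admin'];
    return true;
}

// Put this at the top of every admin page (the check from ToonMariner's post).
function require_admin(string $loginUrl = '/loginpage.php'): void
{
    if (empty($_SESSION['admin_level']) || $_SESSION['admin_level'] !== 1) {
        header('Location: ' . $loginUrl);
        exit;   // without exit the page body is still sent to the redirected client
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// loginpage.php handling of the posted form (steps 1 and 2).
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login(db(), (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($ok) {
        header('Location: /admin.php');
        exit;
    }
    echo 'Login failed.';
}
```

On an admin page the whole protection is `require_admin();` immediately after `session_start()`, before any output. Storing the session ID and IP in your own table, as the opening post planned, adds nothing this does not already give you: PHP keys the session on the cookie value, and the cookie flags plus session_regenerate_id() address the theft and fixation cases the IP comparison was meant to cover.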
parkin_m Posted March 18, 2006 (Author)

QUOTE(ToonMariner @ Mar 18 2006, 12:23 AM): Once a session is created it is [b]associated with that client and that connection to the server[/b] - these sessions stay alive til the browser closes.

What do you mean by "it is associated"? I thought the only association between a client and a server is the IP address. I have been reading a tutorial online: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

"Users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data."

If the session IS associated with that connection, then why is it possible for a hacker to browse through valid session IDs?

When a session is created, what is generated and where is it all stored?

If you could just explain at the most fundamental level possible it would be a great help.

thanks
kenrbnsn Posted March 18, 2006

Did you read the section on sessions in the PHP manual (http://www.php.net/session)?

Ken
parkin_m Posted March 18, 2006 (Author)

QUOTE(kenrbnsn @ Mar 18 2006, 02:31 AM): Did you read the section on sessions in the PHP manual (http://www.php.net/session)?

Yes
wildteen88 Posted March 18, 2006

When you use session_start a special random string is generated called a [b]sessionid[/b]. This is either stored in a cookie on the client's computer (if the computer/browser accepts cookies) or it is sent over the URL (if the cookie couldn't be set).

Now when you use session_start it will check whether the client has the same session id stored in the cookie or the URL against the session file (which is automatically generated and stored in the location that is specified in the php.ini on the server) and is given the same name as the value of the sessionid but is prepended with sess_. So if you have a session id of [i]cdum2u7lqifl3s9h6s7s2kcqs3[/i] then a file called [b]sess_cdum2u7lqifl3s9h6s7s2kcqs3[/b] will be automatically created. So if the two match then it'll use the current session, otherwise it'll create a new blank session.

This is how session_start works every time you use it.
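What wildteen88 describes, observed directly. This is an added command-line script, not code from the thread: it starts a session, locates the sess_<id> file, shows its mode and contents, then tries to resume with an ID the server never issued, first with session.use_strict_mode off and then on, and finally resumes with the real ID. It assumes the default files save handler and a writable session.save_path (or the system temp dir when that setting is empty); the function names sessionDir(), sessionFile() and demo() are this example's own. Since the files are named after the IDs, anyone who can list that directory can see every live session ID, which is the devshed warning quoted earlier in the thread; the data inside is readable only by the web server's own user.

```php
<?php
// Added example, not from the thread: what session_start() leaves on disk and
// how a session is resumed from an ID. Run from the command line with the
// default 'files' save handler. Function names below are this example's own.

declare(strict_types=1);

// No browser here, so send no cookie and no cache-limiter headers. All output is
// collected and printed at the end: session_start() must run before any output.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');

// Directory holding the sess_* files: php.ini's session.save_path, which may carry
// an "N;MODE;/path" prefix, or the system temp dir when the setting is empty.
function sessionDir(): string
{
    $path = session_save_path();
    if ($path !== '' && strpos($path, ';') !== false) {
        $path = substr($path, strrpos($path, ';') + 1);
    }
    return $path === '' ? sys_get_temp_dir() : $path;
}

// The file name is literally "sess_" followed by the session ID.
function sessionFile(string $id): string
{
    return sessionDir() . DIRECTORY_SEPARATOR . 'sess_' . $id;
}

function demo(): array
{
    $out = [];

    // 1. New session: PHP generates the ID, and the data is written to the file
    //    when the session is closed (explicitly here, or at script end).
    session_start();
    $_SESSION['admin_level'] = 1;
    $_SESSION['user'] = 'mike';
    $id = session_id();
    session_write_close();

    $file = sessionFile($id);
    $out['id']       = $id;
    $out['file']     = $file;
    $out['mode']     = sprintf('%o', fileperms($file) & 0777);  // files handler creates 0600
    $out['contents'] = file_get_contents($file);                // PHP session serialization, e.g. admin_level|i:1;user|s:4:"mike";

    // 2. What anyone with a shell on the box can list: the file names, i.e. the live IDs.
    $out['visible_session_files'] = count(glob(sessionDir() . DIRECTORY_SEPARATOR . 'sess_*'));

    // 3. Resume with an ID the server never issued. With strict mode off PHP adopts
    //    it and creates an empty session under that name (the fixation problem);
    //    with session.use_strict_mode=1 it discards the ID and generates a fresh one.
    $forged = str_repeat('a', 26);   // well-formed for the default sid_length/sid_bits_per_character

    ini_set('session.use_strict_mode', '0');
    session_id($forged);
    session_start();
    $out['forged_adopted_without_strict'] = session_id() === $forged;
    session_destroy();   // remove the file this adoption created

    ini_set('session.use_strict_mode', '1');
    session_id($forged);
    session_start();
    $out['forged_adopted_with_strict'] = session_id() === $forged;
    session_destroy();

    // 4. Resume with the real ID: the stored data comes back. This is all a stolen
    //    cookie needs, hence regenerate the ID on login and protect the cookie.
    session_id($id);
    session_start();
    $out['resumed_admin_level'] = $_SESSION['admin_level'] ?? null;
    session_destroy();   // removes sess_<id>

    return $out;
}

foreach (demo() as $key => $value) {
    printf("%-32s %s\n", $key, var_export($value, true));
}
```

Run it as `php sessions_demo.php`. The two forged-ID lines are the practical answer to the question earlier in the thread about why a guessed or planted ID can matter: with strict mode off, PHP will happily start a session under any well-formed ID the client presents, so an attacker can hand a victim an ID and wait for the victim to log in under it; with strict mode on, only IDs the server itself created are accepted.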
parkin_m Posted March 19, 2006 (Author)

QUOTE(wildteen88 @ Mar 18 2006, 01:04 PM): When you use session_start a special random string is generated called a [b]sessionid[/b]. This is either stored in a cookie on the client's computer (if the computer/browser accepts cookies) or it is sent over the URL (if the cookie couldn't be set). Now when you use session_start it will check whether the client has the same session id stored in the cookie or the URL against the session file (which is automatically generated and stored in the location that is specified in the php.ini on the server) and is given the same name as the value of the sessionid but is prepended with sess_. So if you have a session id of [i]cdum2u7lqifl3s9h6s7s2kcqs3[/i] then a file called [b]sess_cdum2u7lqifl3s9h6s7s2kcqs3[/b] will be automatically created. So if the two match then it'll use the current session, otherwise it'll create a new blank session. This is how session_start works every time you use it.

Thank you very much, exactly what I was looking for and loads of help!