SuperGlobal Array Help


6 replies to this topic

#1 parkin_m

parkin_m
  • New Members
  • Newbie
  • 4 posts

Posted 18 March 2006 - 12:15 AM

Hi

I have just got into PHP and I am using it along with MySQL to create a website that will allow the administrator to upload new mp3s with name, title and description.

The public will be able to view these entries of the database in a nicely formatted PHP webpage using CSS etc etc.

I have created all the scripts and forms to allow someone to do this uploading and editing of the database, but have now gotten stuck while trying to create a secure(ish) PHP login script so that only a user in the members table (the administrator) can access this.


I decided the way to do this is to:

1. Have a log in page
2. take the username and password from the user
3. check this information against the MySQL database to see if it exists
4. create a new session if they match OR report an error if they do not
5. retrieve the IP address of the user
6. save the session ID and the ip address into the database

This is where it gets a little confusing.

At the start of every new page I can then check to make sure that the user who is on this page has a session ID and that the IP address is the same as the one that is stored in the database..

But how??

session_start() creates a $_SESSION array every time it is run. Where is this information stored? How does the server know which session is linked to which computer user if there is more than one session currently open?

By using an IP check I think I will stop any hacker being able to steal a valid session ID and force their way in. Is this correct?

Any help asap would be great, I did do a forum search but couldn't find anything in relation.

thanks

mike





#2 ToonMariner

ToonMariner
  • Members
  • Advanced Member
  • 3,342 posts
  • LocationNewcastle upon Tyne, UK

Posted 18 March 2006 - 12:23 AM

You don't have to!!!

Once a session is created it is associated with that client and that connection to the server - these sessions stay alive till the browser closes.

All you need to do is set a session once login is confirmed as OK, and set session variables for the user id and their admin level. Then on each page check that the admin level is correct for access.
<?php
session_start();

if (isset($_SESSION['admin_level']) && $_SESSION['admin_level'] == 1) {
    // everything's ok
    // ....
} else {
    // kick 'em out
    header("Location: http://www.ursite.com/loginpage.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

follow me on twitter @PHPsycho
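The flow ToonMariner describes (verify the login, store the user id and admin level in the session, check the admin level at the top of every admin page) is written out below as an added example; it is not code from this thread. It assumes a members table with username, password_hash and admin_level columns, uses PDO with an in-memory SQLite database so that it runs offline (a real site would use a mysql: DSN), and uses password_hash()/password_verify(), which were added in PHP 5.5, long after this thread was posted. On the IP question from the first post: tying a session to the client address is a weak check, because users behind NAT or a corporate proxy share one address and mobile clients change address mid-session; the example instead regenerates the session id at login so an id planted before login cannot become an authenticated one.

```php
<?php
// Added example, not from the original thread. Login flow following
// ToonMariner's advice: verify the user against the members table, then keep
// the user id and admin level in $_SESSION and check admin_level on each
// admin page. Table and column names are assumptions; SQLite in memory
// stands in for the MySQL database so the script runs offline.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               password_hash TEXT NOT NULL, admin_level INTEGER NOT NULL)');
    // Constructed sample row: the password is stored only as a hash.
    $ins = $db->prepare('INSERT INTO members (username, password_hash, admin_level) VALUES (?, ?, ?)');
    $ins->execute(['mike', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns the member row on success, null on failure. The prepared statement
// keeps the submitted username out of the SQL text; password_verify() does a
// constant-time comparison against the stored hash.
function authenticate(PDO $db, string $username, string $password): ?array {
    $st = $db->prepare('SELECT id, admin_level, password_hash FROM members WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// login.php: called with the submitted form fields after session_start().
function login(PDO $db, string $username, string $password): bool {
    $member = authenticate($db, $username, $password);
    if ($member === null) {
        return false; // report a generic error; do not say which field was wrong
    }
    // Issue a fresh id so an id the attacker chose before login (session
    // fixation) is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $member['id'];
    $_SESSION['admin_level'] = (int) $member['admin_level'];
    return true;
}

// Put this at the top of every admin page, after session_start().
function require_admin(string $login_url): void {
    if (!isset($_SESSION['admin_level']) || $_SESSION['admin_level'] !== 1) {
        header('Location: ' . $login_url);
        exit; // without exit the protected page body would still be sent
    }
}

// CLI demonstration. Output is collected and printed after the session is
// closed, because printing before session_start() would trigger a
// "headers already sent" error.
session_start();
$db = open_db();
$out = [];
$out[] = login($db, 'mike', 'wrong password')
    ? 'bad: wrong password accepted'
    : 'ok: wrong password rejected';
$out[] = login($db, 'mike', 'correct horse battery staple')
    ? 'ok: logged in, admin_level=' . $_SESSION['admin_level'] . ', session id ' . session_id()
    : 'bad: valid login rejected';
session_write_close();
foreach ($out as $line) {
    echo $line, "\n";
}
```

require_admin() is not called in the demonstration because its exit would end the script; on a real page it goes in a file included at the top of every admin script, before any output.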

#3 parkin_m

parkin_m
  • New Members
  • Newbie
  • 4 posts

Posted 18 March 2006 - 12:41 AM

QUOTE (ToonMariner @ Mar 18 2006, 12:23 AM):
> Once a session is created it is associated with that client and that connection to the server - these sessions stay alive till the browser closes.
What do you mean by "it is associated"? I thought the only association between a client and a server is the IP address.

I have been reading a tutorial online:

http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

"Users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data. "

If the session IS associated with that connection, then why is it possible for a hacker to browse through valid session IDs?



When a session is created what is generated and where is it all stored?

If you could just explain at the most fundamental level possible it would be a great help.

thanks

#4 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 18 March 2006 - 02:31 AM

Did you read the section on sessions (http://www.php.net/session) in the PHP manual?

Ken

#5 parkin_m

parkin_m
  • New Members
  • Newbie
  • 4 posts

Posted 18 March 2006 - 03:04 AM

QUOTE (kenrbnsn @ Mar 18 2006, 02:31 AM):
> Did you read the section on sessions (http://www.php.net/session) in the PHP manual?
>
> Ken

Yes

#6 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 18 March 2006 - 01:04 PM

When you use session_start a special random string is generated called a session id. This is either stored in a cookie on the client's computer (if the computer/browser accepts cookies) or it is sent over the URL (if the cookie couldn't be set).

Now when you use session_start it will check whether the client has the same session id stored in the cookie or the URL against the session file (which is automatically generated and stored in the location that is specified in the php.ini on the server) and is given the same name as the value of the session id but prepended with sess_. So if you have a session id of cdum2u7lqifl3s9h6s7s2kcqs3 then a file called sess_cdum2u7lqifl3s9h6s7s2kcqs3 will be automatically created. So if the two match then it'll use the current session, otherwise it'll create a new blank session.

This is how session_start works every time you use it.
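wildteen88's description (an id in the cookie or URL, matched against a sess_<id> file in the save path) can be watched happening from the command line. The script below is an added example, not code from this post; it simulates three requests in one CLI run, the demo directory under the system temp dir is an assumption, and the session id from the post is used as a constructed "never issued" id. It also sets a private save_path instead of the shared /tmp that the devshed quote in post #3 warns about, and turns on use_only_cookies and use_strict_mode so that an id is neither accepted from the URL nor honoured unless the server created it.

```php
<?php
// Added example, not from the original thread: what session_start() puts on
// disk and how the id the client presents is matched to it. Run from the CLI.

ini_set('session.save_handler', 'files');
$dir = sys_get_temp_dir() . '/php_sess_demo'; // assumed location for the demo
if (!is_dir($dir)) {
    mkdir($dir, 0700, true); // private dir: other shell users cannot list the ids
}
ini_set('session.save_path', $dir);
ini_set('session.use_only_cookies', '1'); // never take the id from ?PHPSESSID=...
ini_set('session.use_strict_mode', '1');  // discard ids the server never issued
ini_set('session.cookie_httponly', '1');  // keep document.cookie from reading it
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only

// Output is collected and printed at the end: any output before a later
// session_start() would make PHP refuse to start the session.
$log = [];

// Request 1: no id presented. PHP generates one; on close, $_SESSION is
// serialised into sess_<id> under the save path.
session_start();
$id = session_id();
$_SESSION['user_id'] = 42;
$_SESSION['admin_level'] = 1;
session_write_close();

$file = "$dir/sess_$id";
$log[] = "issued id: $id";
$log[] = "file:      $file";
$log[] = "contents:  " . file_get_contents($file); // user_id|i:42;admin_level|i:1;

// Request 2: the browser sends the cookie back. session_id() stands in for
// the cookie here; the matching file is read and $_SESSION comes back.
session_id($id);
session_start();
$log[] = "restored admin_level: " . var_export($_SESSION['admin_level'], true);
session_write_close();

// Request 3: an id that was never issued (constructed; the one from the post).
// With use_strict_mode on, PHP refuses it and hands out a fresh id instead of
// creating sess_cdum... for an attacker-chosen value.
session_id('cdum2u7lqifl3s9h6s7s2kcqs3');
session_start();
$log[] = session_id() === 'cdum2u7lqifl3s9h6s7s2kcqs3'
    ? 'unknown id accepted (strict mode off)'
    : 'unknown id rejected, new id issued: ' . session_id();
session_destroy();

foreach ($log as $line) {
    echo $line, "\n";
}
```

The third request is the case the first post worries about: with strict mode off, a client can present any id it likes and PHP will create a file for it, which is what makes session fixation possible; with it on, only ids the server generated are accepted.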



#7 parkin_m

parkin_m
  • New Members
  • Newbie
  • 4 posts

Posted 19 March 2006 - 04:31 AM

QUOTE (wildteen88 @ Mar 18 2006, 01:04 PM):
> When you use session_start a special random string is generated called a session id. This is either stored in a cookie on the client's computer (if the computer/browser accepts cookies) or it is sent over the URL (if the cookie couldn't be set).
>
> Now when you use session_start it will check whether the client has the same session id stored in the cookie or the URL against the session file (which is automatically generated and stored in the location that is specified in the php.ini on the server) and is given the same name as the value of the session id but prepended with sess_. So if you have a session id of cdum2u7lqifl3s9h6s7s2kcqs3 then a file called sess_cdum2u7lqifl3s9h6s7s2kcqs3 will be automatically created. So if the two match then it'll use the current session, otherwise it'll create a new blank session.
>
> This is how session_start works every time you use it.

Thank you very much, exactly what I was looking for and loads of help!



