Jump to content

Recommended Posts

Can someone help me with my mailform? It uses a Flash mailform, together with php and session id.

 

First things first: in the index.php page it starts by setting the session:

 

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

 

When inputed the flash form and clicking send the php script processes the data by first checking for the existence of this session id. If it's not ok, an error message returns.

 

If everything is ok and a session id is present, the session id itself is unset. I've been told that you should immediatelly unset a session id after using it for security reasons.

 

<?php 
session_start(); 
if(!isset($_SESSION["domino"])){ 
//error message 'forbidden access' 
exit; 
} else { 
session_destroy(); 
unset ($_SESSION["domino"]); 
//rest of script: processing the form input 
}

 

But now, when I input the flash form once more and click send, of course nothing happens because the session id is cleared. And I can't set the session id in Flash itself I think.

 

Is there any way to fix this?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/
Share on other sites

It's to make sure that the form processing php is accessed from the flash website itself. So I've set the session id in the index.php. Then, when the flash form is filled in and 'send' is clicked, the form processing script 'sees' that it is accessed from index.php, which is ok. My code worked in my html form because after sending it unset the session id and upon return to the form it was set again. But in my flash page it of course doesn't change location.

 

So I thought, is unsetting it really necessary. Without it it works fine: upon resending a flash form from my site, the session id is still there (until the browser is closed).

 

But then someone told me: "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours"

 

What's true about that? Should I still keep on using unset/destroy?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380237
Share on other sites

What exactly is the session used for ?

if you link to another site then its possible for them to get the session id, but you can improved the security simple example would be also store the IP and compare to the users IP..

 

it really depends what your using them for..

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380258
Share on other sites

How would that solve my problem? When I use only unset:

 

<?php 
session_start(); 
if(!isset($_SESSION["domino"])){ 
//error message 'forbidden access' 
exit; 
} else { 
unset ($_SESSION["domino"]); 
//rest of script: processing the form input 
}

 

... the session id 'domino' is still cleared. And upon re-submitting the flash form, the php script still sees the 'domino' session id as non-existent, exiting the script

 

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380261
Share on other sites

i don't think you really need to worry about hi-jacking then.. worst case.. someone hi-jacks a open session that allows use for x minutes  from another site.. when the session timesout.. its over..

 

i would probably go for a .htaccess protection to stop other using scraping mysite..

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380266
Share on other sites

ok, but in theory... would it be really necessary for security reasons to unset the session id immediately after sending form output? Because someone said to me "always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours"

 

or would it be perfectly safe without it?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380275
Share on other sites

Ok.. just say i login and that data is stored in a session.. than data needs to be secure.. to stop others getting the session id.. but we don't unset until the use logs out..

 

"always unset the session when finished using the data to keep it from being hijacked no need for the browser to remember the data when the user browses to a site other than yours"

Okay this isn't 100% correct.. the browser holds the session ID ONLY... this session will expire (defined by your server) if you want it more secure you could add a cookie with a random key and have the same random key in the session and then compare them..

 

theirs a ton of thing you could do but i really don't think its worth it..

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380281
Share on other sites

Ok, sorry for not immediately understanding it , I'm relatively new to this.  ;D

So you're saying that when I show the form, the session id is set and as long as it's not unset, others could theoraticlly get hold of it? So in that respect it would be better to unset it as quickly as possible, which now happens after I submit the form?

 

And deleting those unset/destroy lines would keep the session id set, vulnerable for others to get it?

 

Just in theory  ;D Am I understanding you correctly so far?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380284
Share on other sites

From a site about session id's:

http://www.php-learn-it.com/php_sessions.html

 

"Remember sessions are destroyed automatically after user leaves your website or closes the browser, but if you wish to clear a session variable yourself, you can simple use the unset() function to clean the session variable"

 

This would mean I could easily delete those two unset/destroy lines? Because after leaving index.php or closing the browser it is destroyed anyway? So it doesn't make my php script less secure after all? Am I correct?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380300
Share on other sites

But that would be ok I guess? I want them only to be able to access my php script if they are on my site showing the flash mailform. If they leave my site the session would indeed be gone. But what would be the downside of that then? "if you link to another site then its possible for them to get the session id, but after you leave the site your session is gone.." Isn't that what should happen I mean?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380306
Share on other sites

Just didn't understand what you mean by "if you link to another site then its possible for them to get the session id, but after you leave the site your session is gone.." and how that could be a problem. Or was I reading you incorrectly?  ;D

 

I mean:

1. entering site: setting session

2. leaving site: unsetting session

3. closing site: unsetting session

4. having a link inside your site, clicking it to go to new site: unsetting session

 

That's what happening, right?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380318
Share on other sites

"Remember sessions are destroyed automatically after user leaves your website"

 

Tested it but it isn't true.

When I access the php script directly I get an error message

When I enter my site the session id is set

When I access the php script again I don't get an error message and can access it

When I leave my site to visit another and again access my php script, I still get access

 

...so this automatically destroying of the session after leaving the website isn't true?

Link to comment
https://forums.phpfreaks.com/topic/75187-unset-session-id/#findComment-380417
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.