Jump to content

session doesn't end upon leaving site

digitalecartoons

By digitalecartoons
in PHP Coding Help

 Share

Recommended Posts

digitalecartoons Member

digitalecartoons

Posted
Posted

"A session ends when the user loses the browser or after leaving the site, the server will terminate the session after a predetermined period of time, commonly 30 minutes duration"

 

The 'session ends after user leaves the site' part doesn't work with me

 

In the starting page, setsession.php, the session is first set.

 

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>rest document
</html>

 

The php script, getsession.php, checks for the existance of this session id:

 

<?php
session_start();
if(!isset($_SESSION["domino"])){
echo "session is unset";
exit;
} else {
echo "sessionis is set";
rest php script
} ?>

 

When typing getsession.php into the address bar, I get a 'session is unset', which is ok since the session hasn't been set yet.

 

On visiting setsession.php and typing getsession.php again, I get a 'session is set', which is ok too cause the session has been set in setsession.php

 

But when I do the following in the exact same order:

 

- go to setsession.php (session is set)

- go to any other page e.g. www.startrek.com

- type in getsession.php in the address bar

 

Then I still get a 'session is set' as if the session id hasn't ended on leaving the website.

 

How is this possible?

Link to comment
Share on other sites
digitalecartoons Member

digitalecartoons

Posted
  • Author
Posted

You're right, it doesn't end upon changing a website. But I now don't completely understand how to use session for securing a form script. This is what I've got now:

 

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

 

This sets the session upon visiting my site. When the form sends its data to the mailform.php:

 

<?php 
session_start(); 
if(!isset($_SESSION["domino"])){ 
//error message 'forbidden access' 
exit; 
} else { 
session_destroy(); 
unset ($_SESSION["domino"]); 
//rest of script: processing the form input 
}

 

This checks for the session-id. This should verify that the user sent the form through my website. According to tutorials and the use of sessions in mailforms anyway.

 

But I've found a way to bypass this. If I know the mailform is at www.test.com/mailform.php, I wouldn't get access to it accessing it directly. As it shouldn't. But when I know it's at www.test.com/mailform.php, all I have to to is type www.test.com (or www.test.com/index.php) to have the session set. Then I could do anything I want, visit other sites, whatever. As long as I don't close the browser. And finally, to abuse the mailform.php file, I just have to type in www.test.com/mailform.php and I get access, cause the session is still set. That way I could always make use of the php script even when I'm not supposed to. Am I using session not correctly? I thought session-id's should prevent such a thing?

 

Link to comment
Share on other sites
calabiyau Member

calabiyau

Posted
Posted

Maybe you could say a little about what this is all about?  I'm not really clear on what you're trying to accomplish.  Sessions are normally used to either maintain information about a user between pages or to restrict access to certain parts of your website. If you are trying to restrict acces to a mail form( just an educated guess), then you need some kind of membership system of usernames and passwords and if they enter the correct combination,  THEN you set the session variable.  What are you trying to do?

Link to comment
Share on other sites
digitalecartoons Member

digitalecartoons

Posted
  • Author
Posted

What I'm trying to do is allowing my mailform.php script only to be access if the user is on my website and submitting it's form.

 

What I don't want to allow:

1. typing www.test.com/mailform.php... it should echo an error message

2. using my mailform.php script in another website

3. a user first setting the session id by visiting my site and then do point 1 or 2

 

I thought that that's was what sessions are all about, but I was able to bypassing in by doing point 3

 

Here's where I've learned about sessions and protecting my php script:

http://apptools.com/phptools/forms/forms7.php

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.