Jump to content

Handling Unintentionally Destroyed Sessions

MichaelGallagher

By MichaelGallagher
in PHP Coding Help

 Share

Recommended Posts

MichaelGallagher Newbie

MichaelGallagher

Posted
Posted

Hi Guys,

 

I have XAMMP - Latest Apache, PHP and MYSQL..

 

I am having issues with Sessions being destroyed while updating the database.

 

Please note: this is an intranet style site, so all users use FireFox, same OS's, same everything really. And cookies are all enabled, etc.

 

Normally, the user logs in, and session is created (NOTE: The session is unlimited, that is, it only expires if the user logs out, or closes the browser). The user then chooses a sale record, and starts editing the form data presented to them from the database. Once finished, they click the Submit button, and the URL passes ?RecordID=1&action=update to the action page (same page) and the update statement populates the database record with the POST variables passed from the form...

 

The problem is this: if say the server crashes and is restarted, or the router to the server is restarted and the session is destroyed without client interaction, and the user is currently editing a record, and then clicks Submit, it tries to verify if the session is still alive but it is not, so it goes back to the Login form and the POST data is lost, and it updates the database with blank fields..

 

each page is constructed like this:

 

include('../conn.php'); // connection to database

// Valid user check..
if ( verify() ) 
{ 

include('../setglobals.php'); // global vars set

if action = yes { update with POST }

else { display record for editing }

}

 

It appears as though it is still performing the UPDATE on the action page even though the user session is un-verified...

 

This is not logical to me, because the verify encases the page and is checked first, and if session is verified, it performs the next step.. but this is not the case..

 

Now, I am totally unaware of WHY the session is being destroyed or lost, could it be when i perform updates to the pages? Or maybe the resetting of the router (some local users, some external)?  I CAN however recreate the problem, if i log in, choose a record to edit, and then delete the cookie from my browser, and then click Submit. It goes to the login form (with the edit.php?RecordID=1&action=update still on it), and updates even if i dont login.

 

The real question I suppose is, how can i catch this happening? and how can i deal with it?

 

I suppose i could pass the POST vars to the login page also, just incase this happens, but this makes me cringe, and i know in my heart it is BAAAD practice.

 

Or I could test for the session just BEFORE the update, and then redirect to the login form WITHOUT the action=update in the URL...?

 

Any advice on this issue is appreciated.

 

Cheers,

 

Mick

Link to comment
Share on other sites
MichaelGallagher Newbie

MichaelGallagher

Posted
  • Author
Posted

This is the verify  page.. conn.php

 

<?php
session_start();

  
// check to see if user just logged out
$log_out=$_GET['log_out'];

if ( $log_out == 1 )
  {
session_unset();
session_destroy();
$_SESSION = array();
    session_start();
  }

if ( $log_out == 2 )
  {
$_SESSION['current_program'] = "none";
  }


function write_log_in( $text ) 
  {

  	echo "
  	<html>
  	<head>
<link rel='stylesheet' type='text/css' href='style/corporate.css' />
<title>LOGIN</title>
</head>
  	<body onload='document.forms.thisform.UserName.focus()'>
  	<br><br><br><br><br>

  	<form method='post' name='thisform' action=''>
  	<table border='0' height='310' width='443' bgcolor='#ffaeff' align='center'>
  	<tr align='center' valign='middle'>
	  	<td align='center' colspan='2'><span style='font-family: Arial, Helvetica, sans-serif; font-size: 38px; font-weight: bold; color: #00AEFF;'>TShop Global Login</span><br>
	  	<span style='font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; color: #000000;'>Login</span><br><br><br>
	  	<span style='font-family: Arial, Helvetica, sans-serif; font-size: 16px; font-weight: bold; color: #004667;'>$text</span><br><br>
	  	<table>
		  	<tr align='center' valign='middle'>
			  	<td align='right' width='35%'><span style='font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; color: #004667;'>User ID:  </span></td>
			  	<td align='left' width='65%'><input type='text' name='UserName' id='UserName' size='25' onload='javascript:this.focus();' /></td>
			</tr>
		    
		  	<tr align='center' valign='middle'>
			  	<td align='right' width='35%'><span style='font-family: Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; color: #004667;'>Password:  </span></td> 
			  	<td align='left' width='65%'><input type='Password' name='Password' size='25' /></td>
			</tr>
		    
		  	<tr align='center' valign='middle'>
			  	<td align='center' colspan='2'><br><input type='submit' value='Log In'></td>
			</tr>
		</table>
	  	</td>
  	</tr>
</table>
</form>
    </body></html>
    ";
  	
  } // end write_log_in function 

function verify() 
  { 
    // check to see if they're already logged in 
    if ( session_is_registered( "valid_user" ) ) return true;
    
    // check to see if user has just tried to log on 
    $UserName = $_POST["UserName"]; 
    $Password = $_POST["Password"]; 

    if ( $UserName && $Password ) 
      {
      	
	$strServer="localhost"; // Server IP Address 'or' Name
	$userDatabase="users"; // USER Database Name
	$strUser="xxxx"; // User ID
	$strPwd="xxxx"; // Password
      	
    //// log in to database and verify password...
    $strDB=mysql_connect($strServer,$strUser,$strPwd)or die 
                 ('Error connecting to mysql..');
    $database=mysql_select_db("$userDatabase",$strDB);        

	// set the query to check username and password match
	$sqlCheckPassword = "SELECT u.UserID, u.Password, a.Active FROM users u INNER JOIN access a ON u.UserID = a.UserID WHERE u.UserName='$UserName' AND u.Password='$Password';"; 

	$resultCheckPassword = mysql_db_query($userDatabase, $sqlCheckPassword ); 

	while ($rCheckPassword = mysql_fetch_array($resultCheckPassword))
	{
		$Active=$rCheckPassword['Active'];
		$UserID=$rCheckPassword['UserID'];
	}

    if ( mysql_num_rows( $resultCheckPassword ) == 1 && $Active==1) 
      {

        // register session variable and exit the verify function
        $_SESSION['valid_user'] = $UserID;
        $_SESSION['start'] = time();
        session_write_close();
        return true;
        
      }
    else
      {
        // bad user and password
        $text = "User Name and Password did not match, or user is not 'Active'."; 
        write_log_in( $text );
      }
      }
    else
      {
        // user must log in 
        $text = "This is a secure server. Please log in."; 
        write_log_in( $text );
      }

  } // end verify function



?>

Link to comment
Share on other sites
schilly Regular Member

schilly

Posted
Posted

try returning false after your two write_log_in( $text ); calls in the two else statements. I'm not too sure what will happen if you don't return anything to that if (verify()) statement. It may continue and execute the update because I assume the action=yes is set

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.