The same problem keeps coming back to me, or "so-called" problem, as I don't know what the solution is.
There must be one, because there are plenty of sites using sessions in the day-to-day running of the site. :)
So, I want a shopping cart where a session is started upon sign-in and is kept valid as long as the user loads another page.
For a session, only a sessionid will be registered per successful sign-in, which is compared to the one in a mysql table for when that user logged in.
If there is a matching sessionid in the mysql table, then the user is logged in (with the respective session id).
This is all good for cookies, since the sessionid variable is kept on their local machine and is only valid for a set amount of time. AFAIK, the chances of someone spoofing a sessionid in a cookie are very small.
But when a user's browser refuses to accept cookies, after a successful sign-in the sessionid has to be passed along in the URL.
Just as good for authentication: the session still dies after 10 mins and the sessionid in the URL is still validated against the mysql table.
But what about my nightmare scenario that stops me finishing off this script? :)
// A user refuses cookies, signs in successfully and the appropriate sessionid is made
// The same user does his stuff on the site, sees something cool and bookmarks it, and/or pastes the URL to a friend he's chatting to
// The sessionid is still valid and the "real" user associated with it is still logged in, and the friend clicks on the link.
// The friend can see the real user's shopping cart and details!
So I've read here and there, and would love to know the answer to this. Seems quite a few of the tutorials out there don't mention the fact that not all browsers accept cookies and people actually do use bookmarks.
Is the solution simply to refuse login to browsers not supporting cookies?
I hope this isn't the answer, as I'd like anyone to spend money at a site of mine. :)
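As an added example (not code from the original post or any reply), here is one way to answer the "refuse login to browsers not supporting cookies" question without guessing: the browser proves it accepts cookies with a round trip before any credential is taken, PHP is told never to carry the session id in the URL, and the id is regenerated at sign-in. It assumes PHP 5.1 or later for `session_regenerate_id(true)`; the `cookiecheck` cookie name and `start_authenticated_session` function are placeholders chosen for the example.

```php
<?php
// Added example, not the poster's script.

// 1. Session ids travel in cookies only: no "?s=..." rewriting of links, and an
//    id that arrives in the query string is ignored instead of being adopted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Cookie round-trip test. The first visit sets a throw-away cookie and
//    redirects back to the same URL with a marker; if the cookie does not
//    come back, the browser is refusing cookies and we stop before showing
//    the sign-in form.
function browser_accepts_cookies()
{
    if (isset($_COOKIE['cookiecheck'])) {
        return true;                       // cookie came back: supported
    }
    if (isset($_GET['cookiecheck'])) {
        return false;                      // already tried once: refused
    }
    setcookie('cookiecheck', '1', 0, '/'); // browser-session cookie
    $self = $_SERVER['REQUEST_URI'];
    $sep  = (strpos($self, '?') === false) ? '?' : '&';
    header('Location: ' . $self . $sep . 'cookiecheck=1');
    exit;
}

// 3. On a successful sign-in, replace whatever id the browser held before
//    authentication with a fresh one, so an id that was bookmarked, shared
//    or guessed beforehand never becomes a logged-in session.
function start_authenticated_session($userid)
{
    session_start();
    session_regenerate_id(true);           // new id, old session data removed
    $_SESSION['userid']    = $userid;
    $_SESSION['last_seen'] = time();       // for the 10-minute idle check
}

if (!browser_accepts_cookies()) {
    echo '<p>Signing in needs cookies. Please enable them and try again.</p>';
    exit;
}
// ... show the form and check the credentials here; on success:
// start_authenticated_session($row['id']);
```

With `session.use_only_cookies` on, the bookmark-and-paste scenario above cannot hand a friend a live session, because a sessionid in a URL is never accepted; the cost is that cookie-refusing browsers are turned away at the door with a clear message instead of being silently given a URL-carried session.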
Where is your $auth stored?
u said, session.
Why is the session owned by you? u own the id (key) of the session.
But u said throw the sessionid away. Then u lose your session.
But u said u won't lose the session. How do u keep it?
u lose the session when u throw away the sessionid; u lose $auth when u lose the session.
u didn't point out how to keep $auth.
[edited by: heini at 4:37 pm (utc) on Dec. 8, 2002]
$auth is stored in the session, which is either passed through the URL or cookies (as Andreas said). If you lose your session, you lose $auth and you'll have to log in again.
More on sessions [php.net] at the PHP manual...
Nick
The topic is "validating sessions",
not checking login; even a guest can have a session.
There's no help in using $auth for this topic.
Again:
when u use a session, u have to keep the sessionid on the client (which is also on the server), right?
When cookies are disabled, u have to transmit the sessionid in the url, right?
When u copy this url to your friend, the friend gets this url with the sessionid, right?
So the real question brotherhood_of_LAN asked is:
when u give the session id (by url) to your friend, how does your program recognize that your friend is not you? Make sure he/she can't access the account as u can.
IP comparison with an IP-restrict checkbox may be the answer to this topic.
[H]ave you considered comparing IP and [IP stored in the] session?
I do not see any logical inconsistencies in Nick's argument.
Andreas
If their browser doesn't support cookies, then this is what would happen.
Somehow I want to fit in the "HTTP_REFERER" bit... anyway, something along these lines has sorted the prob :)
I've ended up with something like this... $s is the session.
<?php
// Request data read explicitly rather than through register_globals.
$s        = isset($_GET['s']) ? $_GET['s'] : '';
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$form = '<form method="POST"><p>Username<br><input type="text" name="username" size="20"><br>Password<br><input type="password" name="password" size="20"><input type="submit" value="GO"></p></form>';
$message1 = '<h2>Welcome, Guest</h2><p>Sign in below</p>'.$form;
if(empty($s))
{
    // No session id in the URL: this is a sign-in attempt.
    if(empty($username) || empty($password))
    {
        $message1 = '<h2>Welcome, Guest</h2><p>Make sure you fill in both fields</p>'.$form;
    }
    else
    {
        $link = mysql_connect("localhost","root");$db = mysql_select_db("temp");
        // Escape the submitted values before they go into the query.
        $username = mysql_escape_string($username);
        $password = mysql_escape_string($password);
        $result = mysql_query("SELECT id,firstname FROM users WHERE username='$username' AND password='$password'");
        $result = mysql_fetch_array($result);
        if($result && $result[0] != 0)
        {
            session_name("s");    // SID below is built from the session name, so pin it to "s"
            session_start();
            $message1 = '<h2>Welcome, '.$result['firstname'].'</h2>';
            // Keep the first three octets of the client address for the later IP check.
            $ip = preg_replace("'\.\d{1,3}$'","",$_SERVER['REMOTE_ADDR']);
            // SID is "s=<id>": $s becomes the "?s=<id>" URL suffix, $sid the bare id.
            $s = str_replace("s=","?s=",SID);$sid = str_replace("s=","",SID);
            // logtime is assumed to be an integer column holding a UNIX timestamp.
            mysql_query("UPDATE sessions SET sessid='$sid',ip='$ip',logtime=".time()." WHERE userid='{$result['id']}'");
        }
        else
        {
            $message1 = '<h2>Welcome, Guest</h2><p>Either your username or password were incorrect.</p>'.$form;
        }
    }
}
else
{
    // A session id arrived in the URL: only accept it when the referer is a page on this site.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if(preg_match("'".preg_quote($_SERVER['SERVER_NAME'])."'",$referer))
    {
        $link = mysql_connect("localhost","root");$db = mysql_select_db("temp");
        $s = mysql_escape_string($s);
        $time = time();$ip = preg_replace("'\.\d{1,3}$'","",$_SERVER['REMOTE_ADDR']);
        // Valid only if the id was issued to this network and was last used within 10 minutes.
        $result = mysql_query("SELECT userid,logtime FROM sessions WHERE sessid='$s' AND ip='$ip' AND logtime > $time-600");
        $result = mysql_fetch_array($result);
        if($result && $result[0] != 0)
        {
            // Refresh the timestamp so the session stays alive while pages keep loading.
            mysql_query("UPDATE sessions SET logtime=$time WHERE sessid='$s'");
            $s='?s='.$s;
            echo 'still logged';
        }
        else
        {
            $s = "";
        }
    }
    else
    {
        $message1 = '<p>Sorry, your computer is not providing a secure way for us to authenticate you. Click here to learn more</p>';
        $s = "";
    }
}
?>
The $message1 bit is the output for further down the page, as this script would be included at the top of any page to kick off a session on login.
[edited by: brotherhood_of_LAN at 8:01 pm (utc) on Dec. 8, 2002]
However, have you considered comparing IP and session id?
Or, better still, don't use the session id at all; use the username and password instead and just use sessions to register a var like $authenticated.
to brotherhood_of_LAN:
HTTP_REFERER may be blocked by some firewalls, and can be spoofed by the client.
And, if u don't turn off trans-sid, the sid will still be in the url.
btw: your script should be written as: $sid = session_id();
$ip = preg_replace ("'\.\d{1,3}$'","",$_SERVER['REMOTE_ADDR']);
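As an added example (not the poster's script and not code from any reply), here is the validation step rewritten around the `session_id()` call recommended above, together with the IP comparison suggested earlier in the thread and the 10-minute idle window from the original post. The referer test is dropped for the reason just given (it can be blocked or spoofed). It assumes a `sessions` table with columns `userid`, `sessid`, `ip` and `logtime` where `logtime` is an integer UNIX timestamp, one existing row per user, and a `mysqli` connection; `validate_session`, `register_session` and `client_ip_prefix` are names chosen for the example.

```php
<?php
// Added example, not the poster's script.

define('IDLE_LIMIT', 600);   // 10 minutes, as in the thread

// Same first-three-octets prefix the posted script used. Binding to a /24
// rather than the full address tolerates users behind rotating proxies, at
// the cost of accepting anyone else on that same /24 who holds the id.
function client_ip_prefix()
{
    return preg_replace('/\.\d{1,3}$/', '', $_SERVER['REMOTE_ADDR']);
}

function ensure_session_started()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {   // PHP >= 5.4
        session_start();
    }
}

// On sign-in: issue a fresh id and record it, with the caller's network and
// the time, against the user's row.
function register_session(mysqli $db, $userid)
{
    ensure_session_started();
    session_regenerate_id(true);     // never keep the pre-login id
    $sid = session_id(); $prefix = client_ip_prefix(); $now = time();
    $stmt = $db->prepare('UPDATE sessions SET sessid = ?, ip = ?, logtime = ? WHERE userid = ?');
    $stmt->bind_param('ssii', $sid, $prefix, $now, $userid);
    $stmt->execute();
    $stmt->close();
}

// On every later page: returns the userid when the id the browser presents
// was issued to this network and used within IDLE_LIMIT, otherwise false.
// A false result covers the bookmark/pasted-link case (different network)
// and the expired case (no page load for 10 minutes).
function validate_session(mysqli $db)
{
    ensure_session_started();
    $sid    = session_id();
    $now    = time();
    $cutoff = $now - IDLE_LIMIT;
    $prefix = client_ip_prefix();

    $stmt = $db->prepare('SELECT userid FROM sessions WHERE sessid = ? AND ip = ? AND logtime > ?');
    $stmt->bind_param('ssi', $sid, $prefix, $cutoff);
    $stmt->execute();
    $stmt->bind_result($userid);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        session_destroy();           // stale or foreign id: do not let it be retried
        return false;
    }

    // Sliding window: each validated page load pushes the idle deadline out.
    $upd = $db->prepare('UPDATE sessions SET logtime = ? WHERE sessid = ?');
    $upd->bind_param('is', $now, $sid);
    $upd->execute();
    $upd->close();
    return $userid;
}

// Usage at the top of a protected page (connection details are placeholders):
// $db = new mysqli('localhost', 'user', 'pass', 'temp');
// $userid = validate_session($db);
// if ($userid === false) { /* show the sign-in form */ }
```

Prepared statements replace the string-built queries of the posted script, so the session id and address can never alter the SQL, and the timestamp comparison is an integer subtraction rather than arithmetic on a `YmdHis` string. The IP check only narrows the window: a shared link still works for anyone on the same /24 within 10 minutes, which is why keeping the id out of the URL in the first place (cookies only) remains the stronger fix.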