LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Thu Sep 29, 2005 6:06 pm (18 years, 7 months ago) |
|
Hi, I have been creating a website. It works perfectly on my localhost (using WAMP), but when I uploaded it to the web it has a bug. When I log in it sets a session variable 'status'. This variable works fine until I press the back button on the browser; then it resets the variable and I have to log in again.
<?php
session_start();
include ('starting.php'); // just formatting for site
$status = $_SESSION['status']; // set by the login script below
if ($status != 3)
{
    echo "You are not logged in Properly <br/><br/>Please go ";
    echo "<a href='javascript: history.go(-1)'>Back</a> and Re-Login";
}
else
{
    //does its thing
}
and I'll put the login script here too
<?php
session_start();
include ('starting.php');
// login form values arrive in the query string (GET)
$username = $_GET['username'];
$password = stripslashes($_GET['password']);
//$password = sha1($password);
// the request values are placed directly into the query text
$users_query = "select * FROM users WHERE username = '$username' and password = '$password'";
$users_result = mysql_query($users_query) or die ('Problem Logging In');
while ($usersrow = mysql_fetch_array($users_result))
{
    $userID = stripslashes($usersrow['userID']);
    $status = stripslashes($usersrow['status']);
    // remember the logged-in user for later pages
    $_SESSION['username'] = $username;
    $_SESSION['validated'] = 'true';
    $_SESSION['status'] = $status;
    $_SESSION['userID'] = $userID;
    echo "<table border='0' width=90%><tr>";
    echo "<td>Username</td></tr>";
    echo "<tr><td>You are now logged in as: ".$_SESSION['username'].".";
    echo " Now redirecting back</td></tr><tr><td>";
    // go back two pages in the browser history after 2 seconds
    echo "<SCRIPT language='JavaScript'>setTimeout('history.go(-2)',2000);</SCRIPT>";
    echo "<br/><br/><br/>If this page doesn't redirect you within 5 seconds please click <a href='index.php'>here</a></td></tr></table>";
}
if(!mysql_num_rows($users_result))
{
    echo "There was a problem Logging in. Please ";
    echo "<a href='javascript: history.go(-1)'>go back</a> and try again";
}
include ('ending.php');
?> |
|
|
|
|
Daniel
Team Member
Joined: 06 Jan 2002
Posts: 2564
|
Posted:
Thu Sep 29, 2005 8:15 pm (18 years, 7 months ago) |
|
What does phpinfo() have to say about sessions? There's a sessions section in phpinfo, which has a line entitled "Session Support". Is that enabled? Also you might want to compare the output from the server with the output you get when running it locally. |
________________________________
|
|
|
|
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Fri Sep 30, 2005 4:26 am (18 years, 7 months ago) |
|
Here is the section for sessions. You can view the full phpinfo at http://www.riverslea.school.nz/ and the localhost version at the bottom of the index page.
localhost session:
session
Session Support enabled
Registered save handlers files user sqlite
Registered serializer handlers php php_binary wddx
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0
------------------------------------------------------------------------------
Server session:
session
Session Support enabled
Registered save handlers files user
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid On On |
|
|
|
|
Daniel
Team Member
Joined: 06 Jan 2002
Posts: 2564
|
Posted:
Fri Sep 30, 2005 5:56 am (18 years, 7 months ago) |
|
Do you have access to /tmp on the server to see if session files are indeed being created? |
________________________________
|
|
|
|
adam
Forum Moderator & Developer
Joined: 26 Jul 2002
Posts: 704
Location: UK
|
Posted:
Fri Sep 30, 2005 8:11 am (18 years, 7 months ago) |
|
This isn't related to your question, but directly using a user-supplied variable in an SQL query can be a security risk - it would be easy for a malicious user to add their own SQL to the query and modify your database. Check out the mysql_real_escape_string() function. |
________________________________ It's turtles all the way down... |
|
|
|
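The point in the reply above, shown in code. This is an added example, not the poster's script or anything else from the thread: it takes the query-building pattern from the login script posted at the top (the username and password spliced straight into the SQL text) and runs it beside a parameterised query. It uses PDO with an in-memory SQLite database, an assumption made so that it runs offline (the site in the thread used MySQL, where PDO's mysql driver takes the same prepare/execute calls), and it needs PHP 7.1 or later for the nullable return types. The users and the `o'brien` login are constructed sample data.

```php
<?php
// Added example, not the poster's script: the concatenated login query from the
// thread beside a parameterised one. Uses PDO with an in-memory SQLite database
// (assumed available) so it runs offline.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, username TEXT, password TEXT, status INTEGER)');
    // Constructed rows; status 3 is the level the poster's protected page checks for.
    // (Passwords are stored in clear here only to mirror the thread's table.)
    $pdo->exec("INSERT INTO users (username, password, status) VALUES ('alice', 'wonderland', 3)");
    $pdo->exec("INSERT INTO users (username, password, status) VALUES ('o''brien', 'shamrock', 3)");
    return $pdo;
}

// The pattern from the posted script: request values are spliced into the SQL text,
// so every quote character in them is read as SQL syntax rather than as data.
function buildConcatenatedQuery(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
}

function loginConcatenated(PDO $pdo, string $username, string $password): ?array
{
    $row = $pdo->query(buildConcatenatedQuery($username, $password))->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: placeholders keep the data out of the query text, so a quote in the
// username is just a character to compare. For the old mysql_* API the equivalent is
// escaping each value with mysql_real_escape_string(), as the reply above recommends.
function loginPrepared(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = makeDb();
$name = "o'brien"; // a legitimate name that happens to contain an apostrophe

echo "query text becomes: " . buildConcatenatedQuery($name, 'shamrock') . "\n";
try {
    loginConcatenated($pdo, $name, 'shamrock');
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The apostrophe ended the string literal early; everything after it was parsed as SQL.
    echo "concatenated query rejected by the database: " . $e->getMessage() . "\n";
}

$row = loginPrepared($pdo, $name, 'shamrock');
echo "prepared query matched userID " . $row['userID'] . " with status " . $row['status'] . "\n";
```

Run it with `php inject_demo.php`. The concatenated query fails on the apostrophe because the quote closes the string literal early and the rest of the value is parsed as SQL, which is exactly why whoever supplies the value gets a say in what the query does; the prepared query simply finds the row.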
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Fri Sep 30, 2005 12:47 pm (18 years, 7 months ago) |
|
Yes, I have full rights to the site. I am in the temp file now and can't find any sessions at all. All I can see is a few graphs for the statistics section of the webserver, and a few folders:
analog
analogbrowrep.png
analogbrowsum.png
analogcode.png
analogdir.png
analogdom.png
analogfailref.png
analogorg.png
analogrefsite.png
analogreq.png
analogsize.png
analogtype.png
awstats
bw-riversle-2005.png
bw-riversle-today.png
webalizer
webalizerftp
--------------------------------------------------
In the folder analog there is a file called cache.
That's all I really see. Maybe should the whole website be in the folder cgi-bin? It is currently in public_html and cgi-bin is a sub category... Cheers for your suggestions |
|
|
|
|
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Fri Sep 30, 2005 12:51 pm (18 years, 7 months ago) |
|
I am kinda new to the whole online thing and the whole malicious internet. I kinda thought I would be exposing myself by posting information on here. I can't really work out how a SQL statement can be run by someone without access to the PHP code, or how someone can use "sql-injection" as it is called, although I will take those security holes into account. Thanks for your input |
|
|
|
|
adam
Forum Moderator & Developer
Joined: 26 Jul 2002
Posts: 704
Location: UK
|
Posted:
Fri Sep 30, 2005 1:23 pm (18 years, 7 months ago) |
|
I'm guessing you're on a cPanel server? In which case, the tmp directory you see in FTP isn't the same one which is used by PHP to store session data. |
________________________________ It's turtles all the way down... |
|
|
|
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Fri Sep 30, 2005 10:41 pm (18 years, 6 months ago) |
|
Whereabouts would I see session data then? I am on a cPanel server... |
|
|
|
|
adam
Forum Moderator & Developer
Joined: 26 Jul 2002
Posts: 704
Location: UK
|
Posted:
Sat Oct 01, 2005 4:00 am (18 years, 6 months ago) |
|
You won't be able to unless you're the server administrator. However, I think you can change the place where PHP stores the data though I can't remember exactly how. |
________________________________ It's turtles all the way down... |
|
|
|
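Comparing the two phpinfo() dumps posted earlier: the server keeps its session files in /tmp (which, as noted above, is not the /tmp visible over FTP on a cPanel box), it lacks the sqlite save handler, and it has session.use_trans_sid set to On, which makes PHP rewrite links and forms to carry PHPSESSID, so session ids end up in URLs, browser history and Referer headers. Here is an added example, not code from the thread, of a small bootstrap include that does what the reply above half-remembers: it moves the save path to a directory under the account (so the session files can be inspected without server access, which also answers the earlier question of whether any are being created), turns URL-based session ids off, and checks that a session file is really written. The `../sessions` directory and the directive values chosen are assumptions; session.use_strict_mode needs PHP 5.5.2 or later.

```php
<?php
// Added example, not code from the thread: a bootstrap include that pins the session
// directives the two phpinfo() dumps differed on, keeps the session files in a
// directory under the account, and checks that a file is really written.
// The directory name and the chosen values are assumptions for the example.

function sessionBootstrap(string $saveDir): void
{
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $saveDir");
    }
    // Everything below must be set before session_start().
    session_save_path($saveDir);
    // The server dump had session.use_trans_sid = On: PHP then rewrites links and forms
    // to carry PHPSESSID, so the id leaks into URLs, history and Referer headers.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');  // ignore ids supplied in the URL
    ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (PHP 5.5.2+)
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

// The handful of directives worth comparing between localhost and the server.
function sessionReport(): array
{
    $keys = ['session.save_handler', 'session.save_path', 'session.use_trans_sid',
             'session.use_only_cookies', 'session.cookie_httponly', 'session.use_strict_mode'];
    $report = [];
    foreach ($keys as $key) {
        $report[$key] = ini_get($key);
    }
    return $report;
}

// Answers "are session files being created?": flush the session to disk, then look
// for the file the files handler names sess_<id> inside the save path.
function sessionFileExists(): bool
{
    $file = rtrim(session_save_path(), '/') . '/sess_' . session_id();
    session_write_close();
    return is_file($file);
}

// Assumed layout: this file sits in public_html, so ../sessions is outside the web root.
sessionBootstrap(dirname(__DIR__) . '/sessions');
$_SESSION['status'] = 3; // constructed value, as the login script would set it
print_r(sessionReport());
echo sessionFileExists() ? "session file written\n" : "no session file; check the save path and its permissions\n";
```

Run it once from the command line with `php session_bootstrap.php` to confirm the directory is writable and a `sess_*` file appears, then include it at the top of every page in place of the bare `session_start()`; if the file still fails to appear on the server but works locally, the save path and its permissions are the first thing to look at.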
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Sat Oct 01, 2005 5:17 am (18 years, 6 months ago) |
|
I am the administrator of the site |
|
|
|
|
adam
Forum Moderator & Developer
Joined: 26 Jul 2002
Posts: 704
Location: UK
|
Posted:
Sat Oct 01, 2005 11:18 am (18 years, 6 months ago) |
|
Administrator of the site and administrator of the server are two different things - the server administrator (i.e. the hosting company you're using) has access to a lot of stuff that you don't. |
________________________________ It's turtles all the way down... |
|
|
|
LaKaroT
Junior WebHelper
Joined: 29 Sep 2005
Posts: 7
|
Posted:
Sat Oct 01, 2005 12:07 pm (18 years, 6 months ago) |
|
Oh sweet, I get you now. So any advice to solve my problem apart from what's given? |
|
|
|
|
adam
Forum Moderator & Developer
Joined: 26 Jul 2002
Posts: 704
Location: UK
|
Posted:
Sat Oct 01, 2005 3:05 pm (18 years, 6 months ago) |
|
I'm not sure exactly what the problem is. You say it logs you out when you click the back button? What page does that take you back to? Is there anything on that page that might modify $_SESSION?
Also, as a side note, you might want to use POST rather than GET for the login form. That way the user name and password won't be visible in the URL. (If it's visible in the URL, it will also show up in the browser's history, which could be a big security problem.) |
________________________________ It's turtles all the way down... |
|
|
|
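An added example, not the poster's script, that puts the two points in the reply above into code: the login form is submitted with POST so the credentials never appear in the URL or the browser history, and the post-login redirect is a server-side Location header to a fixed page rather than `history.go(-2)`, so the next page is always a fresh request made with the session cookie instead of a step back through pages served before the login. It also stores a password hash instead of the clear password and regenerates the session id once the user is authenticated. `$USERS` is constructed sample data standing in for the thread's users table, `login.php` and `index.php` are assumed file names, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not the poster's script: a login handler that reads the form via POST,
// checks the password against a stored hash, regenerates the session id after login,
// and redirects with a Location header rather than history.go(). $USERS stands in for
// the thread's users table; a real handler would fetch the row with a prepared statement.

$USERS = [
    // status 3 is the level the poster's protected page requires
    'alice' => ['userID' => 1, 'status' => 3, 'hash' => password_hash('wonderland', PASSWORD_DEFAULT)],
];

// The form itself: method="post" keeps the credentials out of the URL and the history.
function loginForm(): string
{
    return '<form method="post" action="login.php">'
         . '<label>Username <input name="username" autocomplete="username"></label>'
         . '<label>Password <input name="password" type="password" autocomplete="current-password"></label>'
         . '<button type="submit">Log in</button></form>';
}

// Returns the user row when the credentials match, null otherwise.
function authenticate(array $users, string $username, string $password): ?array
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return null;
    }
    return $row;
}

function loginAction(array $users): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // never accept credentials from a GET URL
        http_response_code(405);
        exit(loginForm());
    }
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $row = authenticate($users, $username, $password);
    if ($row === null) {
        http_response_code(401);
        exit('Login failed. ' . loginForm());
    }
    session_regenerate_id(true);      // fresh id: a pre-login id cannot become a logged-in one
    $_SESSION['userID'] = $row['userID'];
    $_SESSION['status'] = $row['status'];
    $_SESSION['username'] = $username;
    header('Location: index.php');    // a new request, so the page is built with the session set
    exit;
}

// For the protected page: the check the poster's first script does, but instead of
// asking the user to press Back it sends them to the login form.
function requireStatus(int $needed): void
{
    if ((int) ($_SESSION['status'] ?? 0) !== $needed) {
        header('Location: login.php');
        exit;
    }
}

session_start();
if (PHP_SAPI === 'cli') {   // offline self-check with the constructed data
    $good = authenticate($USERS, 'alice', 'wonderland') !== null;
    $bad  = authenticate($USERS, 'alice', 'wrong') === null
         && authenticate($USERS, 'nobody', 'wonderland') === null;
    echo ($good && $bad) ? "authenticate(): ok\n" : "authenticate(): unexpected result\n";
} else {
    loginAction($USERS);
}
```

Under a web server this file is `login.php`; the protected page calls `session_start()` and then `requireStatus(3)` before doing anything else. Run from the command line it only exercises `authenticate()` against the sample data.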