4WebHelp
 FAQ  •  Search  •  User Groups  •  Forum Admins  •  Smilies List  •  Statistics  •  Rules   •  Login   •  Register
Toggle Navigation Menu

 $_SESSION varible and the administration section of my site
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic
Author Message
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Thu Sep 29, 2005 6:06 pm (12 years ago) Reply with QuoteBack to Top

hi i have been creating a website it works perfect on my localhost (using WAMP) then when i uploaded it to the web it has a bug. When i login it sets a session varible 'status' this varible works fine untill i press the back button on the browser then it resets the varible and i have to log in again.

<?php
session_start();
include ('starting.php'); // just formatting for site
$status = $_SESSION['status'] ;
if ($status != 3)
{
echo "You are not logged in Properly <br/><br/>Please go ";
echo "<a href='javascript: history.go(-1)'>Back</a> and Re-Login";
}
else
{
//does its thing
}


and ill put the login script here too

<?php
session_start();
include ('starting.php');



$username = $_GET['username'];
$password = stripslashes($_GET['password']);
//$password = sha1($password);


$users_query = "select * FROM users WHERE username = '$username' and password = '$password'" ;
$users_result = mysql_query($users_query) or die ('Problem Logging In');
while ($usersrow = mysql_fetch_array($users_result))
{
$userID = stripslashes($usersrow['userID']);
$status = stripslashes($usersrow['status']);
$_SESSION['username']=$username ;
$_SESSION['validated']='true' ;
$_SESSION['status']=$status ;
$_SESSION['userID']=$userID ;
echo "<table border='0' width=90%><tr>";
echo "<td>Username</td></tr>";
echo "<tr><td>You are now logged in as: ".$_SESSION['username'].".";
echo " Now redirecting back</td></tr><tr><td>";
echo "<SCRIPT language='JavaScript'>setTimeout('history.go(-2)',2000);</SCRIPT>" ;
echo "<br/><br/><br/>If this page doesn't redirect you within 5 seconds please click <a href='index.php'>here</a></td></tr></table>" ;

}
if(!mysql_num_rows($users_result))
{
echo "There was a problem Logging in. Please ";
echo "<a href='javascript: history.go(-1)'>go back</a> and try again" ;
}
include ('ending.php');
?>
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Thu Sep 29, 2005 8:15 pm (12 years ago) Reply with QuoteBack to Top

What does phpinfo() have to say about sessions? There's a sessions section in phpinfo, which has a line entitled "Session Support". Is that enabled? Also you might want to compare the output from the server with the output you get when running it locally.

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Fri Sep 30, 2005 4:26 am (12 years ago) Reply with QuoteBack to Top

here is the section for sessions u can view the full phpinfo at http://www.riverslea.school.nz/ and hte local host version at the bottom of the index page

localhost session:

session
Session Support enabled
Registered save handlers files user sqlite
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0


<hr>
------------------------------------------------------------------------------
Server session:


session
Session Support enabled
Registered save handlers files user

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid On On
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Fri Sep 30, 2005 5:56 am (12 years ago) Reply with QuoteBack to Top

Do you have access to /tmp on the server to see if session files are indeed being created?

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
adam
Forum Moderator & Developer



Joined: 26 Jul 2002
Posts: 704
Location: UK

PostPosted: Fri Sep 30, 2005 8:11 am (12 years ago) Reply with QuoteBack to Top

This isn't related to your question, but directly using a user-supplied variable in an SQL query can be a security risk - it would be easy for a malicious user to add their own SQL to the query and modify your database. Check out the mysql_real_escape_string() function.

________________________________
It's turtles all the way down...
OfflineView User's ProfileFind all posts by adamSend Personal MessageVisit Poster's Website
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Fri Sep 30, 2005 12:47 pm (12 years ago) Reply with QuoteBack to Top

Yes i have full rights to the site, i am in the temp file now and cant find any sessions at all. all i can see is a few graphs for the statistics section of the webserver, and a few folders:

analog
analogbrowrep.png
analogbrowsum.png
analogcode.png
analogdir.png
analogdom.png
analogfailref.png
analogorg.png
analogrefsite.png
analogreq.png
analogsize.png
analogtype.png
awstats
bw-riversle-2005.png
bw-riversle-today.png
webalizer
webalizerftp
--------------------------------------------------
in the folder alalog there is a file called cache

thats all i really see, maybe shoudl the whole website be in the folder cgi-bin? it is currently in public_html and cgi-bin is a sub category... cheers for ur sujestions
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Fri Sep 30, 2005 12:51 pm (12 years ago) Reply with QuoteBack to Top

i am kinda new to the whole online thing and the whole malicious internet, i kinda thought i would be exposing myself by posting infomation on here, i cant really work out how a sql statment can be run via someone without access to the php code, or how someone can use "sql-injection" as it is called, although i will take those security holes into account, thanks for your input
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
adam
Forum Moderator & Developer



Joined: 26 Jul 2002
Posts: 704
Location: UK

PostPosted: Fri Sep 30, 2005 1:23 pm (12 years ago) Reply with QuoteBack to Top

I'm guessing you're on a cPanel server? In which case, the tmp directory you see in FTP isn't the same one which is used by PHP to store session data.

________________________________
It's turtles all the way down...
OfflineView User's ProfileFind all posts by adamSend Personal MessageVisit Poster's Website
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Fri Sep 30, 2005 10:41 pm (12 years ago) Reply with QuoteBack to Top

where abouts would i see session data then i am on a cpanel server...
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
adam
Forum Moderator & Developer



Joined: 26 Jul 2002
Posts: 704
Location: UK

PostPosted: Sat Oct 01, 2005 4:00 am (12 years ago) Reply with QuoteBack to Top

You won't be able to unless you're the server administrator. However, I think you can change the place where PHP stores the data though I can't remember exactly how.

________________________________
It's turtles all the way down...
OfflineView User's ProfileFind all posts by adamSend Personal MessageVisit Poster's Website
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Sat Oct 01, 2005 5:17 am (12 years ago) Reply with QuoteBack to Top

i am the administrator of the site
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
adam
Forum Moderator & Developer



Joined: 26 Jul 2002
Posts: 704
Location: UK

PostPosted: Sat Oct 01, 2005 11:18 am (12 years ago) Reply with QuoteBack to Top

Administrator of the site and administrator of the server are two different things - the server administrator (i.e. the hosting company you're using) has access to a lot of stuff that you don't.

________________________________
It's turtles all the way down...
OfflineView User's ProfileFind all posts by adamSend Personal MessageVisit Poster's Website
LaKaroT
Junior WebHelper
Junior WebHelper


Joined: 29 Sep 2005
Posts: 7

PostPosted: Sat Oct 01, 2005 12:07 pm (12 years ago) Reply with QuoteBack to Top

oh sweet i get u now, so any adivce to solve my probelm apart from whats given?
OfflineView User's ProfileFind all posts by LaKaroTSend Personal MessageSend emailMSN Messenger
adam
Forum Moderator & Developer



Joined: 26 Jul 2002
Posts: 704
Location: UK

PostPosted: Sat Oct 01, 2005 3:05 pm (12 years ago) Reply with QuoteBack to Top

I'm not sure exactly what the problem is. You say it logs you out when you click the back button? What page does that take you back to? Is there anything on that page that might modify $_SESSION?

Also, as a side note, you might want to use POST rather than GET for the login form. That way the user name and password won't be visible in the URL. (If it's visible in the URL, it will also show up in the browser's history, which could be a big security problem.)

________________________________
It's turtles all the way down...
OfflineView User's ProfileFind all posts by adamSend Personal MessageVisit Poster's Website
RossettiasFIFA
Junior WebHelper
Junior WebHelper


Joined: 23 Dec 2014
Posts: 1

PostPosted: Tue Dec 23, 2014 5:35 am (2 years, 9 months ago) Reply with QuoteBack to Top

Image

________________________________
Runescape Gold Fast Delivery RSGOLDFAST
OfflineView User's ProfileFind all posts by RossettiasFIFASend Personal MessageVisit Poster's Website
Display posts from previous:      
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic


 Jump to:   


Go to page 1, 2  Next

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot edit your posts in this forum.
You cannot delete your posts in this forum.
You cannot vote in polls in this forum.


Page generation time: 0.058031 seconds :: 18 queries executed :: All Times are GMT
Powered by phpBB 2.0 © 2001, 2002 phpBB Group :: Based on an FI Theme