|
PHP - Setting Security Session
Hi guys,
I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on.
At the moment, it would let anyone in without destroying the session and redirecting to index page.
What would i "use" that's created in the session? what's the "best" practice
My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like baton or a key that's "passed" onto the next page.
- if someone tried to bypass the log on with the session then access is denied or redirected away.
So on my index page to start i have:
<?php session_start(); /* clear all session variable */ $_SESSION = array(); /* set a session variable for later use */ $_SESSION['what_page'] = "admin00"; ?>What do i need to have to use the session against unauthorized access? my guess is:
if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
$_SESSION = array();
session_destroy();
header("Location: index.php");
exit();
}
So to me that means;
- if 'what_page' is not set from the index page, don't go any further, re-direct (back to index)
If i remove this and use a known username and password, i am able to log into the correct page, but this session validation is the bit that's not working
please could you help?
Similar TutorialsHi all.
i am trying to use php to include a javascript onto different pages, and then "sort of " pass it a var.
The bulk of the code will be in an included footer php file.
The var will be set in the main page.
i have it working as follows: by just using echo 3 times.. the 1st with the first part of the script, the 2nd is the variable, and the 3rd is the rest of the script.
The same endcode.php file needs to also be used for pages that wont have a var set, and wont be using the script - hense the isset.
<!-- mainPage.php -->
<?php $sion_gallery_id = '450'; ?>
<?php include(endcode.php); ?>
<!-- endcode.php -->
<?php if (isset($sion_gallery_id))
{echo "start of javascript.......album/"; echo $sion_gallery_id; echo"/end of script"; }
else { echo "var not on set";} ?>
Hi, I have just started learning about sessions to use with a login system with SQL Now I was wondering if my method is secure? When login in before setting the $_SESSION variables I use the session_regenerate_id() function. All passwords and ids are stored as SHA-256 hashes in the MySql DB. I use the mysql_escape_string() and htmlspecialchars() functions to sanitize the input values of all DB query's and SESSION variables. Also the login page can only have 3 wrong attempts before the user is locked out. with a captcha after the first attempt. Once the user logs in on each 'protected' page it checks the variables in the $_SESSION variable against the DB value on each page if they do not match then it brings the user to login page. Also on start of each page: if (isset($_REQUEST['_SESSION'])) {die('No Hacking');} Just wondering am I missing something? Thanks, mme Hi all ! What is the best method to prevent session hijacking / fixation and all the nasty bugs that come with using session_start(); I am looking at implementing session_start() on a member site, to handle logins if registered. How would I protect the session information? Hi This is the senario: User logs in, if successful connection details for his database are stored in a session variables which are used to access information. Are there any precautions I need to make sure the data in the sessions are safe? Thanks I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables
Array
(
[usr_login] => username
[usr_fname] => first
[usr_lname] => last
[usr_email] => email
[ses_usrid] => 1
[loggdin] => Yes
[loginremember] =>
)
And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone. Consequently, this works with no issues on the prod server, just not on my machine. Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else)
// =================================================================
// Sesssion start
// =================================================================
session_set_cookie_params(
0,
"/; SameSite=Strict",
".killgorack.com",
true,
true
);
session_start();
// =================================================================
// Security stuff
// =================================================================
header("strict-transport-security: max-age=31536000");
header('X-Frame-Options: sameorigin');
header("X-XSS-Protection: 1; mode=block");
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src BLA BLA BLA ");
header("Feature-Policy: vibrate 'none'");
header("Referrer-Policy: no-referrer");
header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/");
header("Expect-CT: max-age=86400, enforce");
header_remove("X-Powered-By");
// =================================================================
Any ideas? Edited May 19, 2019 by KillGorackI have a business social network site on hosting server. I am wondering if sessions are enough secure. ini_set('session.use_only_cookies', 1); //this prevent Session Fixation? session_start(); if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security //user is logged in, assign all data to this profile from session else //user is not logged in, no data are assigned Would you consider that as enough secure? Hi, I'd like to know the security of assuming session variables and using them for secure membership systems. Could a malicious user not create a session, then change the session username to another user and effectively login as that user? As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie. But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie. I guess storing cookie data via db would help. But what is the best practice solution? I see a lot of code which simply checks for a cookie with the variable 'logged_in' to true. It then manages the user by username or userid which are stored within the cookie but which can be changed with ease by a malicious user. I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url. Code: [Select] <html> <title>form</title> <link rel="stylesheet" type="text/css" href="style.css"> <body> <?php session_start(); if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) { if (isset($_POST['submitted'])) { $errors = array(); if (empty($_POST['scientific_name'])) { $errors[] = 'you forgot to enter the scientific name'; } else { $sn = trim($_POST['scientific_name']); } if (empty($_POST['common_name_english'])) { $errors[] = 'you forgot to enter the common name'; } else { $cne = trim($_POST['common_name_english']); } $description4 = trim($_POST['common_names_spanish']); $description5 = trim($_POST['common_names_french']); $description6 = etc. etc. if (empty($errors)) { require_once ('3_z_mysq1_c0nn3ct.php'); $query = "INSERT INTO plantae (scientific_name, common_name_english, etc.) VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)"; $result = @mysql_query ($query); if ($result) { if(isset($_POST['scientific_name'])) { $plant_id=mysql_insert_id(); } exit(); } else { echo 'system error. No plant added'; echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>'; exit(); } mysql_close(); } else { echo 'error. the following error occured <br>'; foreach ($errors as $msg) { echo " - $msg<br>\n"; } } // end of if } // end of main submit conditional echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend> form fields here. </form>'; } else { $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr($url, 0, -1); } $url .= '/login.php'; echo $url; exit(); } ?>
I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one: The value for session.save_path (/tmp) is not writable for the web server. Make sure that PHP can actually save session variables.
That seems to be the problem.
session.save_path: writeable You need set permission for your var directory.
well - i guess that the default ownership may be incorrect on the session folder: Example; php on some Linux-Server defaults to apache user. If using nginx or other need to switch the folder ownership. Also as a note you have to change the user/group setting in www.conf.
chown -R root:nginx /var/lib/php/7.0/ sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf service php-fpm-7.0 restart
But wait: what about the security - is it save to make the session.save_path writeable!? my server-admin says that this is a big big hole and makes the server unsecure. love to hear from you yours dil_bert by the way: years ago i have had this issue on the server. but the question is - is this a securitiy risk!? I need to know this. Look forward to hear from you Edited March 21, 2020 by dil_bertI have created a test account in my database with a user level of -1 and i think my code might be wrong but i am hoping someone can spot where i have gone wrong as i cannot, also a similar problem with another session variable loggedIn this is what i get when i login this is on the index page.
Notice: Undefined index: loggedIn in C:\xampp\htdocs\Login\index.php on line 11 Notice: Undefined index: loggedIn in C:\xampp\htdocs\Login\index.php on line 17 You must be logged in to view this page!Index page source code:
<?php
session_start();
error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', '1');
require 'connect.php';
if($_SESSION['loggedIn'] == 1) {
//Do Nothing
exit();
} else if($_SESSION['loggedIn'] != 1) {
echo "You must be logged in to view this page!";
exit();
}
if($_SESSION['user_level'] == -1) {
header("Location: banned.php");
} if(isset($_SESSION['username'])) {
echo "<div id='welcome'> Welcome, ". $_SESSION['username'] ." <br> </div> ";
}
?>
Also if you need my login source code:
<?php
error_reporting(E_ALL | E_NOTICE);
require 'connect.php';
session_start();
if (isset($_POST['submit'])) {
$username = trim($_POST['username']);
$password = trim($_POST['password']);
if (empty($username)) {
echo "You did not enter a username, Redirecting...";
echo "<meta http-equiv='refresh' content='2' URL='login.php'>";
exit();
}
if (empty($password)) {
echo "You did not enter a password, Redirecting...";
echo "<meta http-equiv='refresh' content='2' URL='login.php'>";
exit();
}
//Prevent hackers from using SQL Injection to hack into Database
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$result = $con->query("SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'");
$row = $result->fetch_array();
$user_level = $row['user_level'];
// check to make sure query did execute. If it did not then trigger error use mysqli::error to see why it failed
if($result->num_rows > 0)
{
//Set default user
$_SESSION['loggedIn'] == 1;
$_SESSION['user_level'] == 1;
$_SESSION['username'] == trim($_POST['username']);
header("Location: index.php");
exit();
} else if($row['user_level'] == 1) {
$_SESSION['user_level'] == 1;
//Location admin
header("Location: admin.php");
exit();
} else if($row['user_level'] == -1) {
$_SESSION['user_level'] == -1;
$_SESSION['username'] == trim($_POST['username']);
//Location banned
header("Location: banned.php");
exit();
} else if($_SESSION['loggedIn'] == true) {
//Location default user home page
header("index.php");
} else {
echo "Invalid Username/Password";
}
//Kill unwanted session
} if(isset($_POST['killsession'])) {
session_destroy();
echo "<br> <br> The Session Destroyed. (Basically means you have been logged out)";
exit();
}
?>
I appreciate all help
I have a form where users enter name, username, password etc. The values are posted to a MySQL table where I also have a field called 'ID' that auto increments. I want to store that ID in a SESSION variable that I can carry over to other pages. Need help in doing this please. Hey guys, Currently Im using: $row = mysql_fetch_array($result) or die(mysql_error()); echo $row['user_family']. " - ". $row['user_registered']; $row['user_family'] = $fam; $_SESSION['family'] = $fam; to take data from a mysql table & set it as SESSION family. However, I cant seem to get this to set. The information IS being taken from mysql because its being echo'd earlier up in the code, but its just not passing to the session. Any ideas? Record set has 2 text fields in the form which is set in a full repeat recordset browse. So, we get a long list of every record in the database. However, I want to be able to click on a single record and make another page appear. I can do this if the display is set as a table without using a text field form -- just the record variable and using a hyperlink. But, I want to use the text field. Wrapping the form only gets me the value of the last record displayed. Help would be appreciated. Hi all, Yesterday I moved a web application from a normal cookie session to a use_trans_sid session because some users' browser didn't accept cookies. This works great, but the session used to last for 45 minutes (set with session.gc_maxlifetime), but after the change the session times out faster. (How) can I set the session length if I use use_trans_sid? Thanks, Base PS: PHP version 5.2.13-1 Hi girls and boys I am trying to set a variable if a session OR a cookie has been set, but am unsure on how to write the statement... if (isset($_SESSION['name'])||isset($_COOKIE['name'])) {$variable = $_SESSION['name']||$_COOKIE['name'];} Obviously not working there, but just need a pointer here. any help is appreciated... i'm creating a page counter which updates a value in a database each time the page is loaded. I'm trying to make it so that it checks to see if a session has been set, if not, it updates the database, and then sets the session. This way it wont update every time someone refreshes the page. $id=$_GET['id']; if(!isset($_SESSION[$id])){ $_SESSION[$id]= $id; $views = $row['views'] + 1; $update_views=mysql_query("UPDATE topic SET views='".$views."' WHERE topic_id='".$id."'") i want to set the session variable as that of the page id ($id) The problem is that it keeps updating the database everytime the page is reloaded. I'm not sure if i'm setting the session variable correctly. Any ideas would be great Thanks I am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> I am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated |
|||||||