PHP - Value For Session.save_path (/tmp) Is Not Writable For Web Server :: Security-risk!?

Hi all ! 

I have a business social network site on hosting server. I am wondering if sessions are enough secure.
ini_set('session.use_only_cookies', 1); //this prevent Session Fixation?
session_start();

if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security
//user is logged in, assign all data to this profile from session
else
//user is not logged in, no data are assigned

Would you consider that as enough secure?

Hi guys,    I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on.      At the moment, it would let anyone in without destroying the session and redirecting to index page.      What would i "use" that's created in the session? what's the "best" practice    My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like baton or a key that's "passed" onto the next page.  - if someone tried to bypass the log on with the session then access is denied or redirected away.      So on my index page to start i have: 

<?php
session_start();


/* clear all session variable */
$_SESSION = array();

/* set a session variable for later use */
$_SESSION['what_page'] = "admin00";
?>

What do i need to have to use the session against unauthorized access?    my guess is: 

if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
	$_SESSION = array();
	session_destroy();
	header("Location: index.php");	
	exit();
}

So to me that means;    - if 'what_page' is not set from the index page, don't go any further, re-direct (back to index)       If i remove this and use a known username and password, i am able to log into the correct page, but this session validation is the bit that's not working   please could you help?            

I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables

Array
(
    [usr_login] => username
    [usr_fname] => first
    [usr_lname] => last
    [usr_email] => email
    [ses_usrid] => 1
    [loggdin] => Yes
    [loginremember] => 
)

And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone.

Consequently, this works with no issues on the prod server, just not on my machine.

Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else)

	// =================================================================
	// Sesssion start
	// =================================================================
			session_set_cookie_params(
			    0,
			    "/; SameSite=Strict",
			    ".killgorack.com",
			    true,
			    true
			);
			session_start();
	// =================================================================
	// Security stuff
	// =================================================================
			header("strict-transport-security: max-age=31536000");
			header('X-Frame-Options: sameorigin');
			header("X-XSS-Protection: 1; mode=block");
			header('X-Content-Type-Options: nosniff');
			header("Content-Security-Policy: default-src BLA BLA BLA ");
			header("Feature-Policy: vibrate 'none'");
			header("Referrer-Policy: no-referrer");
			header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/");
			header("Expect-CT: max-age=86400, enforce");
			header_remove("X-Powered-By");
	// =================================================================

Any ideas?

Edited May 19, 2019 by KillGorack

Hi,

I'd like to know the security of assuming session variables and using them for secure membership systems.

Could a malicious user not create a session, then change the session username to another user and effectively login as that user?

As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie.

But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie.

I guess storing cookie data via db would help. But what is the best practice solution?

I see a lot of code which simply checks for a cookie with the variable 'logged_in' to true. It then manages the user by username or userid which are stored within the cookie but which can be changed with ease by a malicious user.

I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url.

Code: [Select]
<html>
<title>form</title>
<link rel="stylesheet" type="text/css" href="style.css">
<body>

<?php
session_start();

if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) {
      

if (isset($_POST['submitted'])) {
$errors = array();


if (empty($_POST['scientific_name'])) {
$errors[] = 'you forgot to enter the scientific name';

} else {
$sn = trim($_POST['scientific_name']);
}

if (empty($_POST['common_name_english'])) {
$errors[] = 'you forgot to enter the common name';

} else {
$cne = trim($_POST['common_name_english']);
}

$description4 = trim($_POST['common_names_spanish']);
$description5 = trim($_POST['common_names_french']);
$description6 = etc. etc.

if (empty($errors)) {

require_once ('3_z_mysq1_c0nn3ct.php');

$query = "INSERT INTO plantae (scientific_name, common_name_english, etc.)
 VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)";

$result = @mysql_query ($query);


if ($result) {

if(isset($_POST['scientific_name']))
{
$plant_id=mysql_insert_id();
}


exit();
} else {
echo 'system error. No plant added';

echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>';


exit();

}
 mysql_close();

} else {

echo 'error. the following error occured <br>';
foreach ($errors as $msg) {

echo " - $msg<br>\n";

}

} // end of if

} // end of main submit conditional


echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend>


form fields here.

</form>'; 
      } else { 
       
      $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);

if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
          $url = substr($url, 0, -1);
        }

$url .= '/login.php';

echo $url;
     
       exit(); 
       }

?>

I have a website uploaded onto Host Gator hosting and the sessions are carried over to the other pages ok.
When using the same website in XAMPP it does not carry over the session to the next page and need to login again.

If i log in it puts the following after the URL - ?sid=3b71942d410d84c45f9f4433561c325a
The when i go to another link it loses the sid and i'll need to manualy past it into the next URL to get it working unless i log in again on the new page.

This is only happening with XAMPP but working fine in the Host Gator hosting environment.

Please help!

My login is integrated with the phpbb3 login.

This is the code at the beginning of every page -

Code: [Select]
<?php
ob_start();
define('IN_PHPBB', true);
$phpbb_root_path = './phpbb3/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();
?>

Hi all,

I have the following code to check whether the client has javascript enabled in their browser:

page.php:
Code: [Select]
<?php
session_start(); 
if(isset($_SESSION['gocheck'])) {$gocheck = $_SESSION['gocheck'];} else {$gocheck = 'no';}
//echo $gocheck;
if($gocheck=='no'){header ("Location: ./gocheck.php"); exit;}
//----Execution only reaches this line if gocheck.php has been run and Javascript is enabled.--------
unset($_SESSION['gocheck']);
//rest of page
?>

gocheck.php:
Code: [Select]
<?php
session_start(); 
$_SESSION['gocheck'] = 'yes';

echo"
<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">
<head>
<script type=\"text/javascript\" language=\"JavaScript\">
window.location.replace('page.php');
</script>
</head>

<body>
This website requires Javascript to be enabled in your browser. <br />
Please enable Javascript and try again.
</body>

</html>

";

?>

So what should happen is the user is always redirected from page.php to gocheck.php, which sets the session variable $gocheck to 'yes' and directs back to page.php via Javascript. Because $gocheck is then equal to 'yes', page.php shouldn't direct back again tio gocheck.php.

This worked fine on my PC (using WAMP), but when I upload the files to the webhost, it seems to get stuck in an infinite redirect loop between page.php and gocheck.php. Also, if I echo $gocheck in page.php, it returns 'no', so it seems as if for some reason the session variable $gocheck is not being set properly by gocheck.php.

Could somebody please shed some light on this? Is there an error in my code? Is there something I need to change in php.ini on the webhost's server?

Thanks!

P.S. WAMP on my PC uses PHP v.5.3.0, but the webhost uses PHP v.5.2.12 - don't think this can be the problem though.

I need to know if this is even possible.  I have found conflicting information on this online. 

Anyway, here is what I want to do.  I have two websites that reside on the same dedicated server.  Both have different IP's.  www.mywebsite1.com and www.mywebsite2.com. 

I need a user that logs in at www.mywebsite1.com to be able to pass the $_SESSION from www.mywebsite1.com to www.mywebsite2.com.  Any help on this would be cool.  Thanks in advance.

Ryan

I'm looking for a secure way to share session data across two different domains (not subdomains) on the same server.

I've looked at passing the session id through a GET var to the other domain. It works but it looks to open the possibility of session hijacking and I don't really like having the session id in the URL string. Any way to make this secure?

The other option I'm looking at is using cURL to load a script on the other domain that sets a cookie with the session id. When the person loads the other domain, check for the cookie, get the session id, connect to session then delete the cookie. Can anyone see anything wrong with this?


Thanks.

This is a two parter... mostly a discussion as I am currently not employing the purpose of these "things"   I am creating an autoparsing webapp that has unlimited use... whatever a person can think of   It accesses camera, microphone, gyro/accelerometer, flash etc... mostly it takes in data and does something to it according to the parsing tool   I'm not saying this is new, in fact I spent a while using Touch Develop which is a scripting "thing" by Microsoft, the problem was lag   That is another thing that concerns me, without web access the web-app is useless right? So I'm wondering if it is possible to copy your current setup and either translate it to the mobile languages like Java, C#/XML, Objective C or somehow a platform independent alternative   Anyway...   I'm not sure if I can access front end code, like <div class="whatever"> safely using injection   Well injection you just bind parameters but what if the incoming string is literally malicious ?   Also as far as autoparsing optimization goes, what I mean by that is I intended to create a character by character comparison, obviously or at least to me, starting with easier stuff first like   for example a link is entered   http://www.something.com   then the autoparser compares each character one at a time from left to right   |1|2|3|4|5|6|7|8|9|10| |h|t|t|p|:|/|/|w|w|w|...etc...   But I would check for existing formats starting with the shortest first and also checking from right and left, eg. .mp4 is obvious as a file type   I'll have more once I actually know what I need just looking to discuss I suppose... sorry if that is not appropriate feel free to delete this thread   In the future the users who have modified their personal accounts would benefit from an "AI" thing that is specific to their personalities based on what they have enabled
Edited by greenace92, 28 December 2014 - 09:37 AM.

I have a PHP web system that store in a windows server. In the system, there is a function for user to upload files to another server (Shared server in Unix).

When i try to upload a file, it gives warning:

Warning: move_uploaded_file(\\unixserver/sharedfolder/upload/test.txt) [function.move-uploaded-file]: failed to open stream: Permission denied in C:\wamp\www\upload\index.php on line 40

For your information, my username has been assigned in xxx's group that has access to read and write on that folder. Besides, i'm able to open,create and delete files on that folder's server manually (samba).

The safe mode setting is off.

Does anybody has any idea why this thing happen?

I'm trying to make a simple website where people register to my website.

When the user doesn't fill anything inside the boxes they get a message "Please fill all required fields" on the register.php page

On my local host require_once works good. It shows up.

 

But when i upload the files to my sever the require_once does not show up on the register.php

It just refreshes and i dont get the message "Please fill all required fields"

 

This is the code that works in local host but not in a live server

<?php require_once 'messages.php'; ?>

 

 

Here is my full code

 

Register page:

<html>


<?php require_once 'messages.php'; ?>

<br><br>


<form action="register-clicked.php" method="POST">

Username:<br>
<input type="text" name="usernamebox" placeholder="Enter Username Here">
<br><br>
Email:<br>
<input type="text" name="emailbox" placeholder="Enter email here">
<br><br>
Password:<br>
<input type="password" name="passwordbox" placeholder="Enter password here">
<br><br>
Confirm Password:<br>
<input type="password" name="passwordconfirmbox" placeholder="Re-enter password here">
<br><br>

<input type="submit" name="submitbox" value="Press to submit">
<br><br>

</form>

</html>

 

 

Register clicked

<?php


session_start();



$data = $_POST;

if( empty($data['usernamebox']) ||
    empty($data['emailbox']) ||
    empty($data['passwordbox']) ||
    empty($data['passwordconfirmbox'])) {
    $_SESSION['messages'][] = 'Please fill all required fields';
    header('Location: register.php');
    exit;

}




if ($data['passwordbox'] !== $data['passwordconfirmbox']) {
    $_SESSION['messages'][] = 'Passwords do not match';
    header('Location: register.php');
    exit;
}


$dsn = 'mysql:dbname=mydatabase;host=localhost';
$dbUser='myuser';
$dbPassword= 'password';

try{
$connection = new PDO($dsn, $dbUser, $dbPassword);
} catch (PDOException $exception){
    $_SESSION['messages'][] = 'Connection failed: ' . $exception->getMessage();
    header('Location: register.php');
    exit;
}

 

 

messages.php

<?php
session_start();

if (empty($_SESSION['messages'])){
    return;
}

$messages = $_SESSION['messages'];
unset($_SESSION['messages']);
?>



<ul>
    <?php foreach ($messages as $message): ?>
        <li><?php echo $message; ?></li>
    <?php endforeach; ?>
</ul>

 

Edited Wednesday at 12:49 AM by bee65

Hi,  I am not a PHP programmer.

I took on a new client with a simple PHP site, without any databases.
The site is up and running on the web.
I would like to get it running on my local machine for further development.
I have latest version of WAMP installed, running Apache version 2.2.11 and PHP version 5.3.0
I created a directory in the WAMP "www" project directory and it shows up there like it's supposed to when I browse to "localhost"

Problem:

The home page of website displays text but no, images, styles, footer, header, nav links, etc.


Here is the code for the home page:

<?
  define("NAV","home");
require_once('local/local.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>TITLE</title>
    <meta name="keywords" content="">
    <meta name="Description" content="">

<? include("common/dochead.php"); ?>

    </head>

<body onLoad="<? include('common/preloads.php'); ?>">

<!-- ============================ main ============================= -->
<div id="main-frame"><div id="main" class="noCollapse">

<? include("common/sign.php"); ?>

<div id="right-frame">

<? include("common/navigation.php"); ?>

<div id="content-frame">
<div id="content">


<h1>Welcome</h1>
<p>This is the content area. This is the content area. This is the content area. </p>


</div><!-- end content -->
</div><!-- end content-frame -->

</div><!-- end right-frame -->

<div class="clearFloats"></div>

</div><!-- end main --></div><!-- end main-frame -->

<? include("common/footer.php"); ?>

   </body>
</html>



Any help would be greatly appreciated. I have spent many hours on this.

Regards

Hi folks,

I'm curious if I can for example, save a file from my server and it will save to all other servers - obviously if they accepted the connection first. It's for a software I developed and is almost complete and know there will be frequent updates to it. Instead of users downloading upates, I want the update files from my server to somehow synchronize to their server automatically?

Anything called this??

Thanks for info.