|
PHP - Session Start & Security
I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables
Array
(
[usr_login] => username
[usr_fname] => first
[usr_lname] => last
[usr_email] => email
[ses_usrid] => 1
[loggdin] => Yes
[loginremember] =>
)
And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone. Consequently, this works with no issues on the prod server, just not on my machine. Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else)
// =================================================================
// Sesssion start
// =================================================================
session_set_cookie_params(
0,
"/; SameSite=Strict",
".killgorack.com",
true,
true
);
session_start();
// =================================================================
// Security stuff
// =================================================================
header("strict-transport-security: max-age=31536000");
header('X-Frame-Options: sameorigin');
header("X-XSS-Protection: 1; mode=block");
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src BLA BLA BLA ");
header("Feature-Policy: vibrate 'none'");
header("Referrer-Policy: no-referrer");
header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/");
header("Expect-CT: max-age=86400, enforce");
header_remove("X-Powered-By");
// =================================================================
Any ideas? Edited May 19, 2019 by KillGorackSimilar TutorialsI am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> I am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated Hi all, I have a session problem on my development site. Whenever I go to my login screen at www.mydomain.com/my/path/index.php, i get the following error messages: Quote Warning: session_start() [function.session-start]: open(/tmp/sess_f89c3850adf5a752b13f5c6b9022d8c4, O_RDWR) failed: Permission denied (13) in /home/account/public_html/shop_lite/admin/index.php on line 2 Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/account/public_html/shop_lite/admin/index.php:2) in /home/account/public_html/shop_lite/admin/index.php on line 2 However, when I go to mydomain.com/my/path/index.php, the error messages aren't there. I am very confused. We don't have an SSL (which google suggested it could be) or any whitespace between the opening php tag. I have chmoded the /tmp directory to 777 but to no avail. Any ideas? My opening code is below: Code: [Select] <?php session_start(); require_once("includes/db_connector.php"); include("includes/cms_class.php"); include("includes/login_class.php"); loginForwarder(); $issue = checkLoginIssue(); if (isset($_POST["login"])) { loginUser($_POST["email"], $_POST["password"]); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/my_template.dwt.php" codeOutsideHTMLIsLocked="false" --> Hi, I have just started learning about sessions to use with a login system with SQL Now I was wondering if my method is secure? When login in before setting the $_SESSION variables I use the session_regenerate_id() function. All passwords and ids are stored as SHA-256 hashes in the MySql DB. I use the mysql_escape_string() and htmlspecialchars() functions to sanitize the input values of all DB query's and SESSION variables. Also the login page can only have 3 wrong attempts before the user is locked out. with a captcha after the first attempt. Once the user logs in on each 'protected' page it checks the variables in the $_SESSION variable against the DB value on each page if they do not match then it brings the user to login page. Also on start of each page: if (isset($_REQUEST['_SESSION'])) {die('No Hacking');} Just wondering am I missing something? Thanks, mme Hi This is the senario: User logs in, if successful connection details for his database are stored in a session variables which are used to access information. Are there any precautions I need to make sure the data in the sessions are safe? Thanks What is the best method to prevent session hijacking / fixation and all the nasty bugs that come with using session_start(); I am looking at implementing session_start() on a member site, to handle logins if registered. How would I protect the session information? Hi all ! I keep having the same problem when i run my script on the server. the error is Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/alliapop/public_html/ekloges2010/ekloges2010/eisagogi.php:1) in /home/alliapop/public_html/ekloges2010/ekloges2010/includes/session.php on line 1I know i have to put session start at he very first line and i did but the problem keeps showing up. What else should i check?
I'm trying to start a session in a simple php file.
Here's *all* the code:
Here's the URL: hey guys, Im trying to register a session from a login im making and for some reason its not working. here is my code: <?php session_start(); if(isset($_POST['username'])){ $username = $_POST['username']; //name of the text field for usernames $password = $_POST['password']; //likewise here just for the password //connect to the db $user = 'root'; $pswd = ''; $db = 'chat'; $conn = mysql_connect('localhost', $user, $pswd); mysql_select_db($db, $conn); //run the query to search for the username and password the match $query = "SELECT * FROM users WHERE username = '$username' AND password ='$password'"; $result = mysql_query($query) or die("Unable to verify user because : " . mysql_error()); //this is where the actual verification happens if(mysql_num_rows($result) == 1){ //the username and password match //so e set the session to true $_SESSION['username'] = $username; $_SESSION['uID'] = $result['user_id']; //$_SESSION['email'] = $result['email']; //and then move them to the index page or the page to which they need to go header('Location: index.php'); }else{ $err = 'Incorrect username / password.' ; } //then just above your login form or where ever you want the error to be displayed you just put in echo $err; } else ?> Im trying to make it so it also gets the user_id of the user logging in and creates a session for it. It works for the username part, and Im able to echo the username im logged in with, but for some reason it does want to work for the user_id part. This is what doesnt register $_SESSION['uID'] = $result['user_id']; Thanks for the upcoming help. I have a business social network site on hosting server. I am wondering if sessions are enough secure. ini_set('session.use_only_cookies', 1); //this prevent Session Fixation? session_start(); if($_SESSION['loggedIn'] && $_SESSION['userIP']==$_SERVER["REMOTE_ADDR"]) // extra security //user is logged in, assign all data to this profile from session else //user is not logged in, no data are assigned Would you consider that as enough secure? Hi guys,
I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on.
At the moment, it would let anyone in without destroying the session and redirecting to index page.
What would i "use" that's created in the session? what's the "best" practice
My understanding is that the session variable is stored in the browser, after a successful log in, that session variable is like baton or a key that's "passed" onto the next page.
- if someone tried to bypass the log on with the session then access is denied or redirected away.
So on my index page to start i have:
<?php session_start(); /* clear all session variable */ $_SESSION = array(); /* set a session variable for later use */ $_SESSION['what_page'] = "admin00"; ?>What do i need to have to use the session against unauthorized access? my guess is:
if(!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
$_SESSION = array();
session_destroy();
header("Location: index.php");
exit();
}
So to me that means;
- if 'what_page' is not set from the index page, don't go any further, re-direct (back to index)
If i remove this and use a known username and password, i am able to log into the correct page, but this session validation is the bit that's not working
please could you help?
Hi, I'd like to know the security of assuming session variables and using them for secure membership systems. Could a malicious user not create a session, then change the session username to another user and effectively login as that user? As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie. But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie. I guess storing cookie data via db would help. But what is the best practice solution? I see a lot of code which simply checks for a cookie with the variable 'logged_in' to true. It then manages the user by username or userid which are stored within the cookie but which can be changed with ease by a malicious user. I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url. Code: [Select] <html> <title>form</title> <link rel="stylesheet" type="text/css" href="style.css"> <body> <?php session_start(); if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) { if (isset($_POST['submitted'])) { $errors = array(); if (empty($_POST['scientific_name'])) { $errors[] = 'you forgot to enter the scientific name'; } else { $sn = trim($_POST['scientific_name']); } if (empty($_POST['common_name_english'])) { $errors[] = 'you forgot to enter the common name'; } else { $cne = trim($_POST['common_name_english']); } $description4 = trim($_POST['common_names_spanish']); $description5 = trim($_POST['common_names_french']); $description6 = etc. etc. if (empty($errors)) { require_once ('3_z_mysq1_c0nn3ct.php'); $query = "INSERT INTO plantae (scientific_name, common_name_english, etc.) VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)"; $result = @mysql_query ($query); if ($result) { if(isset($_POST['scientific_name'])) { $plant_id=mysql_insert_id(); } exit(); } else { echo 'system error. No plant added'; echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>'; exit(); } mysql_close(); } else { echo 'error. the following error occured <br>'; foreach ($errors as $msg) { echo " - $msg<br>\n"; } } // end of if } // end of main submit conditional echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend> form fields here. </form>'; } else { $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']); if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr($url, 0, -1); } $url .= '/login.php'; echo $url; exit(); } ?> I have several pages on my site using the exact same code at the very top, which works fine except for one page: <?php include_once("../members/dbinfo.php"); The top of dbinfo looks like this: <?php session_start(); And then the connection strings for the database However it is giving me this error on this one page: Quote Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Inetpub\WebSites\premierathome_com\products\FrenchTalkingDictionary.php:1) in C:\Inetpub\WebSites\premierathome_com\members\dbinfo.php on line 1 Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Inetpub\WebSites\premierathome_com\products\FrenchTalkingDictionary.php:1) in C:\Inetpub\WebSites\premierathome_com\members\dbinfo.php on line 1 Now the session does actually start and doesn't prevent anything from working, I just get those messages. I'm at a loss as to why a different page with the exact same code, save for searching the database for a different product version would have this problem. I have had this code in place as well which works fine on other pages but doesn't help my problem at all: if(!isset($_SESSION['OK'])){ session_start(); } OK being a variable I set up during log in. I'm at a loss, is anyone able to help me out with this?
I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one: The value for session.save_path (/tmp) is not writable for the web server. Make sure that PHP can actually save session variables.
That seems to be the problem.
session.save_path: writeable You need set permission for your var directory.
well - i guess that the default ownership may be incorrect on the session folder: Example; php on some Linux-Server defaults to apache user. If using nginx or other need to switch the folder ownership. Also as a note you have to change the user/group setting in www.conf.
chown -R root:nginx /var/lib/php/7.0/ sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf service php-fpm-7.0 restart
But wait: what about the security - is it save to make the session.save_path writeable!? my server-admin says that this is a big big hole and makes the server unsecure. love to hear from you yours dil_bert by the way: years ago i have had this issue on the server. but the question is - is this a securitiy risk!? I need to know this. Look forward to hear from you Edited March 21, 2020 by dil_bertHi Everyone I am having a few issues with my website. I have developed in on my xampp local host and it works ok but when I upload the files and try to renew a membership using stripe I get the following messages. Warning: session_start(): Cannot start session when headers already sent in /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/inc/settings.php on line 2 Warning: Cannot modify header information - headers already sent by (output started at /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/procedures/payments/charge.php:1) in /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/procedures/payments/charge.php on line 141 I have some includes that appear on every page. This is the bootstrap.php file. This file holds the settings.php which connects to my database and other function files. In this settings page I call the session_start() php function and then connect to my database. I call the bootstrap.php file on every page to there for call the session_start() on every page. I am using sessions alot so is this the right thing to do? I have attached the renew_membership payment page which holds the form. The user fills out the payment page and the form data gets sent to a script called charge.php which uses the stripe objects to make the payment. I then want to do a redirect to the paymentSuccess.php page to output to the user that the payment was made successfully. This is where the issues arrise. I have split the charge file into 3 screen shots so it is more readable. Hope someone can help me. Thanks a lot David
Edited April 26 by Irish_Dave |
|||||||