Am I right about PHP sessions?

Printable View

Show 40 post(s) from this thread on one page

06-25-2010, 11:46 PM
auriaks

Quote:

Originally Posted by djr33

Two possibilities:
1. $_SERVER['HTTP_HOST'] is an unexpected value or includes http:// already. Try typing the address directly.
2. You were echoing $cookie and $session. A header() redirect only works BEFORE any text is output. I know this is commented out in your post, but if you had this executing while testing, that would cause a problem.

Add exit(); to the end and the script will stop execution there.

where I must use Exit() ??

The problem can be that when I destroy session - both variables became empty, and they are still equal...
06-25-2010, 11:51 PM
djr33

After the redirect. I added it to my previous post-- I forgot when I first posted it.
06-26-2010, 12:35 AM
auriaks

OK, now works... Maybe you know how I can solve the session and cookie question?

When I broke the session my $_COOKIE and $_SESSION values becomes empty... And that means equal:

PHP Code:

if($_COOKIE['hash'] != $_SESSION['hash'])
06-26-2010, 01:34 AM
traq

my bad.

PHP Code:

<?php if(empty($_SESSION['hash'] || $_COOKIE['hash'] != $_SESSION['hash'])){ // end session, redirect to login, stop script } ?>

Also my bad:

If you're using $_SERVER['HTTP_USER_AGENT'], you should check the session hash directly against that value each time, instead of relying solely on the cookie's hash value. It's an extra step the malicious user would have to go through, beyond simply stealing the cookie:

PHP Code:

<?php // things we use to create hash $user = "username"; $pass = "password"; $agent = $_SERVER['HTTP_USER_AGENT']; // don't hash HTTP_USER_AGENT yet $hash = md5($user.$pass); // cookie won't include it setcookie("hash", $hash); // but session will $_SESSION['hash'] = md5($hash.$agent); // when you check later on: if(empty($_SESSION['hash']) || md5($_COOKIE['hash'].$_SERVER['HTTP_USER_AGENT']) != $_SESSION['hash']){ // user/pass/agent combination doesn't match. // destroy session, redirect to re-login, end script } ?>
06-26-2010, 01:49 AM
auriaks

PHP Code:

// when you check later on: if(empty($_SESSION['hash']) || md5($_COOKIE['hash'].$_SERVER['HTTP_USER_AGENT']) != $_SESSION['hash']){ // user/pass/agent combination doesn't match. // destroy session, redirect to re-login, end script }

This part: where I have to check it?

I already use:

PHP Code:

<?php session_start(); if(empty($_SESSION['hash'] || $_COOKIE['hash'] != $_SESSION['hash'])){ header("Location: http://www.share2gether.xz.lt/login.php"); exit(); } ?>

..In every page TOP.

There is a mistake in first script in your comment...
06-26-2010, 02:35 AM
traq

the second bit of code (where the hash is checked separately) is an alternative method which could be used in place of what you're using now. It requires the cookie and session values to be set differently, however.

about the mistake - which comment/ which script are you referring to?
06-26-2010, 09:37 PM
auriaks

Everything is good, thanks :DD
06-26-2010, 11:44 PM
traq

no prob.

You fixed my mistake, or it was okay to start with? If something was broke I'd like to know
06-27-2010, 01:05 PM
auriaks

No it was on mine script :)
06-27-2010, 02:45 PM
traq

okay.

hey, thanks for asking this question. You prodded me to figure out a few things that'll be going into my current project. ::thumbs-up::

Show 40 post(s) from this thread on one page