sessions sessions sessions.... AHHHH

FourthChapter

hi all,

This login script works perfectally, im a beginner but with help of people here it now works. What i need help with, is creating a session if the login is authenticated.

This session must expire after 2 hours (+7200) and hold the username and the word "auth" if they are logged in, this is so i can place a script on the other pages to make sure no hackers can just type in "./secure/index.php"

(i dont mind cookies aswell, but i would prefer if it dint need them, but ur the experts lol)

Thanks very much

Matt

<? 

if( (!username) or (!password) )
{ header("http://mydomain.com/denied.php"); exit(); }

$conn=@mysql_connect("host", "username", "password")
     or die("could not connect");

$rs = @mysql_select_db("database", $conn)
     or die("could not select database");

$sql="select * from table_name where username=\"$username\" and password = password( \"$password\" )";

$rs=mysql_query($sql,$conn)
     or die("could not execute query");

$num = mysql_numrows($rs);

if($num != 0)

//session needed here and for the below link to carry the (SID) aswell as the username

{ $msg = "<meta http-equiv=\"refresh\" content=\"0; url=./secure/index.php?usn=$username\">"; }
else
{ $msg = "<meta http-equiv=\"refresh\" content=\"0; url=./denied.php\">"; }

 ?>

<html>
<head><title>Log-In Authentication...</title>
<?php echo($msg); ?>
</head><body></body></html>

RGBlackmore

a good method is mantain in database a table like

ID, nick, name, mail, ..., phpsessid, ip, time

if the user logs fine, you open a phpsessid (session_id(); after session_start()😉, get the ip and update both in the database, and then save an mktime for the time you want to be logged (in timestamp).. so you can use a simple function that in every page that need secutiry, check if the user is the same in the table with the $PHPSESSID, and ip. It's not easy to spoof an ip. Less easy is try to get the phpsessid. Also it must check if timestamp for NOW is less than the saved in the db. If it's greater, simply change que phpsessid a/o ip, and then the user is not logged

Anyway, i'ts just an idea. 🙂

PS: sorry for my poor english

FourthChapter

thanks, i got the script to log NOW(), PHP_SESSID, IP and USERNAME.

I now need to write a script to go on each page that will check the PHPSESSID, username, IP Addreass and NOW() with the ones on the database.

The script is only valid for +7200 seconds after it is logged in the database. If the details are incorrect, the page ../denied.php needs to be displayed. I have written the connect script that is all...

can sum 1 help me with my script below:

<?			
$conn = @mysql_connect("host", "username", "password")
     or die("could not connect");

$rs = @mysql_select_db("database", $conn)
     or die("could not select database");

$sql="select * from table_name";

$rs=mysql_query($sql,$conn)
		 or die("could not execute query");;

If $PHPSESSID == ......

//I have noooooooo idea how to do this

as you can see i dont know what im doing. It is complicated, but im trying!

Thanks for your help

Matt

cgraz

Not sure exactly what you're tryign to do, but have a look

http://www.webmasterbase.com/article/319/78

and

deinfately look here: http://www.php.net/manual/en/ref.session.php

Cgraz

RGBlackmore

-- file.php --

<?
if (eregi("verificar.php",$PHP_SELF)) {
	Header("Location: ../index.php");
	die();
}

include ("includes/config.php");


$ip=getenv("REMOTE_ADDR");

$db = mysql_connect($host,$mysqluser,$mysqlpassword);
$result = mysql_db_query($mysqldb,"SELECT * FROM users WHERE phpsessid='$PHPSESSID' AND ip='$ip'", $db);
$a=mysql_num_rows($result);

if ($a==0)
{
$usuario = "anonymous";
}
else 
{
$usuario = "registered";
}
mysql_close($db);
?>

so if you want to select from anonymous and registered users, you use

... you are a <? include ("file.php"); echo $usuario; ?> user.

You can then have a function for get the nick, id, email, ... ... ...

I'ts your an idea, it's not the securely truth, ok? Just I used it in a webpage, and work.