session stupid question

itworks

i'm making a site that uses sessions and it's working good, but i have thought of something that is bodering me.

the whole site is in index.php and the scripts are loaded to it, this is the code i have in index.php:

<?php
session_start();
session_register("login_status");
session_register("login_user");
?>

is this enough for tracking users? i meen, will this identify which user is which?

isn't there a chance that someone who enters the site get's somebody else login?

this is for a online e-commerce site and i'm concerned that this is not being done right?

thanks in advance.

itworks

i've searched for about two hours now, for documentation about this, and i cant get a simple explanation for my questions, are the questions that stupid?

Teen0724

I would suggest putting a userid from the Database. That way you can access the user from the DB and since it should be a Primary key, it will be unique. No problems.

itworks

besides from that session code i have posted i must say that i have a table in the database called users and each users profile is stored there (username and password included) so when they do login, it queries the table for that user authentication.

so with that and the session code i posted, is that enough?

ednark

yes that should be enough if you are reading in from a databse...

as long as they go through a secure password and check once thats ok...

if you want to be more safe... store their ip address they used then they submitted the login form.... then if at any time the ip used to access that page does not match with the ip address stored in the session, then dump them

itworks

thanks! your reply was very conforting.

do i need to make big changes in order to add that funtionalaty (storing ip)? could you example that?

thanks! 🙂

ednark

its stored for you here

$_SERVER['REMOTE_ADDR'] or something very similar

do this to look at what you have at your disposal

print "<pre>";
print_r($_SERVER)
print "</pre>";

m_tt

that should be plenty...

session_start();
$user_ip = getenv("REMOTE_ADDR");

if (session_is_registered("authed_user") && session_is_registered("authed_pass") && session_is_registered("authed_ip")) {
 ## User is authenticated...
} else {
 ## User is not authenticated..
 ## Do you check here against the database with
 ## username/password

 if (user/pass is verified) {
  $authed_user = username;
  $authed_pass = password;
  $authed_ip = $user_ip;
  session_register("authed_user","authed_pass","authed_ip");
  header("Location: " . $PHP_SELF);
 }

}

something like that :p

m_tt

One thing you might want to do is make a check to see if the session is actually started. If its not started your users cannot be authenticated. I ran into this problem when my server had no space

Something like:

session_start();
$cur_session = session_id();
if (isset($cur_session)) {
 ## Use session authentication
} else {
 ## Use another method of authentication
}

just a thought 😛