Users getting other users' login (session)?

juanmi

Hey guys!!

I'm building a forum using php (4.1.2.) and I have the this problem.

Some people is logging into other's accounts, without using (or even knowing) the other people's passwords or usernames. They just open the site and they are already logged in. I'm sure they used different computers (so it's not just question of logging out).

The server is Apache (of course) running on RedHat 7.3 with default installation.

I think something is missing.

Please,please help.

Thanks a lot, men

JuanMi

dalecosp

Hmm, seems a curious issue. How are you controlling logins? Sessions, you say....just a few questions to spark thought:

Are there commonalities between the users? For example, if some users are sharing ISP's, and the ISP's are caching web pages, and you're putting the SESSID in the URL ("Get")..... try
using a transparent session if you aren't....
What are the php.ini settings for session 'garbage collection'? Is it an extremely HIGHLY trafficked server? Is your /tmp dir full? Is PHP generating the SESSID's?

Flailing about in the dark,

juanmi

well, the server is me!!!

I also noticed this myself: I was using a connection to the local network (172.16.x.x) and somebody was outside my net. I got her session.

The php.ini session section is:
[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
session.save_path = /tmp

; Whether to use cookies.
session.use_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php

; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Check HTTP Referer to invalidate externally stored URLs containing ids.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public} to determine HTTP caching aspects.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; use transient sid support if enabled by compiling with --enable-trans-sid.
session.use_trans_sid = 1

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

here's the login part:

<html>
<head>
</head>
<body bgcolor=orange>
<?php
$conexion=mysql_connect(xxx,xxxx,xxx)
or die("Error de conexión a la base de datos");
mysql_select_db("xxxxxx");
$consulta="Select * from usuarios where nick=\"".$Nick."\" and password=MD5(\"".$Password."\");";
$resultado=mysql_query($consulta);
$num_filas=mysql_num_rows($resultado);
if ($num_filas == 1){
$usuario=$Nick;
session_name();
session_start();
session_register("usuario");
echo "<script language=\"JavaScript\">parent.frames[0].location.href=\"top2.php\";</script>";
echo "<script language=JavaScript>parent.frames[1].location.href='contenido.php';</script>";
echo "<script language=JavaScript>parent.frames[2].location.href='anuncios.php?categoria=comunicados';</script>";
}else{
echo "<center><h1>Falló</h1><br>";
echo "Pinche <a href=login.html>aqui</a> para volver a intentarlo</center>";
}
?>
</body>
</html>

and finally one of the page that make use of the session variables

<?php
session_name();
session_start("usuario");

if(!(session_is_registered("usuario"))){
session_unset();
session_destroy();
}
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Peña Valencianista Che Quin X@t</TITLE>
<META NAME="GENERATOR" CONTENT="OpenOffice.org 1.0.1 (Linux)">
<META NAME="CREATED" CONTENT="20021028;17560100">
<META NAME="CHANGED" CONTENT="20021028;17570000">
</HEAD>
<BODY LANG="es-ES" bgcolor="orange">
<?php
if (session_is_registered("usuario")){
echo "<script language=JavaScript>location.href='top2.php'</script>";
}
?>
<P ALIGN=CENTER><IMG SRC="chequinxat.gif" NAME="Imagen1" WIDTH=314 HEIGHT=95 BORDER=0></P>
<P ALIGN=RIGHT><A HREF=login.html target=destino>Login</A> - <A HREF=registro.html target=destino>Registrate</A>
</BODY>
</HTML>

thanks again

dalecosp

Hmm, I don't see a lot of issues with the code, but I'm no expert by any means. The only question I had is the use of session_name, but I'll need to go to the handbook on that one. Shouldn't it be called with a parameter?

If it's not something in your code, it may be a issue of network topography (as in the caching issue I mentioned). You might tell PHP to not use cookies:

; Whether to use cookies. 
session.use_cookies = 0

I am sorry I'm not more help here....