sessions

rhaggert

lets say i have a log in screen. gets form data, goes to a proc page. tests user name and pass against a db and then relocates the user to a "private page" (it, and other private pages). all private pages call a function to do session checking.

first question.. is this a bad way of doing it

function session_check(){
session_start();
if (!session_is_registered("MEMBER_SESSION")){
header("Location: index.php");
exit();
}
}

second question... lets say i have many ppl "loging" on to the site... can the sessions get confused with another use. they will be getting stuff from a db bassed on thier ID number in the db.. this number is obtained at log in time when i do the user pass look up.

$status = authenticate($user, $pass);

if ($status != 0){
// initiate a session
session_start("PLAYER_SESSION");
session_register("PLAYER_SESSION");
$PLAYER_SESSION = "PLAYER".$user;

session_register("SESSION_UNAME");
$SESSION_UNAME = $user;

session_register("SESSION_UID");
$SESSION_UID = $status;

// redirect to protected page
header("Location: ../player.php");
exit();
}

and thats how i log ppl in

so if many ppl log on.. do i have a problem?

thanks for any input

FrozNic

in answer to ur first question..

i don't think that's a bad way to do it. i haven't studied a whole lot about sessions, but i see no problems with it.

second question

every user who visits ur site is given a different session id number 'sid' if u will. i'm not sure exactly how it's generated, but i do know everyone will get different ones no matter how many ppl log into your site, so, that won't cause any problems either.

stevesweetland

if you're really paranoid... i mean the chances of a repeated session id is something like 1 in a million or something.... you can generate a new one.

try this:

(get ipaddress. date+time (*nix timestamp), and randomize a 4 digit number ($randnumber);

$string = str_replace(".","/",$ipaddress$randnumber$datetime);

md5 ($string);

bing! random, session id.

now worry about the fact that its likely (altho how likely is unsure) that there is more than one way of getting to an md5 result.

for example...

(fakes, just for arguments sake)

md5(aa) = "a2dhdkj2";
md5(absadkb) = "a2dhdkj2";

enjoy!

rhaggert

thanks a lot for the help
i cant rest easy now about those things

again thanks