session_ip

The_broken

Hello Everybody.

I have a problem with a script. Some customers are telling me that when they login they can see other peoples signup form.

I did look into this and found that they are on the same ip. Our script at this time uses ip's for session.

Is there a way to add or to auto delete these when a customer logs out or closes browser. Maybe a timeout or something.

Thanks
The_broken

Bijan

I suppose by saying "they can see other peoples signup form" you mean they can see the private pages of other ppl, am I right?

So, did you write your authentication system based on user IPs?? I mean you don't session ppl, instead you just check their ip and compare it in all the pages with the original ip that you had in your login page?

Well, an authentication system shouldn't rely on ppl's ip. You should session each user when he enters a valid username/password and in all the pages you check to see if he is sessioned, if yes, he can continue working with the site, if not, he should be banned. Something like this:

# Do your password check in here
if ( !isSet($password) )
    exit();

# now session him
$_SESSION["allowed"] = true;
$_SESSION["username"] = $username;

Now in all the pages you should check to see if he is sessioned:

# other pages, on top of the page
if ( !isSet($_SESSION["allowed"]) )
    exit();

I can provide you with more links if you wana learn more about this authentication thingie! Just drop a note, I'll be there for ya!

okuto1973

$SESSION['something'] is deprecated isn't it?
I suggest you to use session_register(something) instead!
$SESSION give me also some problems........to register session variables!

Bijan

Originally posted by okuto1973
$SESSION['something'] is deprecated isn't it?
I suggest you to use session_register(something) instead!
$SESSION give me also some problems........to register session variables!

No, it's session_register that is deprecated! If you have any problem with $_SESSION, the chances are your PHP is old and doesn't support this super global array.

The_broken

Here what I found in the PHP script.

// SESSION CONTROL AND VALIDATION
if ($session_id=="") {
unset($session_id);
$session_id = generate_session_id($aid);
setcookie("session_id",$session_id,time()+864003);
} else {
// CHECK THAT THE LOGIN SESSION HASN'T EXPIRED, AND THAT IT IS A VALID SESSION...
if (!validate_session($session_id)) {
// FAILED, CREATE A NEW RECORD
$old_sess = $session_id;
unset($session_id);
$session_id = generate_session_id($aid);
setcookie("session_id",$session_id,time()+864003);
}
}

// STORE THE AFFILIATE TRACKING COOKIE IF SENT...
if (isset($aid) && ($aid != "")) {
setcookie("aid",$aid,time()+86400*360);
}

// STORE THE COUPON AS A COOKIE
if (($action=="coupon_add") && (validate_coupon($coupon))) {
setcookie("coupon",$coupon,time()+86400);
}

Now the html file. This is the first sreen called when a custome comes to site. If a customer comes from the same ip, it gives them the same session Id.

<form method="post" action="">
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="field_t">
<tr>
<td width="31"> <b> www.
<input type="hidden" name="page" value="signup_2">
<input type="hidden" name="session_id" value="<? echo $session_id ?>">
</b></td>
<td width="182"> <b>
<input type="text" name="desired_domain" class="fields" size="26" maxlength="64">
</b> </td>
<td width="541">
<input type="submit" name="search" value="Go!" class="fields">
</td>
<td width="489"> </td>
</tr>
<tr>
<td width="31"> </td>
<td width="182">e.g. <i><b>search.com </b></i>or<i><b> search </b></i></td>
<td width="541"> </td>
<td width="489"> </td>
</tr>
</table>
<table width="100%" border="0" cellspacing="1" cellpadding="1" class="field_t">
<tr>
<td height="20"><a href="?page=domain_suggest&session_id=<? echo $session_id ?>"></a></td>
</tr>
</table>
</form>

Is there a way to make the ids timeout or be removed if the browser closes.

Thanks
RobM

DeadlySin3

<?php

$dbQuery = mysql_connect($server,$user,$password);
mysql_select_db ($db) or die ("Cannot connect to database");

/* We have now connected, unless you got an error message */


$query = "SELECT `username` , `userpass` , `userurl` FROM `allusers` WHERE `username` = '$name' AND `userpass` = '$pass'";

$result = mysql_query($query);

while ( $row = mysql_fetch_array($result) ) {

/* Setting  User Information as Variables */

$username=$row['username'];
$userpass=$row['userpass'];
$userurl=$row['userurl'];

session_register("username");
session_register("userpass");
session_register("userurl");

/* Printing What the user w/the right credits should see */

if(session_is_registered("username")) {
echo "<html><head><head><meta http-equiv=\"REFRESH\" content=\"5;url=$baseurl\"></head><body>";

echo "<span class=\"formtext\">Welcome <b>$username</b><br />Redirecting in 5 Seconds...</span>\n";

} // End While Loop
mysql_close($dbQuery);
}

if(!isset($userpass)) 
{
echo "<div align=\"center\"><a href=\"$baseurl\" class=\"navLink\">Back to home page</a><br />"; die("You are not logged in"); 
}

$self=$_SERVER['PHP_SELF'];
?>

Now just have a form for them to log in with

<form action="<?=$self?>" method="POST">
<input type="text" name="name"><br />
<input type="password" name="pass"><br />

That would do it unless I completely mis understood your question; if so sorry ;x

okuto1973

I have found a web pages that show what's deprecated in the new version of php.....
Could someone tell me again?I have lost the link!

Bijan

The_broken, I looked at your code and to be honest it looks too old, and there are some sort of things that I really do not understand. I mean why you're using cookies, not sessions and there are also some functions that you didn't bring their code in here, like generate_session_id. Did you write the code yourself or are you using a ready code? Because if you wana do it yourself, you need to read some online tutorials on how to make a user based system, because your code is old and not safe in my mind. But if you are looking for a quick remedy, I think changing this line:

setcookie("session_id",$session_id,time()+86400*3);

setcookie("session_id",$session_id);

would help, because it clears the cookie when the user closes the browser window.

okuto1973, you can go to www.php.net and find whatever you want, but I suggest you to download the chm manual from their site, this way you can find things much quicker.

The_broken

Hi Bijan...

No I did not write this code. It came with a script I bought. Some people been having problems with it.

The owners are updating the script to new standards.

They told everybody that the new script won't be ready until Mid-Oct

I will try your code.

Thank For The Help

The_broken

Bijan

Well, it's not a hard script that you need to buy from anyone, I mean an authentication system is not that complicated and you can search more to find a better script, actually this one sucks (my idea though) and I don't know how they want to fix it. I have an authentication system myself, but the thing is that yours is mixed with your selling program, so, implementing my script might add to your nightmares for correcting the rest of the script, but if you thing you can handle it, I can send it to you with some comments that you know what to do. I'm busy these days, so, unfortunately I can't do the favor for you, you have to go for it yourself.

Good luck my friend,
bijan