Completely fustrated with sessions

Elhombrebala

I'm generating a session variable for a password access.
1- User logins in html form.
2- Password and user are sent to php and php checks in database. If ok allowes to go somewher else if not comes back to form.
3- If you log correctly then you are in new page, but as soon as you seen the adress you can come back as much as you want cause it is not protected!!
How can I make a number of pages protected with just one password imput?

vr4lyfe

I am not sure what you are tryint to do .. but to have many pages protected, when you log in, you can register a variable using the session_register() command .. then you could have a php script in each page that validates the variable .. if its not validated, meaning didnt log in, then send them to another page.

Drakla

If I'm getting this right this sounds more like a log-in cookie scheme. Are you just trying to keep people logged in and allow them to see 'protected' pages on the site?

Elhombrebala

If I pass the session trough url ... (No cookies)
What I have done is the following:
1- I check pass in database.
2- If password is ok I open session and I stored session_id in database and I also send it to page 3.
3 - If password is wrong back to form.
4 - If they access to 3erd page, I get the session from url and I check with session stored in DB.

I REALLY BELIEVE THERE'S SOMETHING EASIER THAN THIS!

<?
session_register('usuario');
?>
<?
$conn = mysql_connect("bla","bla","bla");
mysql_select_db("bla",$conn);
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'";
$rs = mysql_query($ssql,$conn);
if (mysql_num_rows($rs)!=0){
session_start();
session_register("autentificado");
$autentificado = "SI";
$Sesion=session_id();
$Sesioname=session_name();
$Bothsesiones=$Sesioname."=".$Sesion;
$Fecha = date("Y-d-m h:i:s");
$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" .
"VALUES ('$Fecha', '$Sesion', '$Inmo')";
$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');
header ("Location: uploader.html?$Bothsesiones");
}else {
header("Location: acceso2.html?errorusuario=si");
}
mysql_free_result($rs);
mysql_close($conn);

Drakla

You could just do it with a cookie.

1 Generate a random sequence, basically creating something simulating the session ID

2 put that value in the database and also set a cookie on the users machine with that value. Put a time in the database of when that value expires, like an automatic logout.

3 check the value of the cookie each page with $_COOKIE['whatever'];

Make sure you have a timeout on the cookie. Set the cookie lifetime to zero if you want it to last only as long as the browser is open.

It's essentially the same scheme without the session data.

keith73

Originally posted by Elhombrebala
If I pass the session trough url ... (No cookies)
What I have done is the following:
1- I check pass in database.
2- If password is ok I open session and I stored session_id in database and I also send it to page 3.
3 - If password is wrong back to form.
4 - If they access to 3erd page, I get the session from url and I check with session stored in DB.

I REALLY BELIEVE THERE'S SOMETHING EASIER THAN THIS!

<?
session_register('usuario');
?>
<?
$conn = mysql_connect("bla","bla","bla");
mysql_select_db("bla",$conn);
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'";
$rs = mysql_query($ssql,$conn);
if (mysql_num_rows($rs)!=0){
session_start();
session_register("autentificado");
$autentificado = "SI";
$Sesion=session_id();
$Sesioname=session_name();
$Bothsesiones=$Sesioname."=".$Sesion;
$Fecha = date("Y-d-m h:i:s");
$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" .
"VALUES ('$Fecha', '$Sesion', '$Inmo')";
$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');
header ("Location: uploader.html?$Bothsesiones");
}else {
header("Location: acceso2.html?errorusuario=si");
}
mysql_free_result($rs);
mysql_close($conn);

?>

what is the session name? if you haven't modified php.ini, the default is PHPSESSID.
you have to pass the SID to all urls as PHPSESSID=SID
If you want to change the name you can do it in php.ini or you can call session_name() before session_start().

also, you're redirecting to a page with a .html extension. Unless you told your web server to send .html files through the php parser, you aren't going to have any luck with those pages.

keith