AOL and sessions

adunphy

I have some code for a login page

$session_name=$row[0];
		$session_password=$row[1];
		session_register("session_name");


	header("Location: http://www.apdt.com/members-only/menu.php");

which then checks to make sure hte session exists like this

session_start();
if(!session_is_registered("session_name"))
{   

     header("Location: http://www.apdt.com/members-only/login/login.htm");
}

my aol users keep getting knocked back to the login form - like their session is either lost or never created. any ideas?

amy

toplay

Well, are you storing their IP as a way to fingerprint/track them? If so, don't use the IP. AOL users can change networks so their whole IP address can change from minute to minute.

If you have PHP version 4.1.0 or higher, then I recommend that you use the $SESSION superglobal array variable instead of session_register() and related functions. The session_register() function requires register_globals to be on (which is a security risk). Just use $SESSION instead.

hth.

PABobo

I was recording the end user's IP Address to ensure no session hacing and AOL was not working correctly, i removed the IP address from the script and it works fine now. Leaves me concerned know about tracking session hacking.

bradgrafelman

If you are concerned about security, enable the session.use_only_cookies directive. Any security measure based on IP's is really not a good idea. AOL is obviously one prime example why, but others include libraries/schools/any place where computers are behind proxies.