I am trying a different way to authenticate users on my system. This is just the first draft of the code and will need more tweaking. I want to make sure when they close the browser the session_id is destroyed, so they need to log in for every session. This is because they may use a public computer somewhere on campus and I don't want others able to use the same computer and possibly the same session.
I don't want them to open a browser and be able to see data they are not supposed to see from someone else's login.
I first see if they have an account on the LDAP server when they log in.
$authuser = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
//make connection to ldap
$bind=ldap_bind($conn,"cn=$authuser,ou=people,o=xxxx",$pass);
If this is successful, I check to see if they are a medical student.
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '$authuser'");
if ($db->sql_numrows($sql) == 1) {
    // if a row was returned
    // authentication was successful
    // set session variable
    $session_id = ( isset($_GET['sid']) ) ? $_GET['sid'] : '';
    $current_time = time();
    $_SESSION['authuser'] = $authuser;
    $user_ip = $_SERVER['REMOTE_ADDR'];
So if the session exists and it matches the IP of the user, then update the session.
$sql = "UPDATE ".$prefix."_user_sessions SET
session_user_id = `$authuser`,
session_start = `$current_time`,
session_time = `$current_time`
WHERE session_id = `$session_id`
AND session_ip = `$user_ip`";
If this fails then it must be a different session or different IP, so...
if (!$db->sql_query($sql) || !$db->sql_affectedrows()) {
    // first for security lets close all old sessions
    session_write_close();
    session_start();
    $_SESSION['sid'] = session_id();
    $sql = "INSERT INTO ".$prefix."_user_sessions (
    session_id,
    session_user_id,
    session_start,
    session_time,
    session_ip)". "VALUES (
    `".$_SESSION['sid']."`,
    `".$_SESSION['authuser']."`,
    `$current_time`,
    `$current_time`,
    `$user_ip`)";
    if (!$db->sql_query($sql)){
        //die('Error creating new session');
        die("<p>Error creating new session: " . mysql_error() . "</p>");
    }
}
I keep getting this error.
Error creating new session: Unknown column '69448cfe6f4886f2c6f9492fa67781d8' in 'field list'
Like I said this needs work to make sure it is secure, but it's a start. How do I fix this error and how do I make sure that the session is destroyed if they don't "Log Out" but instead just close the browser.
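
Added example (not part of the original post): in MySQL, backticks quote identifiers such as column names, so a session id wrapped in backticks is looked up as a column, which is what the error above reports. The sketch below stores the session row with bound parameters instead and uses a cookie lifetime of 0 plus a server-side idle purge; it assumes PHP 7.3+ with PDO, and the in-memory SQLite database, the `demo` prefix, the `IDLE_LIMIT` value and the sample user and IP are constructed stand-ins.

```php
<?php
// Added example, not the poster's code. Table and column names follow the post;
// the SQLite in-memory database and the "demo" prefix are constructed stand-ins.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds

ini_set('session.use_only_cookies', '1'); // ignore any ?sid= passed in the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // assumes the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Strict',
]);

function record_login(PDO $db, string $prefix, string $authuser, string $ip): string
{
    session_regenerate_id(true);          // new id at login, old one destroyed
    $_SESSION['authuser'] = $authuser;
    $now = time();
    // $prefix is trusted configuration; every value is a bound parameter.
    $stmt = $db->prepare(
        "INSERT INTO {$prefix}_user_sessions
            (session_id, session_user_id, session_start, session_time, session_ip)
         VALUES (:sid, :uid, :started, :seen, :ip)"
    );
    $stmt->execute([':sid' => session_id(), ':uid' => $authuser,
                    ':started' => $now, ':seen' => $now, ':ip' => $ip]);
    return session_id();
}

function purge_idle(PDO $db, string $prefix, int $now): int
{
    // The server never sees the browser close, so stale rows expire by age.
    $stmt = $db->prepare("DELETE FROM {$prefix}_user_sessions WHERE session_time < :cutoff");
    $stmt->execute([':cutoff' => $now - IDLE_LIMIT]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_user_sessions (session_id TEXT PRIMARY KEY,
    session_user_id TEXT, session_start INTEGER, session_time INTEGER, session_ip TEXT)');
session_start();
$sid = record_login($db, 'demo', 'jdoe', '192.0.2.10');   // constructed sample values
echo "stored session $sid\n";
echo 'purged after timeout: ' . purge_idle($db, 'demo', time() + IDLE_LIMIT + 1) . "\n";
```

Browsers that restore the previous session on startup can keep a lifetime-0 cookie alive, so on a shared machine the idle purge is what actually bounds a login that was never logged out.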