Cookies and sessions; understanding how to keep secure sessions.

XMLnewbi

Im working with a script template and im trying to figure out how to add an additional sessions variables.

I want to be able to call session info once a user is logged in.

Right now the template is set up for

<p>user_id: <?php echo $_SESSION['user_id'];?></p>
<p>user_name: <?php echo $_SESSION['user_name'];?></p>
<p>user_level: <?php echo $_SESSION['user_level'];?></p>

Im trying to add

<p>user_email: <?php echo $_SESSION['user_email'];?></p>

The default code looks like this

// before we allow sessions, we need to check authentication key - ckey and ctime stored in database

/* If session not set, check for cookies set by Remember me */
if (!isset($_SESSION['user_id']) && !isset($_SESSION['user_name']) ) 
{
	if(isset($_COOKIE['user_id']) && isset($_COOKIE['user_key'])){
	/* we double check cookie expiry time against stored in database */

$cookie_user_id  = filter($_COOKIE['user_id']);
$rs_ctime = mysql_query("select `ckey`,`ctime` from `users` where `id` ='$cookie_user_id'") or die(mysql_error());
list($ckey,$ctime) = mysql_fetch_row($rs_ctime);
// coookie expiry
if( (time() - $ctime) > 60*60*24*COOKIE_TIME_OUT) {

	logout();
	}
/* Security check with untrusted cookies - dont trust value stored in cookie. 		
/* We also do authentication check of the `ckey` stored in cookie matches that stored in database during login*/

 if( !empty($ckey) && is_numeric($_COOKIE['user_id']) && isUserID($_COOKIE['user_name']) && $_COOKIE['user_key'] == sha1($ckey)  ) {
 	  session_regenerate_id(); //against session fixation attacks.

	  $_SESSION['user_id'] = $_COOKIE['user_id'];
	  $_SESSION['user_name'] = $_COOKIE['user_name'];
	/* query user level from database instead of storing in cookies */	
	  list($user_level) = mysql_fetch_row(mysql_query("select user_level from users where id='$_SESSION[user_id]'"));

	  $_SESSION['user_level'] = $user_level;
	  $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

   } else {
   logout();
   }

  } else {
	header("Location: login.php");
	exit();
	}
}
}

I tried defining this right after the user_id is set

$_SESSION['user_email'] = $_COOKIE['user_email'];// add email to session

But im thinking that Im going to need to add to $cookie_user_id
and $rs_ctime is keeping the session secure from session hijacking by comparing the cookies.

How would I go about manipulating this code to allow the recording of the $_SESSION['user_email'] while still keeping it secure?

dalecosp

How would I go about manipulating this code to allow the recording of the $_SESSION['user_email'] while still keeping it secure?

😃

$_SESSION['user_email']=mysql_result(mysql_query("select email from usertable where id=".$_SESSION['user_id'].";"),0);

But ... seriously (I guess), if you have the user_id, he/she is already registered, and his/her email is already in the DB, right?

XMLnewbi

$_SESSION['user_email']=mysql_result(mysql_query("select email from usertable where id=".$_SESSION['user_id'].";"),0);

But ... seriously (I guess), if you have the user_id, he/she is already registered, and his/her email is already in the DB, right?[/QUOTE]

yea i'm trying to display info stored in the DB for an account and have it display session specific. ig. I don't want a single user have the ability to display everyone Else's email.

second thought, Id probably just want to just call the user_ID and query the address from inside side the protected page. probably why its set up like that.