Session mgt problem. Help appr

sabaka

Let me ask for your pardons for the length of this post and give my appreciations to those that actually read it ...

I am trying to implement session management and the problem I'm running into at the moment goes follows:

I have 4 files:

login.php
- the page with the login form
proc_login.php
- a php file for starting a session
mystart.php
- a secured area page that can only be viewed with an active session
header.inc
- a file that contains a function to redirect the user back to the login.php page if they do not have a specific session variable

How I attempt to handle the validation of a session:

The [login.php] page submits it's data to [proc_login.php]. [proc_login.php] simply starts a session and then sets and registers a variable called $uid that stores the user's login id. I've removed all the id validation stuff, so all it does is start the session and then redirects the user to the [mystart.php] page.

There is a validateSession() function I've defined in [header.inc]. This function will be called from every page that is a members-area/secure page. In this example, [mystart.php] is the members page. I check for the existence of a session variable $uid in validateSession(). If it is not defined I redirect the request to the [login.php] with an error message saying they need to login to get to that page.

It's not working the way I'm thinking it should.

The basic question is:

What do I need to do in each of the four files to make the scenario work as I expect it to? If I can I understand it in this trivial example, then I'm guessing/hoping that I will be able to implement full secure session managment.

So here's the situation:

If I open my Internet Explorer 5 and try to go directly to the [mystart.php], I get sent back (as I expect to) to the login page. But from there on out, I can never login. And now, after putting together this explanation, I cannot log in at all? I'm not sure what I changed along the way.

Basically I get strange/unexpected/inconsistent results - inconsistent from what I'm expecting based on the online stuff I've read. I would appreciate it if someone could take a look at my demo example and tell me where my logic is skewed. I'm relatively new to PHP, and I've been scrounging around for a detailed explanation of session management (in the sense of login/secure stuff), but the best I could do was pick up bits and peices from different sources. Can anyone recommend a good all around reference book and/or site for PHP education - especially something with all the code (the complete listing) to implement a demo dynamic, database back end, session management website(s).

Below is the source code of each file. I created demo_* files that do not have any of the database or extra stuff. All it is doing is going from the login page into the process_login page that will start a session, and then have that process page redirect the user to a members page. The intention is that if the user attempts to first access the members page, they get a login message. However, it's not working out that way.

demo_login.php

<BODY>
<? if (isset($err_msg)) { echo "<FONT COLOR=red>$err_msg</FONT></P>"; } ?>
<FORM METHOD="GET" ACTION="demo_proc_login.php">
<TABLE>
<TR>
<TD>user id:</TD>
<TD><INPUT TYPE="text" SIZE="15" NAME="login_uid"></TD>
</TR>
<TR>
<TD>password:</TD>
<TD><INPUT TYPE="password" SIZE="15" NAME="pwd"></TD>
</TR>
</TABLE>
<INPUT TYPE=submit VALUE=login></FORM></BODY>

demo_proc_login.php

<?php
session_start();
$uid = $login_uid;
session_register("uid");
Header ("Location: demo_mystart.php");
exit;
?>

demo_header.inc

<?php
function validateSession ()
{
global $uid;
if (!isset($uid))
{
session_destroy();
$err_msg=urlencode("This is a restricted area. You must login to access it.");
//$err_msg=urlencode("The current value of \$uid is '$uid'");
Header ("Location: demo_login.php?err_msg=$err_msg");
exit;
}
}
?>

demo_mystart.php

<?php
session_start();
include_once("demo_header.inc");
validateSession();
?>
<BODY><H1>Welcome To My Start <? echo $uid ?></H1></BODY>

neville

The hack to your login would be to call the demo_mystart.php file in the url with the uid variable like this
http://.../demo_mystart.php?uid=1

This way your check for $uid being set will evaluate to true in the demo_mystart.php
file which calls the validate session function. I feel you will have to check this weakness first before you try to solve the problem you are having .... by the way what are the results that you are getting??....

Issues that you will have to deal with among others are:

1.session variable is not getting unregistered
2.You are continuing with someone else's session
3. what if the client has got the cookies turned off ?... will your sessions work?

Though I have not given you the solution to your problem, I hope that these points will help you think from a different point of view and solve your problem that way.

sabaka

the hack makes sense, and I will try that. however, some of the other things you mention, I'm not clear on your meaning - though I definitely appreciate your input and timely response ...

When you say "check this weakness", you mean that I need to make sure this hack will work?
In the "Issues you have to deal with" part, are numbers 1 and 2 related? Why is unregistering a variable important if you are going to call session_destroy when the user is done (that was in a 5th module for terminating a session when the user clicks a would-be 'logout' link?
3 in "Issues you have ..." - this question is one that I'm having problems with. I've read a lot of online tutorial excerpts about cookies, I even worked on a project where I set and unset them ... but conceptually, I'm still not so clear on how it works. As I mentioned in the initial post, is there any particular reference that you can recommend - online or book -wise? The cookie concept (among likely others) is somewhat difficult for me. Cookies as opposed to what? I know about embedding parameters in the url, this makes sense to me. Is it just as valid as using cookies for sess. mgt? If so, then I would just as soon use that so as to work with something I understand/comprehend.
And the last thing is that you mention you hope I look at the problem from a different angle. My problem is that I don't know any other angles because I find the documentation for session management incredibly sparse. Every lead I pick falls short of providing the details I need. I can make a counter, but I can't make a login environment. For all the examples that I've checked out, not one has point-blank laid it out step by step. There is some implicit stuff going on every time which is very frusterating for a person unfamiliar with the language. They usually use a single page to demonstrate and usually it's with counters as opposed to a login type of scenario - which is what session mgt. seems most usefull for? That is why I was hoping to be refered to some solid PHP reference material for website development.

Thanks again,

sabaka

neville

In point 1 what I meant was that any one can login with just setting the variable $uid and not actually having the right password or username
In point 3 you may need to propogate the session thru the url... thats the only option

A complete login scenario is too large to write down here ..... why don't you try some of the books available on it .... you can find some names on php.net

Read the comments there (php.net) on sessions to understand how they work... some of them will guide you correctly.

Neville.