  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 398
php login problems : Session not destroyed !

Hello, well I've got this little problem: I've set up a reserved zone for some members on a website.
The users log on with a simple form (login/pass) on index.php, are logged in by login.php and are accessing the reserved zone
(intra/intra.php).
They can log out through a logout.php, accessible from the reserved intra/intra.php.

But here comes my problem: if user #1 goes back to the login page index.php from the reserved zone,
without clicking on logout.php (by typing the URL in the address bar or something), and user #2
on the same host tries to log in with a new login/pass pair, user #2 gets user #1's settings (same session!).

How could I destroy the old session before registering a new one?

Thanks for your help,
Eric.

Here's some code I use:

------------------------ index.php (the login form) ------------

<form method="POST" action="./login.php">
        <font size="2" face="Tahoma, Arial"><font color="#FFFFFF">Login:
        <input type="text" name="username" size="20">
        Passw:
        <input type="password" name="password" size="20">
        </font>
        <input type="submit" value="OK" name="login">
        </font>
      </form>

----------------------------------------------------------------


------------------------ login.php ------------------------------
<?php

//check that the user is calling the page from the login form and not accessing it directly
//and redirect back to the login form if necessary

header("Cache-Control: no-cache, must-revalidate");

//start (or resume) the session before anything is output
session_start();

//read the form fields from $_POST rather than relying on register_globals ($username, $password)
if (!isset($_POST['username']) || !isset($_POST['password']))
 {
  header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
  exit; //without exit the rest of the script keeps running after the redirect header
 }

//check that the form fields are not empty, and redirect back to the login page if they are

elseif (empty($_POST['username']) || empty($_POST['password']))
 {
  header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
  exit;
 }

else
 {
//add slashes to the username and md5() the password
$user = addslashes($_POST['username']);
$pass = md5($_POST['password']);

//set the database connection variables

$dbHost = "****************";
$dbUser = "*******";
$dbPass = "*******";
$dbDatabase = "*******";

//connect to the database

$db = @mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");

@mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");

$result=@mysql_query("select * from Users where username='$user' AND password='$pass'", $db);

//check that at least one row was returned

$rowCheck = @mysql_num_rows($result);
if($rowCheck > 0)
  {
  //the query matched: store the login in the session
  //($_SESSION replaces the deprecated session_register(), which needed register_globals;
  //looping over the rows was pointless since only one redirect can be sent)
  $_SESSION['username'] = $user;

  //successful login code will go here...
  //echo 'Success!';

  //we will redirect the user to the reserved zone
  header( "Location: generic.php?file=intra/intra.php" );
  exit;
  }
  else
  {

  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Incorrect login name or password. Please try again.';
  }
}
?>



Asked by: eirikur
VGR Commented:
my ugly suggestion (at least, it works)

in the intra/* zone, put your pages in a frameset. The other frame (invisible, rows=0) contains nothing visible but some JavaScript code for the OnUnload event.
OnUnload, call a PHP page in an auto-closing spawned form. This PHP page will destroy the session.

Example: index.html/index.php
[here HEAD stuff, title, etc]
</head>
  <frameset rows="*, 0" frameborder=0 border=0 framespacing=0>
    <frame name=main src="index2.php">
    <frame name=b scrolling=no noresize src="fauxblank.php">
  </frameset>
</html>

fauxblank.php:
<?php
session_start();
?>
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from JavaScript-Impaired Browsers
function ByeWin() {
  // spawn a tiny window that calls the session-destroying page; that page closes the window itself
  var window2 = window.open('./index.php/byeuser', '', 'width=50,height=50');
}
// End Hiding -->
</SCRIPT>
</head>
<body onUnload="ByeWin()">
</body>
</html>


(yes, for me closing a session is done via calling "index.php/byeuser": adapt to your needs)
here's the code:
<?php
session_start(); // the session must be active before session_destroy() can remove it
if (($action == "byeuser") OR (isset($byeuser))) {
    // LogAction() is the poster's own logging helper
    LogAction($sess_pseudo, $_SERVER['REMOTE_ADDR'], "byeuser : $sess_pseudo closed session (gone).", 5);
    session_destroy();
    // I recommend to manually unset() all important variables
    echo "<SCRIPT>self.close();</SCRIPT>";
    exit;
} // byeuser case (as an if for now, that's better)
?>
 
foreverfresh Commented:
Hi,

I will try to explain:

1. you must use 1 session variable like $sid
and add 1 more field to the user table like sid VARCHAR(35)
after the login check,
if login & password are okay:

// one new token per login, stored in the user's row
$sid = md5(microtime());
mysql_query("UPDATE user_table SET sid='$sid' WHERE username='$user' AND password='$pass'", $db);
// the same token goes into the session, to be compared with the row on every protected page
session_start();
session_register('sid');

After that you have to check $sid in all protected pages
and compare it with the database. If another user wants to log in
he will get a new $sid; nobody can access with the old $sid
because sid changes on each new login.

With this method nobody can use the same user/pass at the same time.


I hope this method can help you

sorry for my bad English :)
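Putting the question's "destroy the old session before registering a new one" together with foreverfresh's per-login sid column, as an added example (not code from the thread or from any poster): the login discards whatever session the browser already carries, binds the new one to a fresh token stored in the user row, and every protected page checks that token. The table and column names (users, password_hash, sid), the PDO handle $pdo and the redirect target are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a users table with columns
// username, password_hash and sid, reached through a PDO handle $pdo.

// login.php: called with the POSTed username/password.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    session_start();
    $_SESSION = [];                 // drop user #1's data before anything else
    session_regenerate_id(true);    // new id for this browser, old record deleted
    $q = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $q->execute([$username]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh token per login: a later login anywhere replaces it in the row,
    // so an older browser's copy stops matching on its next request.
    $sid = bin2hex(random_bytes(16));
    $pdo->prepare('UPDATE users SET sid = ? WHERE username = ?')->execute([$sid, $username]);
    $_SESSION['username'] = $username;
    $_SESSION['sid'] = $sid;
    return true;
}

// logout.php: clear the data, expire the cookie, then remove the server-side record.
function logoutUser(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// First line of every page under intra/: returns the user or redirects away.
function requireLogin(PDO $pdo): string
{
    session_start();
    if (isset($_SESSION['username'], $_SESSION['sid'])) {
        $q = $pdo->prepare('SELECT sid FROM users WHERE username = ?');
        $q->execute([$_SESSION['username']]);
        $dbSid = $q->fetchColumn();
        if (is_string($dbSid) && hash_equals($dbSid, $_SESSION['sid'])) {
            return $_SESSION['username'];
        }
    }
    logoutUser();
    header('Location: /index.php');   // redirect target is an assumption
    exit;
}
```

Because the row holds only the newest token, a stale session on the same host fails the check in requireLogin and is destroyed rather than being reused.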
 
eirikur (Author) Commented:
Well the 1st solution was really too dirty and didn't work for me ^^

The 2nd solution was more interesting but my DB had a problem with generating the sid,

so I took a solution with cookies, and I don't have that problem anymore. Thanks again, the 2nd one got the points, because it worked w/ someone else...
 
VGR Commented:
I will stay polite and not answer to the "dirty" word

I already have "fun pals to fight with" on fuckfrance.com
