xedstr

asked:
Session, cookies and security

I'm missing some good explanation about how to use sessions and cookies for security.

It seems possible to create sessions in different ways. I already received the information (from VGR) that it is not good to use HTTP Basic Authentication. So I have already adapted my login page so that it starts with a form with two fields, login_id and password.

At the top of this page I have put: session_start(). When I check on a subsequent page (where I have also put the session_start() statement) for the existence of the session (with <?echo $_SESSION['thenameIgave']; ?>) => the name seems to be passed to the next page.
But how do I control on each subsequent page that it is still the same session? When I use the statement: if (session is registered('thenameIgave')) => I get an error message...

Other, non-registered persons may not have the possibility to enter those protected pages. Suppose that someone knows the names of the restricted PHP files and types them directly into the browser => until now this person still has access to those pages? How can I avoid this?

Even when a person has passed a successful login -> I want to verify the time he is not active. After a period of 30 minutes of inactivity, I want the session to be destroyed. I think it has something to do with cookies...

Can anyone give me some good examples or reading material about these subjects?

Thanks for any help,
EDS

ASKER CERTIFIED SOLUTION
VGR
Rodney Helsens

One way you could do it is to create a .php file called, let's say, 'security.php'.

In this file, you put code similar to this:

session_start();
if (!isset($_SESSION['user_id'])) {
    // not logged in: redirect to the login page and stop rendering this page
    $msg = "You must login to access this area of the site.";
    header("Location: http://www.yoursite.com/login.php?msg=" . urlencode($msg));
    exit;
}

You need to call session_start(); at the top of each page on which you want to access the session variables.


So upon successful login, you might set:
$_SESSION['user_id'] = $user_id; // the id you looked up in the database


Then check for this by including security.php at the top of all pages for 'logged in' users.

BTW, the online PHP manual is very helpful for this type of stuff...

http://us2.php.net/session
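The guard above, worked through as an added example (this is not the answerer's code and not the asker's site): the check is built on $_SESSION rather than session_register() and a bare $user_id, which only worked with register_globals switched on, and the login step regenerates the session id and uses password_verify(). The users table (login_id, password_hash), the /login.php URL and the in-memory SQLite data at the end are assumptions made so the functions can be exercised from the command line.

```php
<?php
// Added example: $_SESSION-based login guard for security.php plus the matching
// login handler. Assumes a users table with login_id and password_hash columns
// (password_hash() output). The SQLite setup at the bottom is constructed
// sample data, not a real database.
declare(strict_types=1);

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: HTTPS only, unreadable from JavaScript, not attached to
    // cross-site POSTs. lifetime 0 = discarded when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Put `require 'security.php'; requireLogin();` at the top of every protected
// page. Typing the file name straight into the browser then hits this check
// before any of the page's own code runs.
function requireLogin(string $loginUrl = '/login.php'): void
{
    startSecureSession();
    if (empty($_SESSION['user_id'])) {
        $msg = 'You must login to access this area of the site.';
        // "?msg=" because it is the first query parameter, and exit because PHP
        // would otherwise keep running and send the page along with the redirect.
        header('Location: ' . $loginUrl . '?msg=' . urlencode($msg));
        exit;
    }
}

// Called from login.php with the two form fields. Returns true on success.
function attemptLogin(PDO $db, string $loginId, string $password): bool
{
    startSecureSession();
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE login_id = ?');
    $stmt->execute([$loginId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users too, so the response
    // time does not reveal which login_ids exist.
    $hash = is_array($row) ? $row['password_hash']
                           : password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!$ok || !is_array($row)) {
        return false;
    }
    // Fresh id after authentication: an id an attacker planted in the victim's
    // browser before login (session fixation) no longer refers to this session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Constructed sample storage: an in-memory SQLite table with one user.
function sampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login_id TEXT UNIQUE, password_hash TEXT)');
    $db->prepare('INSERT INTO users (login_id, password_hash) VALUES (?, ?)')
       ->execute(['eds', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

if (PHP_SAPI === 'cli') {
    $db = sampleDb();
    $results = [
        'wrong password'   => attemptLogin($db, 'eds', 'wrong password'),
        'unknown user'     => attemptLogin($db, 'nobody', 'correct horse battery'),
        'correct password' => attemptLogin($db, 'eds', 'correct horse battery'),
        'session user_id'  => $_SESSION['user_id'] ?? null,
    ];
    var_dump($results);
}
```

On a plain-HTTP development server the secure flag stops the browser from sending the cookie at all, so every request looks logged out; set it from the request scheme there and keep it fixed to true in production.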
The reason why you receive an error on all the subsequent pages is that to access any valid data within a session, you must first initialize it before anything else.

<?php
session_start();
if (!empty($_SESSION['thenameIgave'])) {
    // valid user
} else {
    // invalid session
    die('Error when validating this user');
    // or you can redirect to the login page instead of the die() above:
    // header("Location: /login.php");
    // exit;
}
?>

Also, if you require your sessions to last longer than the default setting, you must have access to modify the php.ini file to set session.maxlifetime to 30 minutes. The value is in seconds, so you would set it to 1800.

You can check the default lifetime of the session by creating a phpinfo.php page containing <?php phpinfo(); ?>; it will describe all your server configuration settings. Then simply search for "lifetime" and you will find the value you seek.
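An added example for the 30-minute inactivity requirement (not the answerer's code). Two caveats matter here: the php.ini directive is session.gc_maxlifetime, and it is only the age after which the garbage collector may delete a session file; the collector runs on a random fraction of requests (session.gc_probability/session.gc_divisor), so it is not a dependable logout timer. It can also be set with ini_set() at runtime, so php.ini access is not required. The reliable part is the explicit last-activity timestamp check below; the /login.php URL and the clock values in the walkthrough are assumptions.

```php
<?php
// Added example: application-enforced idle timeout. session.gc_maxlifetime is
// raised so the server-side data survives at least as long as the idle limit,
// but the last_activity check is what actually logs the user out on time.
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60; // seconds of inactivity allowed

function startSessionWithTimeout(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // Refuse session ids the server never issued (blocks fixation with a made-up id).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Records this request as the latest activity. Returns false, after destroying
// the session, when more than IDLE_LIMIT seconds have passed since the last one.
// $now is injectable so the timer can be walked through without waiting.
function touchSession(?int $now = null): bool
{
    $now ??= time();
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && $now - $last > IDLE_LIMIT) {
        $_SESSION = [];                       // drop the data
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [       // tell the browser to forget the cookie
            'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
        session_destroy();                    // remove the server-side record
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

// Top of every protected page: logged in AND not idle for 30 minutes.
function requireActiveLogin(): void
{
    startSessionWithTimeout();
    if (empty($_SESSION['user_id']) || !touchSession()) {
        header('Location: /login.php?msg=' . urlencode('Please login again'));
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed walkthrough with chosen clock values (seconds since the epoch).
    startSessionWithTimeout();
    $_SESSION['user_id'] = 1;
    $t0 = 1700000000;
    $results = [
        'first request'     => touchSession($t0),
        '29 min later'      => touchSession($t0 + 29 * 60),
        '31 min after that' => touchSession($t0 + 29 * 60 + 31 * 60),
    ];
    var_dump($results);
}
```

Because the timestamp lives in the server-side session data, a user cannot extend their own timeout by editing the cookie; the cookie only carries the session id.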
Hi there!
If you don't have access to php.ini to change the time a session is active, you have to turn to the database version described earlier.
You need a table with a session_id and some other info, such as the time it was registered (or rather last updated). Every time the user is active on a page, you update this table's datetime field. If it is older than 30 minutes when a page is accessed (I used a function at the start of every page where everything is checked), you either "include" the login page at that point or send the redirect headers as described earlier!

regards heppa
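The database-backed variant heppa describes, as an added example (not heppa's code): a sessions table keyed on the session id holds the user and the last-activity time, and the function run at the start of every page either refreshes the row or rejects the request when the row is older than 30 minutes. Because the state is in the database, expired and revoked sessions can be removed for all of a user's logins at once. The table layout, the /login.php URL and the in-memory SQLite storage (INSERT OR REPLACE is SQLite syntax) are assumptions made so the code runs offline.

```php
<?php
// Added example: session validity tracked in a database table rather than in
// PHP's own session storage. SQLite in memory is constructed sample storage;
// the asker's real database connection would replace sessionStore().
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60;

function sessionStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        session_id TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        last_seen  INTEGER NOT NULL)');
    return $db;
}

// Called once after a successful login (after session_regenerate_id()).
function registerDbSession(PDO $db, string $sid, int $userId, int $now): void
{
    $db->prepare('INSERT OR REPLACE INTO sessions (session_id, user_id, last_seen) VALUES (?, ?, ?)')
       ->execute([$sid, $userId, $now]);
}

// Run at the top of every protected page. Returns the user id, or null when the
// session id is unknown or has been idle for longer than IDLE_LIMIT.
function checkDbSession(PDO $db, string $sid, int $now): ?int
{
    $stmt = $db->prepare('SELECT user_id, last_seen FROM sessions WHERE session_id = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // nobody logged in with this id
    }
    if ($now - (int) $row['last_seen'] > IDLE_LIMIT) {
        // Expired: delete the row so the id can never be revived.
        $db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$sid]);
        return null;
    }
    // Still active: this request becomes the new last activity.
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE session_id = ?')->execute([$now, $sid]);
    return (int) $row['user_id'];
}

// Explicit logout, or "log out everywhere": remove every row for the user.
function revokeUserSessions(PDO $db, int $userId): int
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// What a protected page calls; the PHP session only carries the id.
function requireDbLogin(PDO $db): int
{
    session_start();
    $uid = checkDbSession($db, session_id(), time());
    if ($uid === null) {
        header('Location: /login.php?msg=' . urlencode('Please login again'));
        exit;
    }
    return $uid;
}

if (PHP_SAPI === 'cli') {
    // Constructed walkthrough with a made-up session id and chosen clock values.
    $db = sessionStore();
    $t0 = 1700000000;
    registerDbSession($db, 'sid-abc', 42, $t0);
    $results = [
        '20 min after login'           => checkDbSession($db, 'sid-abc', $t0 + 20 * 60),
        '25 min after previous request' => checkDbSession($db, 'sid-abc', $t0 + 45 * 60),
        '35 min after previous request' => checkDbSession($db, 'sid-abc', $t0 + 80 * 60),
        'id that never logged in'       => checkDbSession($db, 'sid-unknown', $t0),
        'rows revoked for user 42'      => revokeUserSessions($db, 42),
    ];
    var_dump($results);
}
```

Old rows for users who simply closed the browser never get the DELETE above, so a periodic cleanup of rows with last_seen older than IDLE_LIMIT keeps the table small.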
xedstr (ASKER)
Thanks guys,

You are all really experts. I have learned a lot in a short time.

EDS