• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511
  • Last Modified:

Essential PHP Security 'Store Session Data in a MySQL Database' how to impliment

Hiya, I asked about this script previous but decide to cut it short. Change my mind again and wish to impliment and understand it fully.

I understand most of how it works within itself its all DB query and comparing the data to make sure it matches, in short anyway.

But how do I actually implement it throughout my site?
Each function has RETURN. Do I simply call the function before something like an IF statement.
And what about my existing login? Do I call the _open() function before or during the query to check the username and password.

Suppose a lot to yet understand so anything you think can help me get started understand this
be good thanks loads
0
Ryan Bayne
Asked:
Ryan Bayne
1 Solution
 
ray-solomonCommented:
Before you start coding, you really should read more to understand it better.
http://phpsec.org/php-security-guide.pdf
0
 
Vel EousResearch & Development ManagerCommented:
A basic implementation could be:

" session id captured if/when login is successful (modification of your current login probably required)
" session id is stored in a database table (possibly with the session id and a timestamp)
" session id stored in a cookie on the client
" each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
" upon a successful match the timestamp in the database is updated
" upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly

0
 
Ryan BayneWordPress DeveloperAuthor Commented:
ray-solomon I've looked over most of that already. I have used a lot of what is suggests but I still have no idea where I put _close() and _write() and theres nothing else that seems to explain that. Basically I'm not sure how you bring it all together

Tchuki i was to try and code your steps from what I'm thinking just now I'd have some script such as what I already use for security and sessions then a function is called...


1. session id captured if/when login is successful (modification of your current login probably required)
       function _open()  so my own current login checking POST data with DB data and say setting $auth = 'yes';  on success. 
 
Then do I use _write();
 
2.  session id is stored in a database table (possibly with the session id and a timestamp)
       function _write($id, $data)
 
3.  session id stored in a cookie on the client
            My own implentation of setting the cookie
 
4.  each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
         _read($id)  and then compare the return with what I find in the cookie 
 
5. upon a successful match the timestamp in the database is updated
         _write($id, $data)    after I'm thinking an IF statement is run regarding outcome
 
6. upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly
             part of the previous IF statement but different outcome

Open in new window

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Vel EousResearch & Development ManagerCommented:
Below is a quick example of how it could be implemented:
<?PHP
 
/*
 *	Create a new session
 *	@param	
 *	@return void
 *
 */
function session_new ( )
{
 
	// perform your user validation here or call the function after validation
	$_SESSION['IN_PF'] = $user_id;
	$s_id = session_id();
	
	$new_session = mysql_query ( "INSERT INTO session (session_id, session_user, session_start) 
										VALUES ('$s_id', '$user_id', '$start')" );
	setcookie ( 'website', $s_id, time() + 3600 );
 
}
 
/*
 *	Check that a session is valid
 *	@param	
 *	@return mixed
 *
 */
function session_check ( )
{
	
	session_clean ( );
	
	if ( $_SESSION['IN'] )
	{
	
		$user_id = $_SESSION['IN'];
		
		$fetch_session = mysql_query ( "SELECT *
												FROM session
												WHERE session_user = '$user_id'" );
	
		$session = mysql_fetch_assoc ( $fetch_session );
		
		$session_id = $session['session_id'];
		$session_user = $session['session_user'];
		
		if ( $session_user !== $_SESSION['IN'] )
		{
			$session_errors[] = 'Invalid user id';
		}
		
		if ( $session_id !== $_COOKIE['website'] )
		{
			$session_errors[] = 'Invalid session id';
		}
		
	} else {
		
		$session_errors[] = 'No session started';
	}
	
	if ( !$session_errors )
	{
		session_update ( );
		return true;
	} else {
		return $session_errors;
	}
 
}
 
/*
 *	Update database as user moves around the website
 *	@param	
 *	@return void
 *
 */
function session_update ( )
{
 
	$time = time();
	$user_id = $_SESSION['IN'];
	
	$update_session = mysql_query ( "UPDATE session
											SET session_start = '$time'
											WHERE session_user = '$user_id'" );
 
}
 
/*
 *	Clean session data
 *	@param	
 *	@return void
 *
 */
function session_clean ( )
{
 
	$time = time()-3600;
	
	$fetch_sessions = mysql_query ( "DELETE
											FROM session
											WHERE session_start < '$time'" );
 
}
 
/*
 *	Destroy all session/cookie data
 *	@param	
 *	@return void
 *
 */
function session_kill ( )
{
	
	$user_id = $_SESSION['IN'];
	
	$remove_session = mysql_query ( "DELETE
											FROM session
											WHERE session_user = '$user_id'" );
	
	session_destroy();
	setcookie ( 'website', '', time()-(3600) );
 
}
 
?>

Open in new window

0
 
Loganathan NatarajanLAMP DeveloperCommented:
Hi,
please have a look at this article,

http://www.sitepoint.com/article/users-php-sessions-mysql

they have explained how to use session with login and implement..

hope this helps

also, http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
0
 
Ryan BayneWordPress DeveloperAuthor Commented:
Tchuk I understand that script better BUT the script I showed a link to doesnt seem to come into play am I right?!  It looks like just another version of

session_set_save_handler('_open',
                         '_close',
                         '_read',
                         '_write',
                         '_destroy',
                         '_clean');

Whatever, it looks like I could use your script as it is or atleast adapt it to my site a lot easier than what I was looking at already and I'm understanding it all more. Especially how I went to sleep for a bit lol

Thanks
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now