Solved

Essential PHP Security 'Store Session Data in a MySQL Database'  how to impliment

Posted on 2008-06-18
6
505 Views
Last Modified: 2013-12-12
Hiya, I asked about this script previous but decide to cut it short. Change my mind again and wish to impliment and understand it fully.

I understand most of how it works within itself its all DB query and comparing the data to make sure it matches, in short anyway.

But how do I actually implement it throughout my site?
Each function has RETURN. Do I simply call the function before something like an IF statement.
And what about my existing login? Do I call the _open() function before or during the query to check the username and password.

Suppose a lot to yet understand so anything you think can help me get started understand this
be good thanks loads
0
Comment
Question by:Ryan Bayne
6 Comments
 
LVL 10

Expert Comment

by:ray-solomon
ID: 21818719
Before you start coding, you really should read more to understand it better.
http://phpsec.org/php-security-guide.pdf
0
 
LVL 14

Expert Comment

by:Vel Eous
ID: 21818738
A basic implementation could be:

" session id captured if/when login is successful (modification of your current login probably required)
" session id is stored in a database table (possibly with the session id and a timestamp)
" session id stored in a cookie on the client
" each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
" upon a successful match the timestamp in the database is updated
" upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly

0
 
LVL 2

Author Comment

by:Ryan Bayne
ID: 21818806
ray-solomon I've looked over most of that already. I have used a lot of what is suggests but I still have no idea where I put _close() and _write() and theres nothing else that seems to explain that. Basically I'm not sure how you bring it all together

Tchuki i was to try and code your steps from what I'm thinking just now I'd have some script such as what I already use for security and sessions then a function is called...


1. session id captured if/when login is successful (modification of your current login probably required)
       function _open()  so my own current login checking POST data with DB data and say setting $auth = 'yes';  on success. 
 
Then do I use _write();
 
2.  session id is stored in a database table (possibly with the session id and a timestamp)
       function _write($id, $data)
 
3.  session id stored in a cookie on the client
            My own implentation of setting the cookie
 
4.  each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
         _read($id)  and then compare the return with what I find in the cookie 
 
5. upon a successful match the timestamp in the database is updated
         _write($id, $data)    after I'm thinking an IF statement is run regarding outcome
 
6. upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly
             part of the previous IF statement but different outcome

Open in new window

0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 14

Accepted Solution

by:
Vel Eous earned 500 total points
ID: 21818917
Below is a quick example of how it could be implemented:
<?PHP
 
/*
 *	Create a new session
 *	@param	
 *	@return void
 *
 */
function session_new ( )
{
 
	// perform your user validation here or call the function after validation
	$_SESSION['IN_PF'] = $user_id;
	$s_id = session_id();
	
	$new_session = mysql_query ( "INSERT INTO session (session_id, session_user, session_start) 
										VALUES ('$s_id', '$user_id', '$start')" );
	setcookie ( 'website', $s_id, time() + 3600 );
 
}
 
/*
 *	Check that a session is valid
 *	@param	
 *	@return mixed
 *
 */
function session_check ( )
{
	
	session_clean ( );
	
	if ( $_SESSION['IN'] )
	{
	
		$user_id = $_SESSION['IN'];
		
		$fetch_session = mysql_query ( "SELECT *
												FROM session
												WHERE session_user = '$user_id'" );
	
		$session = mysql_fetch_assoc ( $fetch_session );
		
		$session_id = $session['session_id'];
		$session_user = $session['session_user'];
		
		if ( $session_user !== $_SESSION['IN'] )
		{
			$session_errors[] = 'Invalid user id';
		}
		
		if ( $session_id !== $_COOKIE['website'] )
		{
			$session_errors[] = 'Invalid session id';
		}
		
	} else {
		
		$session_errors[] = 'No session started';
	}
	
	if ( !$session_errors )
	{
		session_update ( );
		return true;
	} else {
		return $session_errors;
	}
 
}
 
/*
 *	Update database as user moves around the website
 *	@param	
 *	@return void
 *
 */
function session_update ( )
{
 
	$time = time();
	$user_id = $_SESSION['IN'];
	
	$update_session = mysql_query ( "UPDATE session
											SET session_start = '$time'
											WHERE session_user = '$user_id'" );
 
}
 
/*
 *	Clean session data
 *	@param	
 *	@return void
 *
 */
function session_clean ( )
{
 
	$time = time()-3600;
	
	$fetch_sessions = mysql_query ( "DELETE
											FROM session
											WHERE session_start < '$time'" );
 
}
 
/*
 *	Destroy all session/cookie data
 *	@param	
 *	@return void
 *
 */
function session_kill ( )
{
	
	$user_id = $_SESSION['IN'];
	
	$remove_session = mysql_query ( "DELETE
											FROM session
											WHERE session_user = '$user_id'" );
	
	session_destroy();
	setcookie ( 'website', '', time()-(3600) );
 
}
 
?>

Open in new window

0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 21819512
Hi,
please have a look at this article,

http://www.sitepoint.com/article/users-php-sessions-mysql

they have explained how to use session with login and implement..

hope this helps

also, http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
0
 
LVL 2

Author Comment

by:Ryan Bayne
ID: 21824617
Tchuk I understand that script better BUT the script I showed a link to doesnt seem to come into play am I right?!  It looks like just another version of

session_set_save_handler('_open',
                         '_close',
                         '_read',
                         '_write',
                         '_destroy',
                         '_clean');

Whatever, it looks like I could use your script as it is or atleast adapt it to my site a lot easier than what I was looking at already and I'm understanding it all more. Especially how I went to sleep for a bit lol

Thanks
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Dynamic Dropdowns 15 32
Redirect 301 from one address  to another 5 25
Undefined variable problem 5 22
MySQL InnodDB Import from mysqldump takes forever. 2 32
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this.Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it is …
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question