Re: [PHP] PHP authenticating and session management
I'm not quite sure if this is the perfect way 'cause I'm pretty new to this session stuff, too. but my version looks like this:

[login.php]
  a form with username and password field. submit --> auth.php

[auth.php]
  check if username and password are ok (from a text file or your mysql database) [yes|no]
  [no]  -> echo "bad login or password."; exit;
  [yes] -> start a session, save username and password in session vars, redirect to userpage

let's say your userpages look like "aUsername_blah.php"

["aUsername_blah.php"]
  include a script on every userpage that checks if login and password are correct [yes|no]
  [no]  -> redirect to login.php
  [yes] -> display page

comments appreciated :)

.andi

"Arash Dejkam" <[EMAIL PROTECTED]> wrote in message:
9guhbf$msi$[EMAIL PROTECTED]
> Hi,
>
> I want to use PHP session manager but I have some problems,
>
> I want the session start in a login page so I do this for example:
>
> after authenticating...
> session_start();
> session_register("username");
>
> then I want the user to be able to see his own pages, what do I have to do
> in those pages?
>
> simply check $username and bring up the user's page ? but this makes it
> possible for any hacker to send a cookie with username and see that page. I
> know that PHP stores a unique random number for each session but how can I
> check that it matches with the number in the cookie.
>
> help me please I'm really confused !
>
> Thanks
>
> Arash Dejkam

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
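Added example, not part of the original posts: the login.php / auth.php / per-page check flow from this message, written for current PHP, where session data lives in $_SESSION on the server, so a cookie sent by the client can only select a session and cannot set its variables. The user store, the demo password and the function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user store; a real auth.php would read hashes from its database.
function demo_users(): array
{
    return ['andi' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];
}

// auth.php step: check credentials, then tie the identity to a fresh session ID.
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;                 // "bad login or password."
    }
    session_regenerate_id(true);      // drop any ID that existed before login
    $_SESSION['user'] = $user;        // store the identity only, never the password
    return true;
}

// Included on every user page: who does the server-side session say this is?
function current_user(): ?string
{
    $user = $_SESSION['user'] ?? null;
    return is_string($user) ? $user : null;
}

// Guard for a page such as "aUsername_blah.php": owner must equal session user.
function may_view(string $pageOwner): bool
{
    $user = current_user();
    return $user !== null && hash_equals($pageOwner, $user);
}

session_start();

if (PHP_SAPI === 'cli') {             // constructed walk-through of the flow
    $users = demo_users();
    $steps = [
        'before login'   => may_view('andi'),
        'wrong password' => login($users, 'andi', 'guess'),
        'right password' => login($users, 'andi', 's3cret-demo'),
        'own page'       => may_view('andi'),
        'other page'     => may_view('arash'),
    ];
    foreach ($steps as $label => $ok) {
        echo str_pad($label, 16), $ok ? "yes\n" : "no\n";
    }
}
```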
Re: [PHP] PHP authenticating and session management
interesting question! I'm also interested in it, 'cause I read somewhere that it's possible to "kidnap" sessions...

"Bass???" <[EMAIL PROTECTED]> wrote in message:
9gvt89$pi5$[EMAIL PROTECTED]
> I have a Q.
> will the Session ID be stolen by hacker when the ID transfer between client
> and server ?
> Then can the hacker send the ID to server and view the user's page ?
>
>
> "Jason Stechschulte" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> > > simply check $username and bring up the user's page ? but this makes it
> > > possible for any hacker to send a cookie with username and see that page. I
> > > know that PHP stores a unique random number for each session but how can I
> > > check that it matches with the number in the cookie.
> >
> >
> > Why not just check for username this way:
> >
> > <?php
> > if(session_is_registered("username")) {
> >    // Do stuff
> > }
> > ?>
> >
> > Then username has to be registered as a session variable so any hacker
> > (sic) can't just send a username to see that page.
> >
> > --
> > Jason Stechschulte
> > [EMAIL PROTECTED]
> > --
> > echo "Your stdio isn't very std."
> >    -- Larry Wall in Configure from the perl distribution
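Added example, not part of the original posts: the session ID is a bearer token, so whoever can read it in transit can present it to the server. One way to narrow that exposure in current PHP, assuming the site is served over HTTPS; the function name and the two time limits are illustrative choices.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT   = 900;   // assumed: seconds of inactivity before logout
const ROTATE_AFTER = 300;   // assumed: seconds between session ID rotations

// Start or resume a session whose ID only ever travels over TLS in a cookie.
// Returns false if the request is not HTTPS or the session had gone idle.
function start_hardened_session(array $server, int $now): bool
{
    $flag = $server['HTTPS'] ?? '';
    if ($flag === '' || $flag === 'off') {
        return false;                    // never issue or accept the ID in clear text
    }
    session_start([
        'use_strict_mode'  => 1,         // ignore IDs the server did not generate
        'use_only_cookies' => 1,         // do not read the ID from the URL
        'use_trans_sid'    => 0,         // do not write the ID into links
        'cookie_secure'    => 1,         // browser sends the cookie over HTTPS only
        'cookie_httponly'  => 1,         // page scripts cannot read the cookie
        'cookie_samesite'  => 'Lax',
    ]);
    $last = $_SESSION['last_seen'] ?? $now;
    if ($now - $last > IDLE_LIMIT) {     // stale ID: treat as logged out
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if ($now - ($_SESSION['rotated'] ?? 0) > ROTATE_AFTER) {
        session_regenerate_id(true);     // the old ID is invalidated at rotation
        $_SESSION['rotated'] = $now;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// At the top of each protected page:
if (!start_hardened_session($_SERVER, time())) {
    http_response_code(403);
    exit("HTTPS and a fresh login are required.\n");
}
```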
Re: [PHP] simple questions about sessions
greetings.

Your no [1] question describes exactly the problem I have...and I thought session_is_registered() would do the job...(but I was wrong) ...
Now my solution looks like this:

    session_register("session_uID");
    if (isset($session_uID)) {
        // do something
    } else {
        session_destroy(); // destroy the "accidentally" generated session, which means I have no session
    }

not very nice - I know, but the only way I found to solve the prob

[2] if u have "enable-transit-id" enabled, PHP will add the &PHPSESSID=blah to all your HREFs and forms (I think a hidden field is automatically added) - u don't need to do anything in addition.
if u want to redirect via header command u have to do it like this:

    header ("Location: aDocument.php?".SID);

[3] that NEVER happened to me - so I have absolutely no idea

greetz,
andi

"kaab kaoutar" <[EMAIL PROTECTED]> wrote in message:
[EMAIL PROTECTED]
>
> Hi!
>
> 1- is there a way with which i can verify that a session variable is
> registered or exists without using start_session cause if it's not
> registered and there is no session it'll create the session !
> i tried isset() but if it's set i have to use start_session so as to get the
> values and as we know start_session should be at the beginning!
>
> 2- if i create a session in a page can it be used in all the site pages and
> frames without adding any $phpsessid to all urls?
> in my php.ini the enable-transit-id is enabled !
> by the way what do u mean by compiling php? i just save the php.ini!
>
> 3-with IE and netscape as i add the phpsessid to urls , sometimes it
> remembers an old session and displays it to me ! how can i avoid these?
> please help i'm confused!
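Added example, not part of the original posts: for question 1, current PHP can see whether the client presented a session cookie before session_start() is called, so no session has to be created and destroyed just to look. The variable name session_uID is taken from the reply above; the function name is illustrative.

```php
<?php
declare(strict_types=1);

// Resume a session only if the client sent a session cookie and the session
// behind it holds a logged-in user. Never creates one for anonymous visitors.
function resume_existing_session(array $cookies): ?string
{
    $name = session_name();                   // "PHPSESSID" by default
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;                          // no cookie: nothing to resume
    }
    session_start([
        'use_strict_mode'  => 1,              // unknown IDs get a new, empty session
        'use_only_cookies' => 1,              // ignore ?PHPSESSID=... in the URL
        'use_trans_sid'    => 0,              // keep the ID out of HREFs and forms
    ]);
    $uid = $_SESSION['session_uID'] ?? null;
    if (!is_string($uid) || $uid === '') {
        // Cookie pointed at an empty or expired session: clean up and expire it.
        $_SESSION = [];
        session_destroy();
        $params = session_get_cookie_params();
        setcookie($name, '', ['expires' => 1, 'path' => $params['path']]);
        return null;
    }
    return $uid;
}

$uid = resume_existing_session($_COOKIE);
echo $uid === null
    ? "not logged in\n"
    : "logged in as " . htmlspecialchars($uid) . "\n";
```

With the ID carried only in the cookie, links and redirects need no ?PHPSESSID=... suffix.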