session problem...

Started by Hyperion (noobKID), February 23, 2013, 08:22:16 PM


Hyperion (noobKID)

OK, so just to be a rookie again, and sound a little like I am back at the age of two...

It IS exactly that line that makes $CURUSER appear and become usable on pages in TBdev, right?...

And if so, is it possible to get it working with the sessions I am about to make?...
It would be A LOT of help later on with making mods and stuff like that too...

Just thinking of making a unique system that I can actually build on later, so it won't stall due to some stupid rookie idea I had...

elephant

#6
Quote:
$GLOBALS["CURUSER"] = $row;

and like my friend said, it can only be used for the purpose of a cookie. Is this true?...

This line has no effect on the login mechanism you use. It just adds the values of $row to global scope as $CURUSER. http://php.net/manual/en/reserved.variables.globals.php

Hyperion (noobKID)

Hmm... just to clarify...
I'm redoing it all in another project, so I don't have the clean-up file just yet, hehe :P...

anyways...
Just a stupid question: could you give an example with the CURUSER idea?...
I mean, I get the idea, but have a little trouble making it, since one of my friends told me that it could be done with cookies but not with sessions, since you would be needing this:

$GLOBALS["CURUSER"] = $row;

and like my friend said, it can only be used for the purpose of a cookie. Is this true?...
And have I got it right that exactly this code part is the one that gives me the opportunity to make the CURUSER variable available?...

elephant

#4
Quote:
Is it not the same? And what do you mean by a custom-made session handler?...
You mean the same as if inside TBdev you would type $CURUSER['username']?
You would have another table called 'sessions' with the userid, sessionid (a random string), browser, os, lastupdate (a timestamp), and ip. Instead of storing the passhash in a cookie you would store the sessionid and userid. This allows users to log in from multiple machines / browsers / locations and they can all be tracked individually. When a user successfully authenticates at takelogin you insert all the info for that particular session.

On each page load you check that the cookie userid and sessionid pair are valid, if they are - then query the `users` table by userid to populate the $CURUSER array as normal. You can also manage the life of each session in cleanup using lastupdate.

Quote:
2. md5 on passwording... that was also my idea to begin with, but would it not be safer with sha1, if I remember the name right...?

SHA-1 is a bit better; it is more important that they are salted. However, both are relatively fast hashing algorithms, which makes them bad for passwords. Bcrypt has an adjustable 'work' factor to slow things down and will also be the basis of the new password hashing functions in PHP 5.5.
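As an added example (not TBdev's code and not the poster's), here is what the table-backed session handler described in the post above looks like in PHP. It assumes a PDO connection in $db, a `sessions` table with the columns named in the post (sessionid, userid, browser, os, lastupdate, ip), a `users` table whose primary key is `id`, cookie names `sid` and `uid`, and a one-week idle lifetime; all of those names and values are assumptions for illustration. The browser only ever holds the random session id and the user id, never the passhash, so one leaked cookie is revoked by deleting one row.

```php
<?php
// Added example, not TBdev's own code. Assumed schema (MySQL):
//   CREATE TABLE sessions (
//     sessionid  CHAR(64)     PRIMARY KEY,   -- random, not derived from anything
//     userid     INT          NOT NULL,
//     browser    VARCHAR(255) NOT NULL,
//     os         VARCHAR(64)  NOT NULL,
//     ip         VARCHAR(45)  NOT NULL,      -- 45 fits IPv6
//     lastupdate INT          NOT NULL
//   );
// Requires PHP 7.3+ (random_bytes, setcookie options array).

const SESSION_LIFETIME = 60 * 60 * 24 * 7; // assumed: one week of inactivity

// takelogin: called once the password has been verified.
function create_session(PDO $db, int $userid): void {
    $sessionid = bin2hex(random_bytes(32)); // 256 bits of CSPRNG -> 64 hex chars
    $stmt = $db->prepare(
        'INSERT INTO sessions (sessionid, userid, browser, os, ip, lastupdate)
         VALUES (:sid, :uid, :browser, :os, :ip, :now)'
    );
    $stmt->execute([
        ':sid'     => $sessionid,
        ':uid'     => $userid,
        ':browser' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        ':os'      => '',                              // fill from the UA if wanted
        ':ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        ':now'     => time(),
    ]);
    // Only the id pair goes to the browser. HttpOnly keeps it away from JS,
    // Secure keeps it off plain HTTP.
    $opts = ['expires' => time() + SESSION_LIFETIME, 'path' => '/',
             'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    setcookie('sid', $sessionid, $opts);
    setcookie('uid', (string)$userid, $opts);
}

// Every page load (from bittorrent.php): validate the pair, then fill $CURUSER.
function load_curuser(PDO $db): void {
    $sid = $_COOKIE['sid'] ?? '';
    $uid = (int)($_COOKIE['uid'] ?? 0);
    if ($uid <= 0 || !preg_match('/^[0-9a-f]{64}$/', $sid)) {
        return; // no or malformed cookie: treat as logged out
    }
    $stmt = $db->prepare(
        'SELECT userid FROM sessions
         WHERE sessionid = :sid AND userid = :uid AND lastupdate > :cutoff'
    );
    $stmt->execute([':sid' => $sid, ':uid' => $uid,
                    ':cutoff' => time() - SESSION_LIFETIME]);
    if ($stmt->fetchColumn() === false) {
        return; // unknown, mismatched or expired session
    }
    // Pair is valid: touch lastupdate, then load the user row as TBdev does.
    $db->prepare('UPDATE sessions SET lastupdate = :now WHERE sessionid = :sid')
       ->execute([':now' => time(), ':sid' => $sid]);
    $stmt = $db->prepare("SELECT * FROM users WHERE id = :uid AND enabled = 'yes'");
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
        unset($row['passhash']);          // no reason to carry the hash around
        $GLOBALS['CURUSER'] = $row;       // the line the thread is about
    }
}

// logout: ends this browser's session only; the user's other sessions stay valid.
function destroy_session(PDO $db): void {
    if (isset($_COOKIE['sid'])) {
        $db->prepare('DELETE FROM sessions WHERE sessionid = :sid')
           ->execute([':sid' => $_COOKIE['sid']]);
    }
    setcookie('sid', '', time() - 3600, '/');
    setcookie('uid', '', time() - 3600, '/');
}

// cleanup.php: drop rows idle longer than SESSION_LIFETIME, return how many.
function cleanup_sessions(PDO $db): int {
    $stmt = $db->prepare('DELETE FROM sessions WHERE lastupdate < :cutoff');
    $stmt->execute([':cutoff' => time() - SESSION_LIFETIME]);
    return $stmt->rowCount();
}
```

The check on each page costs one indexed lookup on `sessions` plus the `users` query TBdev already makes; the sessionid is checked against a strict pattern before it reaches SQL, and every query is parameterised, so the cookie value never gets string-spliced into a query the way the posted takelogin splices the password.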

Hyperion (noobKID)

I know about the passwords...
And I have not secured anything yet, I know, but I have also only just begun, hehe :)...

Anyway, just to be clear on something... call me a noob for asking stupidly...

1.
Quote: You could roll your own custom session handler rather than use php sessions.

Is it not the same? And what do you mean by a custom-made session handler?...
You mean the same as if inside TBdev you would type $CURUSER['username']???

And just asking, is that possible anyway?... Because I was actually thinking about trying to make something similar...

2. md5 on passwording... that was also my idea to begin with, but would it not be safer with sha1, if I remember the name right...?

elephant

You could roll your own custom session handler rather than use php sessions. Either way, you will probably still need to use cookies to identify the session (passing session id via a URL parameter is a bad idea).

$pass = strip_tags($pass); /*Securing The Data...*/

Strip tags will not secure anything in this case. That will only be of use when echoing back strings. < and > are perfectly reasonable characters to have in a password.

It appears that you are not hashing passwords as you are directly comparing the posted value to the one stored in the database. This could be the reason you are getting the 'password or user is wrong' error; if not I suggest you add a minimum of an md5 salted hash, or ideally, bcrypt https://github.com/ircmaxell/password_compat
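The two points in the post above (the password should never be compared in SQL as a literal, and it should be stored as a bcrypt hash), as an added example in PHP that is neither TBdev's code nor the poster's. It assumes a PDO connection in $db and the `users` columns the posted query names (`username`, `passhash`, `enabled`, `status`) plus an `id` primary key; it is written for PHP 7.1+ where password_hash()/password_verify()/password_needs_rehash() are built in (on 5.3.7 to 5.4 the same calls come from the password_compat library linked above, minus the type declarations). The cost value and the dummy-hash trick are assumptions for illustration.

```php
<?php
// Added example, not TBdev's own code.

const BCRYPT_COST = 12; // assumed policy: ~0.25 s per hash on 2013 hardware

// Registration / password change: store a salted bcrypt hash.
// password_hash() generates the salt itself; it is embedded in the output.
function store_password(PDO $db, int $userid, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $db->prepare('UPDATE users SET passhash = :hash WHERE id = :id')
       ->execute([':hash' => $hash, ':id' => $userid]);
}

// Login: look the user up by username ONLY, then verify the password in PHP.
// The raw password never touches the query, so no escaping or strip_tags()
// is needed and '<', '>' or quotes in a password simply work.
// Returns the user row (without passhash) on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare(
        "SELECT * FROM users
         WHERE username = :u AND enabled = 'yes' AND status = 'confirmed'"
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row) {
        // Burn a bcrypt verification anyway so "no such user" takes as long
        // as "wrong password"; the string only has to be well-formed bcrypt.
        password_verify($password, '$2y$12$' . str_repeat('a', 53));
        return null;
    }
    if (!password_verify($password, $row['passhash'])) {
        return null;
    }
    // Transparent upgrade: if the stored hash was made with a lower cost
    // (or is a legacy md5 that was re-wrapped), rehash now that we have
    // the cleartext.
    if (password_needs_rehash($row['passhash'], PASSWORD_BCRYPT,
                              ['cost' => BCRYPT_COST])) {
        store_password($db, (int)$row['id'], $password);
    }
    unset($row['passhash']); // never copy the hash into $_SESSION / cookies
    return $row;
}

// How takelogin.php would use it (assumed glue, shown for completeness):
//
//   $user = authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($user === null) {
//       $HTMLOUT .= 'Wrong username or password.';   // one message for both cases
//   } else {
//       create_session($db, (int)$user['id']);      // or $_SESSION['uid'] = ...
//       header('Location: index.php');
//   }
```

Two things differ from the posted takelogin on purpose: the WHERE clause no longer contains the password, so a bad guess and a bad username fail identically, and nothing derived from the password (not even the hash) is written to the session or a cookie.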

Hyperion (noobKID)

Hello U-232 again.

I am currently trying, for fun, to make sessions instead of cookies on the TBdev project, so I might be able to use it on one of my own projects that is ALSO based on TBdev... or not directly, but on the code base that TBdev used, the way they set up their code in functions; that is almost the same thing I will do here.

Anyway, this is my login.php file:

require_once("include/bittorrent.php");

    $HTMLOUT .= "
    <form method='post' action='takelogin.php'>
    <table border='0' cellpadding='5' align='center' class='table_center'>

      <tr>
        <td>Username:</td>
        <td align='left'><input type='text' size='40' name='username' /></td>
      </tr>
 
      <tr>
        <td>Password:</td>
        <td align='left'><input type='password' size='40' name='password' /></td>
      </tr>
 
      <tr>
        <td colspan='2' align='center'>
          <input type='submit' name='Submit_Login' value='Login' />
        </td>
      </tr>
 
    </table></form>";

print stdhead('Login','1') . $HTMLOUT . stdfoot($stdfoot);


and this is my takelogin.php file:

require_once("include/bittorrent.php");
require_once "include/password_functions.php";
session_start();
ob_start();

$HTMLOUT .= "<center><img class='img_center' src='pics/login_loading.gif'></center>";
$HTMLOUT .= "<center>Loading...</center>";

/*==========RUN LOGIN PROCEDURE===============*/
$uname = sqlesc($_POST['username']); /*Form Names...*/
$pass = sqlesc($_POST['password']); /*Form Names...*/

if(isset($uname)&&($pass))
{
$uname = strip_tags($uname); /*Securing The Data...*/
$pass = strip_tags($pass); /*Securing The Data...*/
}
else
{
$error = "Unknown user or password!...";
}

$query = "SELECT * FROM users WHERE username = $uname AND passhash = $pass AND enabled = 'yes' AND status = 'confirmed'";

$query_result = mysql_query($query)or die(mysql_error());//Running query to the DB...

if(mysql_num_rows($query_result) == 1)/*if the DB returns something, then run...*/
{
$row = mysql_fetch_array($query_result);

$_SESSION['uid'] = $row['u_id'];
$_SESSION['username'] = $row['username'];
$_SESSION['pass'] = $row['passhash'];
$_SESSION['status'] = $row['status'];
$_SESSION['enabled'] = $row['enabled'];
$_SESSION['email'] = $row['email'];
$_SESSION['ip'] = $row['ip'];
$_SESSION['class'] = $row['class'];
$_SESSION['time_offset'] = $row['time_offset'];
$_SESSION['dst_in_use'] = $row['dst_in_use'];
$_SESSION['auto_correct_dst'] = $row['auto_correct_dst'];

header('Refresh: 3; url=index.php');//with time delay...
}
else/*Error message...*/
{
$HTMLOUT .= "<center>Error reading login-session coding base, or a wrong username/pass inserted...</center>";
header('Refresh: 3; url=index.php');//with time delay...
}

//header("Location: index.php");
//header('Refresh: 3; url=index.php');//with time delay...
/*==========RUN LOGIN PROCEDURE===============*/

print stdhead('Loggin in...','1') . $HTMLOUT . stdfoot($stdfoot);


And what I am basically trying to do is to make sessions here instead of cookies...
to see if it's possible, but every time I try this, it tells me the password or user is wrong, but I think it's not wrong, and it's the SQL...
Can you tell me why, etc.?...

-thanks with any help i can get!...