Donovan
Client


Joined: Oct 07, 2003
Posts: 683
Location: Ohio

Posted: Tue Apr 08, 2008 10:23 am

I need to authenticate users and allow these students to see their grades and post a Peer Evaluation on their team members.

I have 6 or 7 functions on a single index.php page that handle everything.

function DisplayLogin()
function AuthStudent()
function TLStudentGrades()
function TLAddY1PeerEvals()
function TLInsertY1PeerEvals()
function TLViewY1PeerEvals()

The student needs to log in through DisplayLogin, then gets passed to AuthStudent, then TLStudentGrades, and finally TLAddY1PeerEvals.

AuthStudent binds to an LDAP server with their username and password. Once authenticated I need a way to pass the username throughout all my functions.

I was thinking of something like this.

Code:

// $authuser is interpolated into the SQL string: escape or validate it first
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '$authuser'");
if ($db->sql_numrows($sql) == 1) {
    // if a row was returned
    // authentication was successful
    // create session and set cookie with username
    session_start();
    $_SESSION['auth'] = 1;
    setcookie("authuser", $_POST['username'], time()+1800);
    TLStudentGrades($authuser);
}


I believe this sets the name of my cookie for 30 minutes and passes the $authuser to TLStudentGrades.

Could I now call the value of $authuser from any of my functions?

Do I need to worry about passing $authuser from a link? I don't want to include it in the url for security reasons.

Here is where the link is...
Code:

echo "<td width='10%' align='center'><a href='modules.php?name=Your_Account&amp;op=TLAddY1PeerEvals&amp;Course_Number=$Course_Number'><img src='modules/$modname/images/bluecurvedarrow.png' height='16' width='16' border='0' alt='Submit Peer Evals' title='Submit Peer Evals'></a>\n";   
   echo"</td></tr>\n";


I could go to TLAddY1PeerEvals but I still need to find the value of $authuser.
fkelly
Moderator


Joined: Aug 30, 2005
Posts: 2086
Location: near Albany NY

Posted: Tue Apr 08, 2008 7:18 pm

I don't think you need to use both sessions and cookies. You could probably just stick $authuser in a session variable and have it persist as long as the user is signed on. I do that in a custom module I created and it's worked fine for years. All your functions should have access to $_SESSION['authuser']. In development mode I would put echoes in just to make sure the values are being set and read correctly in all the places where you set or access them, then remove the echoes when things work.
Donovan
Client


Joined: Oct 07, 2003
Posts: 683
Location: Ohio

Posted: Wed Apr 09, 2008 7:59 am

My problem lies in here.

I can create the session fine.

Code:
// $authuser is interpolated into the SQL string: escape or validate it first
$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '$authuser'");
if ($db->sql_numrows($sql) == 1) {
    // if a row was returned
    // authentication was successful
    // create session
    session_start();
    $_SESSION['authuser'] = $authuser;
    $_SESSION['sid'] = session_id();
    // Let's make it more secure by storing the user's IP address.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

    TLStudentGrades($authuser);
} else {
    // no result
    // authentication failed
}


I can get to TLStudentGrades and it displays the correct account for whoever is logged in.

I can't however get to these other functions with the session intact by using the following links.

Code:

echo "<td width='10%' align='center'><a href='modules.php?name=Your_Account&amp;op=TLViewY1PeerEvals&amp;Course_Number=$Course_Number'><img src='modules/$modname/images/bluecurvedarrow.png' height='16' width='16' border='0' alt='Submit Peer Evals' title='Submit Peer Evals'></a>\n";   
   echo"</td></tr>\n";


When I do get to this page I get "Session data is invalid"

Code:
function TLViewY1PeerEvals($authuser) {
    global $prefix, $db;
    include("header.php");
    if (isset($_SESSION['authuser'])) {
        $authuser = $_SESSION['authuser'];
    } else {
        die('Session data is invalid!!!');
    }
    // (rest of function not shown)
}


I don't know if I should pass $authuser as an argument.

It worked here by calling the function and passing a value.

TLStudentGrades($authuser);

But how do I do this with a link?

I don't want the session to appear in the url.

You state ...

Quote:
All your functions should have access to $_SESSION['authuser']


Could you give me an example how to retrieve the value?
fkelly
Moderator


Joined: Aug 30, 2005
Posts: 2086
Location: near Albany NY

Posted: Wed Apr 09, 2008 8:25 am

Try inserting a session_start(); before you try to retrieve the value. Like after you include header.php in that last code segment. I can't guarantee it but I've had to do things like that.

On the other hand, if you've retrieved authuser from the session variable in the calling program and stuffed it into a $authuser variable and then called the function using that then you shouldn't need to retrieve it from the session variable inside the function.

As you know from Googling there are some excellent and detailed articles about improving the security of sessions by sticking IP's in there and by some other means. You might find some code samples there that you can use, I haven't reread them in quite a while.
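
The advice in this thread put together, as an added example that is not part of the original posts: start the session on every request before touching $_SESSION, keep the username server-side instead of in a cookie or the URL, and check the stored IP and an idle limit on each op. The names tl_session_begin, tl_login and tl_current_user are hypothetical; the code assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example; helper names are hypothetical, not from the thread.
const TL_IDLE_LIMIT = 1800; // 30 minutes, the lifetime used in the thread

function tl_session_begin(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started during this request
    }
    // Keep the session ID in a cookie only, never in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, right after the LDAP bind and the student lookup succeed.
function tl_login(string $authuser): void
{
    tl_session_begin();
    session_regenerate_id(true); // discard any pre-login session ID
    $_SESSION['authuser'] = $authuser;
    $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last']     = time();
}

// Call at the top of every op (TLStudentGrades, TLViewY1PeerEvals, ...).
// Returns the logged-in username, or null if there is no valid session.
function tl_current_user(): ?string
{
    tl_session_begin(); // without this, $_SESSION is empty on a new request
    $ok = isset($_SESSION['authuser'], $_SESSION['ip'], $_SESSION['last'])
        && $_SESSION['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '')
        && (time() - $_SESSION['last']) <= TL_IDLE_LIMIT;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last'] = time(); // sliding idle timeout
    return $_SESSION['authuser'];
}
```

The IP comparison logs out users whose address changes mid-session (mobile networks, some proxies); drop that line if it affects your users.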