Ravens PHP Scripts: Forums
 

 

Donovan (Client; joined Oct 07, 2003; 735 posts; Ohio)
Posted: Sun Feb 13, 2005 2:33 pm

Trying to look at how sessions are handled in a login form with PHP.

Code:
// From a login form: the session must be started before $_SESSION is written
session_start();

$name = $_POST['name'];

// Register the session key with the value
$_SESSION['name'] = $name;

Now I could display You are now logged in: <strong><?php echo $_SESSION['name']; ?></strong>!<br />

Now if I start a session on each of my admin pages:
Code:
// start the session on every admin page before reading $_SESSION
session_start();

I can tell if a person is logged in or not...correct?

If a user in my table is identified by a field called uniqueid, can I set my session_id to correspond to this value as well, to link up which user is logged in and try to assign admin rights?

Is it best to track users by session_id?

I am trying to set up admin access to my module by using sessions and learning the best way to implement this.
 
fkelly (Former Moderator in Good Standing; joined Aug 30, 2005; 3312 posts; near Albany NY)
Posted: Tue Jan 31, 2006 3:55 pm

LOL: How about after a year you get a reply.

I was going to post something in the security area about sessions, but I did a search first and found your post, and what I was going to post is related, so here goes.

Basically, in reply to your post first, what you are trying to do should work. Core Nuke doesn't use sessions, but it appears to me that Forums and modules such as Gallery do. I was working on a couple of systems using PHP and MySQL and learning from the book PHP and MySQL Web Development by Luke Welling and Laura Thomson. They cover the use of sessions, and I had some login screens similar to what you apparently have. When I found Nuke, I converted my modules over to Nuke, but I kept security for them based on sessions, so I have both working.

In the index.php of my modules I check the user-id of the user against a little security_groups table I use. For those users who I want to give administrative privileges to, I have a field (in that table) with a string value for their privileges (rc_admin for instance). So if they have privileges for that module I will set a session value like this:

Code:
// set only after the security_groups lookup confirms the privilege for this module
$_SESSION['rc_admin'] = "1";


Then throughout the module I do the session_start you mentioned and I check whether $_SESSION['rc_admin'] equals 1 (actually I just test if $_SESSION['rc_admin'], since 1 equals true).

I've run these systems for over a year now with no security glitches, so it works pretty well. It avoids incessantly calling the mainfile functions is_admin or is_user, and it also keeps my modules relatively independent of Nuke's core code and Nuke table structure changes that sometimes come with upgrades. Both of those are desirable to me.

What I was going to query the experts here about was whether they knew of intrinsic weaknesses of the session-based approach to security. I know that my online brokerage uses sessions, so it is used in some applications that require pretty tight security. At any rate, I hope this helps a bit, if you are even still interested.
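Putting the two posts together as an added example (my code, not from either post and not Nuke's): Donovan's login form storing the user in the session, and fkelly's rc_admin flag, with the checks a defender would add at each step. The user table is a constructed array standing in for the MySQL tables, and the function names are my own.

```php
<?php
// Constructed stand-in for the users + security_groups tables (no database needed).
function userTable(): array {
    return ['donovan' => [
        'uniqueid' => 42,
        'hash'     => password_hash('correct horse battery', PASSWORD_DEFAULT),
        'groups'   => ['rc_admin'],
    ]];
}

// Call this before touching $_SESSION on every page; the cookie flags keep the
// session id out of reach of script and plain HTTP.
function startSecureSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
        session_start();
    }
}

function login(string $name, string $password): bool {
    startSecureSession();
    $row = userTable()[$name] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    // Do not set the session id to uniqueid: a guessable id is a reusable id. Keep PHP's
    // random id, regenerate it at login (so a pre-planted id stops working) and store uniqueid as a value.
    session_regenerate_id(true);
    $_SESSION = ['uniqueid' => $row['uniqueid'], 'name' => $name];
    if (in_array('rc_admin', $row['groups'], true)) {
        $_SESSION['rc_admin'] = 1;   // the per-module flag from fkelly's post
    }
    return true;
}

function isLoggedIn(): bool {
    startSecureSession();
    return isset($_SESSION['uniqueid']);
}

// isset() first avoids a notice on a missing key; === means only the exact flag
// written by login() passes, not a loosely-equal value.
function isModuleAdmin(): bool {
    return isLoggedIn() && isset($_SESSION['rc_admin']) && $_SESSION['rc_admin'] === 1;
}

// Top of an admin page: decide before any output, and escape what came from $_POST.
if (!isModuleAdmin()) { http_response_code(403); exit('Not authorized'); }
echo 'You are now logged in: <strong>', htmlspecialchars($_SESSION['name'], ENT_QUOTES), '</strong>!';
```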
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 