Re: [PHP] PHP authenticating and session management
> 1.)
> I see from www.php.net , people said they will generate a Session ID by
> themselves
> srand((double)microtime()*100);
> $unique_str = md5(rand(0,999));
> Why not generate it ourselves?
> PHP will create it itself.

Once upon a time, a long time ago, there was no built-in PHP session support.
Thus, one had to generate session IDs for oneself.

When I was a newbie, we *walked* to school. In the snow. Uphill. Both ways. :-)

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use [EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] PHP authenticating and session management
Oh, I see: check the IP to prevent it.
But I have another Q.

1.)
I see from www.php.net , people said they will generate a Session ID by
themselves
srand((double)microtime()*100);
$unique_str = md5(rand(0,999));
Why not generate it ourselves?
PHP will create it itself.

2.)
Will Session have problems when people browse from an http page to an https page
and go out again?

thx

"Christopher Ostmo" <[EMAIL PROTECTED]> wrote in message
news:3B337955.15490.27965520@localhost...
> Bass??? pressed the little lettered thingies in this order...
>
> > I have a Q.
> > will the Session ID be stolen by a hacker when the ID transfers between client
> > and server ? Then can the hacker send the ID to the server and view the user's
> > page ?
>
> Yes. That *can* happen to any non-encrypted transmission that
> passes over an untrusted network. It would be difficult to do, so it's
> unlikely, but it *can* happen. It would require a packet sniffer on your
> network, on the target network or somewhere between.
>
> If you want to prevent this, you should match session ID with requesting
> IP address, log both into a database and check both for each page
> request.
>
> If the data being accessed is *that* important that a hacker would go
> through that much trouble to hijack a session, you probably should
> consider using SSL.
>
> Christopher Ostmo
> a.k.a. [EMAIL PROTECTED]
> AppIdeas.com
> Meeting cutting edge dynamic
> web site needs
>
> For a good time,
> http://www.AppIdeas.com/
Re: [PHP] PHP authenticating and session management
Bass??? pressed the little lettered thingies in this order...

> I have a Q.
> will the Session ID be stolen by a hacker when the ID transfers between client
> and server ? Then can the hacker send the ID to the server and view the user's
> page ?

Yes. That *can* happen to any non-encrypted transmission that
passes over an untrusted network. It would be difficult to do, so it's
unlikely, but it *can* happen. It would require a packet sniffer on your
network, on the target network or somewhere between.

If you want to prevent this, you should match session ID with requesting
IP address, log both into a database and check both for each page
request.

If the data being accessed is *that* important that a hacker would go
through that much trouble to hijack a session, you probably should
consider using SSL.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/
Re: [PHP] PHP authenticating and session management
Interesting question! I'm also interested in it, 'cause I read somewhere that
it's possible to "kidnap" sessions...

"Bass???" <[EMAIL PROTECTED]> wrote in newsgroup message
9gvt89$pi5$[EMAIL PROTECTED]
> I have a Q.
> will the Session ID be stolen by a hacker when the ID transfers between client
> and server ?
> Then can the hacker send the ID to the server and view the user's page ?
>
>
> "Jason Stechschulte" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> > > simply check $username and bring up the user's page ? but this makes it
> > > possible for any hacker to send a cookie with username and see that page.
> > > I know that PHP stores a unique random number for each session but how can
> > > I check that it matches with the number in the cookie.
> >
> > Why not just check for username this way:
> >
> > <?php
> > if(session_is_registered("username")) {
> >     // Do stuff
> > }
> > ?>
> >
> > Then username has to be registered as a session variable so any hacker
> > (sic) can't just send a username to see that page.
> >
> > --
> > Jason Stechschulte
> > [EMAIL PROTECTED]
> > --
> > echo "Your stdio isn't very std."
> >              -- Larry Wall in Configure from the perl distribution
Re: [PHP] PHP authenticating and session management
No, it works also if your user has cookies disabled.

"Jaxon" <[EMAIL PROTECTED]> wrote in newsgroup message
[EMAIL PROTECTED]
> Does this depend on cookies?
>
> regards,
> jaxon
>
> > -----Original Message-----
> > From: Style|warrioR [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 22, 2001 5:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] PHP authenticating and session management
> >
> > I'm not quite sure if this is the perfect way 'cause I'm pretty new to this
> > session stuff, too.
> > but my version looks like this:
> >
> > [login.php]
> > a form with username and password field.
> > submit --> auth.php
> >
> > [auth.php]
> > check if username and password are ok (from a text file or your mysql
> > database) [yes|no]
> > [no] -> echo "bad login or password."; exit;
> > [yes] -> start a session, save username and password in session vars,
> > redirect to userpage
> >
> > let's say your userpages look like "aUsername_blah.php"
> >
> > ["aUsername_blah.php"]
> > include a script on every userpage that checks if login and password are
> > correct [yes|no]
> > [no] -> redirect to login.php
> > [yes] -> display page
> >
> > comments appreciated :)
> > .andi
> >
> > "Arash Dejkam" <[EMAIL PROTECTED]> wrote in newsgroup message
> > 9guhbf$msi$[EMAIL PROTECTED]
> > > Hi,
> > >
> > > I want to use PHP session manager but I have some problems,
> > >
> > > I want the session start in a login page so I do this for example:
> > >
> > > after authenticating...
> > > session_start();
> > > session_register("username");
> > >
> > > then I want the user to be able to see his own pages, what do I have to do
> > > in those pages?
> > >
> > > simply check $username and bring up the user's page ? but this makes it
> > > possible for any hacker to send a cookie with username and see that page.
> > > I know that PHP stores a unique random number for each session but how can
> > > I check that it matches with the number in the cookie.
> > >
> > > help me please I'm really confused !
> > >
> > > Thanks
> > >
> > > Arash Dejkam
Re: [PHP] PHP authenticating and session management
I have a Q.
will the Session ID be stolen by a hacker when the ID transfers between client
and server ? Then can the hacker send the ID to the server and view the user's
page ?

"Jason Stechschulte" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> > simply check $username and bring up the user's page ? but this makes it
> > possible for any hacker to send a cookie with username and see that page.
> > I know that PHP stores a unique random number for each session but how can
> > I check that it matches with the number in the cookie.
>
> Why not just check for username this way:
>
> <?php
> if(session_is_registered("username")) {
>     // Do stuff
> }
> ?>
>
> Then username has to be registered as a session variable so any hacker
> (sic) can't just send a username to see that page.
>
> --
> Jason Stechschulte
> [EMAIL PROTECTED]
> --
> echo "Your stdio isn't very std."
>              -- Larry Wall in Configure from the perl distribution
RE: [PHP] PHP authenticating and session management
Does this depend on cookies?

regards,
jaxon

> -----Original Message-----
> From: Style|warrioR [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 22, 2001 5:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] PHP authenticating and session management
>
> I'm not quite sure if this is the perfect way 'cause I'm pretty new to this
> session stuff, too.
> but my version looks like this:
>
> [login.php]
> a form with username and password field.
> submit --> auth.php
>
> [auth.php]
> check if username and password are ok (from a text file or your mysql
> database) [yes|no]
> [no] -> echo "bad login or password."; exit;
> [yes] -> start a session, save username and password in session vars,
> redirect to userpage
>
> let's say your userpages look like "aUsername_blah.php"
>
> ["aUsername_blah.php"]
> include a script on every userpage that checks if login and password are
> correct [yes|no]
> [no] -> redirect to login.php
> [yes] -> display page
>
> comments appreciated :)
> .andi
>
> "Arash Dejkam" <[EMAIL PROTECTED]> wrote in newsgroup message
> 9guhbf$msi$[EMAIL PROTECTED]
> > Hi,
> >
> > I want to use PHP session manager but I have some problems,
> >
> > I want the session start in a login page so I do this for example:
> >
> > after authenticating...
> > session_start();
> > session_register("username");
> >
> > then I want the user to be able to see his own pages, what do I have to do
> > in those pages?
> >
> > simply check $username and bring up the user's page ? but this makes it
> > possible for any hacker to send a cookie with username and see that page.
> > I know that PHP stores a unique random number for each session but how can
> > I check that it matches with the number in the cookie.
> >
> > help me please I'm really confused !
> >
> > Thanks
> >
> > Arash Dejkam
Re: [PHP] PHP authenticating and session management
On Fri, Jun 22, 2001 at 08:59:54AM +0430, Arash Dejkam wrote:
> simply check $username and bring up the user's page ? but this makes it
> possible for any hacker to send a cookie with username and see that page.
> I know that PHP stores a unique random number for each session but how can
> I check that it matches with the number in the cookie.

Why not just check for username this way:

<?php
if(session_is_registered("username")) {
    // Do stuff
}
?>

Then username has to be registered as a session variable so any hacker
(sic) can't just send a username to see that page.

--
Jason Stechschulte
[EMAIL PROTECTED]
--
echo "Your stdio isn't very std."
             -- Larry Wall in Configure from the perl distribution
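A hardened version of the checks discussed in Christopher Ostmo's and Jason Stechschulte's replies (trust only server-side session state, bind the session to the client, regenerate the ID at login), as an added example that is not code from any message in this thread. It assumes PHP 7.3 or later and a site served over HTTPS; the function names and the $users array of password_hash() values are ours.

```php
<?php
// Added example, not code from any message in this thread. Assumes PHP 7.3+
// and a site served over HTTPS; the function names and $users array are ours.
function start_secure_session(): void
{
    // Secure: the cookie is sent only over HTTPS, so the ID never crosses the
    // wire in cleartext and the session deliberately does not follow the user
    // onto plain-HTTP pages. HttpOnly keeps page scripts from reading it.
    session_set_cookie_params(['secure' => true, 'httponly' => true,
                               'samesite' => 'Lax', 'path' => '/']);
    session_start();
}

// auth.php: check the submitted password against a stored password_hash()
// value, then bind the user to the session. Never store the password itself.
function login_user(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    start_secure_session();
    // Issue a fresh ID at login so an ID obtained (or planted) before
    // authentication cannot be reused to ride the authenticated session.
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['client_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// Include at the top of every protected page; returns the username or redirects.
function require_login(string $login_url = '/login.php'): string
{
    start_secure_session();
    // Trust only what the server stored in the session, never $_COOKIE or a
    // register_globals-style $username that the client can supply.
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    // Optional IP binding as suggested in the thread: a sniffed ID replayed from
    // another address is rejected, but users whose address changes (mobile
    // networks, proxies) are logged out too; keep it as defence in depth behind HTTPS.
    if (!hash_equals($_SESSION['client_ip'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '')) {
        session_unset();
        session_destroy();
        header('Location: ' . $login_url, true, 302);
        exit;
    }
    return $_SESSION['username'];
}
```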
Re: [PHP] PHP authenticating and session management
I'm not quite sure if this is the perfect way 'cause I'm pretty new to this
session stuff, too.
but my version looks like this:

[login.php]
a form with username and password field.
submit --> auth.php

[auth.php]
check if username and password are ok (from a text file or your mysql
database) [yes|no]
[no] -> echo "bad login or password."; exit;
[yes] -> start a session, save username and password in session vars,
redirect to userpage

let's say your userpages look like "aUsername_blah.php"

["aUsername_blah.php"]
include a script on every userpage that checks if login and password are
correct [yes|no]
[no] -> redirect to login.php
[yes] -> display page

comments appreciated :)
.andi

"Arash Dejkam" <[EMAIL PROTECTED]> wrote in newsgroup message
9guhbf$msi$[EMAIL PROTECTED]
> Hi,
>
> I want to use PHP session manager but I have some problems,
>
> I want the session start in a login page so I do this for example:
>
> after authenticating...
> session_start();
> session_register("username");
>
> then I want the user to be able to see his own pages, what do I have to do
> in those pages?
>
> simply check $username and bring up the user's page ? but this makes it
> possible for any hacker to send a cookie with username and see that page.
> I know that PHP stores a unique random number for each session but how can
> I check that it matches with the number in the cookie.
>
> help me please I'm really confused !
>
> Thanks
>
> Arash Dejkam