@bunny1 (author), Mar 12, 2007:
I wanted to set a session variable so that if a user logs out or closes the browser the variable is reset and they must re-login.
If movement through your site is by using hyperlinks, how about also passing a variable through the URL and comparing it with a $_SESSION variable held on the host?
... mydomain.com/index.php?SID=12345
If SID doesn't exist or if the URL code SID did not match the $_SESSION SID, then create a new one.
@bunny1 (author), Mar 12, 2007:
If a user bookmarks the page will they be able to access it? It's for a CMS so I want it to be secure. I don't want someone being able to access any page without logging in.
Hmmm, not sure. I'm just trying to come up with something off the top of my head.
What you could do is, when a user first starts a session create a session variable [B]SID[/B] (session ID) and a second one, say [B]SID2[/B] which would be blank.
On loading a secure page attempt to set [B]SID2[/B] to the value passed through the URL.
If [B]SID2[/B] is not equal to [B]SID[/B] or even better if [B]SID2[/B] is not equal to the MD5 of [B]SID[/B] (one way encrypted version of [B]SID[/B]) assume that the user is not logged in and redirect them to the login page.
This will happen on the first page because there will be no value in [B]SID2[/B] initially.
This would also happen with a bookmarked page because the two values would not match.
Once the User is successfully logged in, include the MD5'd (encrypted) version of [B]SID[/B] in the URL as [B]?SID2=MD5'd(SID)[/B].
This time when they go to a page, [B]SID2[/B] should equal [B]MD5(SID)[/B] so they would be logged in.
That would be the crux of my idea.
Alternatively, a simpler method, just set an expiring [B]LoggedIn[/B] cookie and check for that. If cookie expired then Log In.
@Taschen, Mar 12, 2007:
Session IDs are set to automatically end when a user leaves your site. This means that if a user has finished viewing a page and they navigate away from the page, the session will expire (unless told to do otherwise in PHP ini settings, and dependent on whether the session_id is set as a cookie or in the URL). If you are trying to build a CMS I would recommend reading the PHP.net manual (for sessions try www.php.net/sessions).
However, as a general rule it is not a good idea to simply set a true or false token and allow access if the token is present. The token needs to be evaluated and permission granted depending on this evaluation. Even better, grant a one-time, time-limited token for each action.
Building on my original idea, if I ever have to do this for real, it may be prudent to generate [B]SID2[/B] from [B]MD5(SID+OneOffKeyPerPage)[/B]. That, in theory, should make it more secure.
As you identified, evaluating one SESSION value against another is important. A basic flow is something along the lines of:
1. Set a session_id as a cookie to maintain page state. (The session_id can be available in the URL or as a cookie.)
2. User logs in; if successful, set a unique session_id[user] identifier and link the identifier to your user. Mark the login time in the db. When you set this user id, use an algorithm where the parameters are hard to determine [e.g. the id shouldn't be the character value of user name X today's date; that's too easy to work out]. Once you have your session_id[user] value, md5 hash it.
Now you have a means to identify your user which is linked to a user but isn't the user's name/password; it is a value that is created (changes) at each login, and the method of creation isn't obvious.
3. When a user attempts to load a page, send a form, perform an action: does the session_id[user] exist -> yes, evaluate the session_id[user] value -> if the value exists -> evaluate if the time stamp is within a predefined limit -> perform action.
Using a similar model you could set different permissions on an action for different users.
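As an added example (not code from the thread), the login/check flow in the post above written in PHP, with random_bytes() and hash_equals() in place of md5(). The $db array is a constructed in-memory stand-in for the database, so as written the login record does not survive into a second request; $max_age is the "predefined limit" in seconds.

```php
<?php
// Added example, not code from the thread: the login/check flow described above,
// with random_bytes() and hash_equals() in place of md5(). $db is a constructed
// in-memory stand-in for the database; $max_age is the "predefined limit".
ini_set('session.use_only_cookies', '1');   // never accept the session id from the URL
ini_set('session.cookie_httponly', '1');    // keep the session cookie away from scripts
session_start();

$db = ['users'  => ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
       'logins' => []];   // user => ['token_hash' => ..., 'time' => ...]
$max_age = 900;           // seconds of inactivity before the login is dropped

function login(array &$db, string $user, string $pass): bool
{
    if (!isset($db['users'][$user]) || !password_verify($pass, $db['users'][$user])) {
        return false;
    }
    session_regenerate_id(true);              // fresh id on login: a pre-login id is not reused
    $token = bin2hex(random_bytes(32));       // per-login value, not derived from name or date
    $db['logins'][$user] = ['token_hash' => hash('sha256', $token), 'time' => time()];
    $_SESSION['user']  = $user;
    $_SESSION['token'] = $token;
    return true;
}

// Run at the top of every protected page, form handler or action.
function is_logged_in(array &$db, int $max_age): bool
{
    $user = $_SESSION['user'] ?? '';
    $rec  = $db['logins'][$user] ?? null;
    if ($rec === null || empty($_SESSION['token'])) {
        return false;                         // no login recorded for this session
    }
    // Constant-time comparison of the session's token with the server-side record
    if (!hash_equals($rec['token_hash'], hash('sha256', $_SESSION['token']))) {
        return false;
    }
    if (time() - $rec['time'] > $max_age) {   // stale login: require a fresh one
        unset($db['logins'][$user]);
        return false;
    }
    $db['logins'][$user]['time'] = time();    // sliding window, renewed on each action
    return true;
}

if (!is_logged_in($db, $max_age)) {
    session_destroy();                        // reset the session, as the question asks
    header('Location: /login.php');
    exit;
}
```

Because the token lives only in $_SESSION and the server-side record, a bookmarked URL carries nothing that grants access on its own.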