[RESOLVED] Understanding SESSIONS right?

When I start a session for a user, and once that user has logged in and session variables (memberid, username, password) are set, how does PHP know one user session from another? Is there even a remote chance that userA's session will collide, somehow, with userB's? Trying to wrap my mind around this.

PHP


@NogDog Feb 26, 2015 — When PHP creates a new session, it generates a unique, pseudo-random token to identify it. That token is exchanged with the client via a cookie (the "session cookie"). As long as that session cookie is not intercepted (e.g. by a man-in-the-middle attack, which becomes much, much more difficult if you limit access to HTTPS), the session data for that user will stay local to only that user.

@Landslyde (author) Feb 26, 2015 — Thanks, NogDog.

So when a session starts, a unique session-token cookie is created, sent to the browser, and identity is held with this relationship. I get that. Thanks for your explanation.

@root Feb 26, 2015 — When using sessions and your user is logged in, you will only need the ID of that member passed between pages and maybe the user's "display" name, but not their actual username and password.

If a session were to get hijacked, then that hacker would get access to and see those details, like handing the keys to your pride and joy to a thief.

A third parameter might be the user's current IP address, and should it vary, get that user to log in again and deal with it as needed.

@NogDog Feb 26, 2015 — Note that the only session "data" exchanged with the client is the session ID in the cookie. All the data in $_SESSION stays on the web server (in a file by default, in the DB if you configure/code it that way). So, as long as you protect that cookie (HTTPS, again), a user's session data should not be accessible by any other user. That being said, I'd still never store a password in the session data, as it should never be needed and is therefore an unnecessary risk (in case someone does sneak a peek into the session data one way or another).

@Landslyde (author) Feb 27, 2015 — Hey NogDog: I store their username and password in SESSION variables so they can log in to MySQL. When they register, I create an acct for them with their user-specific info. Do I have everything set up wrong? Now you have me thinking, but I can't see any other way to do this...and I'm the one that brought down the Google servers with all this ? So what am I missing?

@NogDog Feb 27, 2015 — Generally, once they log in, you just need [i]something[/i] in $_SESSION that you can check for to see if they've already logged in -- could be the user name, or simply a boolean "logged_in" array element. Then your typical logic would be something like:

[code=php]
<?php
session_start();
if (empty($_SESSION['user_name'])) {
    // load login form, display non-logged in page, or whatever
} else {
    // user is logged in, so we're good to go
}
[/code]

@ginerjm Feb 27, 2015 — To add to nogdog's posts:

You don't need to have the user and password values in SESSION vars. You simply retrieve them from the POST array in your script and save them in local vars, sanitize them and use them in your query to authenticate the user. Once that is done you don't need the password anymore, so lose it. How you remember whether the user is logged in, or who the user even is, then becomes a simple chore of keeping the user id or some other token(s) obtained from the login process or your script's logic, depending upon what your app needs to keep track of.
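Putting NogDog's two points (only the session ID ever reaches the browser, so protect that cookie and never put the password in $_SESSION) and ginerjm's point (take the password from $_POST, authenticate, then drop it) into one login script. This is an added example, not code from the thread. It assumes a `members` table with `memberid`, `username` and `password_hash` columns, where `password_hash` was written with `password_hash()` at registration, and a single low-privilege application DB account; the DSN, account name and redirect target are placeholders.

```php
<?php
// login.php: added example, not code from the original thread.
// Assumes members(memberid, username, password_hash) and one application
// DB account (DB_USER / DB_PASS below are placeholders).
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=somedb;charset=utf8mb4';
const DB_USER = 'app_user';      // placeholder: one low-privilege app account
const DB_PASS = 'app_password';  // placeholder

// Harden the session cookie before session_start(). The cookie is the only
// thing the browser holds, so keep it away from JavaScript (httponly),
// HTTPS-only (secure) and out of cross-site requests (samesite).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
session_start();

// Credentials come from the POST body and live only in local variables.
$username = trim((string)($_POST['username'] ?? ''));
$password = (string)($_POST['password'] ?? '');

if ($username === '' || $password === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

$db = new PDO(DB_DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$stmt = $db->prepare('SELECT memberid, password_hash FROM members WHERE username = :u');
$stmt->execute([':u' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a throwaway hash when the username is unknown, so the
// response time does not reveal which usernames exist.
$hash     = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
$verified = password_verify($password, $hash);
$ok       = ($row !== false) && $verified;

unset($password); // no longer needed: not kept in memory, never put in the session

if (!$ok) {
    http_response_code(401);
    exit('Invalid login.');
}

// Issue a fresh session ID at login so an ID planted before authentication
// (session fixation) never becomes a logged-in session.
session_regenerate_id(true);

// The session carries only what later pages need: who the member is.
$_SESSION['memberid']  = (int)$row['memberid'];
$_SESSION['logged_in'] = true;

header('Location: /dashboard.php'); // placeholder target
exit;
```

Pages that follow only have to call session_start() and check $_SESSION['memberid']; nothing about the password survives the login request.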

@Landslyde (author) Feb 27, 2015 — I guess I need to explain further. I am hosting a database for a bunch of therapists. They keep track of payment history, etc. I have one db for all this, but each user has their own login username and password (encrypted) and user credentials. So each time they go to do something, update this, add that, they need db access. I certainly can't give them root, so I have another login file that uses $uname and $password that is associated with two SESSION variables of the same.

[code=php]
<?php
// Connection opened with the per-user MySQL credentials held in the
// two SESSION variables described above.
session_start();
$uname    = $_SESSION['uname'];
$password = $_SESSION['password'];
$db = new PDO('mysql:host=localhost;dbname=somedb', $uname, $password);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
?>
[/code]


Since they have to continuously keep logging in as they go from page to page, I don't see any other way of doing this. However, since all of you say this is a bad security risk, I'd love to know another way of doing it. I only know the things I've read online, not to mention I'm brand-new to all of this. So all of your suggestions are taken seriously by this old man.

@ginerjm Feb 27, 2015 — What you do is log them in and create a session var ($_SESSION['is_logged_in'] perhaps) with a value of their user id. Then whenever they use the system, they first login, the session var gets assigned a value and the rest of your code checks for that value when it needs to verify they have logged in or if your code needs their specific user id in order to access a record from the db or post to the db.

If the different users are sharing a terminal, then you have a new problem with enforcing good user skills in that they should logoff as soon as they are done so that the next user doesn't use the wrong login creds.

I don't see why you think they have to log in as they go from page to page. The session var will exist through all those pages and you simply check for the var I mentioned above.

PS - what do you mean by 'can't give them root'? What root? How does root come into play when accessing a db? Root what?

@NogDog Feb 27, 2015 — Are we talking about different [i]database[/i] logins/passwords for each user? (Normally I would say that's not necessary, as there are other ways to compartmentalize user-specific data; but for now let's just narrow down on the precise issues. ? )

@Landslyde (author) Feb 27, 2015 — NogDog: I use a single db for the combined users, just different login/pass for each.

ginerjm: when I said 'root', I was referring to my MySQL admin username/password. Sorry for using that terminology. No, the users are located around the country, not from a single terminal at all. So the way I'm beginning to see it, from what you told me, is that I can (and already do) set a SESSION variable with their memberID. I have to do this to make sure they only see their respective records in the various tables. So I guess I could use that variable to keep them logged in too.

[QUOTE]I don't see why you think they have to log in as they go from page to page.[/QUOTE]

I was under the impression that when they did a select on one page, then went to another to do an update, that they had to login again. I thought that after the php script concluded for one query that the user was closed out of the db, that their login somehow expired. That's why I log them in before each thing they do.

@ginerjm Feb 27, 2015 — At the top of every script (that doesn't use classes) you do a session start so that you always have it ready when you need it. You don't put it in the included files, just the main script that gets called from the url. That way your session userid var will be there (once a login has happened) and your code can just check for it and perhaps check for any other qualifying values you might need to recognize privileged users or such.

@Landslyde (author) Feb 28, 2015 — Thank you, ginerjm. That makes sense, and it ought to make it easier, too. Much appreciated, sir.