$_SESSION cookies not expiring when browser is closed - php

So here is my code that sends an expire time of a year if remember me is clicked.
And if not, then it sets the session_set_cookie_params() to 0. Which means that it should destroy the session when browser is closed. However it isn't working like that for some reason.
This is my login page:
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
if (($_POST['username'] == $user) && ($_POST['password'] == $pass)) {
if (isset($_POST['rememberme'])) {
$_SESSION['username'] = $user;
$_SESSION['start'] = time();
$_SESSION['expire'] = $_SESSION['start'] + (60*60*24*365);
}
else{
$_SESSION['username'] = $user;
session_set_cookie_params(0);
}
header('Location: index.php');
} else {
$p->addContent('<font color = red>Wrong</font>');
}
}
This is my index page:
session_start();
if (isset($_POST['rememberme'])){
$user = $_SESSION['username'];
}
else {
$user = $_SESSION['username'];
session_set_cookie_params(0);
}
if ($user == null) {
$user = 'Guest';
$logout = $p->header()->addButton('Login', 'login.php', 'a', 'home', false, false, true);
$logout->rel('external');
}
else{
$logout = $p->header()->addButton('Logout', 'logout.php', 'a', 'delete', false, false, true);
$logout->rel('external');
}

It's quite simple. session_set_cookie_params(0); isn't affecting your session as you call it after calling session_start();.
Just reorder your code to something like this:
if (isset($_POST['username']) && isset($_POST['password'])) {
if (($_POST['username'] == $user) && ($_POST['password'] == $pass)) {
if (isset($_POST['rememberme'])) {
session_start();
$_SESSION['username'] = $user;
$_SESSION['start'] = time();
$_SESSION['expire'] = $_SESSION['start'] + (60*60*24*365);
} else {
session_set_cookie_params(0);
session_start();
$_SESSION['username'] = $user;
}
header('Location: index.php');
} else {
session_start();
$p->addContent('<font color = red>Wrong</font>');
}
} else {
session_start();
}
EDIT:
It's also worth noting that session_set_cookie_params only works on the current script and has to be called again every time you use session_start(). It might be useful to set a cookie to indicate if it should be used.

As of your code, session_set_cookie_params() isn't called in any case. Therefore I propose to do this:
session_set_cookie_params(0);
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
...
Note that it's actually useful to call session_set_cookie_params() always for session cookies.
Generate a new session-ID at each user level change
To protect your applications against attackers, it is absolutely required to change the sessionID after each change of the role of a user:
Anonymous user -> Logged in user
Logged in user -> anonymous user
Logged in user -> Administrative logged in user
...
Thus, if user gets logged in or logged off, please regenerate the session ID like so:
session_regenerate_id( true );
Have a look in OWASP's PHP security cheat sheet.
Session-files get deleted regularly
Using PHP's standard session policy, sessions get mapped to regular files, so-called session-files. If the user closes his browser, the session-file keeps living in the file system. Quite likely, the operating system is going to delete the session-file once a day (by night).
Thus, if a user comes back a day later, the sessionID cookie points to a session-file, which might no longer be available.
The case of public PCs
Additionally imagine a browser running on a public PC: If user closes his browser and a new user logs in, the other user gets automatically logged in.
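The two answers above combined, as an added example that is not part of the original question or answers: the cookie parameters are set before session_start() on every request, and the session ID is regenerated whenever the user's level changes. PHP 7.3+ is assumed for the options-array form of session_set_cookie_params() and setcookie(); start_session(), login(), logout() and the "remember" marker cookie are hypothetical names.

```php
<?php
// Added example, not code from the question or the answers. Assumes PHP 7.3+
// (array form of session_set_cookie_params() and setcookie()).
// start_session(), login(), logout() and the "remember" cookie are hypothetical.

const REMEMBER_LIFETIME = 60 * 60 * 24 * 365; // one year, as in the question

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_session(bool $remember): void
{
    // Has to run before session_start() on every request: the parameters
    // apply to the current script only.
    session_set_cookie_params([
        'lifetime' => $remember ? REMEMBER_LIFETIME : 0, // 0 = until browser closes
        'path'     => '/',
        'secure'   => is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function set_remember_marker(bool $remember): void
{
    // Tells later requests which lifetime to use. It only selects a cookie
    // lifetime and is never treated as proof of login.
    setcookie('remember', $remember ? '1' : '', [
        'expires'  => $remember ? time() + REMEMBER_LIFETIME : time() - 3600,
        'path'     => '/',
        'secure'   => is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function login(string $user, bool $remember): void
{
    start_session($remember);
    session_regenerate_id(true); // anonymous -> logged in: new ID, old data deleted
    $_SESSION['username'] = $user;
    set_remember_marker($remember);
}

function logout(): void
{
    start_session(false);
    $_SESSION = [];
    session_regenerate_id(true); // logged in -> anonymous
    set_remember_marker(false);
}

// On every other page (e.g. index.php):
//   start_session(isset($_COOKIE['remember']));
//   $user = $_SESSION['username'] ?? 'Guest';
```

The one-year cookie only keeps the session ID in the browser; the server-side session data is still subject to session garbage collection (session.gc_maxlifetime), which is the session-file deletion the second answer describes.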

Related

How to authenticate securely by session tokens and cookies? updated

I tried to write my own authentication method (school project), and I'm stuck.
Please advise, how to solve a secure authentication:
There is an index.php which contains everything that needs to be "protected". I will copy the relevant parts of my code here.
updated index.php
session_start();
function checkUserAuth(){
$authStatus = false;
if (isset($_SESSION['PHPSESSID'])){
if ($_SESSION['PHPSESSID'] == $_COOKIE['PHPSESSID']){
$authStatus = true;
}
}
return $authStatus;
}
if(!checkUserAuth()){
include_once(dirname(__DIR__).'/admin/authentication/login.php');
exit();
}
If checkUserAuth() determines that there is no properly authenticated user, it will include login.php and stop the rest of the script.
updated login.php:
if(array_key_exists($username, $users) && password_verify($password, $users[$username])){
$_SESSION['PHPSESSID'] = $_COOKIE['PHPSESSID'];
$_SESSION['login_user'] = $_POST['user'];
What I imagine that might happen, is that if the login details are correct, the login.php sets a cookie, and refreshes the page. Then the index.php will detect the cookie, and skip the login part.
The login is pretty much figured out, and thanks to Juned, I think it is working now. However I don't know how secure is this?
On a scale from 1 to very, how wrong I am?
There are loads of ways of doing this. The below pseudocode is not the most efficient but should work and I don't think what you've done above will actually work.
Does this help?
login.php pseudocode
<?php
session_start(); // this function checks if there's a session ID already set, if not, sets one.
if(array_key_exists($username, $users) && password_verify($password, $users[$username])){
// do your login details checking here
// if login details correct
// set a flag in the $_SESSION superglobal and whatever else you want to store about the user like their username e.g.
$_SESSION["loggedIn"] = true;
$_SESSION["username"] = $_POST['user']; // better practice to fetch a clean version from your database
//else return user to login page
}
?>
index.php pseudocode
<?php
session_start(); // this will fetch the session ID and other variables that you might have set e.g. username, logged in status
function checkUserAuth(){
$authStatus = false;
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true){
$authStatus = true;
}
return $authStatus;
}
if(!checkUserAuth()){
// redirect to login page. e.g.
header('Location: login.php');
exit;
}
?>

PHP sessions system crashes

I created a relatively small php/mysql based website and hosted it on a server running Red Hat 6.4, Apache/2.2.15. In order to access the site, the users are required to authenticate.
Now comes the weird problem. When I start the server, the site initially runs fine, but after about 12-24 hours, the php sessions stop working. When users try to login, their credentials are successfully retrieved from the database and the login script sets up the session variables, but when they are redirected to the home page - the session variables are lost so the home page thinks they aren't logged in and they are redirected back to the login page. The site is not heavily used, there are about 50 registered users and there are under 100 logins daily. Also, the site requires an invitation code to register, so the probability for bots to be on the site is very small.
Below are the PHP functions used to start a session, to log the users in and to check if they are authenticated (the code was inspired from http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL):
function SecSessionStart() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = false;//https is not enforced
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // regenerated the session, delete the old one.
}
function Login($username, $password) {
$username=trim($username);
if (CheckUserCredentials($username, $password))
{
$userId=GetUserIdByUsername($username);
$hashedPass=hash("sha512",$password);
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['user_id'] = $userId;
// XSS protection as we might print this value
$username = strtolower($username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $hashedPass.$user_browser);
// Login successful.
session_write_close();
return true;
}
else {
session_write_close();
return false;
}
}
function LoginCheck() {
// Check if all session variables are set
if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string']))
{
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['username'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$hash=GetPasswordHashByUserId($user_id);
if ($hash==null)
{
session_destroy();
session_write_close();
return false;
}
$login_check = hash('sha512', $hash.$user_browser);
if ($login_check == $login_string) {
// Logged In
session_write_close();
return true;
} else {
// Not logged in
session_destroy();
session_write_close();
return false;
}
}
session_destroy();
session_write_close();
return false;
}
In order to test my assumption that the problem was related to the sessions, I made the following php page and I've set up monitoring on it once every 5 minutes on an uptime checker:
<?php
require_once("include/authentication.php");
SecSessionStart();
$_SESSION['sessionCheck'] = "The cookie was successfully saved and retrieved";
session_write_close();
$_SESSION['sessionCheck']="";
SecSessionStart();
if (isset($_SESSION['sessionCheck']))
{
echo($_SESSION['sessionCheck']);
}
session_destroy();
session_write_close();
?>
Just as I suspected, the page returned the right answer for about 20 hours then I got an alert that the page was not displaying the success string. After I got the alert the login part on the site didn't work, either. I've tried to restart the httpd process to bring back to life the sessions, but this did not help. Only after a complete server restart things got back to normal.
I have tried searching on SO and other sites for my problem and I found some questions that were somehow related, but they did not entirely fit my situation. The main difference between my problem and other similar ones is that the site works perfectly fine in the beginning, but after some time the sessions fail all of the time. Other posters had problems where they lost sessions from time to time or the sessions did not work at all.
Any hint on the possible source of this problem would be kindly appreciated. If you need any further information from me that could help, please let me know.
Thank you

PHP Session believes it's being hijacked unless an echo is performed

I'm writing a simple website which allows a user to login, fill out a form which is submitted to a database and then log out. In order to manage the session, I used the session manager which is described by TreeHouse on the following page: http://blog.teamtreehouse.com/how-to-create-bulletproof-sessions
In order to protect against hijacking, the client's IP address and user agent are stored in the session variable and compared to the server's values for these properties on each page. If they don't match, then it is assumed that the session has been hijacked and it is reset.
The implementation seems to work on my local machine without any issues, but when I uploaded it to the server, each page refresh causes the preventHijacking() function to return false (meaning it believes the session has been hijacked). However, if I echo any text within that function, the problem mysteriously disappears and the whole thing works as I expect it to (except for the bit of echoed text which is now displayed above my form :P).
I haven't a clue why this would be the case and I can't figure out how to fix it. The session manager code is below. At the start of each page, I use this to start the session and then each page simply uses or sets whatever variables it requires. If anyone could suggest why the function always returns false unless it echoes text and perhaps suggest what modification I need to make so that it will behave in the expected manner, I'd really appreciate it.
<?php
class SessionManager {
protected static $timeout = 600; // Time before automatic logout for the session
static function sessionStart($name, $limit=0, $path='/', $domain=null, $secure=null) {
// Set the cookie name before we start
session_name($name.'_Session');
// Set the domain to default to the current domain
$domain = isset($domain)? $domain : $_SERVER['SERVER_NAME'];
// Set the default secure value to whether the site is being accessed with SSL
$https = isset($secure)? $secure : isset($_SERVER['HTTPS']);
// Set the cookie settings and start the session
// Pass the computed $https value (not the possibly-null $secure argument) as the Secure flag
session_set_cookie_params($limit, $path, $domain, $https, True);
session_start();
// Make sure the session hasn't expired and destroy it if it has
if(self::validateSession()) {
// Check to see if the session is new or a hijacking attempt
if(!self::preventHijacking()) {
// Reset session data and regenerate ID
$_SESSION=array();
$_SESSION['IPaddress'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
self::regenerateSession();
// Give a 5% chance of the session ID changing on any request
} else if (rand(1, 100) <= 5) {
self::regenerateSession();
}
$_SESSION['LAST_ACTIVITY'] = time();
} else {
$_SESSION = array();
session_destroy();
session_start();
}
}
static function preventHijacking() {
if(!isset($_SESSION['IPaddress']) || !isset($_SESSION['userAgent'])) {
return false;
}
if($_SESSION['IPaddress'] != $_SERVER['REMOTE_ADDR']) {
return false;
}
if($_SESSION['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
return false;
}
return true;
}
static function regenerateSession() {
// If this session is obsolete, it means that there already is a new id
if(isset($_SESSION['OBSOLETE']) && $_SESSION['OBSOLETE'] === True) {
return;
}
// Set current session to expire in 10 seconds
$_SESSION['OBSOLETE'] = True;
$_SESSION['EXPIRES'] = time() + 10;
// Create new session without destroying the old one
session_regenerate_id(false);
// Grab current session ID and close both sessions to allow other scripts to use them
$newSession = session_id();
session_write_close();
// Set session ID to the new one and start it back up again
session_id($newSession);
session_start();
// Now we unset the obsolete and expiration values for the session we want to keep
unset($_SESSION['OBSOLETE']);
unset($_SESSION['EXPIRES']);
}
static protected function validateSession() {
// Check if something went wrong
if(isset($_SESSION['OBSOLETE']) && !isset($_SESSION['EXPIRES'])) {
return false;
}
// Test if this is an old session which has expired
if(isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) {
return false;
}
// Check if the user's login has timed out
if(isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > self::$timeout) {
return false;
}
return true;
}
}
?>
I could be way out here (it's been a while) but that sounds like the buffer containing the headers isn't being flushed for some reason. Providing body would force them to be flushed, so maybe not providing the body doesn't flush?
Try putting ob_end_flush(); in there before you return. That may fix it.

php session lost after submitting form

The page code below keeps the session on GET requests or when refreshing the browser, but when I submit a form the session data is lost.
$user=$_POST['user']; $pass=$_POST['pass'];
if ($_POST['user'])
{ if($user==$un and $pass=$pw)
{ $_SESSION['uid']=$Xid;header('Location: '.$uri.'?welcome'); }
else { $msg="chybny login"; }
}
if(isset($_GET['logout'])) { session_destroy(); header('Location: '.$uri); }
$cnt=$_SESSION['cnt']+1; $_SESSION['cnt']=$cnt;
Above is the code for login which re-directs me to the welcome page as it was verified, however the session is lost. If I just refresh or repeatedly load the page without submitting, the session holds by echoing the session variable cnt (counts up 1,2,3,...)
After submitting the form, I see session is lost and too cnt variable is reset?
I usually don't work with the session directly. Try the following; place it at the top of your script:
session_start();
$uid = $_SESSION['uid'];
$cnt = $_SESSION['cnt'];
then work with the variable instead
The problem is likely your 'and' statement. It should be &&. The condition is not going to be true.
If you're 100% sure the code is all fine and the PHP.ini is the problem, based on your comments above, look at this link and check the settings in the .ini: http://php.net/manual/en/session.configuration.php
To pass the current session to the next page... I believe is what you are asking...
You are currently not passing the session to the next page and use session_start() at the top of the next page.
Change line 4 to:
{ $_SESSION['uid']=$Xid;header('Location: '.$uri.'?'.SID.'&page=welcome'); } // Where "page" is the name of the data you are retrieving
Or, you can save the session data to a cookie and then retrieve it on the next page.
You can alternately name the session when you use session_start("NameHere") on each page, however if the visitor has recently visited and the session not destroyed, they may see parse errors, if you have them enabled.
First of all, make sure that the first thing you do on every page is to start a session (I recommend calling it once in a header file that you require on all of your sub sites).
So that you have session_start(); everywhere in the system.
Second of all, tighten up your code; make it easier to read. Something like
$userName = isset($_POST['userName']) ? $_POST['userName'] : false;
$password = isset($_POST['password']) ? $_POST['password'] : false;
$logout = isset($_POST['logout']) ? $_POST['logout'] : false;
$url = '../index.php';
if(!($logout))
{
if($userName && $password)
{
if($userName == $un && $password == $pw)
{
$_SESSION['loggedIn']=true;
$_SESSION['uid']=$Xid;
$_SESSION['message']="success";
}
else
{
$_SESSION['loggedIn']=false;
$_SESSION['message']="fail, incorrect login information.";
}
}
else
{
$_SESSION['loggedIn']=false;
$_SESSION['message']="fail ; username and password not submitted.";
}
header("Location: $url");
}
else
{
session_start();
session_destroy();
session_start();
header("Location: $url");
}
And if you want to display unique content depending on whether a user is logged in or not, then you can simply check if the login session is set or not, on each page, instead of modifying the header for that.

php set session with cookies

$_SESSION['user_id'] = $login;
setcookie('user_id', '$login' , time()+86000);
header('Location: userindex.php');
function logged_in() {
return (isset($_SESSION['user_id']) || isset($_COOKIE['user_id'])) ? true : false;
}
I have SESSION but I want to include COOKIE too, but I don't know how to restart SESSION with COOKIE. I don't have an idea how I can get that. I create COOKIE but can't logout and have a problem with SESSION. Can somebody help me to fix my problem? And on every page, at the top, I have the logged_in function to check if the user is logged in or not. I want this logged_in function to check if the user has a cookie, to auto login from the user cookie. I think some code must be written in the logged_in function and...
I will note that this is not secure, as anyone can create the cookie, using something like firebug.
#session_start();
function logged_in() {
if(!isset($_SESSION['user_id']) && isset($_COOKIE['user_id'])) {
$_SESSION['user_id'] = $_COOKIE['user_id'];
}
return isset($_SESSION['user_id']);
}
function logout() {
unset($_SESSION['user_id']);
setcookie("user_id", "", time() - 3600);
header("Location: http://".$_SERVER['HTTP_HOST']);
exit;
}
Edit: Added logout() - will remove both session and cookie 'user_id', then redirect to homepage
First: you should set it with:
setcookie('user_id', $login , time()+86000);
So $login without quotes. And also maybe set path variable if this cookie should be seen in different pages.
Removing cookie is done with setting negative time value:
setcookie('user_id', '' , time()-86000);
session_start();
function logged_in() {
if(!isset($_SESSION['user_id']) && isset($_COOKIE['user_id'])) {
$_SESSION['user_id'] = $_COOKIE['user_id'];
}
return isset($_SESSION['user_id']) && isset($_COOKIE['user_id']);
}
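The first answer warns that anyone can create the user_id cookie. One way to make it unforgeable, as an added example that is not part of the original answers: the cookie value carries an expiry and an HMAC computed with a server-side key, and logged_in() accepts it only when the MAC verifies. The helper names and the REMEMBER_KEY environment variable are assumptions; PHP 7.3+ is assumed for the options-array form of setcookie(), and session_start() is assumed to have been called already.

```php
<?php
// Added example (not from the original answers). make_remember_cookie(),
// verify_remember_cookie(), remember_login() and REMEMBER_KEY are hypothetical.

const REMEMBER_TTL = 86000; // seconds, the lifetime used in the question

function remember_key(): string
{
    // Server-side secret, never sent to the browser (assumed to be provisioned
    // as an environment variable).
    $key = getenv('REMEMBER_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('REMEMBER_KEY missing or too short');
    }
    return $key;
}

function make_remember_cookie(string $userId, int $now): string
{
    // base64 never contains '.', so '.' is a safe field separator.
    $payload = base64_encode($userId) . '.' . ($now + REMEMBER_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, remember_key());
}

function verify_remember_cookie(string $cookie, int $now): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) return null;
    [$uid64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $uid64 . '.' . $expires, remember_key());
    if (!hash_equals($expected, $mac)) return null;                  // forged or altered
    if (!ctype_digit($expires) || (int)$expires < $now) return null; // expired
    $uid = base64_decode($uid64, true);
    return $uid === false ? null : $uid;
}

function remember_login(string $userId): void
{
    setcookie('user_id', make_remember_cookie($userId, time()), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function logged_in(): bool
{
    $cookie = $_COOKIE['user_id'] ?? null;
    if (!isset($_SESSION['user_id']) && is_string($cookie)) {
        $uid = verify_remember_cookie($cookie, time());
        if ($uid !== null) {
            session_regenerate_id(true); // anonymous -> logged in
            $_SESSION['user_id'] = $uid;
        }
    }
    return isset($_SESSION['user_id']);
}
```

A signed cookie cannot be revoked individually before it expires; where revocation matters, store a random token server-side and look it up instead.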
