Using codeigniter's session class, what is the equivalent function/properties of $_SESSION['username'] in which username is a database column name ? –
Also, when I direct log in user to another page how can I retain his state in session ? In native php session, I just issue "session_start(), then choose the column name to put in $_SESSION[columnNAME]", it automatically works then.
I store userinformation after getting it from DB as
$this->session->set_userdata("db_result",$result);
If sessions are enabled in codeigniter then they will autostart you don't need to tell them to start.
Everything else you ask is explained in the codeigniter documentation
http://codeigniter.com/user_guide/libraries/sessions.html
You can consider implementing session_start() in your hooks, so that it starts automatically. Probably this is what you need. You can check how to implement hooks in Codeigniter's Documentation.
I don't prefer using codeigniter's session. If you do not use the DB option for session, codeigniter saves it in $_COOKIE and all the information we save in the session is clear text.
Its a security risk, because any user and simply read those cookies and install it on his own browser, and the site will start to treat user as authenticated.
So I advice, you stick to traditional PHP Session handling, and as already said, execute session_start() in your hooks
(PS: session being saved in cookies was true as of Codeigniter v1.7.3, I don't know about the latest development.)
Related
I'm new to PHP, I read other articles without finding the answer I'm looking for, but still don't know if what I want to do makes sense or not.
I'm using PHP 7.
My user authentication page, checks credentials and then executes session_start(), creating the session server-side and a cookie client-side in the browser.
Each other page of the web application then calls session_start() to resume session information, in this case checking the cookie. Everything works fine so far... at least when I have a single login.
I'd like to be able to have more than one user SIMULTANEOUSLY logged in the same browser (on another tab for example.) using cookie. I don't want to append the session ID to the URL.
I managed to create different session on the server-side using session_id() before session_start() in the authentication page based on username, but the problem is on the client side.
The first successful login (session_start()) creates a cookie and the second login updates the same cookie corrupting the previously created session.
Therefore when it comes to resume the session, session_start() will resume only the last session, mixing the data fetched from DB based on session info.
Is there a way to make session_start() create a cookie for each login and make PHP resume the correct session using cookies?
Any ideas?
FURTHER DETAILS:
I'm updating a legacy app trying to fix some security issue. The need for multiple sessions comes from administrative purposeses where admins access the same site. The reason why it's needed a separation of session is that depending of the session info, the data are fetched from a different database. Therefore, a regular usage would only need one session per user, but the administrator he needs to make multiple logins viewing different data depending on that login.
The default PHP behaviour is to handle sessions using cookies.
..and the default behaviour for browsers is to "reuse" the same set of cookies if you revisit an URL in another tab.. So, like mentioned below:
The simple way probably is to start another browser. Not the same browser but like firefox and chrome, if you have multiple browsers installed.
Another way would be to install a browser plugin, like Sessionbox for Chrome or Multifox for Firefox.
Edit, for clarity: I can think of two cases when multiple sessions would be used:
During development. Depends on the application, but an obvious case would be testing communication between two users.
After deployment. Though I've never seen a site that required multiple logins for the same user account.
This is my frame of reference. Based on this I assumed the question was for development. I'm not suggesting that the site should require installing extra packages. Flash would be about the only one that's ever gotten away with that..
You can use the same session but change the variable names that you are looking for:
if ( $_SERVER['REQUEST_URI'] == '/admin/' ):
$session_name = 'session1';
else:
$session_name = 'session2';
endif;
session_start( $session_name );
There is a problem that I can not understand when working with Codeigniter Session Library. Same network users use same session (We work with a big company, and they said me this: When anybody logged in to system, then everybody logged in)! Is this possible? How, and what can I do for fix this bug?
I am using Codeigniter Core Session Library and it uses database.
It is more possible to have app logic error that a session one.
Maybe you can reproduce it if you try on your local development server to use 2 ore more different user accounts (from different browsers).
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
When a page is loaded, the session class will check to see if valid
session data exists in the user's session cookie. If sessions data
does not exist (or if it has expired) a new session will be created
and saved in the cookie. If a session does exist, its information will
be updated and the cookie will be updated. With each update, the
session_id will be regenerated.
I don't know where you read that same network users use the same session, but in the CodeIgniter-documentation, I find that the session is stored in a cookie, and network users will not have the problem you discribed.
Sorry for the newbie question! I'm making a small website that allows users to create their own accounts. It's not a banking system, and it's unlikely that someone would want to hack it. That said, I am trying to make it reasonably secure, as there are plenty of bored script kiddies out there.
Could someone describe a basic workflow for a user logging in and having a cookie set that will keep them logged in for 30 days?
At the moment I have the following:
Validate and sanitize inputted data.
Check supplied credentials against bcrypt hashed password in DB.
If correct then call "Login" function.
Login function:
a. Delete any session data from DB with userID (table with two columns: SessionString and UserID).
b. Add new session data to DB (newy random generated string and UserID).
c. Write random generated string and UserID to cookie.
d. Set $_SESSION("UserID") with $userID.
But although the two cookies are being created and written to, the $_SESSION("UserID") remains blank... I'm guessing because I can't write to $_SESSION any time I like?
And even once that's fixed, how do I use the data stored in the cookie to log a user in? I'm guessing I don't want to go to the DB on every page load. And it will still require me to create a database object to see if the credentials in the cookie are ok. Is this the right way to this?
Once again, apologies for the newbie question!
UPDATE:
Yes, I do understand the difference between $_SESSION variables and a cookies. I also have session_start() at the top of every page (right after <php with no blank lines). $_SESSION("UserID") just remains blank.
Here's the code from the top of the page:
<?php
session_start();
if(!isset($_SESSION['initiated'])) {
session_regenerate_id();
$_SESSION['initiated'] = true;
}
Thanks for the help.
First off, there is an important difference between a session and a cookie. When you use the $_SESSION[".."] you are creating a session (which lives on the server, compared to a cookie which lives on the client), even though the browser uses a cookie to keep track of the session id. To create a cookie you would use the setcookie() method.
That said, I would recommend you to read through this article which is a step-by-step guide on how to create a secure login script, with persistence using a cookie for a "Remember me"-feature. Describe how to do it in detail would be to extensive for an SO answer im afraid.
Side note:
To be able to write to the session, you might have to call session_start(); prior to getting or setting a session variable using $_SESSION[".."].
Did you write a custom session handler that has your session-files stored in the db? I guess you don't.
If you want to use $_SESSION you have to also do session_start(). When using PHP sessions the cookie to identify the user will be set for you. You will also get session files created in your /tmp directory. That's the location your variables and anything you assign to $_SESSION will be stored.
Unless you define a custom session handler, that will manage the location of the session files, you won't need to query your database. Just save the users credentials in $_SESSION.
See this Tutorial on how to use PHP sessions.
PS: You access arrays like this: $_SESSION["UserID"], not with ().
you might want want to look at this article in which i have already discussed about various types of session hijacking and how you could avoid it.
session security in php
I want my users to have secure session on my website. What must i store in cookie to recognise each user?
Every time user logs in, cookie value must be changed.
P.S. I want to make a database with cookie values which link to user id.
a session id?
You should store a session ID in the cookie. That said, you should NOT have to do this yourself. Use PHP sessions, it does all the cookie handling for you.
Why do you need to store the session IDs in a database? If you need semi-temporary data to travel with the user during their session, you can use the $_SESSION variable for that. It is documented as part of the guide above.
PHP does not have native support for storing session IDs on the server in a database, you would have to write that yourself, or use a library that already provides that functionality, like CakePHP.
A cookie should be a cryptographic nonce that is used to reference server side state. IE: A session id. All web application platforms have their own session handler. In php you just call session_start() and then use the $_SESSION[] super global.
I need to transfer the user session across servers. ie. If user logged in server1 and if the user exists in server2 , then I have to transfer the user session details to server2. For this I used the following technique
From server1, redirect user to http://server2/auth_from_server1.php?sessionid=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the sessionid, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK, FAILURE, and session related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
But when the call back function call the auth_from_server1.php the value in session id is null. I tryed to check the sessionid as
if(isset($_SESSION['sessionId']))
echo 'true';
else
echo 'false';
But $_SESSION['sessionId'] is null. In login page I am setting the value for session id as
$_SESSION['sessionId'] = session_id();
Thanks in advance....
Wouldnt it be easier to just store session data in a shared directory?
Alternatively you can store it in a database.
I would suggest writing a custom PHP session handler or using a prebuilt session handler like ShareDance. You can store session information in a MySQL database shared amongst the two machines, a SQLite file, etc.
There are many benefits to using PHP's built in ability to get/set session data by using session_set_save_handler() namely, that all calls to get or set from $_SESSION will work in your application code without any additional modification.
More information can be found here:
http://php.net/manual/en/function.session-set-save-handler.php
A tutorial on writing custom session handlers (old but still relevant) is here:
http://devzone.zend.com/article/141
When server 2 calls server1/secret/check_session_id.php it has to submit the session ID like server1/secret/check_session_id.php?sessionid=12345 and in check_session_id.php you have to call session_id($_GET['sessionid']) before session_start().
Another opportunity could be sharing the filesystem.
Since PHP puts the session in the filesystem, you could share the filesystem (sshfs for example) on both servers.
the setting for changing the destination directory in the php.ini is
session.save_path
This problem can quickly get out hand when you start adding more and more severs to the problem. One of the best solutions that I have found is to store the session on a database and share that database with the servers. Redis typically works great for this. Here is a great guide to get started with redis
I think to store an id of a user in DB is the most appropriate way to do this.It is an error proof way.
Cheers