Hi
The following post has previously been posted on php-forum.com, but as there seems to be very little activity there, I am trying here.
I have been including a script for secure login using session cookies and an SQL database. I guess it is a common and well-known solution for educated PHP users, and I have got a fair understanding of how it works, but there are some holes in my knowledge. So, now that I have run into problems, I need some help. The problems are regarding _SESSION variables which are set in one function but not readable in another. I have tried some "solutions" referred to in other threads/forums, but they have not solved it for me.
The following is the code as used:
[php]
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    // SECURE is a constant defined elsewhere (site config). When it is true the
    // cookie gets the Secure flag and the browser only sends it back over HTTPS,
    // so on a plain-HTTP site $_SESSION is empty on every following request.
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) == FALSE) {
        header("Location: …/www/call.php?target=error&error=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);
    // Sets the session name to the one set above. Every page that reads
    // $_SESSION must start the session under this same name, otherwise it
    // reads a different (empty) session.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // Regenerate the session id; the data is kept (pass true to delete the old session file)
}

function login($email, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
                                  FROM members WHERE email = ? LIMIT 1")) {
        $stmt->bind_param('s', $email); // Bind "$email" to parameter.
        $stmt->execute();               // Execute the prepared query.
        $stmt->store_result();
        // get variables from result.
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to user saying their account is locked
                return "Account locked";
            } else {
                // Check if the password in the database matches
                // the password the user submitted.
                if ($db_password == $password) {
                    // Password is correct!
                    // Get the user-agent string of the user.
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    // XSS protection as we might print this value
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    // XSS protection as we might print this value
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
                                             "",
                                             $username);
                    $_SESSION['username'] = $username;
                    // Binds the session to this browser's user-agent string.
                    $_SESSION['login_string'] = hash('sha512',
                                                     $password . $user_browser);
                    // Login successful.
                    return "OK";
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    // ($user_id comes from the database row, not from user input)
                    $now = time();
                    $mysqli->query("INSERT INTO login_attempts(user_id, time)
                                    VALUES ('$user_id', '$now')");
                    return "Unknown userid or password";
                }
            }
        } else {
            // No user exists.
            return "Unknown userid or password";
        }
    }
}

function login_check($mysqli) {
    // Check if all session variables are set
    if (isset($_SESSION['user_id'],
              $_SESSION['username'],
              $_SESSION['login_string']))
    {
        $user_id      = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username     = $_SESSION['username'];
        // Get the user-agent string of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        if ($stmt = $mysqli->prepare("SELECT password
                                      FROM members
                                      WHERE id = ? LIMIT 1")) {
            // Bind "$user_id" to parameter.
            $stmt->bind_param('i', $user_id);
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            if ($stmt->num_rows == 1) {
                // If the user exists get variables from result.
                $stmt->bind_result($password);
                $stmt->fetch();
                // Recompute the same browser-bound value as in login().
                $login_check = hash('sha512', $password . $user_browser);
                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return "SUCCESS";
                } else {
                    // Not logged in
                    return "ERROR1";
                }
            } else {
                // Not logged in
                return "ERROR2";
            }
        } else {
            // Not logged in
            return "ERROR3";
        }
    } else {
        // Not logged in
        return "SESSION ID's NOT SET";
    }
}
[/php]
There are three functions:
function sec_session_start()
function login($email, $password, $mysqli)
function login_check($mysqli)
They are invoked in the order presented here, so session_start() is already initiated when login_check is called, and for the record, the _SESSION variables get set in the login function, which returns OK when I try to log in. I also see that the cookie is set and generated and is present in the browser I initiated the session from. Still, the check at the beginning of the login_check function, where all _SESSION variables are checked to be set using isset(), always evaluates to false, and this is the very problem that I have. They should not evaluate to false when logged in (that is, when login() was previously invoked and returned OK).
I have tried to put session_start() at the beginning of each function as suggested in some forums, but to no avail. (This code is removed in the above example.)
I hope someone who understands these session variables may share their valuable light upon my troubles. Maybe there are some php.ini settings that are missing???
Thanks in advance
Best regards,
Vidar
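The post describes session data written by one request (the login) that is not visible to the next request (the login check). As an added diagnostic example, not code from the original post, the script below repeats the same cookie and session setup as the poster's sec_session_start() and, at each step that commonly breaks persistence, records a note: output sent before session_start() (the Set-Cookie header is lost), a cookie with the Secure flag on a plain-HTTP request (the browser stores it but never sends it back), and a request that carries no cookie under the custom session name (a page that calls plain session_start() uses PHPSESSID and so reads a different, empty session). The file name session_diag.php, the fallback definition of SECURE and PHP 7 or later are assumptions; the constant SECURE itself is taken from the post.

```php
<?php
// session_diag.php (hypothetical filename): serve it from the same web server
// and vhost as the login pages, then load it twice in the same browser.
// Assumption: SECURE is defined in the site's config, as in the post; the
// fallback below exists only so this file runs on its own.
if (!defined('SECURE')) {
    define('SECURE', false); // assumption: plain-HTTP development box
}

// Same cookie/session setup as the poster's sec_session_start(), with a note
// recorded at each step that commonly makes $_SESSION come back empty.
function sec_session_start_checked(): array
{
    $notes = [];
    $session_name = 'sec_session_id';
    $is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // 1. Any output before session_start() means the Set-Cookie header is lost.
    if (headers_sent($file, $line)) {
        $notes[] = "output already started at $file:$line, Set-Cookie cannot be sent";
    }
    // 2. A Secure cookie is stored by the browser but never sent over plain HTTP.
    if (SECURE && !$is_https) {
        $notes[] = 'cookie Secure flag is on but this request is plain HTTP; '
                 . 'the browser will not return the cookie';
    }
    ini_set('session.use_only_cookies', 1);
    $p = session_get_cookie_params();
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], SECURE, true);
    session_name($session_name);

    // 3. Look for the cookie under the custom name. A page that calls plain
    //    session_start() uses PHPSESSID instead and sees an empty session.
    if (isset($_COOKIE[$session_name])) {
        $notes[] = "request carried cookie '$session_name'";
    } else {
        $notes[] = "no cookie named '$session_name' in the request "
                 . '(first visit, or a name/path/domain/Secure mismatch)';
    }
    session_start();
    // Passing true removes the old session file; the data is copied to the new id.
    session_regenerate_id(true);
    return $notes;
}

$notes = sec_session_start_checked();
// A counter that grows by one per reload only if the session persists.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

header('Content-Type: text/plain');
echo "session name : ", session_name(), "\n";
echo "session id   : ", session_id(), "\n";
echo "hits         : ", $_SESSION['hits'], "\n";
echo "save path    : ", (session_save_path() ?: ini_get('session.save_path')), "\n";
foreach ($notes as $n) {
    echo "- $n\n";
}
```

Load the page twice: if hits stays at 1 on the second load, the session is not persisting, and the notes say why (no cookie returned, Secure flag over HTTP, or headers already sent). If hits increases here but the login pages still see an empty session, the difference is in those pages, typically a session_start() made under a different name or after output.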