$_SESSION varible and the administration section of my site

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

hi i have been creating a website it works perfect on my localhost (using WAMP) then when i uploaded it to the web it has a bug. When i login it sets a session varible 'status' this varible works fine untill i press the back button on the browser then it resets the varible and i have to log in again.

<?php
session_start();
include ('starting.php'); // just formatting for site
$status = $_SESSION['status'] ;
if ($status != 3)
{
echo "You are not logged in Properly <br/><br/>Please go ";
echo "<a href='javascript: history.go(-1)'>Back</a> and Re-Login";
}
else
{
//does its thing
}

and ill put the login script here too

<?php
session_start();
include ('starting.php');

$username = $_GET['username'];
$password = stripslashes($_GET['password']);
//$password = sha1($password);

$users_query = "select * FROM users WHERE username = '$username' and password = '$password'" ;
$users_result = mysql_query($users_query) or die ('Problem Logging In');
while ($usersrow = mysql_fetch_array($users_result))
{
$userID = stripslashes($usersrow['userID']);
$status = stripslashes($usersrow['status']);
$_SESSION['username']=$username ;
$_SESSION['validated']='true' ;
$_SESSION['status']=$status ;
$_SESSION['userID']=$userID ;
echo "<table border='0' width=90%><tr>";
echo "<td>Username</td></tr>";
echo "<tr><td>You are now logged in as: ".$_SESSION['username'].".";
echo " Now redirecting back</td></tr><tr><td>";
echo "<SCRIPT language='JavaScript'>setTimeout('history.go(-2)',2000);</SCRIPT>" ;
echo "<br/><br/><br/>If this page doesn't redirect you within 5 seconds please click <a href='index.php'>here</a></td></tr></table>" ;

}
if(!mysql_num_rows($users_result))
{
echo "There was a problem Logging in. Please ";
echo "<a href='javascript: history.go(-1)'>go back</a> and try again" ;
}
include ('ending.php');
?>

Team Member Joined: 06 Jan 2002 Posts: 2564

What does phpinfo() have to say about sessions? There's a sessions section in phpinfo, which has a line entitled "Session Support". Is that enabled? Also you might want to compare the output from the server with the output you get when running it locally.

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

here is the section for sessions u can view the full phpinfo at http://www.riverslea.school.nz/ and hte local host version at the bottom of the index page

localhost session:

session
Session Support enabled
Registered save handlers files user sqlite
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

<hr>
------------------------------------------------------------------------------
Server session:

session
Session Support enabled
Registered save handlers files user

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid On On

Team Member Joined: 06 Jan 2002 Posts: 2564

Do you have access to /tmp on the server to see if session files are indeed being created?

Posted: Fri Sep 30, 2005 8:11 am (18 years, 6 months ago)

This isn't related to your question, but directly using a user-supplied variable in an SQL query can be a security risk - it would be easy for a malicious user to add their own SQL to the query and modify your database. Check out the mysql_real_escape_string() function.

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

Yes i have full rights to the site, i am in the temp file now and cant find any sessions at all. all i can see is a few graphs for the statistics section of the webserver, and a few folders:

analog
analogbrowrep.png
analogbrowsum.png
analogcode.png
analogdir.png
analogdom.png
analogfailref.png
analogorg.png
analogrefsite.png
analogreq.png
analogsize.png
analogtype.png
awstats
bw-riversle-2005.png
bw-riversle-today.png
webalizer
webalizerftp
--------------------------------------------------
in the folder alalog there is a file called cache

thats all i really see, maybe shoudl the whole website be in the folder cgi-bin? it is currently in public_html and cgi-bin is a sub category... cheers for ur sujestions

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

i am kinda new to the whole online thing and the whole malicious internet, i kinda thought i would be exposing myself by posting infomation on here, i cant really work out how a sql statment can be run via someone without access to the php code, or how someone can use "sql-injection" as it is called, although i will take those security holes into account, thanks for your input

Posted: Fri Sep 30, 2005 1:23 pm (18 years, 6 months ago)

I'm guessing you're on a cPanel server? In which case, the tmp directory you see in FTP isn't the same one which is used by PHP to store session data.

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

where abouts would i see session data then i am on a cpanel server...

Posted: Sat Oct 01, 2005 4:00 am (18 years, 6 months ago)

You won't be able to unless you're the server administrator. However, I think you can change the place where PHP stores the data though I can't remember exactly how.

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

i am the administrator of the site

Posted: Sat Oct 01, 2005 11:18 am (18 years, 6 months ago)

Administrator of the site and administrator of the server are two different things - the server administrator (i.e. the hosting company you're using) has access to a lot of stuff that you don't.

Junior WebHelper Joined: 29 Sep 2005 Posts: 7

oh sweet i get u now, so any adivce to solve my probelm apart from whats given?

Posted: Sat Oct 01, 2005 3:05 pm (18 years, 6 months ago)

I'm not sure exactly what the problem is. You say it logs you out when you click the back button? What page does that take you back to? Is there anything on that page that might modify $_SESSION?

Also, as a side note, you might want to use POST rather than GET for the login form. That way the user name and password won't be visible in the URL. (If it's visible in the URL, it will also show up in the browser's history, which could be a big security problem.)

Junior WebHelper Joined: 23 Dec 2014 Posts: 1