Hi all,

I have been doing some reading into security with PHP session data and I have changed a few things around in my script -
For example - I am now using $securecode=sha1(uniqid(rand())); as before I was using
$securecode=md5(uniqid(rand()));

As reading through daniweb has taught me that sha1 is much more secure than md5 -

I have changed my passwords to SHA1 and I have tested successfully by logging into a test site I am using to teach myself PHP -

My question here today is regarding the security of "profile pages"

I have been trying to get the following code to work as a security feature of the site and to give me a greater understanding.

<?php
session_start();               // resume (or start) the PHP session
require_once('../config.php'); // connect to the database

/////////// SESSION ID ///////////////////////////
// Prefer the value from the URL, fall back to the session, otherwise stop.
// (!empty avoids an "undefined index" notice when the GET parameter is absent.)
if (!empty($_GET['SESS_MEMBER_ID'])) {
    $id = $_GET['SESS_MEMBER_ID'];
} else if (isset($_SESSION['SESS_MEMBER_ID'])) {
    $id = $_SESSION['SESS_MEMBER_ID'];
} else {
    //header("location: http://www.com/members/authentication-failed.php");
    exit();
}
/////////// SESSION SECURE CODE //////////////////
if (!empty($_GET['SESS_SECURE_CODE'])) {
    $securecode = $_GET['SESS_SECURE_CODE'];
} else if (isset($_SESSION['SESS_SECURE_CODE'])) {
    $securecode = $_SESSION['SESS_SECURE_CODE'];
} else {
    //header("location: http://www.com/members/authentication-failed.php");
    exit();
}
/////////// SESSION LOGIN ////////////////////////
if (!empty($_GET['SESS_LOGIN'])) {
    $login = $_GET['SESS_LOGIN'];
} else if (isset($_SESSION['SESS_LOGIN'])) {
    $login = $_SESSION['SESS_LOGIN'];
} else {
    //header("location: http://www.com/members/authentication-failed.php");
    exit();
}
// END OF SESSION GET DATA //

// SHOW SESSION DATA (once anything is echoed, header() can no longer redirect) //
echo "$id";
echo "<br />";
echo "$securecode";
echo "<br />";
echo "$login";
echo "<br />";

// Create query; escape the values so they cannot change the SQL itself
$qry = "SELECT * FROM table WHERE login='" . mysql_real_escape_string($login) .
       "' AND securecode='" . mysql_real_escape_string($securecode) . "'";
$result = mysql_query($qry);
// Check whether the query was successful or not
if ($result) {
    if (mysql_num_rows($result) == 1) {
        echo "<b>Authenticated Member</b>";
    } else {
        echo "Authentication failed";
        //header("location: http://www.com/members/authentication-failed.php");
        exit();
    }
}
?>

As you can see from the above code, I am successfully echoing the variables I need to search the database table. This works fine - but the problem I'm facing is that if I include the header("location: http://www.com/members/authentication-failed.php"); in the session data section and also include the header("location: http://www.com/members/authentication-failed.php"); in the Authentication Failed section, I get the error message that headers are already sent !!

What I'd like it to do is - if result == 1 then allow the user to continue browsing the site.

else

header("location: http://www.com/members/authentication-failed.php");

I intend to use the above code in a new php file called secure.php that will be included in all pages of the website.

Hoping someone can point me in the right direction and help me understand where I am going wrong.

regards

Also just to let you know that the above session data is created when a user successfully logs in -

I used to get this problem a lot and worked around it until I figured out that you need to put all header('Location: index.php'); type expressions before you send any page headers.

It looks to me like you are doing this in the middle of the html document, in fact you are echoing some strings before your header expression.

My best guess is that you should put all of this code right at the top of the document.

Put anything that you need to echo into variables and echo them in the html document.

Keep all your header expressions at the top (before any text is echoed or any html headers are sent).

If you need to carry info with the redirect then use the URL to create $_GET

Hope this helps,

Simon.


Hi,

You can include the following code to the very top of every page that you want "protected".

<?php
session_start();
if (!isset($_SESSION['username'])){
	header("location:http://www.com/members/authentication-failed.php");
	exit();
}
?>

This will check to see if a $_SESSION variable called 'username' has been set. If it has been set, the user has successfully logged in and the rest of the script will be processed. If it is not set, the user is not logged in and will be redirected to authentication-failed.php. As a side note, it may be a better idea to redirect them to the login page though.

Hope this helps.
Zagga
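Putting Simon's rule (every header() call before any output, display values kept in variables) and Zagga's top-of-page include together, here is a complete secure.php as an added example. It is not code from this thread; it assumes ../config.php defines a PDO connection in $db and prints nothing, and that the members table has columns id, login and securecode. Unlike the original script it reads the login and secure code from $_SESSION only, since a value that can be supplied in the URL is chosen by the visitor and proves nothing, and it uses a prepared statement so the values never become part of the SQL text.

```php
<?php
// secure.php: make this the very first thing in every protected page, with no
// whitespace before "<?php". The file produces no output: it either redirects
// (and stops) or leaves $memberId / $memberLogin for the page's HTML to echo.
declare(strict_types=1);

session_start();
require_once __DIR__ . '/../config.php'; // assumed to define $db (PDO) and print nothing

const AUTH_FAILED_URL = 'http://www.com/members/authentication-failed.php';

/**
 * Token stored in `securecode` when a member logs in (assumed login-time helper).
 * random_bytes() is a CSPRNG; uniqid()/rand() are predictable and are not.
 */
function new_secure_code(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters
}

/**
 * Redirect to the failure page and stop. Only works while nothing has been output,
 * which is why this file is included before any HTML or echo.
 */
function redirect_to_failure(): void
{
    if (headers_sent($file, $line)) {
        // Output has already started (a stray echo, or text before "<?php"):
        // a Location header would be ignored, so fail loudly instead of silently.
        exit("Cannot redirect: output already started in $file on line $line");
    }
    header('Location: ' . AUTH_FAILED_URL);
    exit();
}

/**
 * Returns the member row when the session carries credentials that match the
 * database, null otherwise. Credentials come from $_SESSION only, never from $_GET.
 */
function authenticated_member(PDO $db): ?array
{
    if (!isset($_SESSION['SESS_LOGIN'], $_SESSION['SESS_SECURE_CODE'])) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, login FROM members WHERE login = :login AND securecode = :code'
    );
    $stmt->execute([
        ':login' => $_SESSION['SESS_LOGIN'],
        ':code'  => $_SESSION['SESS_SECURE_CODE'],
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$member = authenticated_member($db);
if ($member === null) {
    redirect_to_failure(); // no output has happened yet, so the redirect works
}

// Display values for the including page; escaped here so the HTML can echo them as-is.
$memberId    = (int) $member['id'];
$memberLogin = htmlspecialchars($member['login'], ENT_QUOTES, 'UTF-8');
```

A protected page then starts with `<?php require __DIR__ . '/secure.php'; ?>` as its first bytes and later writes `<?= $memberLogin ?>` inside its HTML, which is exactly the ordering Simon describes: the redirect decision is made before the first byte of the page is sent.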
