Results 1 to 5 of 5

Thread: Another php question - sessions

  1. October 8th, 2003, 11:36 PM #1
    sun7dots
    sun7dots is offline
    Senior Member
    Join Date
    Jan 2002
    Posts
    227

    Question Another php question - sessions

    Hi I have another php related question

    I just made a login system for my web - login.php, checklogin.php.. etc. I also have a lougout.php. Everything works fine (AFAIK) and what I want to know is how to solve this situation - someone forgot to click on logout when quiting the web? I think that this can be done by monitoring user activity on web. I mean update the time of last click on anything. And in checklogin then check if the time of a last click isn't too old.

    If this solution is right - how can I see if user has click on something (there should be some http request every time a link is clicked, right?).
    And the last question - what things should I pay attention to in this login system? I mean how can it be defeated, tricked, whatever...

    Thanx
    http://promote.opera.com/small/opera94x15.gif

    [gloworange]Sun7dots[/gloworange]
    Reply With Quote Reply With Quote
  2. October 9th, 2003, 02:56 PM #2
    Deaflamb
    Deaflamb is offline
    Senior Member
    Join Date
    Sep 2003
    Posts
    179
    watch out for the way you check the validity of your login. For example. If you check the users passwords in a function that returns the vlaue true to a variable named 'passcheck' someone could pass 'that value to your script and defeat your login process.

    One way that you could protect against this, and solve your session problem is create a login database. When someone's password is checked it creates a random number that can be checked as they move from page to page. Every time it is checked, a new time stamp is also placed in the data base. If this time stamp is over a certain lenght of time, then the login is timed out. To do house keeping you could use a cron job to clean out the login database once a day or so.

    Hope this helps.

    DeafLamb
    Happy Trails and Blue Skies
    http://www.AntiOnline.com/sig.php?imageid=586
    Reply With Quote Reply With Quote
  3. October 9th, 2003, 05:46 PM #3
    xmaddness
    xmaddness is offline
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    See my post about that here: http://www.antionline.com/showthread...065#post655065
    Reply With Quote Reply With Quote
  4. October 13th, 2003, 11:37 AM #4
    sun7dots
    sun7dots is offline
    Senior Member
    Join Date
    Jan 2002
    Posts
    227

    thanx

    Thanx fot your answers guys..

    watch out for the way you check the validity of your login. For example. If you check the users passwords in a function that returns the vlaue true to a variable named 'passcheck' someone could pass 'that value to your script and defeat your login process.
    But he has to know the now the name of that variable, right?

    See my post about that here: http://www.antionline.com/showthrea...5065#post655065
    I've already read it. Thanx
    http://promote.opera.com/small/opera94x15.gif

    [gloworange]Sun7dots[/gloworange]
    Reply With Quote Reply With Quote
  6. October 13th, 2003, 02:00 PM #5
    Deaflamb
    Deaflamb is offline
    Senior Member
    Join Date
    Sep 2003
    Posts
    179
    yes they would have to know the name of the variable. You would be surprised though how easy it can be to guess the names of variables used for common purposes.

    DeafLamb
    Happy Trails and Blue Skies
    http://www.AntiOnline.com/sig.php?imageid=586
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules