0

i have this php code that on successful login is supposed to set my session "valid" variable to true sniplet:

    if($row['c']>=1)
    {
     session_name($_SERVER['REMOTE_ADDR']);
     session_start();
     $_SESSION['valid']='true';
     echo "Home.php";
    } 
else 
    {echo "/";};
};

and then when the next page loads i check if the variable isset using (sniplet:)

    session_name($_SERVER['REMOTE_ADDR']);
    session_start();
    if($_SESSION['valid']==true)
     {echo "i am valid";}
    else
     {echo "i am invalid";};

but it keeps saying the page is invalid, even if it did redirect to it as a valid page

Edited: Everyone noticed this part of the code: $_SESSION['valid']='true'; and I appologise, i had retyped the code instead of copying it. My original code didnt have the quotation marks. The but it did help seeing as the session id cant contain numbers and an IP Address will have all numbers

Improve this question
9
  • 1
    try to set $_SESSION['valid']=true; instead $_SESSION['valid']='true'; Commented Aug 13, 2013 at 14:19
  • means remove single code from suffix & prefix from true Commented Aug 13, 2013 at 14:20
  • 1
    supposing that you checked the regular stuff (like output that might be generated before session_start) check the session_name function, it has a big red warning about the valid names.. also, why would you use the ip as session name anyway? Commented Aug 13, 2013 at 14:21
  • 2
    I was referring to the man page here php.net/session_name that's where you will see that you need at least a letter in the session name Commented Aug 13, 2013 at 14:23
  • 1
    btw.. I removed your MySql tag as I can't see any relation between what you are asking and any database transactions you might have at some other point Commented Aug 13, 2013 at 14:31

5 Answers 5

Reset to default
3

So I was looking into the session_name() on php.net, and I saw the following warning and comment:

Warning The session name can't consist of digits only, at least one letter must be present. Otherwise a new session id is generated every time.

Comment: if you try to name a php session "example.com" it gets converted to "example_com" and everything breaks. don't use a period in your session name.

Warning:http://www.php.net/manual/en/function.session-name.php

Comment Source:http://www.php.net/manual/en/function.session-name.php#86000

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

These true != "true" responses are not the cause!
no.. those comparison are not that problem, that's what I keep saying here :) the session name has a bigger chance to be the problem.. as said in another comment :)
Delightful! As he said above it appears as though the periods are not allowed. Interesting.
2

Even if a few of us noticed that the comparison is not the problem and that the session name might be in fact an issue I am adding this answer just for an addition.

Please note that this is not the solution to the problem, others already discussed this, including me in a comment.

I just want to say that even if that was possible or if you would apply a transformation like removing the dots and adding some letters as a prefix I still find this a bad idea.

The session name is used for the cookie stored in the client's browser and it is used to recognize him on subsequent calls. If you are using the ip in the session name you are locking the session on the ip address and I can think of at least two cases when this is not a good idea:

  1. if I am using my phone to browse your site and walking around switching from a connection to a wifi network to the service provider data package my ip will change and you will log me out
  2. some (I think that most, I might be wrong) ISPs don't provide a fixed IP addresses to customers so with each restart to my router my IP will change, so I will be logged out again
Improve this answer

2 Comments

Not only that but behind a router running NAT an attacker is going to get Session Hijacking for free :-p ...
and also if we think of how reliable $_SERVER['REMOTE_ADDR'] really is and what happens if say the application will need a load balancer this turns into a never ending story about how bad this idea is :)
1

You're setting your $_SESSION variable to 'True' (a string), and in your if statement you're checking if it is True (boolean). They are not the same.

Change

$_SESSION['valid']='true';

to 

$_SESSION['valid']= True;

Hope this helps!

Improve this answer

1 Comment

with a comparison that is not strict the string 'true' is equal to the boolean value true.. so even if it's not the most exact comparison, it will work
1 
session_name($_SERVER['REMOTE_ADDR']);

From the docs: "It should contain only alphanumeric characters;" http://php.net/manual/en/function.session-name.php

$_SERVER['REMOTE_ADDR']

From the docs: "The IP address from which the user is viewing the current page." http://php.net/manual/en/reserved.variables.server.php

Valid characters are only a-z, A-Z and 0-9 but an IP address will contain periods/dots.

Edit "A valid variable name starts with a letter or underscore" http://php.net/manual/en/language.variables.basics.php This will also cause an IP address as the session name to be problematic. End Edit

Also;

This:

$_SESSION['valid']='true';

Should be this:

$_SESSION['valid']= true; <-- lack of single quotes

Try that and let me know!

Improve this answer

5 Comments

+1 for the session_name() part, but the comparison won't fail! Example: ideone.com/nKwNBi
Yeah I realised after I typed it and updated the answer. Thanks!
Just for ease of reading I have suggested changing it to true so different types aren't being used.
You're right, the OP should definitely use the same types (I didn't want to encourage the current types being used, I just said that this does not trigger the misbehaviour) ;)
Yeah I know, I was just explaining why I left it in there for clarity :-)
0

There are situations, in which you need to implement a solution supporting periods in session names. E.g. I ran into a similar issue. I had to create a PHP page emulating the exact behavior of an ASP page to stay compatible with customer's external hardcoded frontend. In the given request header a cookie name ASP.NET_SessionId was present.

If someone else gets into similar constraints, here is a workaround.

After some research and testing, I came to the result, that the reason for the misbehavior is, that $_COOKIE does not contain the correct keys when there are special characters in the cookie name.

<?php session_start (['name' => 'ASP.NET_SessionId']); ?>
<html>
<head><title></title><meta charset="UTF-8"></head>
<body>
  <pre><?php
    //echo implode("\n", apache_request_headers());
    foreach (apache_request_headers() as $header => $value)
      echo "$header: $value" . PHP_EOL;
    echo "\n";
    var_dump($_COOKIE);
    ?></pre>
</body>
</html>

Output:

Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=31run6vlfk69j0ni9l02fad82u
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

array(1) {
  ["ASP_NET_SessionId"]=>
  string(26) "31run6vlfk69j0ni9l02fad82u"
}

You get a similar output on the second request. The session id is changing with each request, since the default session handler does not recognize the session name properly. Unfortunely neither an error is thrown nor any notification is logged.

We could write our own session handler by implementing the SessionHandlerInterface and fetching the raw cookie data overriding the given precalculated session id when the session already exists.

However, I've chosen a quick'n'dirty workaround. The default session handler apparently just evaluates the $_COOKIES variable (or relies on the same generation algorithm). Actually the $_COOKIE variable is an associative array, which can have arbitrary strings including blanks, periods etc. as keys. We can overwrite the $_COOKIE variable at runtime as well.

<?php
  $raw_cookies = apache_request_headers()['Cookie'];
  $cookies     = preg_split('/;\s*/', $raw_cookies);
  $_COOKIE     = [];

  foreach ($cookies as $cookie)
  {
    list($k, $v) = explode('=', $cookie, 2);
    $_COOKIE[$k] = $v;
  }

  session_start (['name' => 'ASP.NET_SessionId']);
?>
<html>
<head><title></title><meta charset="UTF-8"></head>
<body>
  <pre><?php var_dump($_COOKIE); ?></pre>
</body>
</html>

Output:

array(1) {
  ["ASP.NET_SessionId"]=>
  string(26) "jqf97quci4sh6k0n4p59b3d18n"
}

Now the session id remains stable and values in $_SESSION are restored after each request.

Note that apache_request_headers() is a specific function to support Apache web servers. There should be functions to support alternative servers as well.

EDIT: On my Apache server I have found the raw cookies string also in $_SERVER[HTTP_COOKIE'].

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.