_SESSION weirdness behind a NAT firewall/router: bug?

Someone please tell me if I've discovered a PHP bug.

I'm sitting in front of several computers on my home network, behind
a NAT firewall/router. I am testing my web site on these different
computers (running different browsers, logged in as different users,
etc.). My web site keeps track of users logged in through the use
of $_SESSION.

Here's the bizarre thing: All computers are logged off, then I log
into my web site with one computer -- and when I browse my site from
another computer it behaves as if logged in! And if I log off with
one computer, all other computers subsequently behave as if logged
off! This happens also with different browsers (say IE and Opera)
running on the same machine.

This is especially serious because I have four classes of users:
non-logged-in visitor, logged-in user, paying customer, and
superuser. Logging in as superuser, for example, gives superuser
privileges to ALL computers on my home network!

AAAARRRGH!! I can't figure this out. It seems that $_SESSION is
using *only* my IP address and no unique identifying information
from the browsers on my network. Is this a php bug?

Background:

Here is basically what I'm doing. All scripts first contain a
require_once() directive that includes a file which executes the
following statements right up front:

session_save_path("/home/mydomain/public_html/lists");
session_name('login_settings');
session_start();

(Naturally, the save path exists, and it contains session data
files.) Then, each script calls a function isLoggedOn() to
determine the type of user logged in, if any:

function isLoggedOn()
{
    if (isset($_SESSION['superuser']))
        return 'superuser';
    if (isset($_SESSION['customer']))
        return 'customer';
    if (isset($_SESSION['user']))
        return 'user';
    return NULL; // unregistered or not logged in
}

Upon receiving the return value from isLoggedOn(), the script
behaves exactly the way it should depending on what type of user is
logged in. The value of $_SESSION['user'], $_SESSION['customer'],
and $_SESSION['superuser'] is the user's ID in the MySQL table for
that user type; the value is set by a login.php script.

I have three login.php scripts: for normal users, customers, and
superuser. Each login.php script queries the appropriate database
for user ID and password, and then sets some $_SESSION values.
Here, for example, is what happens with $_SESSION when a normal user
logs in. Note that it ensures that the customer and superuser types
are unset upon this login:

if ($sql->rows) {
    $userid = $sql->GetValue('id');
    if ($userid) {
        $_SESSION['user'] = $userid;
        // a normal-user login must not leave a customer or superuser role behind
        if (isset($_SESSION['customer']))
            unset($_SESSION['customer']);
        if (isset($_SESSION['superuser']))
            unset($_SESSION['superuser']);
        header("Location: http://www.example.com/userindex.php");
        exit; // stop here: a redirect header does not stop the script by itself
    } else {
        header("Location: http://www.example.com/login.php?error=1");
        exit;
    }
} else {
    header("Location: http://www.example.com/login.php?error=1");
    exit;
}

Logging off shouldn't leave anything behind from prior users,
deleting all $_SESSION data, killing the session cookie, and finally
calling session_destroy (). So here's my logout.php script for all
user types. It does seem to work correctly:

$CookieInfo = session_get_cookie_params();
$_SESSION = array(); // unset all session values

if ((empty($CookieInfo['domain'])) && (empty($CookieInfo['secure'])))
    setcookie(session_name(), '', time()-3600, $CookieInfo['path']);
elseif (empty($CookieInfo['secure']))
    setcookie(session_name(), '', time()-3600, $CookieInfo['path'],
              $CookieInfo['domain']);
else
    setcookie(session_name(), '', time()-3600, $CookieInfo['path'],
              $CookieInfo['domain'], $CookieInfo['secure']);
unset($_COOKIE[session_name()]);
session_destroy();

I'm at my wit's end, almost ready to manage my own cookies and dump
this PHP session handling stuff. I'd rather not though; I like
having the one session cookie with sensitive data stored on the
server. *Other* sites don't behave this way if I log into them
simultaneously from different computers on my home network. What's
wrong with MY site??

-Alex
Jul 30 '06
In article <spam-0445EE.04274801082006@localhost>,
Miguel Cruz <sp**@admin.u.nu> wrote:
>ax**@spamcop.net (axlq) wrote:
>
>Why don't you log people out by just erasing everything in their session
>with session_destroy()?

I do. See the rest of this thread.

>Does it matter to you whether the session cookie itself is gone?

It probably shouldn't -- I was just going by the documentation for
session_destroy() on php.net, which shows the session cookie being
deleted in its primary example.

-A
Jul 31 '06 #21
In article <FI******************************@comcast.com>,
Jerry Stuckle <js*******@attglobal.net> wrote:
>Hmmm, is register_globals on in your system? That could be part of what
>you're seeing. But again - I don't use cookies to keep track of
>sessions. I let the session take care of itself and just destroy it at
>the end.

Whether you know it or not, you're using session cookies if you're
not passing the session ID through URLs.

The problem arises, I guess, because I'm deleting the session cookie
before calling session_destroy() -- because the PHP documentation said
to do that. I guess I don't really need to delete it.

Deleting the cookie gives it the value 'deleted' until the browser
is closed, which matches the sess_deleted file created when
session_destroy() is called. THAT was the whole problem.

-Alex
Jul 31 '06 #22
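The failure described in the original post and the explanation in #22 come down to one thing: a session ID is just a key into the save path, so any two browsers that present the same cookie value, including a literal "deleted", share one session file. The following is an added example, not code from the thread or from any of the posters. It reproduces that sharing from the command line (simulating two browsers by setting session_id() explicitly, which on the web PHP does from the cookie) and then shows a login that regenerates the ID and a logout that destroys the server-side data before expiring the cookie, so that a replayed or leftover ID resolves to nothing. It assumes PHP 7.3 or later (for the options-array form of setcookie()) and writes its session files to a temporary directory created here; isLoggedOn() and the cookie name follow the original post.

```php
<?php
// Added example; not code from the thread. Reproduces the "every browser
// shares one session" failure and shows a login/logout pair that does not
// leave a reusable session ID behind. Default files handler, temp save path.
declare(strict_types=1);

$savePath = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($savePath, 0700);                 // session files must not be readable by other users
session_save_path($savePath);
session_name('login_settings');         // same cookie name as the original post

function isLoggedOn(): ?string
{
    foreach (['superuser', 'customer', 'user'] as $role) {
        if (isset($_SESSION[$role])) {
            return $role;
        }
    }
    return null;                        // unregistered or not logged in
}

// Simulates one browser presenting $cookieId in the login_settings cookie
// (null = no cookie, so PHP mints a fresh ID). On the web PHP reads $_COOKIE.
function openSession(?string $cookieId): void
{
    session_id($cookieId ?? '');
    session_start();
}

// Login: issue a new ID so the pre-login ID, which another browser or an
// attacker may already hold, never becomes the ID of an authenticated session.
function loginAs(string $role, int $userId): void
{
    session_regenerate_id(true);        // true: also delete the old session file
    foreach (['superuser', 'customer', 'user'] as $r) {
        unset($_SESSION[$r]);           // exactly one role per session
    }
    $_SESSION[$role] = $userId;
}

// Logout: destroy the stored session first, then expire the cookie. Whatever
// value the browser keeps sending afterwards maps to no stored data.
function logout(): void
{
    $p = session_get_cookie_params();
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => true,
    ]);
}

$report = [];

// 1. Two browsers behind one NAT both send the literal cookie value "deleted",
//    which is what the original logout left in them. PHP accepts it as an ID,
//    so both resolve to the same file, sess_deleted.
openSession('deleted');                 // browser A ...
$_SESSION['superuser'] = 42;            // ... logs in as superuser the old way
session_write_close();

openSession('deleted');                 // browser B, which never logged in
$report['B sees A as'] = isLoggedOn();  // "superuser"
session_write_close();

// 2. Browser A logs in through loginAs(): its ID changes at login, and after
//    logout() the ID it held yields an empty session, not A's roles.
openSession(null);
$before = session_id();
loginAs('superuser', 42);
$after = session_id();
$report['ID changed at login'] = $before !== $after;   // true
logout();

openSession($after);                    // browser B replaying A's post-login ID
$report['B after A logged out'] = isLoggedOn();        // null
session_write_close();

foreach ($report as $k => $v) {
    printf("%-24s %s\n", $k . ':', var_export($v, true));
}
array_map('unlink', glob($savePath . '/sess_*'));
rmdir($savePath);
```

Run it with `php demo.php`. Two further settings a practitioner would check on the original setup: session.use_strict_mode (available since PHP 5.5.2) makes PHP refuse any cookie ID it did not issue itself, which is the server-side guard against a browser presenting "deleted" or any other chosen value; and a save path under public_html, as in the original post, means the session files are fetchable by anyone if the web server serves that directory, so the save path belongs outside the document root.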
