PHP session variable randomly changes


I have a website with a membership system. When users log in, I validate the username/password against the database, start a session, and $_SESSION['userid'] contains the id (I have not implemented anything using cookies yet).

I have a problem: the system works fine most of the time, but users have reported finding themselves logged in to another random user's account. That means $_SESSION['userid'] changes without reason, and I'm pretty sure I'm not doing anything to change it.

Any ideas why this is happening?

Edit: summary of what I'm doing.

This method starts the session:

    function startsession($id){
        $_SESSION['logged_in'] = 1;
        $_SESSION['userid'] = $id;
    }

This method checks the login:

    function isloggedin(){
        return isset($_SESSION['logged_in']) && isset($_SESSION['userid'])
            && $_SESSION['userid'] != " " && $_SESSION['logged_in'] == 1;
    }

This is the logout method:

    function logout(){
        $_SESSION['logged_in'] = 0;
        $_SESSION['userid'] = 0;
        unset($_SESSION['logged_in']);
        unset($_SESSION['userid']);
        session_destroy();
        if (!isloggedin()){ return "s3"; }
        else { return "e3"; }
    }

And this is how I check whether the user is logged in in various places:

    if (isloggedin()){ $profileid = $_SESSION['userid']; }

This is the login function, which calls startsession:

    function login($username, $password){
        $pdo = newpdo();
        $username = sanitize_string($username);
        $password = sha1(sanitize_string($password));
        $query = $pdo->prepare("SELECT id FROM ".TABLE_PROFILE." WHERE nick=:nick AND pass=:pass LIMIT 1");
        $query->execute(array(':nick'=>$username, ':pass'=>$password));
        $result = $query->fetch(PDO::FETCH_ASSOC);
        if (count($result['id']) == 1){
            startsession($result['id']);
            loginexecution();
            return "s1";
        }
        else{ return "e1"; }
    }

The problem is in the login function.

Your script is not checking the username and password data, and if the username and password are empty or incorrect, the client gets the first available id in the database.

    function login($username, $password){
        $pdo = newpdo();
        $username = sanitize_string($username);
        $password = sanitize_string($password);

        // check that the data exists
        if (empty($username)) throw new Exception('empty username');
        if (empty($password)) throw new Exception('empty password');

        $password = sha1($password);

        $query = $pdo->prepare("SELECT id FROM ".TABLE_PROFILE." WHERE nick=:nick AND pass=:pass LIMIT 1");
        $query->execute(array(':nick'=>$username, ':pass'=>$password));
        $result = $query->fetch(PDO::FETCH_ASSOC);
        // fetch() returns false when no row matched; count() on a scalar is always 1,
        // so test the result itself
        if ($result !== false && isset($result['id'])){
            startsession($result['id']);
            loginexecution();
            return "s1";
        }
        else{ return "e1"; }
    }

P.S. Check incoming data before running SQL queries.
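As an added example (not code from the question or the answer), here is a login/logout pair that keeps the answer's empty-input check and goes one step further with session-id regeneration on login and cookie expiry on logout, the two session-hygiene steps a reviewer would ask for when users report landing in each other's accounts. It assumes a PDO factory newPDO(), a TABLE_PROFILE constant naming a table with columns id, nick and pass (sha1 hashes, as on the page), and that session_start() has already been called.

```php
<?php
// Added example, not the asker's or answerer's code. Assumed: newPDO() returns a
// PDO handle, TABLE_PROFILE names a table with columns id, nick, pass (sha1 of
// the password, as on the page), and session_start() has already been called.

function login(string $username, string $password): string
{
    // Reject empty credentials before touching the database (the answer's point).
    if ($username === '' || $password === '') {
        return 'e1';
    }
    $pdo  = newPDO();
    $stmt = $pdo->prepare(
        'SELECT id FROM ' . TABLE_PROFILE . ' WHERE nick = :nick AND pass = :pass LIMIT 1'
    );
    $stmt->execute([':nick' => $username, ':pass' => sha1($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matched; test that explicitly rather
    // than count()ing a scalar, which is 1 for any non-null value.
    if ($row === false || !isset($row['id'])) {
        return 'e1';
    }

    // Issue a fresh session id at the privilege change, so a session id that
    // existed before login (e.g. one shared in a link) never becomes an
    // authenticated one for whoever else holds it.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = 1;
    $_SESSION['userid']    = (int) $row['id'];
    return 's1';
}

function isLoggedIn(): bool
{
    return isset($_SESSION['logged_in'], $_SESSION['userid'])
        && $_SESSION['logged_in'] === 1
        && $_SESSION['userid'] > 0;
}

function logout(): string
{
    $_SESSION = [];
    // Expire the session cookie too, so the browser stops sending the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return 's3';
}
```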
