Re: [GENERAL] passing variables in PHP3

From: Lincoln Yeoh <lylyeoh(at)mecomb(dot)com>
To: "sheila bel" <sheilabel(at)hotmail(dot)com>, pgsql-general(at)postgreSQL(dot)org
Subject: Re: [GENERAL] passing variables in PHP3
Date: 2000-02-28 03:33:24
Message-ID: 3.0.5.32.20000228113324.008c6c80@pop.mecomb.po.my
Lists: pgsql-general

At 08:21 PM 27-02-2000 GMT, sheila bel wrote:
>Hi,
>
>I've written an application for the web that asks users for their
>id and password, checks the database and if they are legit
>takes them to a page. Now I'm using the PHP_AUTH_USER variable
>to identify the user and I need that information from one
>file to another. How do I do that? I tried storing it in a
>variable and sending it along with an html anchor but that is
>not a neat way of doing it since every time I need the value of
>that variable the user has to click on an image and another problem
>with that is the user id will show up in the url and I don't want
>that security risk.
>So my question is how do I store the value of PHP_AUTH_USER for
>a specific user and access it from many PHP3 files?

OK, for proper security, just the username should not be enough, even for
subsequent pages. For people can easily change the data they send to your
application whether it is in a cookie or form field or url.

There are a few ways to do this.

1) do a username and password check for EVERY page.
2) Do a username and password check on log in and create a session- random
unguessable string and pass that around.

The only good way I can see for doing 1) is to use the built in browser
authentication thing- where a login dialog box pops up once, and after that
the browser automatically sends the username+password for every page in
that url domain. If you pass the username and password in a form, it is
less secure - more chances for other people to find it.

I do 2). My version is once a person hits any page without an existing
valid session they are given a session, whether they are logged in or not.
The session is inserted into the database, as a row in the session table.
Once they log in successfully, the session is marked logged in, the userid
and other miscellaneous stuff are also stored. When the user has a session
and hits a page, the app looks up the session and can check if the session
has timed out, if the user has logged in, and if so which user it is (and
also can lookup permissions).

Example table.

CREATE TABLE SESSION (
    SES_ID       SERIAL,
    SES_STR      VARCHAR(40) DEFAULT '',
    SES_UID      INT4 DEFAULT 0,
    SES_LOGIN    VARCHAR(16) DEFAULT '',
    SES_STAT     CHAR DEFAULT 'N',
    SES_SDATE    DATETIME,
    SES_ADATE    DATETIME,
    SES_OPTIONS  INT4 DEFAULT 0,
    SES_LIFESPAN TIMESPAN DEFAULT 900
);

ses_id is the primary key. ses_str stores a random string (sha1_hex of
random stuff).
ses_uid stores the userid. ses_login stores the username (optional- I'm
having second thoughts about this). ses_stat stores the status.
ses_sdate= start of session. ses_adate - when session was last active.
ses_options - various options/preferences for the session. ses_lifespan -
how long a session can be inactive before timing out.

Of course it gets slightly inconvenient if we have more than 2 billion
sessions, but <big grin>.

The session is passed around in the following format
ses_str.ses_id
The reason I do this is for performance reasons, the app just grabs the
ses_id and uses that for a very quick (hopefully) primary key look up to
check ses_str.

Currently I pass the session in the URL and as form post values, AND as a
cookie. The cookie is a backup in case the URL session is destroyed for any
reason, e.g. the user hits static html pages. The cookie vs url

If there are faster and better ways of doing this do let me know. I'll be
very happy to know of better ways! Would it really be better to use char
instead of varchar for this? Is it significantly faster? I don't like
dealing with padding tho. Dealing with padding may negate the speed gains.

Cheerio,

Link.
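
Added example, not part of the original message and not the poster's code: a sketch of the ses_str.ses_id token check described above (primary-key lookup, secret comparison, idle timeout). Assumptions: an in-memory SQLite table stands in for the PostgreSQL SESSION table, secrets.token_hex replaces "sha1_hex of random stuff", and 'L' is a made-up status value for "logged in".

```python
import hmac
import secrets
import sqlite3
import time

def open_db():
    # Assumption: in-memory SQLite stands in for the PostgreSQL SESSION table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (ses_id INTEGER PRIMARY KEY, ses_str TEXT,"
               " ses_uid INTEGER DEFAULT 0, ses_stat TEXT DEFAULT 'N',"
               " ses_adate REAL, ses_lifespan INTEGER DEFAULT 900)")
    return db

def new_session(db, now=None):
    """Create an anonymous session row and return the token 'ses_str.ses_id'."""
    now = time.time() if now is None else now
    ses_str = secrets.token_hex(20)  # 40 hex chars from the OS CSPRNG
    cur = db.execute("INSERT INTO session (ses_str, ses_adate) VALUES (?, ?)",
                     (ses_str, now))
    return f"{ses_str}.{cur.lastrowid}"

def mark_logged_in(db, ses_id, uid):
    """Call only after the username/password check succeeded ('L' is assumed)."""
    db.execute("UPDATE session SET ses_stat='L', ses_uid=? WHERE ses_id=?",
               (uid, ses_id))

def check_session(db, token, now=None):
    """Return (ses_id, uid, logged_in) for a valid token, otherwise None."""
    now = time.time() if now is None else now
    ses_str, sep, id_part = token.rpartition(".")
    if not sep or not (id_part.isascii() and id_part.isdigit()) or len(id_part) > 18:
        return None  # malformed token: never reaches the database
    ses_id = int(id_part)
    row = db.execute("SELECT ses_str, ses_uid, ses_stat, ses_adate, ses_lifespan"
                     " FROM session WHERE ses_id=?", (ses_id,)).fetchone()
    if row is None:
        return None
    stored, uid, stat, adate, lifespan = row
    # The id only locates the row; ses_str is the secret. Compare in constant time.
    if not hmac.compare_digest(stored.encode(), ses_str.encode()):
        return None
    if now - adate > lifespan:  # idle for longer than ses_lifespan seconds
        db.execute("DELETE FROM session WHERE ses_id=?", (ses_id,))
        return None
    db.execute("UPDATE session SET ses_adate=? WHERE ses_id=?", (now, ses_id))
    return ses_id, uid, stat == "L"
```

The user id and login state are only ever read from the server-side row, so changing the cookie, form field or URL value gains nothing unless the 40-character ses_str also matches.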
