Hey Guys, I am having one hell of a problem that I cannot figure out for the life of me. I have set up a super simple CMS for a client. Each different page of the CMS has an include file called session.php.

session.php:

    <?php
    session_start();
    $username = $_SESSION['siteadmin'];
    if (!$_SESSION['siteadmin']){
        header( 'Location: login.php?status=2' );
    }

Every now and again, random things would disappear from the database. So, I set up a crude log system that logged any action through the CMS. Well, it happened again. The logs show this:

    Logged in **.**.237.209 17:18 <-- that's me
    Deleted board member id 12 195.42.102.25 16:49
    Deleted board member id 15 195.42.102.25 16:49
    Deleted board member id 8 195.42.102.25 16:49
    Deleted board member id 10 195.42.102.25 16:49
    Deleted board member id 9 195.42.102.25 16:49
    Deleted board member id 4 195.42.102.25 16:49
    Deleted board member id 3 195.42.102.25 16:49
    Deleted board member id 5 195.42.102.25 16:49
    Deleted board member id 6 195.42.102.25 16:49
    Deleted board member id 11 195.42.102.25 16:49
    Deleted board member id 7 195.42.102.25 16:49
    Deleted review id 2 195.42.102.25 16:49
    Deleted review id 3 195.42.102.25 16:49

and that goes on for a couple of pages. It doesn't even show 195.42.102.25 logging in! Last time it happened with 195.128.18.19. How are these computers loading the window without a session variable? Is there a security hole in my code that I am completely overlooking?! Any insight on this issue would be awesome. Thanks,
If you don't want to use the normal PHP sessions you can use MySQL sessions. This class implements a new PHP session handler that can replace the default PHP session handler by storing session data in a MySQL database table: the class PHP Sessions Management 1.0.1.
You also don't have `}elseif go somewhere else{header( 'Location: login.php' );}`, which means anyone knowing the URL could get there; they don't have to be the siteadmin.
What version of PHP are you running the script on? If it is an old version, PHP 4.x, then you should use the session_register() function to register a session variable.
Well, there could be a glitch in your code that the person is using to delete things. Do you know whose IP that is?
@CoreyPeerFly This is set on the previous page where the actual login form is:

    <?php
    $pword = $myrow1['pword'];
    $uname = $myrow1['uname'];
    $username = CleaningAString($_POST['username']);
    $password = CleaningAString($_POST['password']);
    if ($username == $uname && $password == $pword){
        $_SESSION['siteadmin'] = $uname;
        header ('Location: index.php');
    }else{
        $status = 2;
    }

@astkboy2008 What would be the benefit of handling sessions that way? Would it slow down my site?

@MyVodaFone Not sure what you mean. I have a header redirect if there is no "siteadmin" session set. So if you directly browse to a URL without being logged in, it would send you to login.php. At least that's how it works for me.

@bitist PHP 5

@Bohra Exactly what I want to know, and how they are doing it. Those IP addresses are from the other side of the world; I would guess it to be some sort of bot that may even be using a proxy.

@vinodvyas12 No, but wouldn't an AJAX session security script be useless if the visitor has JavaScript disabled?
Found the solution. Basically it was a spider-like bot that ignored the header redirect and loaded the page even though it wasn't logged in. This was fixed by simply putting `exit;` right after the header redirect. http://thedailywtf.com/Articles/WellIntentioned-Destruction.aspx
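The fix from this thread carried through into a complete guard, as an added example that is not code from the thread or from the poster's CMS. The include stops with `exit` after the redirect, so a client that ignores the Location header (the crawler described above) never reaches the rest of the page. It goes one step beyond the thread by also refusing GET requests for the delete action, since a link-following bot sends plain GETs and a `delete.php?id=12` link is exactly what it would follow. The function names, the `board_members` table, the `cms.log` path and the PDO handle are assumptions.

```php
<?php
// Added example, not from the thread. Assumed names: requireSiteAdmin(),
// logCmsAction(), deleteBoardMember(), table board_members, file cms.log.
declare(strict_types=1);

// True when the session carries an authenticated admin username.
function isSiteAdmin(array $session): bool
{
    return isset($session['siteadmin']) && $session['siteadmin'] !== '';
}

// Include at the top of every CMS page. The thread's original version sent
// the Location header and then fell through to the rest of the page, so a
// client that ignores redirects still executed whatever came after.
function requireSiteAdmin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isSiteAdmin($_SESSION)) {
        header('Location: login.php?status=2');
        exit; // nothing below this line may run for a guest
    }
}

// Crude action log in the spirit of the thread's own: time, IP, who, what.
function logCmsAction(string $action): void
{
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $who  = $_SESSION['siteadmin'] ?? 'guest';
    $line = sprintf("%s %s %s %s\n", date('H:i'), $ip, $who, $action);
    file_put_contents(__DIR__ . '/cms.log', $line, FILE_APPEND | LOCK_EX);
}

// Destructive actions only on POST: a crawler following links sends GET,
// so a plain <a href="delete.php?id=12"> would otherwise trigger the delete.
function deleteBoardMember(PDO $db): void
{
    requireSiteAdmin();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === null || $id === false) {
        http_response_code(400);
        exit;
    }
    $stmt = $db->prepare('DELETE FROM board_members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    logCmsAction("Deleted board member id $id");
}
```

Usage: each CMS page calls `requireSiteAdmin()` as its first statement (or includes a session.php that does), and the delete page passes its PDO connection to `deleteBoardMember($db)` from a `<form method="post">` rather than a link. With the guard exiting, the log would show a guest's attempt as a redirect with no "Deleted" line following it.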