
I have a login page which displays a login dialog once it has loaded. The login dialog is just a jQuery dialog that uses an Ajax call. Something like this:

$(function() {
    var _width = $.browser.msie ? 316 : 'auto';
    var loginDialog = $('#loginDialog');

    loginDialog.dialog({
        closeOnEscape: false,
        open: function() {
            // hide the title-bar close button so the dialog can only be dismissed by logging in
            $(this).parent().find('.ui-dialog-titlebar-close').hide();
        },
        resizable: false,
        position: 'center',
        stack: true,
        draggable: false,
        height: 'auto',
        width: _width,
        modal: true,
        buttons: {
            'submit': function() {
                $.ajax({
                    type: 'post',
                    dataType: 'html',
                    url: '/ProjectName/Scripts/php/AccountController.php',
                    cache: false,
                    // async: false,
                    data: $('#loginForm').serialize(),
                    success: function(accessStatus) {
                        if (accessStatus === 'granted') {
                            loginDialog.dialog('close');
                        }
                    },
                    error: function(request, status, error) {
                        // handle it in a specific manner
                        alert(error);
                    }
                });
            }
        }
    });
});

So if it's OK (on the server side) I just close the dialog.

Then in the AccountController.php file, as of now, I have something like this:

<?php
    session_start();
    if (IsAjaxRequest()) {
        if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
            require_once('LDAPHandler.php');

            // credentials
            $username = $_REQUEST['username'];
            $password = $_REQUEST['password'];
            // ... more parameters

            // ... Fetch against AD
            if (IsInAdminRole($username, $password)) {
                // ... establishing mysql connection & setting connection options

                // and then (note: $username is concatenated into the query unescaped):
                mysql_query(
                    "insert into accounts (login, sid) " .
                    "values ('" . $username . "', '" . session_id() . "') " .
                    "on duplicate key update sid = values(sid)"
                );

                // write response
                echo 'granted';
            }
        }
    }
?>

What I want is to store the sid in the related record (Accounts table) in the database. What makes me confused:

  • As far as I understand, if the user duplicates some page after a successful login, the server will use the same session cookie? Am I right? Unless the browser is closed.
  • How do I handle the situation with different browsers?
  • I read that wherever I need to use a session I must call session_start() on the page. Won't this give a sid different from the one that is written during login?
  • Say I don't want duplicates, I mean the user shouldn't access the same resource several times (simultaneously); which way is the best to handle that?
  • Also I understand that I need to use some kind of a flag (possibly a field in the accounts table) to say that the user is active, because otherwise I will store only the last sid. Or is the better solution to delete the user from the db once the session has closed?

Huge Thanks!!

lexeme
  • Just out of curiosity, is your `LDAPHandler.php` using PHP's native `ldap_bind()`? – Adi Jul 17 '12 at 08:49
  • Yes, I'm using a native ldap_bind(); I haven't regretted it yet) – lexeme Jul 17 '12 at 08:51
  • Is it okay if you share the code of `LDAPHandler.php`? (especially the part around `ldap_bind()`, after taking the personal info out of course). I've been researching some bad practice cases and I'm very curious. – Adi Jul 17 '12 at 08:53
  • Sure, I can share the LDAP code, but it will be messy if I put it inside the question) – lexeme Jul 17 '12 at 08:56
  • Here you are http://pastebin.com/pPV2F19Q – lexeme Jul 17 '12 at 09:02
  • Please check the update in my answer. – Adi Jul 17 '12 at 09:26

1 Answer

  • Yes you're right (unless there's some tampering on the client-side).
  • Why do you need to worry about that?
  • session_start() will start a new session and resume a previous one if started before.
  • Trust me, don't try.
  • This is good to see who's logged in now, but you have to set active to 0 when the user logs out or when he/she hasn't been active for a while (15 minutes is reasonable).

Update: Those aren't directly related to your question, but it's good to keep them in mind.

  • Your code (the SQL part) is vulnerable to SQL Injection; please read this answer here to learn how to protect yourself.

  • Your LDAP code is vulnerable to false-positive authentication when an empty (or NUL) password is provided, because ldap_bind() will attempt anonymous binding if no password was provided, which will result in anyone logging in if they provide the correct username. So make sure you filter out all control characters and then check for empty password.

  • It's also possible to perform LDAP "injection" to your code by providing * as a username.

Adi
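A hardened version of the login step, as an added example that is not code from the question or the answer: it binds the SQL parameters, refuses empty and control-character passwords before ldap_bind(), and escapes the username for the bind DN. It assumes PHP 5.6 or later (for ldap_escape()), PDO with the mysql driver, and that the handler binds with a uid= DN under a fixed base; the `active`/`last_seen` columns, hosts and credentials are placeholders.

```php
<?php
// Added example (not code from the question or the answer): a hardened login step
// for AccountController.php covering the answer's three points: bound SQL
// parameters, no empty/control-character passwords reaching ldap_bind(), and
// LDAP escaping of the username. Assumes PHP >= 5.6 (ldap_escape), the PDO mysql
// driver and an `accounts` table (login, sid, active, last_seen); hosts/credentials are placeholders.
session_start();

const LDAP_URI  = 'ldap://ldap.example.com';     // placeholder
const LDAP_BASE = 'ou=users,dc=example,dc=com';  // placeholder
function passwordIsUsable($password) {
    // Empty password => ldap_bind() performs an anonymous bind, which succeeds
    // for any username. Control characters (NUL included) are refused as well.
    return is_string($password)
        && $password !== ''
        && preg_match('/[\x00-\x1F\x7F]/', $password) !== 1;
}

function ldapAuthenticate($username, $password) {
    if (!passwordIsUsable($password)) {
        return false;
    }
    // LDAP_ESCAPE_DN escapes DN metacharacters (',', '=', '+', '\', ...) so the
    // username cannot add RDN components; a filter search would use LDAP_ESCAPE_FILTER.
    $dn   = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;
    $conn = ldap_connect(LDAP_URI);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($conn, $dn, $password);   // @: a failed bind emits a warning
    ldap_unbind($conn);
    return $ok === true;
}

function recordLogin(PDO $db, $username) {
    // The username is bound as a parameter, never spliced into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO accounts (login, sid, active, last_seen) '
      . 'VALUES (:login, :sid, 1, NOW()) '
      . 'ON DUPLICATE KEY UPDATE sid = VALUES(sid), active = 1, last_seen = NOW()'
    );
    return $stmt->execute(array(':login' => $username, ':sid' => session_id()));
}

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if (ldapAuthenticate($username, $password)) {
    $db = new PDO('mysql:host=localhost;dbname=projectdb', 'dbuser', 'dbpass'); // placeholders
    recordLogin($db, $username);
    echo 'granted';
}
```

The `active` and `last_seen` columns give the answer's "who is logged in now" view; a periodic job that sets `active = 0` where `last_seen` is older than the chosen idle limit completes it.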
  • Oh! It is great and I really appreciate it! Also I'm curious how I intercept the session close event and handle it. – lexeme Jul 17 '12 at 10:09