
I have this problem on a PHP website that I made. The website uses a login mechanism I got online. This mechanism has a .php script called "checklogin.php". My problem is with the method it uses to check if the login is valid or not. Basically what it uses is this:

<?php

session_start();
if (isset($_SESSION['myusername'])) {
    // run my site
} else {
    header("Location: ../main_login.php");
    exit; // stop here, otherwise the rest of the page is still executed after the redirect
}
?>

But this code returns true for all users, if there is at least one user logged in.

My question is: is there a way to compare $_SESSION['myusername'] with the username given at the login page, or is there anything to make the MySQL session unique?

Excuse my English and Grammar.

carvelle
  • You are using `myusername` in general and I assume your site is not unsetting it on logout. You need to unset it when the user is logged out or the session is expired. – Muhammad Raheel May 28 '14 at 08:38
  • Set `$_SESSION['myusername']` to the actual user's `username` and fetch data from that. – Darren May 28 '14 at 08:38
  • Are you testing the users on the same computer? – Noman Ghani May 28 '14 at 08:44
  • The site unsets the session when a user logs out, and every new user will have to put valid credentials in at login. My problem is that if there is one user logged in, every new user (with the right link) can bypass login and go straight to my site. – carvelle May 28 '14 at 09:10
  • @HeroFTime Yes, I am testing with different users on the same computer, which is also running the server. I don't know if that matters. – carvelle May 28 '14 at 09:14
  • You can't compare $_SESSION['myusername'] with the username given at the login page because this will be TRUE in any case. No matter what you write as a username, as long as it is set your IF will be TRUE. You should compare the username entered at the login page with usernames which are registered and have privileges to use your website. So you should compare the username entered at the login page to the database of registered usernames. You should check other things like the password etc. to increase your security. For example, if I know a username of one of your registered users I can also access your members area. – StudioArena May 28 '14 at 10:25

1 Answer

A Session is by default a Server File, which can store Information. A Session is identified by ID. In PHP the Default Identification is a Client Cookie. If you use Session Start, the $_SESSION Var will be initialized via that Cookie.

As long as you don't override this mechanism, and you are not overriding $_SESSION['myusername'] before you read it, it must be your unique user.

Do you try different Browsers in your Tests? If not, you should delete the Session Cookie for Testing.

Christian Gollhardt
  • This worked, thanks for your knowledge Christian. Thanks to everyone else who tried to help. But now, how do I make sure that a user that's logged in only has access to his account only. – carvelle May 28 '14 at 09:33
  • The keyword is "Prevent Session Hijacking". Take a look into this: http://stackoverflow.com/a/12234563/2441442 – Christian Gollhardt May 28 '14 at 12:39
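The pattern the answer and comments describe, written out as an added example (not code from the question, the answer, or the login mechanism the asker downloaded): bind `$_SESSION['myusername']` to a username verified against the database, regenerate the session id at login, and use that stored username for every per-account query. It assumes a PDO connection in `$pdo` and a `users` table with `username` and `password_hash` columns (hashes created with `password_hash()`); both are assumptions.

```php
<?php
// Added example, not from the original page. $pdo and the `users` table are assumed.
session_start();

// login.php: only set the session username after the credentials check succeeds.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                        // unknown user or wrong password
    }
    session_regenerate_id(true);             // fresh id: defeats session fixation at login
    $_SESSION['myusername'] = $row['username']; // value from the DB, not from the form
    return true;
}

// checklogin.php: included at the top of every protected page.
function require_login(): string
{
    if (empty($_SESSION['myusername'])) {
        header('Location: ../main_login.php');
        exit;                                // without exit the protected page still renders
    }
    return $_SESSION['myusername'];
}

// A protected page: every query is scoped to the session's user, never to a
// username taken from the URL or a form, so one user cannot read another's account.
function load_own_account(PDO $pdo): array
{
    $user = require_login();
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$user]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

// logout.php: clear the data, the cookie and the server-side file, not just one key.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Because each browser carries its own session cookie, two users on the same machine and browser share one session; testing with separate browsers (or clearing the cookie) is what the answer recommends.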