开发者

Check session with server variables

问答 作者:

I have been trying to protect my pages by checking the following code (part of):

if (($_SERVER['REMOTE_ADDR'] != $_SESSION['USER_IP']) || !isset($_SESSION['SERVER_GENERATED_SID']))
{
    session_destroy();
}

$_SESSION['SERVER_GENERATED_SID'] = true;
$_SESSION['USER_IP'] = $_SERVER['REMOTE_ADDR'];

For some reason it kills the session every time.

This is my index page:

<?php
require('includes/sessions.php');
require('includes/language.php');

$page_name = "Anchor & Steel Constructions";

require('includes/header.php');
?>

<div id="page">
        <div>
            <div id="content">
                <?php

                if(!isset($_SESSION['user_id']) || !in_array($_SESSION['user_type'], $user_types))
                {
                    include('user_login.php');
                }

                ?>
            </div>
        </div>
        <div style="clear: both;">&nbsp;</div>
</div>

My login code where variables are added to the session: $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];

$_SESSION['user_id'] = $row['user_id'];
                $_SESSION['user_user'] = $row['user'];
                $_SESSION['user_name'] = $row['naam'];
                $_SESSION['user_mail'] = $r开发者_C百科ow['email'];
                $_SESSION['user_lang'] = $row['language'];

sessions:

<?php
// gebruik een andere naam voor de sessie dan de standaard php naam
session_name('what_ever');

// start session
if(!session_start())
{
    exit("Er kan geen sessie worden gestart");
}

// generate nieuwe sessie id
session_regenerate_id();

// set timeout period in seconds
if($_SESSION['user_type'] != 'beheerder')
{
    $inactive = 180;
}
else
{
    $inactive = 28800;
}

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
    $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)
        { session_destroy(); header("Location: user_logout.php"); }
}
$_SESSION['timeout'] = time();

$user_types = array('beheerder', 'kantoor', 'werkplaats', 'administratie');

// controleer of de user gebruikt maakt van dezelfde user agent als bij voorgaande request en accepteer alleen door server gegenereerde SID's
if (($_SERVER['REMOTE_ADDR'] != $_SESSION['user_ip']) || !isset($_SESSION['SERVER_GENERATED_SID']))
{
    session_destroy();
}

// sla variabelen op
$_SESSION['SERVER_GENERATED_SID'] = true;
$_SESSION['user_ip'] = $_SERVER['remote_addr'];

?>

make sure that you had written the code session_start(); at the start of your php/html code

Example 

<?php 
session_start();

?>
<html><head></head><body>hi friend</body></html>

Is $_SESSION['SERVER_GENERATED_SID'] ever set when being checked?

From the comments on this answer,
How about changing $_SESSION['user_ip'] = $_SERVER['remote_addr'] to $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];

继续阅读:phpsession

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9