Scoobler
03-26-2008, 04:20 PM
Hello,
I am trying to build a site, it is very low usage as in there are really only 12 or so people who will acutally use the site, maybe more guests, but not many.
I am trying to create a security system for it, each page has several uses. Here is a very cut down version of my code:
<?php
####################
# The following code is part of a file included in every viewable page.
####################
// Start session off
session_start();
// Encrypt a finger print:
$setword = "SomethingAboutThisSite";
// Include: IP, Browser, Username,
// Setword - Make sure this finger print is unique to this site.
// User Active - incase a user is deactivated during their session by a higher user.
$setfinger = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$_SESSION['user'].$_SESSION['user_active']);
####################
# The following takes place after sucessfull completion of username and password
# in a login script.
####################
$_SESSION['user_finger'] = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$username.$user_active);
// Username, as entered. User_active is taken from the DB.
####################
# Each page has multiple purposes, guests, users and higher users, this is how its checked:
####################
// Check if the user is authenticated:
if (($_SESSION['user_finger'] == $setfinger) & ((time() - $_SESSION['login_time']) < 3600 ))
{
if ($_SESSION['user_level'] == "higher")
{
// Whatever a higher powered user can do on this page.
}
else
{
// Whater a normal user can do on this page.
}
else
{
// What ever a guest can do on this page.
}
####################
# Each page has a footer which tidies up some script and formatting of the page
####################
// Included is some code to extend the log in time, so as long as they are
// active they stay logged in.
// There is also some code which adds details to a database to show when the user
// was last active and what page they were viewing.
// This is so higher users can see who is currently logged in and what they are
// doing.
// Any entry past the sessions expiry time is removed from the database.
// A log is also made against the users details of their last activity time, which
// remains till their next login.
?>
What do people think?
What are the security risks with using something like this?
The actual code won't be public in anyway so variables and things shouldn't be known?
Thanks in advanced!
Scoobler.
I am trying to build a site, it is very low usage as in there are really only 12 or so people who will acutally use the site, maybe more guests, but not many.
I am trying to create a security system for it, each page has several uses. Here is a very cut down version of my code:
<?php
####################
# The following code is part of a file included in every viewable page.
####################
// Start session off
session_start();
// Encrypt a finger print:
$setword = "SomethingAboutThisSite";
// Include: IP, Browser, Username,
// Setword - Make sure this finger print is unique to this site.
// User Active - incase a user is deactivated during their session by a higher user.
$setfinger = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$_SESSION['user'].$_SESSION['user_active']);
####################
# The following takes place after sucessfull completion of username and password
# in a login script.
####################
$_SESSION['user_finger'] = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_ADDR'].$setword.$username.$user_active);
// Username, as entered. User_active is taken from the DB.
####################
# Each page has multiple purposes, guests, users and higher users, this is how its checked:
####################
// Check if the user is authenticated:
if (($_SESSION['user_finger'] == $setfinger) & ((time() - $_SESSION['login_time']) < 3600 ))
{
if ($_SESSION['user_level'] == "higher")
{
// Whatever a higher powered user can do on this page.
}
else
{
// Whater a normal user can do on this page.
}
else
{
// What ever a guest can do on this page.
}
####################
# Each page has a footer which tidies up some script and formatting of the page
####################
// Included is some code to extend the log in time, so as long as they are
// active they stay logged in.
// There is also some code which adds details to a database to show when the user
// was last active and what page they were viewing.
// This is so higher users can see who is currently logged in and what they are
// doing.
// Any entry past the sessions expiry time is removed from the database.
// A log is also made against the users details of their last activity time, which
// remains till their next login.
?>
What do people think?
What are the security risks with using something like this?
The actual code won't be public in anyway so variables and things shouldn't be known?
Thanks in advanced!
Scoobler.