Copyright © 2002 - MCS Investments, Inc.
HTML Form Creator—Search and Match Session Monitoring CMS

This script is called checkid_.php

The HTML Form Creator—Search and Match Session Monitoring CMS script is one of a group of PHP scripts that handle both the administrative and end-user sides of a general-purpose HTML Form Creator, one that allows not just input boxes but also select/option lists with multiple selection enabled. Besides the expected editing scripts for both administrative and end-user functions, there is a Search and Match script that lets users find other users who share individual or group characteristics, including proximity searches, i.e., finding all users within a given distance. There are even private messaging scripts.

The purpose of this script is to check the user's session id to make sure they are logged in. This precaution is needed because hackers, exploits, and session hijacking exist: http://ankit-downloadz.blogspot.com says that "Web applications become vulnerable to session hacking due to improper generation and mishandling of cookies while undergoing process. The data that is passed as cookie is known as token so in fact we can say that weak token generation methods and weakness in handling them is main reason for session getting hacked." Some other ways for specified variables to survive page loads are cookies and URL query strings. The latter shows the user name in the URL, so it is weak security-wise. The former forces users to turn on cookies in their Internet Options.

But the two best ways for specified variables to survive page loads are POSTing them to PHP from hidden or visible HTML form input fields, or simply saving a 'username' (or other) session variable in the login script and consulting it as needed. We chose the latter. Cookies are, admittedly, used for session id storage, but because they are not always available, PHP also provides an alternative so that cookies are NOT required for session use: this second method embeds the session id directly into URLs. This is still a lot safer than putting the user name in those URL query strings, since only sophisticated hackers know what to do with this id.

If you wish to raise the security level beyond what we normally do, regenerate the session identifier (session_regenerate_id() is good for this) whenever the privilege level changes (for example, after verifying a username and password), to prevent session fixation attacks. There are other ways to make things difficult for the bad guys and easy for the good guys as well.

For low-security applications like our HTML Form Creator apps, our session handling is probably adequate. On to the code, which you may feel free to enhance if you are feeling paranoid. First, we start up a session.

If their session id is not set, we send them to HTML Form Creator—Register with Captcha, after first calling the PHP functions session_unset() and session_destroy() to kiss goodbye to both the session variables and the session.

If their session id is set, we simply continue, with a little "session logged" comment thrown in for good measure.

The script below is called: checkid_.php


<?php
session_start();
if(!isset($_SESSION['sessionid'])){

    // Not logged in: discard the session variables and the session itself
    session_unset();
    session_destroy();

    // Send them to the registration page. The exit matters: without it
    // PHP keeps executing the including page for a logged-out visitor,
    // because header() only sets the redirect, it does not stop the script.
    header('Location: register-with-captcha_.php');
    exit;

}else{
// session logged
}
?>
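The following is an added example, not the site's own checkid_.php or login script. It shows the session_regenerate_id() step recommended above placed in a login handler, together with a check function that does what checkid_.php does but also ties the stored 'sessionid' value to the current session id and stops the script after redirecting. verifyCredentials() and its sample user are hypothetical placeholders.

```php
<?php
// Added example (not the original checkid_.php). verifyCredentials() and
// its single sample user are constructed for this example only.
declare(strict_types=1);

// Hypothetical credential check; a real script would look the user up in
// its database and compare with password_verify() as done here.
function verifyCredentials(string $username, string $password): bool
{
    // Constructed sample user for this example only.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Called by the login script once the username/password have been verified.
// Regenerating the id here means an id a visitor carried in before logging
// in (session fixation) is not the id that becomes logged in.
function startLoggedInSession(string $username): void
{
    session_regenerate_id(true);              // new id, old session data deleted
    $_SESSION['sessionid'] = session_id();
    $_SESSION['username']  = $username;
}

// Equivalent of checkid_.php for pages that require a login.
function requireLogin(string $registerUrl = 'register-with-captcha_.php'): void
{
    if (!isset($_SESSION['sessionid']) || $_SESSION['sessionid'] !== session_id()) {
        session_unset();
        session_destroy();
        header('Location: ' . $registerUrl);
        exit;   // nothing below this line must run for a logged-out visitor
    }
}

session_start();
// Login script: on a successful POST, promote the session.
if (isset($_POST['username'], $_POST['password'])
    && verifyCredentials((string)$_POST['username'], (string)$_POST['password'])) {
    startLoggedInSession((string)$_POST['username']);
}
// Every protected page: run the check before producing any output.
requireLogin();
echo 'Logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```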