HTML Form Creator—Search and Match Session Monitoring CMS
This script is called checkid_.php
The HTML Form Creator—Search and Match Session Monitoring CMS script is one of a group of PHP scripts that handle both the administrative and end-user sides of a general-purpose HTML Form Creator, one that supports not just input boxes but select/option lists with multiple selection enabled. Besides the expected editing scripts for administrators and end users, there is a Search and Match script that lets users find other users who share individual or group attributes, including proximity searches (find all users within a given distance). There are even private messaging scripts.
Administrative HTML Form Creator Scripts
- HTML Form Creator
- Edit Options in HTML Form Creator Form
- Administrator Page for HTML Form Creator
End-User HTML Form Creator Scripts
- HTML Form Creator—Register with Captcha
- HTML Form Creator—View Profile
- HTML Form Creator—Edit Profile
- HTML Form Creator—Search and Match
- HTML Form Creator—Search and Match — Security
- HTML Form Creator—Search and Match — JavaScript
- HTML Form Creator—Search and Match — Form
- HTML Form Creator—Search and Match — PHP
- HTML Form Creator—Enter Record in Form
- HTML Form Creator—View Record in Form
- HTML Form Creator—Profile and Account Management
- HTML Form Creator—Login to Profile and Account Management
- HTML Form Creator—Logout of Profile and Account Management
- HTML Form Creator—Delete Group Account
- HTML Form Creator—Forgot User Name
- HTML Form Creator—Forgot Password
- HTML Form Creator—Form to Send Private Message
- HTML Form Creator—Send Private Message
- HTML Form Creator—Private Message Outbox
- HTML Form Creator—Private Message Inbox
- HTML Form Creator—Delete Private Message from Inbox
- HTML Form Creator—Delete Private Message from Outbox
- HTML Form Creator—Private Message Logout
- HTML Form Creator—Search and Match Session Monitoring
- HTML Form Creator—Configure File for Database Connection
- HTML Form Creator—Captcha Script for Registration and Login
The purpose of this script is to check the user's session to make sure they are logged in before the including page does anything else. The precaution is warranted because session hijacking is a real and common attack; as http://ankit-downloadz.blogspot.com puts it, "Web applications become vulnerable to session hacking due to improper generation and mishandling of cookies while undergoing process. The data that is passed as cookie is known as token so in fact we can say that weak token generation methods and weakness in handling them is main reason for session getting hacked." Other ways to carry state across page loads are cookies and URL query strings. The latter exposes the user name in the URL, so it is weak security-wise; the former requires users to have cookies enabled in their browser.
The two best ways to carry state across page loads are POSTing it back to PHP from (hidden or visible) HTML form fields, or saving a 'username' (or similar) session variable in the login script and consulting it as needed. We chose the latter. Cookies are, admittedly, used to store the session id, and because they are not always available PHP also offers a fallback (session.use_trans_sid) that embeds the session id directly in URLs. Be clear about what that fallback costs: a session id in the URL leaks through the Referer header, browser history, bookmarks and server logs, and whoever obtains it owns the session exactly as if they had stolen the cookie; it also makes session fixation trivial, since an attacker can hand a victim a link with a chosen id. It is no safer than putting the user name in the query string, only less obvious, so unless you really must support cookieless clients, disable it with session.use_only_cookies=1 and session.use_trans_sid=0.
If you wish to raise the security level beyond what we normally do, regenerate the session identifier with session_regenerate_id(true) whenever the privilege level changes (for example, right after verifying a username and password), so that a session id an attacker planted before login is worthless afterwards; this is the standard defence against session fixation. Other cheap improvements: set session.use_strict_mode=1 so PHP rejects session ids it did not issue, send the session cookie with the HttpOnly and (on HTTPS sites) Secure flags so scripts and plain-HTTP requests cannot read it, and store a login timestamp in the session so idle sessions can be expired.
For low security applications like our HTML Form Creator apps, our session handling is probably adequate. On to the code, which you may feel free to enhance if you are feeling paranoid: First, we start up a session.
If the 'sessionid' session variable (which the login script sets after a successful login; this is a variable stored in the session, not PHP's own session id) is not set, we send them to HTML Form Creator—Register with Captcha, after first calling the PHP functions session_unset() and session_destroy() to kiss goodbye both the session variables and the session itself. Note that header() only queues the redirect; the script must exit immediately afterwards, or the rest of the including page runs for the unauthenticated visitor anyway.
If the session variable is set, we simply continue, with a little "session logged" comment thrown in for good measure.
The script below is called: checkid_.php
<?php
// checkid_.php: include at the top of every page that requires a login.
session_start();

// 'sessionid' is a session variable set by the login script; if it is
// missing, this visitor has not logged in (or the session has expired).
if(!isset($_SESSION['sessionid'])){
    session_unset();     // drop all session variables
    session_destroy();   // drop the session itself
    header('Location: register-with-captcha_.php');
    exit;                // stop here; otherwise the including page keeps running
}else{
    // session logged
}
?>
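The hardening suggested above (cookie-only sessions, strict mode, HttpOnly/Secure cookie flags, regenerating the id at login, an idle timeout, and exiting after the redirect) applied to the same check, as an added example. This is not the page's own checkid_.php; the function names are hypothetical, the 1800-second idle limit is an arbitrary choice, and it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and, like the original, that the login script is what marks the user as logged in.

```php
<?php
// Added example (not the original checkid_.php): a hardened login check.
// Assumes the login script calls mark_logged_in() after verifying credentials.

const IDLE_LIMIT_SECONDS = 1800; // assumed idle timeout: 30 minutes

// Configure and start the session. Must run before any output.
function start_secure_session(): void
{
    // Accept the session id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not issue (defeats planted/fixated ids).
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'secure'   => $https,   // only sent over TLS when the site uses TLS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_start();
}

// Call from the login script once the username/password check passes.
function mark_logged_in(string $username): void
{
    // Privilege level changed: issue a fresh id and delete the old session
    // file, so an id an attacker planted before login is now useless.
    session_regenerate_id(true);
    $_SESSION['sessionid']     = session_id(); // same key the original checks
    $_SESSION['username']      = $username;
    $_SESSION['last_activity'] = time();
}

// Tear down the session and send the visitor to the registration page.
function logout_and_redirect(string $target): void
{
    session_unset();
    session_destroy();
    header('Location: ' . $target);
    exit; // required: header() alone does not stop the including page
}

// Replacement for the check in checkid_.php.
function require_login(string $redirect = 'register-with-captcha_.php'): void
{
    if (!isset($_SESSION['sessionid'], $_SESSION['last_activity'])) {
        logout_and_redirect($redirect);
    }
    // Expire sessions that have been idle too long.
    if (time() - (int)$_SESSION['last_activity'] > IDLE_LIMIT_SECONDS) {
        logout_and_redirect($redirect);
    }
    $_SESSION['last_activity'] = time(); // sliding window
}

start_secure_session();
require_login();
// session logged; the page that included this file continues from here
?>
```

The order matters: the ini_set() and session_set_cookie_params() calls only take effect if they run before session_start(), and session_regenerate_id(true) belongs in the login path, after authentication succeeds, not in the per-page check, where it would needlessly churn the id on every request.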