[Lavalair] [sid protection]Other people cannot login with the current user sid


    I want to protect my sid (session). Currently I am not using cookies/sessions, as many devices don't support them. What I need: only those members who logged in with the password from login.php can access the site; otherwise, if they copy and paste the link into the browser, they will not be able to access the site or they will see "Your session has been expired". Is it possible to do this without cookies/sessions? I tried saving the browser and IP beside the session table, but they frequently change and members get "Your session has been expired". Can you give me a solution for that?

    #2
    In which country do mobile devices not support cookies?? Cookies are not supported if you have a hell old mobile device; all phones from the last 7 years support cookies and JS.

    Added after 9 minutes:

    By the way, read again what you wrote below: if you are not using sessions, how do your members log in in the first place and stay on the site for some time, usually in piramide lava about 6 minutes? It's sessions. Your post is pointless, as we all know lava in most cases runs on sessions, which can be set in the core.php file, still from ancient times.
    Last edited by chelios; 25.02.14, 21:16.



      #3
      I just wanted to make it so that the sid will not work on another device; if any session hijack occurs, then he will not be able to log in.



        #4
        Because mobiles do not have a persistent connection, they change IP addresses regularly. There is nothing you can do about this apart from removing that part of the script. It is pointless anyway, as a session can still be used even with browser and IP protection - even changing the script to cookies/sessions will not stop a session from being stolen and used.

        The best option is to fix the holes that people are using to steal sessions.



          #5
          Originally posted by something else
          Because mobiles do not have a persistent connection, they change IP addresses regularly. There is nothing you can do about this apart from removing that part of the script. It is pointless anyway, as a session can still be used even with browser and IP protection - even changing the script to cookies/sessions will not stop a session from being stolen and used.

          The best option is to fix the holes that people are using to steal sessions.

          Thank you, bro, for the detailed explanation. I agree with you. I have removed all external link BBCodes [url=http]text[/*url]. But it is still not secure. If you can suggest what else I can do, it will be helpful to me.



            #6
            Maybe you can try implementing a token? Google it; I personally don't know much about it, but I know tokens are used by web pages with sales systems. Maybe that can help you. Cookies and sessions are really insecure if they are used on lava.



              #7
              SID protection in LAVALAIR ?
              Are you actually serious ???

              The Lavalair script
              was perfect for starting a site and getting basic PHP knowledge.
              But today ???
              Hmmm.... I don't think so...
              It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
              ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
              ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
              キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!



                #8
                You can use external URLs and images; you just have to pass the code away from the sessions.



                  #9
                  To make lava the safest site:

                  1. delete it
                  2. code something that isn't lavalair


                  How to stop sid

                  1. Do not allow the use of [ image = url ] | Instead have it coded as a PHP image, otherwise known as a GD image, like <img src=\"image.php?url=userimageurlhere\"/>

                  2. Use the anti-SQL-injection code that I have posted.

                  3. Don't allow symbols in user/post/chat unless they're decoded. Using HTML hash tags doesn't really save you.
                  Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
                  Visit: WapMasterz Coming Back Soon!
                  _______
                  SCRIPTS FOR SALE BY SUBZERO
                  Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
                  FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
                  _______
                  Info & Tips
                  php.net
                  w3schools.com
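
What posts #8 and #9 describe, as an added example that is not part of the thread or of Lavalair: when the sid travels in the page address, a browser that loads an external image or follows an external link hands that address to the other host in the Referer header, so external content is routed through local scripts that carry no sid. `go.php`, the `h` parameter, `LINK_KEY` and the function names are assumptions; `image.php` is the name used in post #9.

```php
<?php
// Added example, not Lavalair code. go.php, "h", LINK_KEY and the function
// names are hypothetical; image.php is the name used in post #9.
const LINK_KEY = 'replace-with-a-long-random-server-side-secret';

// HMAC tag so go.php / image.php only act on URLs this site rendered itself
// (without it they become an open redirector and an open fetcher).
function sign_url(string $url): string
{
    return hash_hmac('sha256', $url, LINK_KEY);
}

// go.php and image.php call this before using ?url=... go.php must then print
// an HTML page holding the link, not send a Location redirect (a redirect keeps
// the clicked page's Referer). image.php must also refuse internal addresses.
function verify_url(string $url, string $tag): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true)
        && hash_equals(sign_url($url), $tag);
}

// Build the sid-free local address for an external URL taken from escaped text.
function local_href(string $script, string $escapedUrl): string
{
    $url = html_entity_decode($escapedUrl, ENT_QUOTES, 'UTF-8');
    $query = http_build_query(['url' => $url, 'h' => sign_url($url)]);
    return htmlspecialchars("$script?$query", ENT_QUOTES, 'UTF-8');
}

// Render user BBCode so the browser never contacts an external host from a
// page whose address carries ?sid=...
function render_bbcode(string $text): string
{
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $html = preg_replace_callback(      // [img]URL[/img] -> fetched by image.php
        '~\[img\](https?://[^\s\[\]]+)\[/img\]~i',
        fn($m) => '<img src="' . local_href('image.php', $m[1]) . '" alt=""/>',
        $html
    );
    return preg_replace_callback(       // [url=URL]label[/url] -> via go.php
        '~\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]~i',
        fn($m) => '<a href="' . local_href('go.php', $m[1]) . '">' . $m[2] . '</a>',
        $html
    );
}
// Constructed sample post
echo render_bbcode('[url=http://example.com/a?b=1&c=2]my site[/url] [img]http://example.com/p.png[/img]'), "\n";
```

On browsers that honour it, sending a `Referrer-Policy: no-referrer` response header covers the same leak without rewriting links.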



                    #10
                    I will give you an idea of how to do it:

                    Make a condition, something like: when the user logs in, the device IP/browser will be bound to his/her session, so that IF the user changes IP/browser with the same session, the session will DIE.

                    I cannot judge the lavalair script because I respect every coder.

                    The best way to protect your LAVALAIR site is to fix its holes against XSS/backdoors/SQL injections.

                    LEARN PHP/MySQL =) Don't be LAZY, leeching from others' work.

                    http://wapx.amob.com
                    Applications, Games, Wallpapers, Ringtones, Videos, Themes, Screensaver and More!!!



                      #11
                      Originally posted by wapxtech
                      I will give you an idea of how to do it:

                      Make a condition, something like: when the user logs in, the device IP/browser will be bound to his/her session, so that IF the user changes IP/browser with the same session, the session will DIE.

                      As said above - not a good idea on mobiles due to non-static IP addresses on some networks like Orange.



                        #12
                        Originally posted by something else
                        As said above - not a good idea on mobiles due to non-static IP addresses on some networks like Orange.

                        Yah, they commonly use dynamic IPs. Would you think someone will hack your session with the same ISP? An ISP uses a static IP per gateway. If it happens, the hacker of your session is your neighbor OR your friend using the same ISP with the same server location LOL. In addition, for security, add the user-agent to your conditions. It's hard to understand how it happens if you have no knowledge of networking =)

                        http://wapx.amob.com
                        Applications, Games, Wallpapers, Ringtones, Videos, Themes, Screensaver and More!!!



                          #13
                          Lava !! in 2014 !! Are you serious!! :v



                          pmbguy commented
                            It's inspiring, man, almost makes me wanna code a mod again with my newfound ideas n stuff, but bah!!! Too much effort, will defo hook it up though... lava, how I miss those days

                          #14
                          Yo shakil, just curious, what script are you running? You need to sanitise all your inputs, i.e. code a function that blocks any SQL injection, n run that on every POST and GET variable in the script... also sanitise any points where you check the user's browser... that'll get you on your way. Oh, and run all content uploaded by users through PHP scripts n chmod the destination of any uploads to server only, or upload above public_html....

                          Been years, but gotta say I love lava, possibilities are endless, lol
                          C3 Themes: http://c3themes.wen.ru/index.html
                          Find Files: http://mystarter.tk/?goto=X-search



                            #15
                            Originally posted by wapxtech
                            Would you think someone will hack your session with the same ISP?

                            YES

                            Originally posted by wapxtech
                            If it happens, the hacker of your session is your neighbor OR your friend using the same ISP with the same server location LOL.

                            WRONG - mobile networks can connect to the same server from hundreds of miles away.

                            Originally posted by wapxtech
                            It's hard to understand how it happens if you have no knowledge of networking =)

                            >.>

                            I was not talking about getting hacked - I was talking about getting logged out every few seconds/mins due to mobiles reconnecting to servers to prevent sky-high bills - this can also change your IP number regularly. So therefore making it linked to a session is a bad idea.
