ok i get it but then the answer to this thread is to not post a link to an external site in anyway unless the link is in such a manner that you would have to copy and paste in your browser
-
sigpic
|~~Dont forget to say thanx~~|
-
u can force cookie 2 expire after so long but thats stored in the browser so i can see ur point but u can stil use database 2 end sessions too and lava has auto session destroy in the database so if the cookie and db session are set 2 expire in say 20mins of inactivity then ur ok jus store session id in the cookie dnt use the cookie value as the session id as its easy 2 crack thatComment
-
for some reason i cant get it to work.
click here to join blingywap.co.za
http://blingywap.co.za
IF YOU NEED HELP JUST ASK AND ALWAYS SAY THANK YOU!Comment
-
what about using sesid=$sesid in url and session start with cookies. This way you have a session which u store in ur db and a session stored as a cookie. double the protection. would this work?sigpic
|~~Dont forget to say thanx~~|
Comment
-
u need it stored in the database so it can interact anyway no need for it in the url thats what makes it easy 2 crackComment
-
the only thing id do in the url is pass a fake session, most people who attempt to hack these wap sites (which are 10 to a dozen these days) have already done it via url session snatching or they are so narrow minded if they see a session id in url they dont think to check anything else so pass a random fake session between pages , they snatch it a few times, each time it dont work so they give upComment
-
Thats exactly what i am talking about, i think we more or less on the same pathOriginally posted by djlee View Postsigpic
|~~Dont forget to say thanx~~|
Comment
-
Alternate way could be to use browser and ip as your session id*
$check = md5($browser$ip$your_code);
if ($sid!=$check) print 'Your browser and ip details have been logged in our database<br/>If it appears in our database again your internet provider will be contacted!';
that way even if session id does get stolen it renders it useless*Comment
-
basically using an independant salt... and ive suggested ip based restrictions before. and when i did someone moaned at me saying that its a good possibility that on wap multiple people can use the same IP address as there shared a lot more than a standard pc users ip. so theres still a good possibility that it could be ineffective all the time.
Sorry but every suggestion i make someone pokes holes in it yet never coming up with a fool proof way themselves. Its only fair you get the same treatment. But from a neutral standpoint the concept has its merits and will function just as well as most of the other implementations suggested hereComment
-
doesnt matter what is done theres always gonna be questions 2 it i prefer using cookie sessions as its neater code can hide lot info in them including ip, uid etc 1 thing i did wif my script is all the url links dnt use uid at all so ppl cant inject that info it wont do any gud lol wouldnt it be better 2 store session and ip in the cookie and if ip changes from whats in database then it has 2 be revalidated as a new sessionComment
-
thanks broOriginally posted by jsyguy23 View Post
can u please tell me where to put this code in logout
this codePHP Code:session_destroy(); // this in your logout code
logout code
thanksPHP Code:///////////////////////////Logout///////////////////////////////
else if($action=="logout")
{
$who = $_GET["who"];
$user = getnick_uid($who);
echo "<head>";
echo "<title>Logout</title>";
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../themes/$theme[0]\">";
echo "</head>";
echo "<body>";
echo "<p align=\"center\">";
$uid = getuid_sid($sid);
if($who!=$uid){
echo "<b><img src=\"../images/notok.gif\" alt=\"x\"/><br/>Error!!!<br/>Permission Denied...</b><br/>";
echo "<br/>$user, U Cannot Log Someone Out<br/>This Is An Attempt To Breach Site Security<br/>If U Are Caught Trying This Again U Will Be Banned<br/>";
echo "<br/><a accesskey=\"1\" href=\"index.php?action=main&\"><img src=\"../images/home.gif\" alt=\"\"/>Ok!</a>";
echo "</p>";
}else{
echo "<br/>";
$res = mysql_query("DELETE FROM ibwf_ses WHERE uid='".$who."'");
if($res)
{
addonline($who,"Logging Out","");
echo "<img src=\"../images/ok.gif\" alt=\"O\"/><b>$user</b><br/>U Hav Successfully Logged Out Pls Come Back Soon :o)<br/>";
}else{
echo "<img src=\"../images/notok.gif\" alt=\"X\"/>Error Logging Out";
}
echo "<br/><a accesskey=\"1\" href=\"index.php\"><img src=\"../images/home.gif\" alt=\"\"/>ok!</a>";
echo "</p>";
}
echo "</body>";
}
Comment
-
Originally posted by wolf77ar View Post
hmmm i try this but not working... when i enter in menu.:D session expires apearsComment
-
You could protect session id from being stolen by using Curl ......*
It might be a drain on your bandwidth but it would make your site a lot safer against session stealing muppets lol*
And also if anyone does try to session steal then you would have there ip and browser details and know they were defently trying to steal sessions as you could change the session they steal to something like:
$haha = md5("im a session stealing idiot");
//http://domain.com/?action=main&sid=$haha
if($sid=$haha) print 'bugger off you wannabe hacker!';
And the best thing about it you wouldnt need to edit every page. you could do it straight off your login page
Comment
-
Just a quick note to people who do decide to use cookies/sessions:*
make sure you protect your url bb code to prevent unwanted urls being added on your site
Comment
-
can someone please post the complete code to remove $sid? Thanx
click here to join blingywap.co.za
http://blingywap.co.za
IF YOU NEED HELP JUST ASK AND ALWAYS SAY THANK YOU!Comment
Comment