I want to protect my sid (session). Currently I am not using cookies/sessions, as many devices don't support them. What I need: only those members who logged in with the password from login.php can access the site; otherwise, if they copy and paste the link into the browser, they will not be able to access the site, or they will see "Your session has been expired". Is it possible to do this without cookies/sessions? I tried saving the browser and IP beside the session table, but they change frequently and users get "Your session has been expired". Can you give me a solution for that?
[Lavalair] [sid protection] Other people cannot login with the current user sid
In which country do mobile devices not support cookies?? Cookies are not supported if you have a hell old mobile device; all phones from the last 7 years support cookies and JS.
Added after 9 minutes:
By the way, read again what you write below. If you are not using sessions, how did your members log in in the first place and stay on the site for some time, usually in piramide lava about 6 minutes? It's sessions. Your post is pointless, as we all know lava in most cases runs on sessions, which can be set in the core.php file, still from ancient times.
Last edited by chelios; 25.02.14, 21:16.
Due to mobiles not having a persistent connection, it makes mobiles change ip addresses regularly, there is nothing you can do about this apart from remove that part of the script, it is pointless anyway as a session can still be used even with browser and ip protection - even changing the script to cookies/sessions will not stop a session from being stolen and used.
The best option is to fix the holes that people are using to steal sessions.
Originally posted by something else: Due to mobiles not having a persistent connection, it makes mobiles change ip addresses regularly, there is nothing you can do about this apart from remove that part of the script, it is pointless anyway as a session can still be used even with browser and ip protection - even changing the script to cookies/sessions will not stop a session from being stolen and used.
The best option is to fix the holes that people are using to steal sessions.
SID protection in LAVALAIR ?
Lavalair script,
was perfect to start with site and getting basics PHP knowledge.
But today ???
Hmmm.... I don't think so...
It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
To make lava best safe site.
1. delete it
2. code something that isn't lavalair
How to stop sid
1. Do not allow the use of [ image = url ] | Use one that has it coded in PHP image, other name GD image, like <img src=\"image.php?url=userimageurlhere\"/>
2. Use the anti SQL injection that I have posted.
3. Don't allow symbols in user/post/chat unless it's decoded. Using html hash tags doesn't really save you.
I will give you an idea how to do it:
make a condition, something like: when the user logs in, the device IP/browser will be bound to his/her session, so that IF the user changes IP/browser with the same session, the session will DIE.
I cannot judge the lavalair script because I respect every coder.
The best way to protect your LAVALAIR site is to fix its holes against XSS/backdoors/SQL injections.
LEARN PHP/MySQL =) Don't be LAZY leeching from others' work.
Originally posted by wapxtech: I will give you idea how to do it,
make a condition something like if the user logs in the device IP/Browser will be bind in his/her session so that IF the user changes its IP/Browser with the same session the session will DIE
Originally posted by something else: as said above - not a good idea on mobiles due to non static ip addresses on some networks like orange
yo shakil, just curious, what script you running? you need to sanitise all your inputs, ie: code a function that blocks any sql injection, n run that on every post and get variable in the script... also sanitise any points you check the users browser... that'll get you on your way, oh and run all content uploaded by users through php scripts n chmod destination of any uploads to server only or upload above public_html....
been years, but gotta say i love lava, possibilities are endless, lol
Originally posted by wapxtech: would you think someone will hack your session with the same ISP?
Originally posted by wapxtech: if it will happen the hacker of your session is your neighbor OR your friend using the same ISP with the same server location LOL.
Originally posted by wapxtech: its hard to understand how it happens if you have no knowledge in networking =)
I was not talking about getting hacked - I was talking about getting logged out every few seconds/mins due to mobiles reconnecting to servers to prevent sky high bills - this also can change your IP number regularly. So therefore making it linked to a session is a bad idea.
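Added example, not part of any post in this thread and not Lavalair code: the trade-off argued over above, run on a constructed sequence of page loads from one phone whose carrier changes its IP. It compares an IP-bound sid check with a check that relies only on an unguessable sid and a server-side idle timeout. The function names, the in-memory store, the 360-second limit and the request list are all assumptions made for the illustration.

```php
<?php
// Added example; all names here are hypothetical, none come from Lavalair.
const IDLE_LIMIT = 360; // seconds of inactivity before a sid expires (assumed value)

// Create a session: the sid is 256 bits from the CSPRNG; only its hash is stored.
function issue_sid(array &$store, string $user, string $ip, int $now): string
{
    $sid = bin2hex(random_bytes(32));
    $store[hash('sha256', $sid)] = ['user' => $user, 'ip' => $ip, 'seen' => $now];
    return $sid;
}

// Validate a sid taken from the URL. $bindIp = true reproduces the IP-bound check.
function check_sid(array &$store, string $sid, string $ip, int $now, bool $bindIp): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $sid)) {
        return null;                      // malformed value, never reaches the store
    }
    $key = hash('sha256', $sid);
    $row = $store[$key] ?? null;
    if ($row === null) {
        return null;                      // unknown or already expired sid
    }
    if ($now - $row['seen'] > IDLE_LIMIT || ($bindIp && $row['ip'] !== $ip)) {
        unset($store[$key]);              // expire on the server, not just in the link
        return null;
    }
    $store[$key]['seen'] = $now;          // sliding idle timeout
    return $row['user'];
}

// Constructed requests [seconds since login, client IP]: the IP changes between loads.
$requests = [[60, '198.51.100.7'], [120, '198.51.100.93'], [200, '203.0.113.15'], [700, '203.0.113.15']];

foreach ([true, false] as $bindIp) {
    $store = [];
    $sid = issue_sid($store, 'demo_user', '198.51.100.7', 0);
    foreach ($requests as [$t, $ip]) {
        $user = check_sid($store, $sid, $ip, $t, $bindIp);
        printf("bindIp=%d t=%3d ip=%-14s %s\n", (int) $bindIp, $t, $ip, $user ?? 'Your session has been expired');
    }
}
```

With IP binding the member is logged out at the first address change; without it the sid lives until the idle limit passes. Neither variant rejects a copied sid that is replayed inside that window, which is why the replies point at fixing the places where the sid leaks.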