leavai Newbie
Posts: 9
Threads: 1
Joined: Sep 2016
Reputation: 0
11-07-2017, 12:08 PM
Hi! I've a serious problem: my users can see info of other users. How? I don't know, but I suspect that session variables on my server are the problem. How do I test it?
The situation is the following:
User A is logged in to the app with his credentials. All info (username, avatar, id, permission) is stored in session variables using CodeIgniter. Suddenly, he can see the avatar, username and info of another user of the application... what can I do!?
Please, help me!
Thanks!
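An added example (not from the poster and not CodeIgniter's own code) of one way to test the symptom described above from the outside: two independent HTTP clients, each with its own cookie jar, log in as two different accounts and then fetch the panel alternately, and each response is checked for containing only its own username. The base URL, the login route "login/ingresar" (derived from the poster's controller method name), the form field names "correo" and "password", and the two test accounts are assumptions or placeholders to replace with values from your own installation.

```php
<?php
// Added example: black-box check that two logged-in sessions do not leak into
// each other. Requires PHP with the curl extension; run from the CLI.

$base  = 'https://example.test/';   // placeholder: base_url() of the installation
$users = array(                     // placeholder test accounts, not real credentials
    array('correo' => 'usera@example.test', 'password' => 'PLACEHOLDER_A', 'nombre' => 'UserA'),
    array('correo' => 'userb@example.test', 'password' => 'PLACEHOLDER_B', 'nombre' => 'UserB'),
);

// One curl handle per simulated browser, each with its own cookie jar file.
function new_client($jar) {
    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_COOKIEJAR      => $jar,  // store cookies received from the app here
        CURLOPT_COOKIEFILE     => $jar,  // and send them back on later requests
        CURLOPT_FOLLOWLOCATION => true,  // follow the redirect to "panel" after login
        CURLOPT_RETURNTRANSFER => true,
    ));
    return $ch;
}

// POST the login form the way the poster's ingresar() method expects it.
function login($ch, $base, $u) {
    curl_setopt($ch, CURLOPT_URL, $base . 'login/ingresar');   // assumed route
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
        'correo'   => $u['correo'],
        'password' => $u['password'],
    )));
    return curl_exec($ch);
}

function fetch_panel($ch, $base) {
    curl_setopt($ch, CURLOPT_URL, $base . 'panel');
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    return curl_exec($ch);
}

$clients = array();
foreach ($users as $i => $u) {
    $jar         = tempnam(sys_get_temp_dir(), 'jar');  // separate cookie jar per user
    $clients[$i] = new_client($jar);
    login($clients[$i], $base, $u);
}

// Fetch the panel several times, alternating between the two sessions, so that
// they overlap in time the way two real users would.
$ok = true;
for ($round = 0; $round < 5; $round++) {
    foreach ($users as $i => $u) {
        $html  = fetch_panel($clients[$i], $base);
        $other = $users[1 - $i]['nombre'];
        if (strpos($html, $u['nombre']) === false || strpos($html, $other) !== false) {
            $ok = false;
            printf("round %d: client %d (%s) received another identity's data\n", $round, $i, $u['nombre']);
        }
    }
}
echo $ok ? "sessions stay isolated\n" : "session data leaked between users\n";
```

The check only makes sense on a page that shows the logged-in user's own name and never lists other users; otherwise the "other username present" test gives false positives. Comparing the two cookie jar files after login is a useful extra check: the two clients must have received different session cookies.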
Is your server Apache or NGINX?
leavai Newbie
Hi everyone! Thanks for your replies.
I will try to show you some code to resolve my trouble.
First, when a user logs on in my app, the function "ingresar" in my login.php controller unsets and sets session variables with some info about the user:
Code:
    public function ingresar(){
        $correo = $this->security->xss_clean(strip_tags($this->input->post('correo')));
        // NOTE: md5() is not a password hash; PHP's password_hash()/password_verify() is the safer choice
        $pass = md5($this->security->xss_clean(strip_tags($this->input->post('password'))));
        $Usuarios = new Usuario_Model();
        $result = $Usuarios->login($correo, $pass);
        if(count($result)>0){
            foreach($result as $u){
                // clear whatever a previous login left in this session
                $this->session->unset_userdata('id');
                $this->session->unset_userdata('mail');
                $this->session->unset_userdata('nombre');
                $this->session->unset_userdata('activo');
                $this->session->unset_userdata('logo_empresa');
                $this->session->unset_userdata('nombre_empresa');
                $this->session->unset_userdata('id_empresa');
                $this->session->unset_userdata('nivel');
                $this->session->unset_userdata('estado_sesion');
                // store the identity of the user who just authenticated
                $this->session->set_userdata('id', $u->id);
                $this->session->set_userdata('mail', $u->mail);
                $this->session->set_userdata('nombre', $u->nombre);
                $this->session->set_userdata('activo', $u->activo);
                $this->session->set_userdata('nivel', $u->nivel);
                $this->session->set_userdata('nombre_empresa', $u->nombre_empresa);
                $this->session->set_userdata('id_empresa', $u->id_empresa);
                $this->session->set_userdata('logo_empresa', $u->logo_empresa);
                $this->session->set_userdata('avatar_user', $u->avatar_user);
                $this->session->set_userdata('estado_sesion', TRUE);
                redirect(base_url()."panel");
            }//End foreach
        }else{
            $this->session->set_flashdata('mensaje', 'El usuario o password es incorrecto');
            redirect(base_url()."login/index/1");
            //$this->index(1);
        }//End if
    }//End method ingresar
Then, when the "panel" controller is loaded, I have the following code:
Code:
    <?php
    defined('BASEPATH') OR exit('No direct script access allowed');
    class Panel extends CI_Controller {
        public function __construct(){
            parent::__construct();
            $this->load->helper('html');
            $this->load->helper('form');
            $this->load->model('usuario_model');
            $this->load->model('panel_model');
            $this->load->helper('security');
            // usuarios_lib and counters_lib are not loaded here, so they must be
            // autoloaded in application/config/autoload.php
            $this->usuarios_lib->controla_sesion();
            $this->load->library('form_validation');
            $this->load->library('session_data_lib');
        }
        public function index(){
            // view settings read by Session_data_lib::set_data_session(); without
            // them $data_session is undefined at the call below (placeholder values)
            $data_session = array(
                'title'      => 'Panel',
                'opcionMenu' => 'panel',
                'bodyClass'  => '',
            );
            $data_session = $this->session_data_lib->set_data_session($data_session); //session variable load
            if ($data_session['nivel']==1 || $data_session['nivel']==2){
                $data_counters = $this->counters_lib->get_admin_counters(); //load the counter variables
            }else{
                $data_counters = $this->counters_lib->get_user_counters(); //load the counter variables
            }
            $this->load->view('templates/header', $data_session);
            $this->load->view('templates/menu_top', $data_session);
            $this->load->view('templates/menu_left', $data_counters);
            if ($data_session['nivel']==0) {
                $this->load->view('panel/panel_user',$data_counters);
            }else{
                $this->load->view('panel/panel_admin',$data_counters);
            }
            $this->load->view('templates/footer',$data_counters);
        }//End method index
    }
As you can see, there is one library called 'session_data_lib'; its code is the following:
Code:
    <?php defined('BASEPATH') OR exit('No direct script access allowed');
    class Session_data_lib {
        protected $CI;
        // We'll use a constructor, as you can't directly call a function
        // from a property definition.
        public function __construct()
        {
            // Assign the CodeIgniter super-object
            $this->CI =& get_instance();
            $this->CI->load->library('session');
            $this->CI->load->model('panel_model');
            $this->CI->load->helper('url');
        }
        // Merge the view settings passed in with the identity stored in the session
        public function set_data_session($data_session)
        {
            $data_lib_session['title'] = $data_session['title'];
            $data_lib_session['opcionMenu'] = $data_session['opcionMenu'];
            $data_lib_session['bodyClass'] = $data_session['bodyClass'];
            $data_lib_session['nombre'] = $this->CI->session->userdata('nombre');
            $data_lib_session['userid'] = $this->CI->session->userdata('id');
            $data_lib_session['nivel'] = $this->CI->session->userdata('nivel');
            $data_lib_session['avatar_user'] = $this->CI->session->userdata('avatar_user');
            $data_lib_session['logo_empresa'] = $this->CI->session->userdata('logo_empresa');
            $data_lib_session['nombre_empresa'] = $this->CI->session->userdata('nombre_empresa');
            $data_lib_session['id_empresa'] = $this->CI->session->userdata('id_empresa');
            $data_lib_session['arr_css'] = array("absolute_admin/assets/fonts/iconsweets/iconsweets.css");
            $data_lib_session['lastSegs'] = $this->CI->panel_model->get10LastSeg($this->CI->session->userdata('id_empresa'));
            return $data_lib_session;
        }//End method set_data_session
    }//End class
In this function, I save the user session variables in an array and return it to the controller in this line:
Code:
    $data_session = $this->session_data_lib->set_data_session($data_session); //load the session variables
Finally, I send this to the views.
Maybe I've made many errors. Help me please!
Thanks!
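As an added example (not the poster's code and not part of CodeIgniter), here is the same login step written against the CodeIgniter 3 Session library, which the thread's later quote from the official docs refers to; the poster is on 2.2.6, whose session API differs. It shows the two defensive points a reviewer would raise on the method above: the password is verified against a stored password_hash() value instead of being md5()'d, and the session ID is regenerated at the moment of authentication so that an ID issued before login never becomes an authenticated one. The model method `Usuario_model::find_by_mail()` and the `password_hash` column are assumptions; the session keys and field names follow the poster's code.

```php
<?php
// Added example, not the poster's code: CodeIgniter 3 login with password_verify()
// and session ID regeneration. Assumed: Usuario_model::find_by_mail($correo)
// returns one row object with a password_hash column (created by password_hash())
// or NULL when the address is unknown.
defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller {

    public function __construct() {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->load->model('usuario_model');
    }

    public function ingresar() {
        $correo = (string) $this->input->post('correo', TRUE);  // TRUE = run xss_clean on the address
        $pass   = (string) $this->input->post('password');      // the password is never filtered or hashed by hand

        $u = $this->usuario_model->find_by_mail($correo);        // assumed model method

        // password_verify() does a constant-time comparison against the stored hash.
        // Unknown address and wrong password take the same branch, so the response
        // does not reveal which one was wrong.
        if ($u === NULL || ! password_verify($pass, $u->password_hash)) {
            $this->session->set_flashdata('mensaje', 'El usuario o password es incorrecto');
            redirect('login/index/1');
            return;
        }

        // New session ID for the authenticated user; TRUE also deletes the old
        // session data on the server, so nothing from the pre-login session survives.
        $this->session->sess_regenerate(TRUE);

        // Setting all identity keys in one call overwrites any previous values for
        // these keys, which replaces the per-key unset_userdata() calls above.
        $this->session->set_userdata(array(
            'id'             => $u->id,
            'mail'           => $u->mail,
            'nombre'         => $u->nombre,
            'activo'         => $u->activo,
            'nivel'          => $u->nivel,
            'nombre_empresa' => $u->nombre_empresa,
            'id_empresa'     => $u->id_empresa,
            'logo_empresa'   => $u->logo_empresa,
            'avatar_user'    => $u->avatar_user,
            'estado_sesion'  => TRUE,
        ));

        redirect('panel');
    }
}
```

The corresponding logout should call `$this->session->sess_destroy()` so the server-side session data is removed rather than only the cookie being cleared.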
leavai Newbie
(11-08-2017, 05:20 AM)Gustavo Martins Wrote: Is your server Apache or NGINX?
Hi Gustavo! Currently I have my application hosted with a hosting provider in Argentina with cPanel access. How can I check this? Thanks for your reply.
leavai Newbie
(11-08-2017, 10:39 AM)Narf Wrote: (11-08-2017, 09:58 AM)leavai Wrote: (11-08-2017, 05:20 AM)Gustavo Martins Wrote: Is your server Apache or NGINX?
Hi Gustavo! Currently I have my application hosted with a hosting provider in Argentina with cPanel access. How can I check this? Thanks for your reply.
English only please.
Hi Gustavo, currently my app is hosted in Argentina with cPanel access only. How can I verify whether it uses Apache or NGINX?
Thanks
leavai Newbie
I found this info on the CodeIgniter official site (read the red text and my final conclusion):
Quote: A note about concurrency
Unless you’re developing a website with heavy AJAX usage, you can skip this section. If you are, however, and if you’re experiencing performance issues, then this note is exactly what you’re looking for.
Sessions in previous versions of CodeIgniter didn’t implement locking, which meant that two HTTP requests using the same session could run exactly at the same time. To use a more appropriate technical term - requests were non-blocking.
However, non-blocking requests in the context of sessions also means unsafe, because modifications to session data (or session ID regeneration) in one request can interfere with the execution of a second, concurrent request. This detail was at the root of many issues and the main reason why CodeIgniter 3.0 has a completely re-written Session library.
Why are we telling you this? Because it is likely that after trying to find the reason for your performance issues, you may conclude that locking is the issue and therefore look into how to remove the locks …
DO NOT DO THAT! Removing locks would be wrong and it will cause you more problems!
Locking is not the issue, it is a solution. Your issue is that you still have the session open, while you’ve already processed it and therefore no longer need it. So, what you need is to close the session for the current request after you no longer need it.
Long story short - call
Code: session_write_close()
once you no longer need anything to do with session variables.
Actually, I'm using CodeIgniter version 2.2.6. Could that be the reason for my trouble?
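An added example (not from the thread and not CodeIgniter code) of the pattern the quoted note recommends, written in plain PHP because CodeIgniter 3's Session library is built on PHP's native sessions and `session_write_close()` is the native function. PHP's default file handler holds an exclusive lock on the session file from `session_start()` until the script ends or `session_write_close()` is called, so every other request carrying the same session cookie waits; the fix is to copy what the request needs out of `$_SESSION`, release the lock, and only then do the slow work. The `build_slow_report()` function is a stand-in for whatever slow database or API call the request performs.

```php
<?php
// Added example: release the session lock as soon as the request has what it
// needs from the session. Session keys follow the poster's code.

session_start();

// Copy the identity values this request needs into a local array.
$me = array(
    'id'     => isset($_SESSION['id'])     ? $_SESSION['id']     : null,
    'nombre' => isset($_SESSION['nombre']) ? $_SESSION['nombre'] : null,
    'nivel'  => isset($_SESSION['nivel'])  ? (int) $_SESSION['nivel'] : 0,
);

// Any change to the session must be made before the lock is released.
$_SESSION['last_seen'] = time();

// Flush the data to the session store and release the lock. Other requests
// for this same session (parallel AJAX calls from the same browser) may now run.
session_write_close();

// From here on, use only the local copy: assignments to $_SESSION after
// session_write_close() are silently discarded.
$report = build_slow_report($me['id']);

header('Content-Type: application/json');
echo json_encode(array('user' => $me['nombre'], 'nivel' => $me['nivel'], 'report' => $report));

// Stand-in for a slow database or external API call (assumed, not a real dependency).
function build_slow_report($userId) {
    usleep(500000);  // half a second of simulated work while the session is already unlocked
    return array('user_id' => $userId, 'generated_at' => date('c'));
}
```

The lock is per session ID: it serialises requests from the same browser session and has no effect on which user's data a request sees, so releasing it early changes response times, not what is stored under each session.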