Crossing sessions data
#1

I am currently having a problem with the sessions at the time of logging in with a user, when the user starts the session, the session takes the data of another user who is connected to the system on another computer and also shows sales data that the other user is performing, sometimes refreshing the site returns to normal.

HomeController.php


Code:
public function login()
{
    $username = $this->input->post('username');
    $password = $this->input->post('password');

    $usuario = $this->Modelousuarios->verificar_usuario($username, md5($password));

    if($usuario){
        $permisos = $this->Modelousuarios->permisos($usuario->codigousuario);
        $this->login_success($usuario, $permisos);
    }
    else{
        $this->login_fail();
    }
}

private function login_success($usuario, $permisos)
{
    $session_data = array(
        'autenticado' => TRUE,
        'nombre_usuario' => $usuario->nombreusuario,
        'nombre' => $usuario->nombre,
        'codigo' => $usuario->codigousuario,
        'tipo_usuario' => $usuario->tipousuario,
        'codigolocal' => $usuario->codigolocal,
        'permisos' => $permisos
    );

    // Removing the session data if it already exists
    $this->session->unset_userdata($session_data);

    $this->session->set_userdata($session_data);

    redirect('facturacion/realizar-venta');
}

Modelousuarios.php


Code:
function verificar_usuario($user, $pass) {
    $query = $this->db->query("select * from usuarios where nombreusuario='{$user}' and contrasena='{$pass}' and estado = 1 ");

    if ($query->num_rows() > 0) {
        return $query->row();
    } else {
        return false;
    }
}

This is my current session configuration in config.php


Code:
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0;
$config['sess_save_path'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 0;
$config['sess_regenerate_destroy'] = FALSE;

I hope you can help me, this problem is driving me crazy... Sorry for my english, regards.
#2

At first glance I can see that you are using unset incorrectly. You don't need to do that on login, however you are required to destroy it on logout. unset_userdata only wants the keys to unset, not the values themselves.

sess_time_to_update should have a value higher than 0.

How do your cookie_ settings look?

Other feedback
You are using md5, which can be hacked in a matter of minutes. You NEED to switch to password_hash
Your application is open to SQL injection and with specially crafted input you can do the following:
- Login to any account without password
- Can access all data in your database
- Can delete all your data in the database
- etc... Anything you can do, we can do to your database.
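The three points in the reply above (unset on login, md5, string-built SQL) addressed together in one hardened version of the model and controller methods from the first post. This is an added example, not code from the thread or from CodeIgniter itself; it assumes CodeIgniter 3, the `usuarios` table and columns used in the thread, and that the `contrasena` column has been widened (e.g. to VARCHAR(255)) so it can hold a `password_hash()` string. The legacy-md5 branch is a migration aid for the existing users the original poster mentions: an md5 row is accepted once and replaced with a `password_hash()` value on that login.

```php
<?php
// Added example (not the thread's or CodeIgniter's code): hardened
// verificar_usuario() and login_success()/logout() in CodeIgniter 3 style.
// Assumes table `usuarios` with the thread's columns; `contrasena` must be
// wide enough (e.g. VARCHAR(255)) to store a password_hash() string.

// --- Modelousuarios.php --------------------------------------------------
function verificar_usuario($user, $pass)
{
    // Query binding: the user-supplied name is passed as a parameter, never
    // concatenated into the SQL text, and the password is no longer compared
    // inside the query at all.
    $sql   = "SELECT * FROM usuarios WHERE nombreusuario = ? AND estado = 1";
    $query = $this->db->query($sql, array($user));

    if ($query->num_rows() !== 1) {
        return FALSE;
    }

    $usuario = $query->row();
    $stored  = $usuario->contrasena;

    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row still holding an md5 hex digest: accept it this once
        // (constant-time compare), then upgrade it below.
        if ( ! hash_equals($stored, md5($pass))) {
            return FALSE;
        }
        $needs_rehash = TRUE;
    } else {
        // Normal path: password_verify() checks against the stored hash.
        if ( ! password_verify($pass, $stored)) {
            return FALSE;
        }
        // Also re-hash if PHP's default algorithm/cost has moved on.
        $needs_rehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($needs_rehash) {
        $this->db->where('codigousuario', $usuario->codigousuario)
                 ->update('usuarios', array(
                     'contrasena' => password_hash($pass, PASSWORD_DEFAULT),
                 ));
    }

    unset($usuario->contrasena); // never carry the hash into the session
    return $usuario;
}

// --- HomeController.php --------------------------------------------------
private function login_success($usuario, $permisos)
{
    // Issue a fresh session ID at login so a cookie obtained before
    // authentication cannot be reused; TRUE also destroys the old session row.
    $this->session->sess_regenerate(TRUE);

    // No unset_userdata() here: set_userdata() simply overwrites these keys.
    $this->session->set_userdata(array(
        'autenticado'    => TRUE,
        'nombre_usuario' => $usuario->nombreusuario,
        'nombre'         => $usuario->nombre,
        'codigo'         => $usuario->codigousuario,
        'tipo_usuario'   => $usuario->tipousuario,
        'codigolocal'    => $usuario->codigolocal,
        'permisos'       => $permisos,
    ));

    redirect('facturacion/realizar-venta');
}

public function logout()
{
    // Logout is where the data must go away: destroy the whole session,
    // not individual keys.
    $this->session->sess_destroy();
    redirect('home/login');
}
```

The `sess_regenerate(TRUE)` at login and `sess_destroy()` at logout are the two session lifecycle calls the reply asks for; `$this->db->query($sql, array($user))` is CodeIgniter 3's own query-binding form, so the bound value is escaped by the driver rather than by hand.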
#3

(02-21-2020, 01:04 PM)jreklund Wrote: At first glance I can see that you are using unset incorrectly. You don't need to do that on login, however you are required to destroy it on logout. unset_userdata only wants the keys to unset, not the values themselves.

sess_time_to_update should have a value higher than 0.

How do your cookie_ settings look?

Other feedback
You are using md5, which can be hacked in a matter of minutes. You NEED to switch to password_hash
Your application is open to SQL injection and with specially crafted input you can do the following:
- Login to any account without password
- Can access all data in your database
- Can delete all your data in the database
- etc... Anything you can do, we can do to your database.


Thanks for your feedback, I tried many session configurations and none work. I tried to set sess_time_to_update and sess_expiration to default values and nothing works. I used unset in the login function trying to fix it... The md5 is not my work; the previous developer implemented it like that, and there are many users using it. Could you give me an example of a standard sessions configuration? Thanks for your time, regards...
#4

(This post was last modified: 02-21-2020, 03:02 PM by jreklund.)

Personally I'm storing my main session in files (user_id, login_time) instead of the database, and saving additional content in the database. Always checking on every refresh whether the information in the file matches the one in the database, and whether the user has been deleted.

https://community-auth.com/

PHP Code:
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'abcsession';
$config['sess_expiration'] = 86400;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 1800;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix'] = '';
$config['cookie_domain'] = NULL;
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = TRUE;
#5

Thanks @jreklund.

Would you give me an example of how to compare my current session with the files on every refresh? And why do you prefer file storage instead of the database? Sorry for so many questions, but I am a newbie using CodeIgniter and I need to do a good job. I appreciate your help.
#6

Every bit of code I'm using is from Community Auth, with modifications to use UUIDv4 instead of an incremental id as user_id. And I changed out all groups/permissions as they didn't fit my needs; I needed something more advanced.

I chose to save the main session in a file instead of the database as I find it easier to manage high load with session locking.
https://codeigniter.com/user_guide/libra...oncurrency
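The per-refresh check described in post #4 and asked about in post #5, written out as an added example; this is not Community Auth's code and not from the thread. It assumes CodeIgniter 3 with the files session driver from the configuration above, the `usuarios` table and columns used in the thread, and a hypothetical `ultimo_login` DATETIME column that is written at login with the same timestamp the session stores as `login_time`. Only the user id and login time live in the session file; everything else is re-read from the database on each request, so a session whose user was deleted, disabled, or has since logged in elsewhere is destroyed instead of being trusted.

```php
<?php
// Added example (not Community Auth's or the thread's code). CodeIgniter 3
// base controller: every request re-validates the file session against the
// database. Assumes table `usuarios` with the thread's columns plus a
// hypothetical `ultimo_login` DATETIME column.

// --- application/models/Modelousuarios.php (addition) --------------------
// Called from login_success(): record the login time in the DB and return it
// so the same value can be stored in the session as 'login_time'.
function marcar_login($codigousuario)
{
    $ahora = date('Y-m-d H:i:s');
    $this->db->where('codigousuario', $codigousuario)
             ->update('usuarios', array('ultimo_login' => $ahora));
    return $ahora;
}

// Inside login_success(), the session then holds only what the check needs:
//   $login_time = $this->Modelousuarios->marcar_login($usuario->codigousuario);
//   $this->session->set_userdata(array(
//       'autenticado' => TRUE,
//       'codigo'      => $usuario->codigousuario,
//       'login_time'  => $login_time,
//   ));

// --- application/core/MY_Controller.php ----------------------------------
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->database();

        if ($this->session->userdata('autenticado') === TRUE) {
            $this->validar_sesion();
        }
    }

    // Compare the session file's (codigo, login_time) with the DB row.
    private function validar_sesion()
    {
        $codigo     = $this->session->userdata('codigo');
        $login_time = $this->session->userdata('login_time');

        $row = $this->db->select('codigousuario, estado, ultimo_login')
                        ->where('codigousuario', $codigo)
                        ->get('usuarios')
                        ->row();   // NULL when no such user

        $valida = $row !== NULL                       // user still exists
               && (int) $row->estado === 1            // and is still active
               && $row->ultimo_login === $login_time; // and this is its latest login

        if ( ! $valida) {
            // Stale, borrowed or superseded session: drop it entirely.
            $this->session->sess_destroy();
            redirect('home/login');
        }
    }
}
```

Application controllers would extend `MY_Controller` instead of `CI_Controller`. The `ultimo_login` comparison has one side effect worth knowing: a second login for the same account invalidates the first session on its next request, which is exactly what prevents two computers from sharing one user's data.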
#7

Thank you so much. I will work using your recommendations, and I will change md5 to password_hash. Regards.