• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
An user can view info of another users

#1
Sad 
Hi! I' ve a seriuos problem: my users can see info of another users. How? I don't know, but I suspect that session variables in my server are the problem. How do I test it? 

Situation is next:

User A is logued in app with his credentials. All info (username, avatar, id, permission) are stored in session variables using codeigniter. Suddenly, he can see the avatar, username and info of another user of the application... what can I do!?

Please, help me! 

Thanks!
Reply

#2
For now, if the user data is sensitive, you should take the website offline. Next you would probably want to show us some code, because our crystal balls aren't working.
Reply

#3
Is your server Apache or NGINX?
Reply

#4
are you using an authentication library like ion auth, etc?
Reply

#5
You need a check in your controller constructor to check the users identity.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )
Reply

#6
Hi to everyone! thanks for yours replies.

I will try to show you some code to resolve my trouble

First, when an user log on in y app, the function "ingresar" in my login.php controler unset and set session variable with some info about the user


Code:
public function ingresar(){
        $correo = $this->security->xss_clean(strip_tags($this->input->post('correo')));
        $pass = md5($this->security->xss_clean(strip_tags($this->input->post('password'))));

        $Usuarios = new Usuario_Model();
        $result = $Usuarios->login($correo, $pass);
        if(count($result)>0){
            foreach($result as $u){
                $this->session->unset_userdata('id');
                $this->session->unset_userdata('mail');
                $this->session->unset_userdata('nombre');
                $this->session->unset_userdata('activo');
                $this->session->unset_userdata('logo_empresa');
                $this->session->unset_userdata('nombre_empresa');
                $this->session->unset_userdata('id_empresa');
                $this->session->unset_userdata('nivel');
                $this->session->unset_userdata('estado_sesion');

                $this->session->set_userdata('id', $u->id);
                $this->session->set_userdata('mail', $u->mail);
                $this->session->set_userdata('nombre', $u->nombre);
                $this->session->set_userdata('activo', $u->activo);
                $this->session->set_userdata('nivel', $u->nivel);
                $this->session->set_userdata('nombre_empresa', $u->nombre_empresa);
                $this->session->set_userdata('id_empresa', $u->id_empresa);
                $this->session->set_userdata('logo_empresa', $u->logo_empresa);
                $this->session->set_userdata('avatar_user', $u->avatar_user);
                $this->session->set_userdata('estado_sesion', TRUE);

                redirect(base_url()."panel");
                
            }//End foreach
            
            
        }else{
            $this->session->set_flashdata('mensaje', 'El usuario o password es incorrecto');
            redirect(base_url()."login/index/1");
            //$this->index(1);
        }//End if

Then, when "panel" controller is loaded, I've the following code

Code:
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class Panel extends CI_Controller {

    public function __construct(){
        parent::__construct();
        $this->load->helper('html');
        $this->load->helper('form');
        $this->load->model('usuario_model');
        $this->load->model('panel_model');
        $this->load->helper('security');
        $this->usuarios_lib->controla_sesion();
        $this->load->library('form_validation');
        $this->load->library('session_data_lib');
    }

    public function index(){

        $data_session = $this->session_data_lib->set_data_session($data_session); //session variable load

        if ($data_session['nivel']==1 || $data_session['nivel']==2){

            $data_counters = $this->counters_lib->get_admin_counters(); //cargo las variables de contadores

        }else{
            $data_counters = $this->counters_lib->get_user_counters(); //cargo las variables de contadores
        }

        $this->load->view('templates/header', $data_session);
        $this->load->view('templates/menu_top', $data_session);
        $this->load->view('templates/menu_left', $data_counters);
        if ($data_session['nivel']==0) {
            $this->load->view('panel/panel_user',$data_counters);
        }else{
            $this->load->view('panel/panel_admin',$data_counters);
        }

        $this->load->view('templates/footer',$data_counters);

    }//End method index
}

As you can see, exist one library called 'session_data_lib', the code is next



Code:
<?php defined('BASEPATH') OR exit('No direct script access allowed');

class Session_data_lib {

 protected $CI;

   // We'll use a constructor, as you can't directly call a function
   // from a property definition.
 public function __construct()
 {
           // Assign the CodeIgniter super-object
   $this->CI =& get_instance();
   $this->CI->load->library('session');
   $this->CI->load->model('panel_model');
   $this->CI->load->helper('url');
 }

 public function set_data_session($data_session)
 {
  $data_lib_session['title'] = $data_session['title'];
  $data_lib_session['opcionMenu'] = $data_session['opcionMenu'];
  $data_lib_session['bodyClass'] = $data_session['bodyClass'];
  $data_lib_session['nombre'] = $this->CI->session->userdata('nombre');
  $data_lib_session['userid'] = $this->CI->session->userdata('id');
  $data_lib_session['nivel'] = $this->CI->session->userdata('nivel');
  $data_lib_session['avatar_user'] = $this->CI->session->userdata('avatar_user');
  $data_lib_session['logo_empresa'] = $this->CI->session->userdata('logo_empresa');
  $data_lib_session['nombre_empresa'] = $this->CI->session->userdata('nombre_empresa');
  $data_lib_session['id_empresa'] = $this->CI->session->userdata('id_empresa');
  $data_lib_session['arr_css'] = array("absolute_admin/assets/fonts/iconsweets/iconsweets.css");
  $data_lib_session['lastSegs'] = $this->CI->panel_model->get10LastSeg($this->CI->session->userdata('id_empresa'));

  return $data_lib_session;
 }//End method set_data_session

}//End class
In this function,I save user data session variables  in an array and return this to the controller in this line


Code:
$data_session = $this->session_data_lib->set_data_session($data_session); //cargo las variables de sesion

Finally, I send this to the views

Maybe, I've been make many errors. Help me please!

Thanks!
Reply

#7
(11-08-2017, 06:20 AM)Gustavo Martins Wrote: Is your server Apache or NGINX?

Hola Gustavo! Actualmente tengo mi aplicacion hosteada en un hosting de Argentina con acceso Cpanel. Como puedo verificar esto? Gracias por tu respuesta
Reply

#8
(11-08-2017, 10:58 AM)leavai Wrote:
(11-08-2017, 06:20 AM)Gustavo Martins Wrote: Is your server Apache or NGINX?

Hola Gustavo! Actualmente tengo mi aplicacion hosteada en un hosting de Argentina con acceso Cpanel. Como puedo verificar esto? Gracias por tu respuesta

English only please.
Reply

#9
(11-08-2017, 11:39 AM)Narf Wrote:
(11-08-2017, 10:58 AM)leavai Wrote:
(11-08-2017, 06:20 AM)Gustavo Martins Wrote: Is your server Apache or NGINX?

Hola Gustavo! Actualmente tengo mi aplicacion hosteada en un hosting de Argentina con acceso Cpanel. Como puedo verificar esto? Gracias por tu respuesta

English only please.

Hi Gustavo, today I've my app hosting in Argentina with an CPanel access only. How Can I verify if it uses Apache or NGINX?

Thanks
Reply

#10
I found this info in codeigniter official site (read red text and my final conclusion)


Quote:A note about concurrency
Unless you’re developing a website with heavy AJAX usage, you can skip this section. If you are, however, and if you’re experiencing performance issues, then this note is exactly what you’re looking for.
Sessions in previous versions of CodeIgniter didn’t implement locking, which meant that two HTTP requests using the same session could run exactly at the same time. To use a more appropriate technical term - requests were non-blocking.
However, non-blocking requests in the context of sessions also means unsafe, because modifications to session data (or session ID regeneration) in one request can interfere with the execution of a second, concurrent request. This detail was at the root of many issues and the main reason why CodeIgniter 3.0 has a completely re-written Session library.
Why are we telling you this? Because it is likely that after trying to find the reason for your performance issues, you may conclude that locking is the issue and therefore look into how to remove the locks …
DO NOT DO THAT! Removing locks would be wrong and it will cause you more problems!
Locking is not the issue, it is a solution. Your issue is that you still have the session open, while you’ve already processed it and therefore no longer need it. So, what you need is to close the session for the current request after you no longer need it.
Long story short - call 
Code:
session_write_close()

 once you no longer need anything to do with session variables.


Actualy, I'm using Codeigniter 2.2.6 version. Could it be the reason of my trouble?
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2018 MyBB Group.