Session is overwritten in PHP

I ran into a problem where my session is being overwritten by another logged-in user in PHP.

When we have a reasonable load of about 50-100 user sessions, they begin to mix. For example, if a user logs in as A, after a while his session switches to user B, who is also logged in. The system has been working for more than a year, and this is the first time we have faced this problem.

The server is running CentOS.

I have no code error anywhere, but somehow one user's information is being overwritten by another's.

Please help me, because I am trying to solve this error but I do not have much time.

Is there any php.ini setting that would overwrite user session data? Or is it something on the server, so that the randomization of session authentication is not correct?

Thanks in advance.

+2

4 answers

I studied the problem and found that several session files with a 1-character identifier are created among the 32-character ones, e.g. sess_1 and sess_8 alongside sess_f1d9037025f544376ff0d44511ed3192.

, , A B , A B PHPSESSID cookie, , sess_1. - 32- PHPSESSID, , , A B .

+1

, PHPs .

<?php
session_start();
include("dbconfig.php");

if (isset($_POST['login'])) {

    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $msg  = '';

    // NOTE: $user and $pass are interpolated straight into the SQL text, so the
    // query is injectable (see the last answer below). The mysql_* extension is
    // also deprecated since PHP 5.5 and removed in PHP 7.
    $check = mysql_query("SELECT * FROM `user` WHERE username = '{$user}' AND pass = '{$pass}'") or die(mysql_error());
    $row = mysql_num_rows($check);
    $ck  = mysql_fetch_assoc($check);

    if ($row == 1) {
        $_SESSION['name']           = $user; // used to be set to $ck['iname'];
        $_SESSION['isadmin']        = 1;     // hard-coded: every successful login is flagged as admin
        $_SESSION['team']           = $ck['teamstatus'];
        $_SESSION['logintime']      = time();
        $_SESSION['priority']       = $ck['priority'];
        $_SESSION['id']             = $ck['id'];
        $_SESSION['designation']    = $ck['designation'];
        $_SESSION['course']         = $ck['course'];
        $_SESSION['year']           = $ck['year'];
        $_SESSION['no']             = $ck['no'];
        $_SESSION['div']            = $ck['div'];
        $_SESSION['sp_designation'] = $ck['sp_designation'];
        header("Location: index.php");
        exit;
    } else {
        $msg = "Invalid Username or Password";
    }
}
?>

, ,

<?php
session_start();

// Redirect unless the session carries a complete, admin-flagged login.
// (The original condition negated only isset($_SESSION['name']), so it could
// only fire when 'name' was missing but 'id' and 'designation' were present;
// the whole conjunction has to be negated.)
if (!(isset($_SESSION['name']) && isset($_SESSION['id']) && isset($_SESSION['designation'])
      && isset($_SESSION['isadmin']) && $_SESSION['isadmin'] == 1)) {
    header("Location: error.php");
    exit;
}

// otherwise perform the action
?>
0

, , :

-, , , querystring, .

-, , , , afaik, ( ), , cookieless- URL-, .

, .

0
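The sess_1 / sess_8 files reported in the first answer, and the query-string / cookieless-URL point in the answer just above, both come down to the server accepting a session ID it did not generate. The following is an added example (not code from the question or any answer) of how to refuse such IDs and how to check the save path for the symptom. It assumes PHP 5.5.2 or later for session.use_strict_mode, the default files save handler, and that session.save_path is a plain directory readable by the script; the 32-hex-character shape is the default ID format and would need adjusting if session.sid_length or session.hash_function were changed.

```php
<?php
// Added example, not the original poster's code: session-ID hygiene for the
// default files handler. Assumes PHP >= 5.5.2 and a plain-directory
// session.save_path (no "N;/path" prefix).

declare(strict_types=1);

// 1. Accept the session ID only from the cookie, never from the query string,
//    and never rewrite it into URLs. Strict mode makes PHP refuse an ID it did
//    not generate itself, so a client sending PHPSESSID=1 is given a fresh
//    32-character ID instead of being attached to a file named sess_1.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// 2. Belt and braces for builds without strict mode: drop a cookie that is not
//    shaped like an ID this server produces (32 hex characters by default).
function isWellFormedSessionId(?string $id): bool
{
    return $id !== null && preg_match('/^[0-9a-f]{32}$/', $id) === 1;
}

$cookieName = session_name();
if (isset($_COOKIE[$cookieName]) && !isWellFormedSessionId($_COOKIE[$cookieName])) {
    // session_start() reads the ID from $_COOKIE; with it gone, a new ID is generated
    // and a replacement cookie is sent.
    unset($_COOKIE[$cookieName]);
}

session_start();

// 3. Operational check for the symptom described above: list session files in
//    the save path whose ID is not 32 hex characters (e.g. sess_1, sess_8).
function findMalformedSessionFiles(string $savePath): array
{
    $bad = [];
    foreach (glob(rtrim($savePath, '/') . '/sess_*') ?: [] as $file) {
        $id = substr(basename($file), strlen('sess_'));
        if (!isWellFormedSessionId($id)) {
            $bad[] = basename($file);
        }
    }
    return $bad;
}

$path = session_save_path() ?: sys_get_temp_dir();
$bad  = findMalformedSessionFiles($path);
if ($bad !== []) {
    // Any hit means some client managed to name its own session file.
    error_log('Malformed session files in ' . $path . ': ' . implode(', ', $bad));
}
```

The ini_set() calls must run before session_start(); on a shared host the same three settings belong in php.ini or .htaccess so that every script, not only this one, gets them. Once malformed files have been found, deleting them and rotating the IDs of logged-in users is the clean-up step, since two users who both presented PHPSESSID=1 were sharing sess_1.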

erk, , , , , (,

user = "admin' OR ('bla'='"
password="')"

- , .

Assuming you are using the default session handler, the error is unlikely to be in the session handler code. It is used by thousands (millions?) of applications and works for everyone else.

Most likely the cause is bad caching of data. Can you reproduce it without any intermediate proxies? Have you checked the headers coming out of the web server?

WITH.

0
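A hardened version of the login handler posted in the second answer, as an added example that is not code from the question or any answer. It uses a prepared statement so the `admin' OR ('bla'='` payload quoted in the last answer is bound as an ordinary (non-matching) username, sends no-cache headers as the last answer suggests checking, and regenerates the session ID at login so the pre-login session file is not reused. It assumes PHP 5.5 or later with mysqli and mysqlnd (for get_result()), a dbconfig.php that defines an open mysqli connection in $mysqli, a `user` table whose `pass` column holds password_hash() output, and the column names id, username, teamstatus, priority and designation from the original snippet.

```php
<?php
// Added example, not the original poster's code. Assumes $mysqli is an open
// mysqli connection created by dbconfig.php and that `user`.`pass` stores
// password_hash() output.

declare(strict_types=1);

session_cache_limiter('nocache');            // Cache-Control: no-store, no-cache, ... on every session page
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();
require __DIR__ . '/dbconfig.php';

/** Returns the user row (without the hash) on success, null on failure. */
function authenticate(mysqli $db, string $user, string $pass): ?array
{
    // The placeholder keeps the user-supplied value out of the SQL text, so
    // quotes and OR clauses in $user cannot change the query's meaning.
    $stmt = $db->prepare(
        'SELECT id, username, pass, teamstatus, priority, designation FROM `user` WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() is constant-time and handles the stored salt itself.
    if ($row === null || !password_verify($pass, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

function loginUser(array $row): void
{
    // Fresh ID on privilege change: whatever ID the client arrived with is
    // discarded and its old file deleted, so it cannot be shared with anyone.
    session_regenerate_id(true);
    $_SESSION['id']          = (int) $row['id'];
    $_SESSION['name']        = $row['username'];
    $_SESSION['team']        = $row['teamstatus'];
    $_SESSION['priority']    = $row['priority'];
    $_SESSION['designation'] = $row['designation'];
    $_SESSION['logintime']   = time();
}

/** Guard for protected pages: redirect unless a complete login is present. */
function requireLogin(): void
{
    if (!isset($_SESSION['id'], $_SESSION['name'], $_SESSION['designation'])) {
        header('Location: error.php');
        exit;
    }
}

$msg = '';
if (isset($_POST['login'], $_POST['user'], $_POST['pass'])) {
    $row = authenticate($mysqli, (string) $_POST['user'], (string) $_POST['pass']);
    if ($row !== null) {
        loginUser($row);
        header('Location: index.php');
        exit;
    }
    $msg = 'Invalid Username or Password';
}
```

To confirm the caching hypothesis from the last answer, fetch a logged-in page with `curl -I` through the same path the users take and look for `Cache-Control: no-store` and the absence of `Expires` far in the future; a proxy that is allowed to cache a page carrying another user's data produces exactly the "switched user" symptom without any session file being touched.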

Source: https://habr.com/ru/post/1753843/
