I am fairly new to sessions.
I have a classifieds website, and users may chose to "EDIT" their classifieds.
All they have to enter is a password which they chose when creating the classified.
In the "edit.php" page, if the password is correct, the classified details show up. There is a picture upload tool, which reloads the page but uploads a picture at the same time, and previews to the user.
The problem is that when the pic is uploaded, I don't want the page to ask for password again. (this because the page reloads) Not so nice if password was required for every pic upload开发者_StackOverflow.
So I have set a session variable like this:
if($pass==$row['pass']){ $_SESSION['correct_pass']=1; }
then in edit.php on reload, I check against this condition:
if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
EDIT AD HERE
}
The problem (BIG PROBLEM) is that once the user enters a correct password, the SESSION['correct_pass'] is created and set to 1.
After this, the user may click "back" on browser and enter another classifieds ID nr in the URL, and the PHP Session will think the password is still okay.
So in other words, one might change other peoples classified if you figure this out.
How should solve this?
If you need more input let me know...
Below are a few lines of code which further describes edit.php file (not tested):
//FIRST VISIT TO "EDIT.PHP?ad_id=ID_OF_CLASSIFIED_HERE"
if($todo==0){
//User is shown 2 radios, and a password form, and choses either to remove classified, or change classified
}
//REMOVE CLASSIFIED
if($todo==1){
//User has chosen to remove a classified
if($pass==$row['pass']){
//DELETE CLASSIFIED
}
if($pass!=$row['pass']){
//SHOW WRONG PASSWORD WARNING
}
}
if($todo==2){
//User has chosen to change a classified
if($pass==$row['pass'] || $_SESSION['correct_pass']==1){
if(!isset($_SESSION['correct_pass'])){
$_SESSION['correct_pass']=1;
}
//EDIT AD HERE
}
else {
//SHOW WRONG PASSWORD WARNING
}
}
Thanks
Instead of storing a flag whether the user has entered a correct password or not, store a hash of the password in the session. Then when they try and edit a classified, compare the hash of the password in the session with the hash of the password used to create the classified.
Salt the password with the userid (if you have one), and that should protect against collisions of shitty passwords.
Let me suggest one possible approach to such kind of proplems.
You may generate some long random string (uploadId), remember it on server side (in database / session) and pass as additional request parameter in hidden input element.
Then, when image is uploaded, you may compare these values and check, whether any image was already uploaded with this "uploadId". If that's the first time image with this uploadId comes, then you should remember on server-side, that this uploadId was already used once, and accept upload.
Already used uploadId values may be removed after some timeout / after user logout.
Why not just store a list of the items they are authorized for such as:
$_SESSION['authorizedPages']['pageID'];
if (isset($_SESSION['authorizedPages']['pageID']) == false)
{
echo loginForm;
}
else
{
echo editForm;
}
精彩评论