
ivan at alexandrov dot biz
16 years ago
I had a problem with implementing the restore-password form. First a user entered his login or e-mail in the system.

Then the script searched the database, got the session data, and sent a link with the SID to the registered e-mail. The link was configured so that it restored the session data and logged the user into the secure interface at the change-password form.

Then a page was displayed with a message about the sent message.

The problem was that the ID was not unique across the three pages: the SID sent to the e-mail could be seen by anyone in the cookie.

I tried to start a new session before generating and after sending the link with this code:

<?php
// ....
session_start();
/* Getting user login and e-mail from database */
$user_login = "....";
$user_id = ".....";

/* CLOSE PREVIOUS SESSION */
session_unset();    // clears $_SESSION; session_unlink() is not a PHP function
session_destroy();

/* NOW GENERATING LINK FOR SESSION DATA */
session_start();
$_SESSION['user_login'] = $user_login;  // keyed entries; assigning to $_SESSION itself replaces the whole array
$_SESSION['user_id'] = $user_id;
/* here generating link: */
$link = "http://host.com/restore=" . SID;
mail(....);

/* CLOSE THE SESSION WITH USER DATA */
session_write_close();

/* AND STARTING A NEW SESSION */
session_start();
/* THEN LOAD THE 'MESSAGE SENT' PAGE */
header("Location: /restore/message_sended/");

?>

The trouble was that the SID was the same even after session_unlink() and session_write_close(). The session_start() function just restored the previous session data!!! So the script was not safe.
Then I added a session_regenerate_id() call after each session_start().

<?php
// ....
session_start();
/* Getting user login and e-mail from database */
$user_login = "....";
$user_id = ".....";

/* CLOSE PREVIOUS SESSION */
session_unset();    // clears $_SESSION; session_unlink() is not a PHP function
session_destroy();

/* NOW GENERATING LINK FOR SESSION DATA */
session_start();
session_regenerate_id(); // Regenerating SID for sending

$_SESSION['user_login'] = $user_login;  // keyed entries; assigning to $_SESSION itself replaces the whole array
$_SESSION['user_id'] = $user_id;

/* here generating link: */
$link = "http://host.com/restore=" . SID;
mail(....);

/* CLOSE THE SESSION WITH USER DATA */
session_write_close();

/* AND STARTING ANOTHER NEW SESSION */
session_start();
session_regenerate_id(); // Regenerating SID
/* THEN LOAD THE 'MESSAGE SENT' PAGE */
header("Location: /restore/message_sended/");

?>

And now it works as needed! The SID sent to the user cannot be seen in the cookies, neither before nor after the link is generated, but the data is saved in the session with this ID. So only the owner of the account can get it!
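As an added example (written for this note; it is not the author's code nor anything from the PHP manual), the same flow with real function names and the checks a reviewer would ask for: the restore session carries a purpose flag and an expiry, the "message sent" session is emptied so it holds no user data, and the link handler rotates the ID once more so the e-mailed ID is single use. The host name, the /restore path and the 15-minute window are assumptions.

```php
<?php
// Added example: the note's flow with real function names, plus the checks a
// reviewer would ask for. Host, path and the 15-minute window are assumptions.
function createRestoreLink(string $userLogin, string $userId): string
{
    session_start();                       // visitor's ordinary (anonymous) session
    session_regenerate_id(true);           // fresh ID; the old record is deleted
    $_SESSION = [                          // only the restore data, nothing inherited
        'user_login' => $userLogin,
        'user_id'    => $userId,
        'purpose'    => 'restore',         // may reach the change-password form only
        'expires'    => time() + 900,      // one short window (assumed policy)
    ];
    $restoreSid = session_id();
    session_write_close();                 // data is now stored under $restoreSid

    // session_start() here resumes $restoreSid (the note's observation), so
    // regenerate WITHOUT deleting the old record and empty the inherited copy.
    session_start();
    session_regenerate_id();               // browser cookie now carries a different ID
    $_SESSION = [];                        // this session knows nothing about the user
    return 'https://host.example/restore?sid=' . urlencode($restoreSid);
}

// Link handler: adopt the e-mailed ID, verify purpose and expiry, then rotate
// again so the ID that travelled by e-mail is not the one used on the form.
function consumeRestoreLink(string $sid): bool
{
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {   // reject junk before touching storage
        return false;
    }
    session_id($sid);
    session_start();
    $ok = ($_SESSION['purpose'] ?? '') === 'restore'
       && ($_SESSION['expires'] ?? 0) > time();
    if (!$ok) {
        session_unset();
        session_destroy();                 // expired or unknown: leave nothing behind
        return false;
    }
    unset($_SESSION['purpose'], $_SESSION['expires']);
    $_SESSION['may_change_password'] = true;
    session_regenerate_id(true);           // the e-mailed ID is dead from here on
    return true;
}
```

The change-password form should then check $_SESSION['may_change_password'] and clear it after one successful change.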
