Sessions getting mixed up


SeeVik

Apr 6, 2009, 4:45:20 AM
to Professional PHP Developers
Hi, please advise.

I seem to have a problem with sessions getting mixed up! I have an
application created with CakePHP with many users registered, and so the
login is protected with a session. After a customer logs in, his info
is registered in the session, such as his user id, and is destroyed
after logout.

So, the issue is that I received some reports from customers who are
from the same country, Kenya, and they said that when they logged in
they found pages and info of another customer (who is from Kenya). I
investigated this problem and it turned out that although they might know
each other, each uses his/her own computer! What does that mean?
What can be wrong? I never encountered such a problem and I've got
more than 10 reports from different people from the same country! This
is really strange!

All I need is advice on how I can track this bug. Or, if anyone is
familiar with it, I hope to get a clue as to what kind of bug this might
be.

Thanks and regards
Vikram
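
A way to track the bug down from logs, as an added example (not part of the original post and not CakePHP code): the application appends one pipe-separated line per request (timestamp, session id, user id or '-' before login, REMOTE_ADDR, User-Agent) to a file, and a CLI script groups the lines by session id. A session id seen with two different user ids, or with two different User-Agents, is a session being shared between browsers; if the proxy explanation in the replies is right, the address column will be the same for all of them (the proxy's address). The log format, the function names and the sample lines are constructed for the example; the code targets current PHP (7.1 or later).

```php
<?php
// Added example: spot session ids shared between browsers from an application
// request log. Log format (assumed): timestamp|session_id|user_id|remote_addr|user_agent
// with '-' as user_id for a request made before login. Sample lines are constructed.

declare(strict_types=1);

/** Call from the application after session_start() to record one request. */
function log_request(string $file, ?int $userId): void
{
    $line = implode('|', [
        date('c'),
        session_id(),
        $userId === null ? '-' : (string) $userId,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        // keep the record on one line and keep '|' out of the free-text field
        str_replace(['|', "\r", "\n"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '-'),
    ]);
    file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX);
}

/**
 * Group log lines by session id and return those that look shared:
 * more than one logged-in user id, or more than one User-Agent, on one id.
 */
function find_shared_sessions(string $log): array
{
    $bySid = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = explode('|', $line, 5);
        if (count($f) < 5) {
            continue; // malformed line, skip it
        }
        [$ts, $sid, $uid, $addr, $ua] = $f;
        if (!isset($bySid[$sid])) {
            $bySid[$sid] = ['users' => [], 'addrs' => [], 'agents' => [], 'first' => $ts];
        }
        if ($uid !== '-') {
            $bySid[$sid]['users'][$uid] = true;
        }
        $bySid[$sid]['addrs'][$addr] = true;
        $bySid[$sid]['agents'][$ua] = true;
        $bySid[$sid]['last'] = $ts;
    }

    $shared = [];
    foreach ($bySid as $sid => $s) {
        if (count($s['users']) > 1 || count($s['agents']) > 1) {
            $shared[$sid] = [
                'users'  => array_keys($s['users']),
                'addrs'  => array_keys($s['addrs']),
                'agents' => array_keys($s['agents']),
                'first'  => $s['first'],
                'last'   => $s['last'],
            ];
        }
    }
    return $shared;
}

/** Constructed sample: one session id used by two browsers behind one proxy address. */
function sample_log(): string
{
    return <<<'LOG'
2009-04-05T10:01:12+03:00|k3j9s1f0a2|-|196.201.0.10|Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.8
2009-04-05T10:01:40+03:00|k3j9s1f0a2|1042|196.201.0.10|Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.8
2009-04-05T10:02:03+03:00|k3j9s1f0a2|1042|196.201.0.10|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2009-04-05T10:02:30+03:00|k3j9s1f0a2|1077|196.201.0.10|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2009-04-05T10:03:00+03:00|p8d7h2c6e4|2210|41.220.5.7|Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.8
2009-04-05T10:03:15+03:00|p8d7h2c6e4|2210|41.220.5.7|Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.8
LOG;
}

if (PHP_SAPI === 'cli') {
    // php find_shared_sessions.php [/path/to/request.log]; without a path the sample is used.
    $log = $argc > 1 ? file_get_contents($argv[1]) : sample_log();
    foreach (find_shared_sessions($log) as $sid => $s) {
        printf("session %s: users [%s], %d user agent(s), from %s, %s .. %s\n",
            $sid, implode(', ', $s['users']), count($s['agents']),
            implode(', ', $s['addrs']), $s['first'], $s['last']);
    }
}
```

On the constructed sample the report names only k3j9s1f0a2: two user ids and two User-Agents behind one address. Run against a real log, the address column of every flagged session is the proxy to look at, and the user ids are the customers to contact.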

crim...@googlemail.com

Apr 6, 2009, 8:47:00 AM
to Professional PHP Developers


On 6 Apr, 11:45, SeeVik <vikramvmalhotra1...@gmail.com> wrote:
> So, the issue is that I received some reports from customers who are
> from the same country, Kenya, and they said that when they logged in
> they found pages and info of another customer (who is from Kenya). I
> investigated this problem and it turned out that although they might know
> each other, each uses his/her own computer! What does that mean?
> What can be wrong? I never encountered such a problem and I've got
> more than 10 reports from different people from the same country! This
> is really strange!
A proxy server with incorrect cookie processing. They are sitting on the
same provider or in the same internet cafe with the same proxy, and there
are problems with the proxy setup. As I remember, old versions of WinGate
had such a problem.

C. (http://symcbean.blogspot.com/)

Apr 6, 2009, 12:02:03 PM
to Professional PHP Developers
On 6 Apr, 13:47, "criman...@googlemail.com" <criman...@googlemail.com>
wrote:
Yes - this is most likely the cause. The only practical solution is to use
SSL to bypass the dodgy proxy.

C.

Robert Gonzalez

Apr 6, 2009, 12:13:47 PM
to Professi...@googlegroups.com
Another thing to try is to set a cookie with a token unique to each request and check the token as well as the session id to make sure the user matches both pieces.

--
Robert A. Gonzalez

flickle1

Apr 6, 2009, 12:23:54 PM
to Professional PHP Developers
Here's a suggestion: you can add a touch of global positioning
(longitude/latitude) to your session variables, which is very simple.
Also add session timeouts, because 1 in 2 people probably never bother
to log out anyway.

And out of interest, which server do you use, Apache?

SeeVik

Apr 6, 2009, 9:37:57 PM
to Professional PHP Developers
Thanks a lot for your replies guys.

@ flickle1
> Here's a suggestion: you can add a touch of global positioning (longitude/latitude) to your session variables, which is very simple.
Adding latitudes and longitudes? But how will I find the co-ordinates
of the terminal from which the customer is accessing the system?

> Also add session timeouts, because 1 in 2 people probably never bother to log out anyway.
Yes. I have added a session timeout.

> and out of interest which server do you use Apache?
Yes, I am using Apache; to be more accurate, XAMPP, which contains
Apache in the bundle.


@ crim...@googlemail.com
> They are sitting on the same provider or in the same internet cafe with the same proxy, and there are problems with the proxy setup.
I know that these people are using different computers, but yes, they
could have the same provider.


@ C. (http://symcbean.blogspot.com/)
> The only practical solution is to use SSL to bypass the dodgy proxy.
Hello there. Using SSL to bypass the proxy? I have a query about this,
being more or less a novice in website security. Is this something to
be applied to my webapp, or does it have to be configured on the customer's
terminal?

Thanks and Regards
Vikram

C. (http://symcbean.blogspot.com/)

Apr 7, 2009, 9:07:08 AM
to Professional PHP Developers
On 6 Apr, 17:13, Robert Gonzalez <robert.anthony.gonza...@gmail.com>
wrote:
> Another thing to try is to cookie a token unique to each request and check
> the token as well as the session id to make sure the user matches both
> pieces.
>

But if the proxy is ignoring the caching information, why would it
start respecting that information when another cookie is added
(presumably there is already a session cookie)?

This does present the possibility of
1) embedding the session id in the response
2) trapping the response at the browser and checking that the session
id returned matches the stored cookie
3) initiating a redirect on the browser if they don't match

But you still have the problem of getting the right session cookie
delivered to the browser when the user logs on (back to SSL?) ... and
this would also mean that you couldn't set the HttpOnly flag on the
session cookie.

C.
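
The weak point C. describes, a session cookie that can reach more than one browser, can also be narrowed on the server side while SSL is being set up. The following is an added example, not code from the thread or from CakePHP, written for current PHP (7.1 or later). It regenerates the session id at login, so an anonymous id replayed by the proxy never turns into a logged-in session for a second browser; it pins the session to a fingerprint of the browser taken at login; and it logs and destroys a session whose id arrives from a browser with a different fingerprint. The function names, the log path and the fingerprint choice (User-Agent only, because every affected customer arrives from the proxy's address) are assumptions for the example, and two browsers with identical User-Agents behind the same proxy will not be told apart by the fingerprint, which is why the regeneration at login is the part that matters most.

```php
<?php
// Added example, not code from the thread or from CakePHP. Assumes the proxy
// diagnosis above: a response carrying Set-Cookie gets replayed, so several
// browsers present the same PHPSESSID. Written for current PHP (7.1+).
// Assumed names: secure_session_start(), login(), current_user(), logout(), SESSION_LOG.

declare(strict_types=1);

const SESSION_LOG = __DIR__ . '/session-anomalies.log'; // assumed path

/** Call before any output, in the one place every page passes through. */
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    // The Secure flag only helps once the site is on HTTPS; set it when it is.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    ini_set('session.cookie_secure', $https ? '1' : '0');
    // 'nocache' makes PHP send Cache-Control: no-store, no-cache, must-revalidate
    ini_set('session.cache_limiter', 'nocache');
    session_start();
    // Belt and braces for caches that key on the URL alone.
    header('Cache-Control: private, no-store, no-cache, must-revalidate');
    header('Vary: Cookie');
}

/** Browser fingerprint. REMOTE_ADDR is deliberately left out: behind a shared
 *  proxy it is the same for every affected customer. */
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** After the credentials have been verified: issue a fresh id to this browser
 *  only and pin the session to it. The old (possibly shared) id is deleted. */
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'     => $userId,
        'fingerprint' => client_fingerprint(),
        'login_addr'  => $_SERVER['REMOTE_ADDR'] ?? '',
    ];
}

/** Returns the logged-in user id, or null. A session id presented by a browser
 *  other than the one that logged in is logged and destroyed, not served. */
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        error_log(sprintf("%s mismatch sid=%s user=%d addr=%s ua=%s\n",
            date('c'), session_id(), $_SESSION['user_id'],
            $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_USER_AGENT'] ?? '-'), 3, SESSION_LOG);
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

/** Logout: drop the data, the server-side record and the cookie, so none can be reused. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Wire secure_session_start() into the single include or base controller that every request goes through, call login() only after the password check has passed, and have every protected action send the visitor to the login page when current_user() returns null. The lines that land in the anomaly log name the proxy address and the customers involved, which is the evidence the original question was asking how to collect.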

C. (http://symcbean.blogspot.com/)

Apr 7, 2009, 9:11:18 AM
to Professional PHP Developers


On 7 Apr, 02:37, SeeVik <vikramvmalhotra1...@gmail.com> wrote:
> Thanks a lot for your replies guys.
>
> @ C. (http://symcbean.blogspot.com/)
> > The only practical solution is to use SSL to bypass the dodgy proxy.
>
> Hello there. Using SSL to bypass the proxy? I have a query about this
> being more or less a novice in website security. Is this something to
> be applied on my webapp or has it got to be configured on customer's
> terminal?
>

No, SSL provides end-to-end encryption. Since the proxy has no
visibility of what the discussion is, it cannot cache any of the data.
It will still act as an intermediary, passing on the data if it is
configured to do so.

All you need to do is enable SSL on your webserver and deliver all
your content via SSL. The downside is that it's not very search-engine
friendly and requires the cost of buying, configuring and managing a
certificate.

C.

SeeVik

Apr 8, 2009, 1:16:33 AM
to Professional PHP Developers
Thanks a lot for your reply. Taking your advice, I have created my own
certificate for now and tried to configure XAMPP with SSL. But I have
run into a problem there. Here is an insight into the directory
structure of my webapp (I have used the CakePHP framework) ...

C:/
--+ xampp
----+ htdocs
----+ phpmyadmin
----+ php
----+ security

D:/
--+ webapp
----+ htdocs
------+ js
------+ css
------+ index.php
------+ .htaccess
----+ code (All the code resides here)
------+ company
--------+ cake
--------+ config
--------+ controllers
--------+ models
--------+ views
--------+ index.php
--------+ app_controller.php

Here is what I wrote in my apache/conf/extra/httpd-xampp.conf file

Alias / "D:/webapp/htdocs/"
<Directory "D:/webapp/htdocs/">
    AllowOverride All
    Order allow,deny
    Allow from all
    SSLRequireSSL
</Directory>

Since I have set the alias to root '/', it correctly displays the
main page, which is accessed from https://localhost.
But as soon as I click other links, it displays the following error
message...

Bad Request
Your browser sent a request that this server could not understand.
Additionally, a 400 Bad Request error was encountered while trying to
use an ErrorDocument to handle the request.

Apache/2.2.8 (Win32) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8g
mod_autoindex_color PHP/5.2.5 Server at localhost Port 443

What am I doing wrong over here?

Thanks and Regards
Vikram

Robert Gonzalez

Apr 8, 2009, 1:38:05 AM
to Professi...@googlegroups.com
Have you made sure to enable/install any SSL modules for Apache that you need to? Have you set up the virtual host for port 443 that handles the certificate?
--
Robert A. Gonzalez

SeeVik

Apr 8, 2009, 2:13:52 AM
to Professional PHP Developers
Thanks for your reply Robert.

Yes, the SSL module is installed in the XAMPP bundle. It is OpenSSL. It's
the 443 port that I had missed setting up. Thanks a lot for your help.

On Apr 8, 2:38 pm, Robert Gonzalez <robert.anthony.gonza...@gmail.com>
wrote:
> Have you made sure to enable/install any SSL modules for Apache that you
> need to? Have you set up the virtual host for port 443 that handles the
> certificate?
>
> On Tue, Apr 7, 2009 at 11:16 PM, SeeVik <vikramvmalhotra1...@gmail.com>wrote:

MEM

Apr 8, 2009, 5:21:34 AM
to Professi...@googlegroups.com
I'm having a hard time planning my project here. :s Today's web applications
don't rely on only one programming language, and I find it hard to separate
CSS from PHP from JavaScript (and it will become more difficult if we add
Ajax to the equation).

Before I keep going and just code like madness, I'd like to find a way, a
methodical way, that allows me to separate (not physically, not the files, but
logically) those project parts.

How can I logically separate CSS from JavaScript, from PHP, etc.?
I've read about singletons, and DI, and factories, but WOW... let's keep it
simple for now. I have no more than a few weeks of PHP; I just want to
organize the best I can. So, keeping in mind that I'm a newbie, what would be
your best advice for getting started doing it this way?


Thanks a lot,
Márcio

Fahd Murtaza

Apr 8, 2009, 5:37:31 AM
to Professi...@googlegroups.com
What do you think about your PHP skills? Are they good enough? Please answer. I will then suggest a few things.
--
Regards
Fahd Murtaza
http://www.fahdmurtaza.com

MEM

Apr 8, 2009, 6:04:32 AM
to Professi...@googlegroups.com

I'm the most newbie you can get. I can learn and I'm avid to do so, but I'm a very newbie PHP and OOP programmer, if I can call myself that. :)


Thanks,

Márcio

Fahd Murtaza

Apr 8, 2009, 6:07:40 AM
to Professi...@googlegroups.com
Well,

that's not a problem. You can still go for MVC. That's Model View Controller. Try learning CodeIgniter. I see you have great plans for development, so I find it a pretty cool thing for you.

MEM

Apr 8, 2009, 6:34:25 AM
to Professi...@googlegroups.com

Thanks a lot for your advice. I will read more about those topics.

Still, I was reading about MVC and it was not easy to understand where the JavaScript + PHP separation in a possible Ajax application fits in there... But I will keep reading.

About frameworks, well, I'd like to avoid them for now. I really want to learn. I was having great pleasure dealing with PDO and making a database connection; I'd like to learn PHP foundations more than custom framework code, if that's the case. But maybe I'm misjudging frameworks...?

Maybe having a structure and using some classes here and there for the hardest parts can do the trick? But again, in this case, what organization should I adopt to allow stability and scalability? Are those impossible goals for a newbie?

Note that, as a learner, I don't want to use one single piece of code that I cannot properly understand, and that's also a challenge... :)

Regards,

Bruno Reis

Apr 8, 2009, 7:11:08 AM
to Professi...@googlegroups.com
> "I'd like to learn PHP foundations more than custom framework
> code, if that's the case. But maybe I'm misjudging frameworks...?"

Frameworks let you focus on the business. They settle a design
foundation and do the repetitive work for you. And they organize the
code and the layers very well. A lot of problems you will find are
already solved in them, normally with good designs. There is no such
thing as "custom framework code". MVC frameworks only separate the layers
and help you put things in the right places, but what you write is
as much "PHP code" as you would write without one.

I would also recommend you take a look at phpDoctrine (database ORM)
and jQuery (JS) or maybe Dojo. The best way to avoid a mess with
php/js/ajax/css/html is to communicate only data (JSON or XML) between
client and server. But it is not an easy task for a beginner. I think
Zend Framework has some integration with Dojo already done that you
might want to study too.


Robert Gonzalez

Apr 8, 2009, 11:10:52 AM
to Professi...@googlegroups.com
If you want to learn PHP, don't bother with a framework yet. Hell, you may never get to the point where you use one. You might even build your own lightweight framework once you get the hang of programming. Learn the fundamentals first, because if you don't know those then the framework stuff might work, but you will never know why.

The web front end
First things first... learn HTML. If you are developing for the web, learn how to bring hypertext to the user's user agent (their browser of choice). Once you understand HTML (and I don't mean just the collection of tags, but HTML vs. XHTML, strict vs. transitional, etc.) and the standards associated with it, move on to CSS and learn how CSS handles the presentation aspect of the visible web. HTML, or the markup that makes a web page a web page, is meant for structure, not presentation. CSS is meant for presentation. Learn how they work with one another and you will be golden.

After that, learn the basics of JavaScript. I say the basics because this is one case where I would totally recommend you use a library when developing. But even then, you still need to know how JS works when working with a JS library, so learn the core concepts of JS and then pick a library to use. I favor jQuery.

The web back end
The first thing I would tell you is to learn PHP from a procedural approach with something small. I say this because moving to OOP can be a daunting task for those who do not come from a programming background, and even for those who do, if you come from a strictly typed language background, OOP in PHP is a little confusing at first. Learn the basics of PHP, the core of the language, like types, arrays, language constructs and looping structures. Those will become invaluable later on.

Then move on to database learning. PHP is a powerful language and does not need a database to kick ass as a programming language. But its power is totally unleashed when you couple it with a database. Of course the most common database server associated with PHP is MySQL, but there are lots of choices available when it comes to database servers (SQLite, PostgreSQL, etc.). As you learn the foundations of SQL (not SQL specific to an RDBMS but SQL, the actual Structured Query Language itself), keep in mind that not all RDBMSs implement SQL the same way, so some of your learning will be the basics and some will be specific to your platform.

Putting it all together
Once you have an understanding of the front end and back end, you can put the two together very easily. Of course, structuring your Ajax interactions might be a bit more confusing, since often you think of the Ajax output as either JSON-encoded objects, XML or straight HTML.

Your file structure/architecture will be whatever you want it to be. The thing to remember is to make code work within your structure, which is not that hard to do once you figure out what your structure will look like.
--
Robert A. Gonzalez

MEM

Apr 8, 2009, 12:32:22 PM
to Professi...@googlegroups.com

Thanks a million, Robert and Bruno.

@Bruno Reis

It's part of my learning process to also know the structure. So I'm more in the mood to create (even if it's little and not well constructed) my own structure, but I absolutely need one, and that's a point that I want to state clearly ;).

@Robert Gonzalez

I'm not an expert in all those disciplines; for example, CSS and JavaScript are a DOM world that I only grasp. But I know their places in the whole picture. And despite being new to programming "by hand", I'm not that new to web development. So I do believe I pass all the disciplines that you have stated, not as a master, but as someone capable of understanding how they are related to each other and of getting the basics done. I already have the basics like loops, conditionals, var types, using procedural too.

It's because I have done this the "wrong way" that I'm trying to appeal to a better way.

And your last statement is not at all trivial for me:

"is not that hard to do once you figure out what your structure will look like."

And that is where my question resides: "Where should I learn about structure?" How can I, a newbie, do little things, starting with very simple tasks (like a database connection shared by all classes), but doing that in a well structured, logical way?

MVC could be an answer but, gosh, it's hard to get there with no information-architecture bases or something...

Should I go with a bunch of includes, scripts, requires, etc.?

Regards,

Márcio

Steven Wright

Apr 8, 2009, 2:15:51 PM
to Professi...@googlegroups.com
Very well put.



Pete Morales

Apr 8, 2009, 7:48:03 PM
to Professi...@googlegroups.com
robert you are the MAN!!!!

crim...@googlemail.com

Apr 9, 2009, 5:44:47 PM
to Professional PHP Developers

On 8 Apr, 08:16, SeeVik <vikramvmalhotra1...@gmail.com> wrote:
...
> certificate for now and tried to configure XAMPP with SSL. But I have
...

Oh no! Longitude? SSL? Maybe SWAT and a nuclear bomb?
Get the solution:

>--------------------------8<---------------------------------
<?php

// Switch clients that arrive through a known cookie-mangling proxy from
// cookie-based sessions to the session id carried in the URL (trans_sid).
// Pass the proxy addresses as arguments; call it before session_start().
function AwareBadProxy()
{
    $sid = session_id();
    if (!empty($sid)) {
        // A session is already running, so the ini changes below would be too late.
        trigger_error(ini_get('session.auto_start')
            ? "session.auto_start must be 0"
            : "move AwareBadProxy call before session_start()", E_USER_ERROR);
    }

    $badProxyList = func_get_args();
    if (in_array($_SERVER['REMOTE_ADDR'], $badProxyList, true)) {
        ini_set('session.use_cookies', '0');
        // Since PHP 5.3 use_only_cookies defaults to 1, which makes PHP ignore an
        // id in the URL; it has to be off for the URL fallback to be read back.
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
    }
}

// Localhost (127.0.0.1) is 'bad' to demonstrate the effect. Change it to
// 127.0.0.2 to take it off the bad list.
AwareBadProxy('195.95.95.100', '127.0.0.1');

// P.S. 195.* is just an example

session_start();

?><HTML>
<HEAD><TITLE>Decooker check page</TITLE></HEAD>
<BODY>
<H1>Test</H1>

<P><A HREF="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>">Press me and see
the URL line</A></P>
</BODY>
</HTML>
>--------------------------8<---------------------------------

See in the logs the IP address of the proxy used by the problem clients and add it
to the list in the AwareBadProxy() call.
Call it _before_ session_start(). In a good design there must be exactly
one place where you can add this call and affect the whole site (it can be an
include file or the constructor of the base page if you use OOP). If you have
no such place in your code, that's a reason to redesign.