11-03-2005, 03:57 PM   #1 (thread starter)
axilant

dbSESSIONS


In the creation of a new authentication system I made for an upcoming website, I have created a way that does not use a cookie or a regular session using a database.

Code:
PHP Code:
<?PHP
// Uses the legacy mysql_* extension, which was removed in PHP 7.0.
class dbSESSIONS
{
    var $_version = "1.0";
    var $_lastupdate = "11/3/2005";
    var $_author = "Cody Selzer <axilant@gmail.com>";
    var $_description = "Class that will allow to make dbSESSIONS";

    // Connect to the server and select the database
    function MySQL($host, $username, $password, $database)
    {
        $this->connect = @mysql_connect("$host", "$username", "$password");
        if(!$this->connect)
        {
            $this->error("Mysql Connection Error","Failed connecting to database server\r\n\r\n" . mysql_error() . "");
            return false;
        }
        $this->select_db = @mysql_select_db($database, $this->connect);
        if(!$this->select_db)
        {
            $this->error("Mysql Connection Error","Failed selecting to database\r\n\r\n" . mysql_error() . "");
            return false;
        }
        return true;
    }
    function query($query)
    {
        return mysql_query($query);
    }
    // Escape a value before it is placed inside a quoted SQL string
    function esc($value)
    {
        return mysql_real_escape_string($value, $this->connect);
    }
    function get_array($query)
    {
        return mysql_fetch_array($query);
    }
    function get_row($query)
    {
        return mysql_fetch_array($this->query($query));
    }
    function num_rows($query)
    {
        return mysql_num_rows($this->query($query));
    }
    function error($title, $message)
    {
        exit("<h1>$title</h1><p>$message</p>");
    }
    function ip()
    {
        // X-Forwarded-For is a request header: its value is whatever the client or proxy sent
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //stupid proxies! :P
        {
            return $_SERVER['HTTP_X_FORWARDED_FOR']; //get their real ip hehe
        }
        else
        {
            return $_SERVER['REMOTE_ADDR']; //they dont use a proxy :)
        }
    }
    function seed()
    {
        // rand() and shuffle() are not cryptographically secure generators
        $len = rand(1, 1000000); //between 1 and 1,000,000
        $s[0] = range("0","9");
        $s[1] = range("A","Z");
        $s[2] = range("a","z");
        $l = count($s);
        $all = array();
        $z = array();
        for($i=0;$i<$l;$i++){for($a=0;$a<count($s[$i]);$a++){$all[]=$s[$i][$a];}}
        for($i=0;$i<$l;$i++){shuffle($s[$i]);$z[]=$s[$i][0];}
        for($i=$l;$i<$len;$i++){shuffle($all);$z[$i]=$all[0];}
        shuffle($z);
        return(md5(implode('',$z)));
    }
    function getID($ip)
    {
        $row = $this->get_row("SELECT sessionID FROM dbsessions WHERE ipaddress = '" . $this->esc($ip) . "'");
        return $row ? $row['sessionID'] : false; // the ID string, not the whole row
    }
    function varArray()
    {
        $sessionID = $this->getID($this->ip());
        $sql = $this->query("SELECT * FROM session_vars WHERE sessionID = '$sessionID'");
        $arr = array();
        while($row = $this->get_array($sql))
        {
            // read the columns directly instead of extract()-ing the row into local variables
            $arr[$row['var']] = $row['value'];
        }
        return $arr;
    }
    function register()
    {
        $seed = $this->seed();
        $ip = $this->esc($this->ip());
        if($this->num_rows("SELECT * FROM dbsessions WHERE ipaddress = '$ip'") == 1)
        {
            return true;
        }
        else
        {
            $this->query("INSERT INTO dbsessions (sessionID, ipaddress) VALUES ('$seed', '$ip')");
        }
    }
    function kill() //basically "logout"
    {
        $sessionID = $this->getID($this->ip());
        $this->query("DELETE FROM dbsessions WHERE sessionID = '$sessionID'");
        $this->query("DELETE FROM session_vars WHERE sessionID = '$sessionID'");
    }
    function variable($name, $value)
    {
        $sessionID = $this->getID($this->ip());
        $name = $this->esc($name);
        $value = $this->esc($value);
        if($this->num_rows("SELECT * FROM session_vars WHERE sessionID = '$sessionID' AND var = '$name'") == 1)
        {
            $this->query("UPDATE session_vars SET value = '$value' WHERE sessionID = '$sessionID' AND var = '$name'");
        }
        else
        {
            $this->query("INSERT INTO session_vars (sessionID, var, value) VALUES ('$sessionID','$name','$value')");
        }
    }
}
?>
SQL:
Code:
DROP TABLE IF EXISTS dbsessions;
CREATE TABLE dbsessions (
  sessionID varchar(32) NOT NULL default '',
  ipaddress varchar(20) NOT NULL default '',
  setdate varchar(255) NOT NULL default '',
  daystokeep int(11) NOT NULL default '0'
) ENGINE=MyISAM;

DROP TABLE IF EXISTS session_vars;
CREATE TABLE session_vars (
  sessionID varchar(32) NOT NULL default '',
  var text NOT NULL,
  value text NOT NULL
) ENGINE=MyISAM;
Simple Example:
PHP Code:
include("./dbSESSION.php");
$dbses = new dbSESSIONS();
$ip = $dbses->ip();
$dbses->MySQL("localhost","root","","dbses");
$dbses->register(); //this will make a new session...
$dbses->variable("ip","$ip");
$ses = $dbses->varArray();
print_r($ses);
Explanations:

Code:
$dbses->register();
This is used to register a session with the database. There are no variables yet. But it's open to a variable/value for later use.

Code:
$dbses->variable("ip","$ip");
ip is the variable's name. $ip is the variable's value. You can use this to insert username/passwords etc...

How this works
This is really a way to keep data retrieval away from the client side... they will have to get server access to get any information. The register() function will set up a new sessionID in the dbsessions table, and it's retrieved by the user's IP address. All the data is accessed using the viewer's IP address.

This is only the basics of this idea. I recoded this for here at NamePros, so if there are any problems just ask me, and I'd be glad to assist you.

What this would be useful for:
Web games, email services, things like that.

Is this secure?
In my opinion it is; the only thing that could make this insecure is if the person uses a shared proxy IP address.

Good thing to keep in mind:
Two DIFFERENT people cannot be logged in on the same IP address at a time. To me, this could prevent a lot of cheating in online games, without the use of a GOOD proxy application, because it does look for IP forwarding.

Any questions/comments post here.
11-04-2005, 10:50 AM   #2
sm



I'm not too sure this is the right way to go ... the use of an IP address as the only means to validate a session is dangerous... also think of AOL users...

Moreover, when you have an in-built mechanism in PHP for creating session IDs, why not use that?

If you're apprehensive about storing the actual session data (which can be anything like username, user preferences, etc.) in a flat file, store this session data in a MySQL database... but you should use session_start() as the way to let PHP itself create session IDs for you...