DbSESSIONS

axilant

In the creation of a new authentication system I made for an upcoming website, I have created a way that does not use a cookie or a regular session, using a database instead.

PHP:
<?php
class dbSESSIONS
{
	var $_version = "1.0";
	var $_lastupdate = "11/3/2005";
	var $_author = "Cody Selzer <[email protected]>";
	var $_description = "Class that will allow to make dbSESSIONS";
	var $connect;
	var $select_db;

	// Connect to the MySQL server and select the database.
	function MySQL($host, $username, $password, $database)
	{
		$this->connect = @mysql_connect($host, $username, $password);
		if(!$this->connect)
		{
			$this->error("Mysql Connection Error", "Failed connecting to database server\r\n\r\n" . mysql_error());
			return false;
		}
		$this->select_db = @mysql_select_db($database, $this->connect);
		if(!$this->select_db)
		{
			$this->error("Mysql Connection Error", "Failed selecting database\r\n\r\n" . mysql_error());
			return false;
		}
		return true;
	}
	// Escape a value before it is placed inside a quoted SQL literal.
	function esc($value)
	{
		return mysql_real_escape_string($value, $this->connect);
	}
	function query($query)
	{
		return mysql_query($query, $this->connect);
	}
	// Fetch the next row of a result set as an associative array.
	function get_array($result)
	{
		return mysql_fetch_assoc($result);
	}
	// Run a query and return its first row as an associative array (false if none).
	function get_row($query)
	{
		return mysql_fetch_assoc($this->query($query));
	}
	function num_rows($query)
	{
		return mysql_num_rows($this->query($query));
	}
	function error($title, $message)
	{
		exit("<h1>" . htmlspecialchars($title) . "</h1><p>" . nl2br(htmlspecialchars($message)) . "</p>");
	}
	// Client address used as the session key. X-Forwarded-For is whatever the
	// client or its proxy chose to send; nothing here verifies it.
	function ip()
	{
		if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //stupid proxies! :P
		{
			return $_SERVER['HTTP_X_FORWARDED_FOR']; //get their real ip hehe
		}
		else
		{
			return $_SERVER['REMOTE_ADDR']; //they dont use a proxy :)
		}
	}
	// Build a random string of digits and letters and hash it to a 32-char ID.
	function seed()
	{
		$len = rand(1, 1000000); //between 1 and 1,000,000
		$s[0] = range('0', '9');
		$s[1] = range('A', 'Z');
		$s[2] = range('a', 'z');
		$l = count($s);
		$all = array();
		$z = array();
		for($i = 0; $i < $l; $i++)
		{
			foreach($s[$i] as $c) { $all[] = $c; }
		}
		// one character from each class first, then random picks up to $len
		for($i = 0; $i < $l; $i++) { shuffle($s[$i]); $z[] = $s[$i][0]; }
		for($i = $l; $i < $len; $i++) { shuffle($all); $z[$i] = $all[0]; }
		shuffle($z);
		return md5(implode('', $z));
	}
	// Look up the sessionID stored for an IP address; false if there is none.
	function getID($ip)
	{
		$row = $this->get_row("SELECT sessionID FROM dbsessions WHERE ipaddress = '" . $this->esc($ip) . "'");
		return $row ? $row['sessionID'] : false;
	}
	// Return all name/value pairs stored for the current session.
	function varArray()
	{
		$arr = array();
		$sessionID = $this->getID($this->ip());
		if($sessionID === false)
		{
			return $arr;
		}
		$sql = $this->query("SELECT var, value FROM session_vars WHERE sessionID = '" . $this->esc($sessionID) . "'");
		while($row = $this->get_array($sql))
		{
			$arr[$row['var']] = $row['value'];
		}
		return $arr;
	}
	// Create a session row for the current IP address unless one already exists.
	function register()
	{
		$ip = $this->esc($this->ip());
		if($this->num_rows("SELECT * FROM dbsessions WHERE ipaddress = '$ip'") == 1)
		{
			return true; // this address already has a session
		}
		$seed = $this->seed(); // md5 hex, safe to embed in the query
		return (bool) $this->query("INSERT INTO dbsessions (sessionID, ipaddress) VALUES ('$seed', '$ip')");
	}
	function kill() //basically "logout"
	{
		$sessionID = $this->getID($this->ip());
		if($sessionID === false)
		{
			return;
		}
		$sessionID = $this->esc($sessionID);
		$this->query("DELETE FROM dbsessions WHERE sessionID = '$sessionID'");
		$this->query("DELETE FROM session_vars WHERE sessionID = '$sessionID'");
	}
	// Store (or update) one name/value pair for the current session.
	function variable($name, $value)
	{
		$sessionID = $this->getID($this->ip());
		if($sessionID === false)
		{
			return false;
		}
		$sessionID = $this->esc($sessionID);
		$name = $this->esc($name);
		$value = $this->esc($value);
		if($this->num_rows("SELECT * FROM session_vars WHERE sessionID = '$sessionID' AND var = '$name'") == 1)
		{
			return (bool) $this->query("UPDATE session_vars SET value = '$value' WHERE sessionID = '$sessionID' AND var = '$name'");
		}
		else
		{
			return (bool) $this->query("INSERT INTO session_vars (sessionID, var, value) VALUES ('$sessionID', '$name', '$value')");
		}
	}
}
?>

SQL:
DROP TABLE IF EXISTS dbsessions;
CREATE TABLE dbsessions (
  sessionID varchar(32) NOT NULL default '',
  ipaddress varchar(20) NOT NULL default '',
  setdate varchar(255) NOT NULL default '',
  daystokeep int(11) NOT NULL default '0',
  KEY ipaddress (ipaddress)
) ENGINE=MyISAM;

DROP TABLE IF EXISTS session_vars;
CREATE TABLE session_vars (
  sessionID varchar(32) NOT NULL default '',
  var text NOT NULL,
  value text NOT NULL,
  KEY sessionID (sessionID)
) ENGINE=MyISAM;

Simple Example:
PHP:
<?php
include("./dbSESSION.php");
$dbses = new dbSESSIONS();
$ip = $dbses->ip();
$dbses->MySQL("localhost", "root", "", "dbses");
$dbses->register(); //this will make a new session...
$dbses->variable("ip", $ip);
$ses = $dbses->varArray();
print_r($ses);
?>

Explanations:

Code:
$dbses->register();
This is used to register a session with the database. There are no variables yet, but it's open to a variable/value for later use.

Code:
$dbses->variable("ip","$ip");
ip is the variable's name. $ip is the variable's value. You can use this to insert usernames/passwords etc...

How this works
This is really a way to keep data retrieval away from the client side... they will have to get server access to get any information. The register() function will set up a new sessionID in the dbsessions table, and it's retrieved by the user's IP address. All the data is accessed using the viewer's IP address.

This is only the basics of this idea. I recoded this for here at NamePros, so if there are any problems just ask me, and I'd be glad to assist you.

What this would be useful for:
Web games, email services, things like that.

Is this secure?
In my opinion it is; the only thing that could make this insecure is if the person uses a shared proxy IP address.

Good thing to keep in mind:
Two DIFFERENT people cannot be logged in on the same IP address at a time. To me, this could prevent a lot of cheating in online games, without the use of a GOOD proxy application, because it does look for IP forwarding.

Any questions/comments post here.
I'm not too sure this is the right way to go... the use of an IP address as the only means to validate a session is dangerous... also think of AOL users...

Moreover, when you have an in-built mechanism in PHP for creating session IDs, why not use that??

If you're apprehensive about storing the actual session data (which can be anything like username, user preferences, etc.) in a flat file, store this session data in a MySQL database... but you should use session_start() as the way to let PHP itself create session IDs for you...