Re: Hide form when logged in.
Quote:
Originally Posted by
Pieman
2. if(!isset($_SESSION['username']) is bad, for a user could create a session called username and the system would log him in without even checking if the user exists. (I know this is kind of hard with sessions, but still.)
Woah o-o how would that happen?
Re: Hide form when logged in.
It probably won't, unless you're some kind of über hacker, but that's not the point. The point is that it's bad practice.
Re: Hide form when logged in.
Quote:
Originally Posted by
Pieman
1. Sessions are bad. Use cookies.
2. if(!isset($_SESSION['username']) is bad, for a user could create a session called username and the system would log him in without even checking if the user exists. (I know this is kind of hard with sessions, but still.)
3. Use oop.
Well, if you state it like that, then cookies are bad as well :)
As a developer you should know ways to make it more secure... It isn't cookies or sessions.. hell you could even use just text files.. as long as you have a way to make it secure :)
Also cookies can be tampered with :)
Re: Hide form when logged in.
Quote:
Originally Posted by
Pieman
It probably won't, unless you're some kind of über hacker, but that's not the point. The point is that it's bad practice.
Damn I wasn't aware that it was bad practice, but as Way[2]Death says, I always thought that cookies could be messed with. I actually thought that they were more vulnerable than using $_SESSION['name']. The only way to set $_SESSION['name'] is through the login unless you allow user input and don't block the use of PHP functions o.o
Quote:
Originally Posted by
Way[2]Death
Well, if you state it like that, then cookies are bad as well :)
As a developer you should know ways to make it more secure... It isn't cookies or sessions.. hell you could even use just text files.. as long as you have a way to make it secure :)
Also cookies can be tampered with :)
What are your suggestions on securing these things? :P
Re: Hide form when logged in.
Quote:
Originally Posted by
mickeydels1
They have a session.
ok?
I'm failing to understand why you just didn't add a check in your register system to see if a session exists...
Re: Hide form when logged in.
Quote:
Originally Posted by
Trahb
Damn I wasn't aware that it was bad practice, but as Way[2]Death says, I always thought that cookies could be messed with. I actually thought that they were more vulnerable than using $_SESSION['name']. The only way to set $_SESSION['name'] is through the login unless you allow user input and don't block the use of PHP functions o.o
What are your suggestions on securing these things? :P
Well the thing is, cookies are saved on your PC.. there are lots of easy ways to see these, edit them or even steal them from other people, sessions on the other hand are easier to secure.
The thing with sessions is that it can be "hijacked" by simply stealing someone's session id.. with a few adjustments you could prevent session hijacking..
anyone who is interested should check: http://phpsec.org/projects/guide/4.html
Re: Hide form when logged in.
If you use cookies, you can use the same "isset and !isset" thing with $_COOKIE.
Re: Hide form when logged in.
Quote:
Originally Posted by
Way[2]Death
Well the thing is, cookies are saved on your PC.. there are lots of easy ways to see these, edit them or even steal them from other people, sessions on the other hand are easier to secure.
The thing with sessions is that it can be "hijacked" by simply stealing someone's session id.. with a few adjustments you could prevent session hijacking..
anyone who is interested should check:
http://phpsec.org/projects/guide/4.html
sessions are also stored on the computer...
EDIT:
Oops, I mean they are stored on the server, which is a computer.
Re: Hide form when logged in.
Quote:
Originally Posted by
Pieman
1. Sessions are bad. Use cookies.
2. if(!isset($_SESSION['username']) is bad, for a user could create a session called username and the system would log him in without even checking if the user exists. (I know this is kind of hard with sessions, but still.)
3. Use oop.
Needless to say, it's actually the exact opposite of what you said. I assume it was a mistype. Well, to use OOP is good and all, but it's certainly not bad if you use procedural for small web-apps.. How do you suppose one writes elegant OOP when one can't even master procedural? You've got to walk before you can crawl now??? It's bad practice to crawl, so all you toddlers, GET WALKIN'! OOP should be learned, it's VERY good to learn and use, but if you can't code functions, then you're not going to grasp OOP. Start with variables, go to conditionals, move onto loops, then go to functions, THEN go to OOP style... That's pushing it, you really should know a whole list of built-in functions first, too.
@other posts
isset() doesn't "protect" anything, if a variable is set, that doesn't make it secure. If your administration panel is behind "isset" function, that's really funny.. Especially with cookies, that's like the easiest variable to set/change next to GET~ with POST not too far behind. $_SESSION variables WILL NOT be individually set or changed. An entire session key can be generated or stolen, but.. that's so far-fetched, and it assumes the attacked individual is infected with some sort of cookie sniffer, keylogger, or trojan already. (or a victim to the ever-popular, "copy your address bar for free cash!" (in the case the session ID is in GET instead of Cookie, which is hardly less secure except in terms of social hacking idiots.))
It only makes sense to use sessions. If you rely solely on cookies, it's just asking for scary trouble.
Also, with a few simple adjustments... Way[2]Death is so right on it's ridiculous. I have nothing more to say. :thumbup1:
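The points argued in the posts above (an isset() check on $_COOKIE trusts client input, a $_SESSION value is only ever set server-side, and a stolen session ID is the remaining risk), shown as an added example that is not code from any poster in this thread. find_user(), login(), is_logged_in(), login.php and the sample user are hypothetical, and the cookie-parameter array form assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Session cookie hardening; must run before session_start().
ini_set('session.use_strict_mode', '1');   // refuse session IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the session ID from the URL (GET)
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Hypothetical user store with constructed sample data; a real app queries its database.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 1, 'hash' => password_hash('constructed-pw', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;                      // nothing is written to the session on failure
    }
    session_regenerate_id(true);           // fresh ID at login, old session file deleted
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $username;
    return true;
}

function is_logged_in(): bool
{
    // $_SESSION lives on the server and is only filled by login() above;
    // the account is re-checked so a deleted user does not stay logged in.
    return isset($_SESSION['user_id'], $_SESSION['username'])
        && find_user($_SESSION['username']) !== null;
}

// Weak variant for comparison: $_COOKIE is sent by the client, so this proves nothing.
// if (!isset($_COOKIE['username'])) { /* show form */ }

if (!is_logged_in()) {
    echo '<form method="post" action="login.php"><input name="username">'
       . '<input name="password" type="password"><button>Log in</button></form>';
}
```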
Re: Hide form when logged in.
Another way would be.
PHP Code:
if(session_is_registered('LoggedIn')) {
echo 'meow :3';
}
:3 GLHF!
Re: Hide form when logged in.
Quote:
Originally Posted by
justei
Another way would be.
PHP Code:
if(session_is_registered('LoggedIn')) {
echo 'meow :3';
}
:3 GLHF!
Quote:
Originally Posted by php.net
Warning
This function has been deprecated as of PHP 5.3.0. Relying on this feature is highly discouraged.
---
Note: If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use isset() to check a variable is registered in $_SESSION.
Caution
If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered() and session_unregister().
:3 glhf! :glare:
:thumbdown: Please don't
Re: Hide form when logged in.
Quote:
Originally Posted by
Way[2]Death
:3 glhf! :glare:
:thumbdown: Please don't
Actually, knowing what you are doing :P that method works just as well as any tbh. I use it, and pages I work on use it, and I can tell you it works just as well :).
(One of the pages has 1kk hits a day for example and works like a charm :P)
Re: Hide form when logged in.
Quote:
Originally Posted by
Justei
Actually, knowing what you are doing :P that method works just as well as any tbh. I use it, and pages I work on use it, and I can tell you it works just as well :).
(One of the pages has 1kk hits a day for example and works like a charm :P)
nope.
Once you update your Apache server it's as good as shit. The only reason it works for you is because your version is still below the deprecated version.
Re: Hide form when logged in.
Quote:
Originally Posted by
holthelper
nope.
Once you update your Apache server it's as good as shit. The only reason it works for you is because your version is still below the deprecated version.
Exactly, knowing how to use deprecated functions doesn't make you a good developer.. It just tells us that you don't care to keep your stuff updated. It might work "just as well" but it's discontinued and highly discouraged to use it, when you update.. your script won't work, on the contrary, mine will ;) Again glhf :3 :thumbdown: