

Creating multiple sessions in download script?

  #1 (permalink)  
Old 07-08-08, 06:14 AM
SlaveDriver SlaveDriver is offline
Newbie Coder
 
Join Date: Jan 2008
Posts: 69
Thanks: 0
Thanked 0 Times in 0 Posts
Creating multiple sessions in download script?

Hi folks, not sure if the title really makes any sense but here's my problem:

I have a download script, which checks if a user is logged in before downloading.

The first line of code in my download script is
session_start();

Everything works correctly, however if a user is downloading a file, the user will be unable to browse the website until the download has finished.

I came up with a solution (but it's hardly practical) by adding:
session_destroy();

after the login check functions.

This is very impractical as it will end the session and will require the user to relogin when browsing. But it does solve the problem of restricting browsing when downloading.

Is there a more practical solution to this problem?

Thank you coders
  #2 (permalink)  
Old 07-08-08, 10:30 AM
Dissonance Dissonance is offline
Newbie Coder
 
Join Date: Jul 2008
Location: Kentucky, USA
Posts: 24
Thanks: 0
Thanked 0 Times in 0 Posts
If you are not naming your sessions, I suggest you do so.

PHP Code:

session_name('some_name');
session_start(); 
You can create 1 session per page, though I don't know why you'd want more than one session.

How are you checking if a user is logged in? And if you only check that the user is logged in upon downloading, how is the user unable to browse while logged out? Are you checking there as well?
  #3 (permalink)  
Old 07-08-08, 03:06 PM
SlaveDriver SlaveDriver is offline
Newbie Coder
 
Join Date: Jan 2008
Posts: 69
Thanks: 0
Thanked 0 Times in 0 Posts
The download script checks if the user is logged in before executing the download.

I don't know the best way of explaining the procedure, so I'll keep it short and simple.

The download script, dl.php, is executed like this: site.com/dl.php?file.zip

Once the user clicks the link, the dl.php script checks to see if the user is logged in. If so, then the download is executed. If not, then we get error messages.

The problem is, as there is a session_start() in the dl.php file, the user cannot browse until the download is complete.

I found a very crap solution by using session_destroy() right before the download is executed, just after the login checks, thus erasing the session data and logging the user out completely, and is able to browse as an anonymous user.

I'll try naming sessions and see how it goes

Still open to more help !

Thanks!
  #4 (permalink)  
Old 07-08-08, 04:46 PM
Dissonance Dissonance is offline
Newbie Coder
 
Join Date: Jul 2008
Location: Kentucky, USA
Posts: 24
Thanks: 0
Thanked 0 Times in 0 Posts
Personal Preference: I usually add my session initialization inside of my includes.php file, which is referenced by every page. Sessions always exist for all users regardless of whether or not they are logged in.

However, when/if they do log in, it saves the session and username (or user id) in the database, for future reference. As sessions can be spoofed, I also store IP addresses, just for that extra bit of security. Physical access to the same network and access to the session ID (which is pretty hard to get unless you're sniffing network packets) and like people always say, once physical security is breached, security is pretty useless, you can only slow someone's progress.

If it were up to me, I'd tell you to always have sessions created and reference them in a database.

Here is my sessions table. I store data in the time column with PHP's time() format.

sql Code:

--
-- Table structure for table `sessions`
--

CREATE TABLE IF NOT EXISTS `sessions` (
  `ip` varchar(15) collate latin1_general_ci NOT NULL,
  `time` varchar(15) collate latin1_general_ci NOT NULL,
  `id` varchar(32) collate latin1_general_ci NOT NULL,
  `name` varchar(32) collate latin1_general_ci NOT NULL,
  `userid` int(11) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;

PHP Code:

function is_user_logged_in()
{
    $link = database_connect();
    $sql = "SELECT * FROM sessions WHERE ip='$_SERVER[REMOTE_ADDR]'"; // SQL Query
    $result = mysql_query($sql, $link); // $link is the database connection.  (Not many people use this, but I do.)
    $num = mysql_num_rows($result); // How many rows?  (Should just be one, but on the off-chance that we have multiple users from the same IP, such as a college or something...)
    for ($i = 0; $i < $num; $i++) // Loop through all the rows
    {
        $row = mysql_fetch_assoc($result); // Grab a row.
        // If session ID is the same as the stored database value, success!
        if (session_id() == $row['id']) { return true; }
    }
    return false;
}


Last edited by Dissonance; 07-08-08 at 04:49 PM.
  #5 (permalink)  
Old 07-09-08, 02:50 AM
Nico Nico is offline
Community Leader
 
Join Date: Sep 2005
Location: Spain
Posts: 8,075
Thanks: 11
Thanked 88 Times in 83 Posts
Maybe I'm missing something, but wouldn't it be better to query the database like this:

PHP Code:

$session_id = session_id();

$sql = "
    SELECT * FROM sessions
    WHERE
        ip = '{$_SERVER['REMOTE_ADDR']}' AND
        id = '{$session_id}'
    LIMIT 1";

...?
  #6 (permalink)  
Old 07-09-08, 03:10 AM
Dissonance Dissonance is offline
Newbie Coder
 
Join Date: Jul 2008
Location: Kentucky, USA
Posts: 24
Thanks: 0
Thanked 0 Times in 0 Posts
This is very true. I remember writing the original code that only checked IPs, which didn't work with multiple users from a single IP, so I added in the last few lines to check session IDs as well, fixing the problem.

I guess I hadn't rewritten that part just yet.

Great catch though, I'll update my scripts accordingly.
  #7 (permalink)  
Old 07-12-08, 03:39 PM
itsjazzy itsjazzy is offline
New Member
 
Join Date: Jul 2008
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by SlaveDriver
I found a very crap solution by using session_destroy() right before the download is executed, just after the login checks, thus erasing the session data and logging the user out completely, and is able to browse as an anonymous user.

I'll try naming sessions and see how it goes

Still open to more help !

Thanks!
Try using session_write_close() instead of session_destroy()


Cheers

Andy
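
The session_write_close() approach suggested above, as an added example that is not part of the original posts: PHP's default file-based session handler holds an exclusive lock on the session from session_start() until the script ends or session_write_close() is called, which is why a long download blocks the same user's other requests. The `userid` session key, the `DOWNLOAD_DIR` path and the `?file=` parameter name are assumptions made for this sketch.

```php
<?php
// dl.php -- added example, not code from the thread.
// Assumptions: $_SESSION['userid'] marks a logged-in user, files live in
// DOWNLOAD_DIR, and the link looks like dl.php?file=file.zip.
const DOWNLOAD_DIR = '/var/www/private/downloads';

session_start();                         // takes the exclusive session lock
$loggedIn = isset($_SESSION['userid']);  // read what is needed while the lock is held
session_write_close();                   // save and unlock; the login itself is kept

if (!$loggedIn) {
    http_response_code(403);
    exit('Please log in first.');
}

// Reduce the request to a bare file name so it cannot point outside DOWNLOAD_DIR.
$name = basename((string) ($_GET['file'] ?? ''));
$path = DOWNLOAD_DIR . '/' . $name;
if ($name === '' || !is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

// Drop any output buffers so chunks reach the client as they are read.
while (ob_get_level() > 0) {
    ob_end_clean();
}

$safeName = str_replace(['"', '\\'], '', $name);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));

// The session is already closed, so other pages requested by the same
// user are not blocked while this loop runs.
$fh = fopen($path, 'rb');
while (!feof($fh) && !connection_aborted()) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```

Any write to $_SESSION after session_write_close() is not saved, so session updates belong before that call.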