[nycphp-talk] Experts help needed (Sessions)
Joseph Crawford
codebowl at gmail.com
Thu Aug 11 13:14:14 EDT 2005
Guys, here is my current CheckSession function code, can you critique it for
me please ;)

Basically it checks to see if the user's user agent changes. If it does, it
checks to see if it normally changes frequently; if it does, it should do
nothing. If it doesn't change frequently and it has changed, it then checks
to see if the user's IP address has changed. If both the UA and IP have
changed and it's abnormal for the user's UA to change, it requests the
password. I have yet to add this functionality but plan to.

If the user's UA does change frequently, it will check to see if the user's IP
changes frequently; if not, and it has in fact changed, it will display the
password page. Otherwise it will keep on chugging and realise this is one of
the, say, 10% of users whose UA and IP change frequently.

function CheckSession() {
    global $db;

    // UA_THRESHOLD is expected to be defined elsewhere in the application.
    // check the users user agent activity.
    if(isset($_POST['submit'])) {
        if(isset($_POST['passwd'])) {
            $table = strtolower($_SESSION['type'].'s');
            // the session values and the md5() of the submitted password are
            // concatenated into the query string as-is
            $res = $db->Query("SELECT pass FROM ".$table." WHERE username='".$_SESSION['username']."' AND pass='".md5($_POST['passwd'])."'");
            if($db->NumRows($res) == 0) {
                $pError = 'Invalid Password!';
                // display password form
                // displayPasswordForm($pError);
            } else {
                // reset our session variables.
                unset($_SESSION['UA_CHECKS']);
                unset($_SESSION['HTTP_USER_AGENT']);
                unset($_SESSION['UA_CHANGES']);
            }
        } else {
            // displayPasswordForm($pError);
        }
    }

    // check to see if UA_CHECKS is instantiated, if not set it to 0
    if(!isset($_SESSION['UA_CHECKS'])) $_SESSION['UA_CHECKS'] = 0;
    // same for IP_CHANGES, so it can be incremented and compared below
    if(!isset($_SESSION['IP_CHANGES'])) $_SESSION['IP_CHANGES'] = 0;

    if($_SESSION['UA_CHECKS'] >= UA_THRESHOLD) {
        // nothing is done here yet
    }

    // check to see if the users IP address has been set, if not set it.
    if(!isset($_SESSION['REMOTE_ADDR'])) $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];

    // check to see if the IP has changed
    if($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) {
        // It has changed, update and increment IP_CHANGES count
        $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
        ++$_SESSION['IP_CHANGES'];
    }

    if(!isset($_SESSION['HTTP_USER_AGENT'])) $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    else {
        // check to see if the UA has changed
        if($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) {
            // Check to see if the UA_CHECKS has been completed UA_THRESHOLD times
            if($_SESSION['UA_CHECKS'] >= UA_THRESHOLD) {
                // It's not normal for the users UA to change frequently
                // check to see if the IP has changed at all
                if($_SESSION['IP_CHANGES'] != 0) {
                    // The users IP changed also, display the password page.
                    //display the password page
                }
            } else {
                // UA_CHECKS has not met with UA_THRESHOLD, increment the UA_CHANGES
                if(!isset($_SESSION['UA_CHANGES'])) $_SESSION['UA_CHANGES'] = 0;
                ++$_SESSION['UA_CHANGES'];
            }
        } else {
            ++$_SESSION['UA_CHECKS'];
        }
    }
}

--
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
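
The decision rule described in the message above, written out as a pure function over a session array. This is an added example, not the poster's code; the function names, MIN_CHECKS, the 20% FREQUENT_RATE and the sample traffic are assumptions made here.

```php
<?php
const MIN_CHECKS = 5;       // assumption: requests observed before a profile is trusted
const FREQUENT_RATE = 0.2;  // assumption: share of requests with a change that counts as "frequent"

// True when the attribute ('ua' or 'ip') changed on at least FREQUENT_RATE of observed requests.
function changesFrequently(array $s, string $key): bool {
    return $s['checks'] >= MIN_CHECKS
        && $s[$key . '_changes'] / $s['checks'] >= FREQUENT_RATE;
}

// Updates the profile held in $s and returns 'ok' or 'reauth' for the current request.
function assessRequest(array &$s, string $ua, string $ip): string {
    $s += ['checks' => 0, 'ua' => $ua, 'ip' => $ip, 'ua_changes' => 0, 'ip_changes' => 0];
    $uaChanged = $s['ua'] !== $ua;
    $ipChanged = $s['ip'] !== $ip;
    // Judge this request against the profile built from earlier requests only.
    $learning   = $s['checks'] < MIN_CHECKS;
    $uaFrequent = changesFrequently($s, 'ua');
    $ipFrequent = changesFrequently($s, 'ip');

    $s['checks']++;
    $s['ua_changes'] += (int) $uaChanged;
    $s['ip_changes'] += (int) $ipChanged;
    $s['ua'] = $ua;
    $s['ip'] = $ip;

    if ($learning || !$uaChanged || !$ipChanged) {
        return 'ok';
    }
    // UA and IP both changed: ask for the password unless both normally change for this user.
    return ($uaFrequent && $ipFrequent) ? 'ok' : 'reauth';
}

// Constructed sample traffic: six identical requests, then UA and IP change together.
$stable = array_fill(0, 6, ['UA-A', '198.51.100.7']);
$stable[] = ['UA-B', '203.0.113.9'];
$session = [];
foreach ($stable as [$ua, $ip]) {
    $verdict = assessRequest($session, $ua, $ip);
}
echo "stable user, last request: $verdict\n";

// Constructed sample traffic: a user whose UA and IP alternate on every request.
$session = [];
for ($i = 0; $i < 8; $i++) {
    $verdict = assessRequest($session, 'UA-' . ($i % 2), '192.0.2.' . ($i % 2 + 1));
}
echo "roaming user, last request: $verdict\n";
```

In an application the array would live under a key of $_SESSION and a 'reauth' verdict would lead to the password form; until MIN_CHECKS requests have been seen no request is challenged, as with UA_THRESHOLD in the posted code.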