shak_attack
05-31-2005, 03:06 AM
I've been trying to get my sessions to be shared across servers for verification purposes, i've tried a number of methods including passing the session id through the url but all has failed.
Heres the core script:
<?
session_start();
if (!empty($_POST['username']) && !empty($_POST['password'])) {
include("./sqldata.php"); //file that contains the variables on the next line
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // open connection
mysql_select_db($db) or die ("Unable to select database!"); // select database
$pusername = mysql_real_escape_string($_POST['username']);
$ppassword = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM $table WHERE username ='$pusername'";
$result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // execute query
$row = mysql_fetch_assoc($result); // see if any rows were returned
if ((mysql_num_rows($result) > 0) && (md5(md5($ppassword).$row['salt']) == $row['password'])) {
if (in_array($row['usergroupid'], array(6,2,5,7))) {
if (isset($_POST['remember'])){
$_COOKIE['public']= $pusername;
setcookie("public", $pusername, time()+60*60*24*100, "/");
} else {
$_SESSION['public'] = 1;
}
}
} else {
$error = "<div class=\"content\">Username / Password Incorrect<br><br>Note: Your Username / Password combination is the same as the one used on NarutoMania forums.</div>";
}
mysql_free_result($result); // free result set memory
mysql_close($connection); // close connection
} else {
$error = "<div class=\"content\">Please enter both your forum username and password.</div>";
}
?>
<title>NarutoMania - Naruto Direct Downloads</title>
<body leftmargin="0" topmargin="0">
<center>
<link rel="stylesheet" href="./style.css" type="text/css">
<?php include("./header.txt"); ?>
<?php include("./nav.txt"); ?>
<?php include("./precontent.txt"); ?>
<?
if(isset($_SESSION['public']) or isset($_COOKIE['public'])) {
include("http://66.28.205.245/downloads.php");
} else {
include("nlogin.php");
echo $error;
}
?>
<?php require("./footer.txt"); ?>
</center>
This login script works off a vbulletin database, hence the hashed+salted password check and usergroupid check. Now, this script works perfectly fine, the only thing is, http://66.28.205.245/downloads.php has no way of checking whether a user is logged in or not. I don't know how to share the sessions, I tried a custom session_set_save_handler but it didn't work out, although I think I did it wrong.
Im using fread on download.php on the external server to spit files to users, this is all in attempt to prevent leeching without having to use .htaccess methods. I also want to implement some sort of resume feature, I know it can be done using [HTTP_RANGE] but then again, I don't know how to make the checks to see if the user is logged in or not.
Any help would be appreciated.
Heres the core script:
<?
session_start();
if (!empty($_POST['username']) && !empty($_POST['password'])) {
include("./sqldata.php"); //file that contains the variables on the next line
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // open connection
mysql_select_db($db) or die ("Unable to select database!"); // select database
$pusername = mysql_real_escape_string($_POST['username']);
$ppassword = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM $table WHERE username ='$pusername'";
$result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // execute query
$row = mysql_fetch_assoc($result); // see if any rows were returned
if ((mysql_num_rows($result) > 0) && (md5(md5($ppassword).$row['salt']) == $row['password'])) {
if (in_array($row['usergroupid'], array(6,2,5,7))) {
if (isset($_POST['remember'])){
$_COOKIE['public']= $pusername;
setcookie("public", $pusername, time()+60*60*24*100, "/");
} else {
$_SESSION['public'] = 1;
}
}
} else {
$error = "<div class=\"content\">Username / Password Incorrect<br><br>Note: Your Username / Password combination is the same as the one used on NarutoMania forums.</div>";
}
mysql_free_result($result); // free result set memory
mysql_close($connection); // close connection
} else {
$error = "<div class=\"content\">Please enter both your forum username and password.</div>";
}
?>
<title>NarutoMania - Naruto Direct Downloads</title>
<body leftmargin="0" topmargin="0">
<center>
<link rel="stylesheet" href="./style.css" type="text/css">
<?php include("./header.txt"); ?>
<?php include("./nav.txt"); ?>
<?php include("./precontent.txt"); ?>
<?
if(isset($_SESSION['public']) or isset($_COOKIE['public'])) {
include("http://66.28.205.245/downloads.php");
} else {
include("nlogin.php");
echo $error;
}
?>
<?php require("./footer.txt"); ?>
</center>
This login script works off a vbulletin database, hence the hashed+salted password check and usergroupid check. Now, this script works perfectly fine, the only thing is, http://66.28.205.245/downloads.php has no way of checking whether a user is logged in or not. I don't know how to share the sessions, I tried a custom session_set_save_handler but it didn't work out, although I think I did it wrong.
Im using fread on download.php on the external server to spit files to users, this is all in attempt to prevent leeching without having to use .htaccess methods. I also want to implement some sort of resume feature, I know it can be done using [HTTP_RANGE] but then again, I don't know how to make the checks to see if the user is logged in or not.
Any help would be appreciated.