0

EDIT: After a complaint about assigning myself the answer, I want to update that the answers provided were not satisfactory. No one came out and explicitly said this is your problem, do this and you will have a resolution. Mere suggestions are not sufficient to merit a bounty award. Lastly, the problem was with server settings and after doing some research on server sessions and looking at Stackoverflow/Serverfault I was able to determine how to best resolve this problem. Therefore, I did not feel it was unjust to mark my own answer as the correct one.

I have a php based authentication system which relies on LDAP to verify identity and uses sessions to maintain users authenticated status.

Lately I noticed that it appears to be pushing me back to the login page like my session expired. The problem is that it does not appear to be for any specific reason that I have noticed and I am not sure how to debug/test something like this.

Here is my authentication function which starts the session: 

function authenticateUser($user, $password){
    //assuming ldap connection and verification of user login/pass
    //this is what will happen with authenticate user which is called 
    //when user submits login/pass on authentication form. 
    $_SESSION['id'] = $uID;
    $time = time(); 
    $_SESSION['time'] = $time;                                  
    $_SESSION['lastActivity'] = $time; 
    $_SESSION['expiration'] = $time+$cookieExpiration; 
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];  
    $_SESSION['secret'] = md5(rand());                          
    $_SESSION['userHash'] = getSessionHash();  
    $_SESSION['firstLogin'] = isFirstLogin($user); 
    //assign cookie to user and log authentication 
    giveCookie("userHash", $_SESSION['userHash'],0);
    logAuthenticationAttempt($user, $_SERVER['REMOTE_ADDR'], 1);
    return true;
}//end authenticateUser

Give cookie function: 

function giveCookie($name, $value, $expiration=0){
    global $path, $site; 
    setcookie("userHash", $_SESSION['userHash'], $expiration, $path, $site, true, true);    
}//end giveCookie

Here is my function which is called on each page to verify the user is authenticated before allowing them to proceed with action requiring authenticated status: 

function isValidUser(){
    global $links; global $userName; global $userID; global $cookieExpiration; 
    if(isset($_COOKIE['userHash']) and isset($_SESSION['userHash'])){
        if($_COOKIE['userHash'] == $_SESSION['userHash']){

         $userName = $_SESSION['nameN'];
         $userID = $_SESSION['id'];
         //update userHash cookie for additinoal expiration time this way session
         $time = time(); 
         $expiration = $time+$cookieExpiration; 
         $_SESSION['lastActivity'] = $time; 
         giveCookie("userHash", $_SESSION['userHash'],0);
         $_SESSION['expiration'] = $expiration; 
         return true;
         }
    }
    return false;
}//end isvalidUser()

Any advice or feedback on how to test this would be appreciated. I am looking to figure out why occasionally after performing some action I get pushed back to the login page.

On a page which request authentication what I do at the top is the following:

if(!isValidUser()){changePage($links['login']."?refer=".$links['requestHelp']);}
//note: changePage is just a function for header("location: somepage.php");
4

6 回答 6

2

不确定您目前使用什么测试软件,但我强烈推荐Selenium。它允许您通过浏览器运行脚本测试,有效地模拟最终用户会做什么和看到什么。

于 2010-09-20T14:38:07.713 回答
2

您似乎混淆了身份验证、授权和会话管理。如果您想测试所有 3 个,那么您将需要某种能够编写脚本的、有状态的 HTTP 会话重放的自动化测试工具(例如,使用 Perl 的 http::recorder / www::mechaninze)。

OTOH,如果您想使用已部署的应用程序调查会话管理,那么我建议您检测登录页面以捕获有关当前会话以及用户如何被路由到那里的信息。您还应该考虑在网络服务器上记录会话 cookie。

于 2010-09-14T12:39:38.503 回答
1

编写功能测试。你可以使用 SimpleTest 的 WebTestCase 来处理这样的事情。参见文档:http ://www.simpletest.org/en/web_tester_documentation.html

当然,您也可以尝试将代码分解成更小的部分,以便单独测试。现在,您的身份验证系统与服务器状态(例如会话管理)紧密耦合。您可以将两者解耦,从而能够在单元测试而不是功能测试中测试身份验证系统。

于 2010-09-20T14:33:30.207 回答
0

服务器可能正在覆盖他们的会话 cookie,这将更改会话哈希,然后它不会等于他们在客户端拥有的 cookie。看来你多虑了。您无需在他们的系统上设置 cookie 来验证他们。$_SESSION 变量将为您处理这一切。

如果他们通过了挑战,那么他们就会设置一个 $_SESSION 变量来为他们提供身份验证级别。

不要像您一样将 $_SESSION 传递给其他变量。不要去 $username = $_SESSION['username'] 因为现在你有一个不安全的 var ($username) 可以在其中包含受保护的数据。但它可能不会。

每当您显示会话信息时,请确保它来自马的嘴。

于 2010-09-20T14:23:07.643 回答
0

深入了解session.configuration

我会(如果你不愿意考虑你的概念)改变isValidUser记录你以前能得到的东西return false

function isValidUser(){
    global $cookieExpiration; // since $links isn't used and $userName and $userId come from $_SESSION no need for global there
    if( (isset($_COOKIE['userHash']) and isset($_SESSION['userHash'])) 
        and ($_COOKIE['userHash'] == $_SESSION['userHash']) ){

         $userName = $_SESSION['nameN']; // why these lines?
         $userID = $_SESSION['id']; // see above
         //update userHash cookie for additinoal expiration time this way session
         $time = time(); 
         $expiration = $time+$cookieExpiration; 
         $_SESSION['lastActivity'] = $time; 
         giveCookie("userHash", $_SESSION['userHash'],0);
         $_SESSION['expiration'] = $expiration; 
         return true;
    }
    // $logger ist just an example an could be a p.e Zend_Logger Object
    $logger->debug($_SESSION); // serialize if needed
    $logger->debug($_COOKIE); // serialize if needed
    $logger->err(error_get_last());
    return false;
}//end isvalidUser()

你确定你以前打过电话session_start()isValidUser()

于 2010-09-20T14:30:14.387 回答
-1

这似乎是服务器本身的简单错误配置。由于该服务器环境是数百个站点的共享环境,因此我无法修改 php.ini 等中的服务器范围设置。

不过我能做的是……

session_set_cookie_params(time()+$expiration, $path, $domain, true, true);

这已经解决了这个问题,它出现在会话过期未正确设置之前,这将为这个特定的应用程序进行相应的设置。

于 2010-09-20T15:01:16.003 回答