Hi all,

Comments in the message below ...

Yasuo Ohgaki wrote:

> "Simon Woods" <[EMAIL PROTECTED]> wrote in message
> > Hi All,
> >
> > Sorry if I am asking a vfaq but I was unable to find anything in the
> > archives.
> >
> > I am using PHP4 with session handling to track users which have logged
> > in to my server.
> >
> > I would like to (non intrusively) check to see if a user is logged in
> > without having to start a new session. 95% of my users do not log in at
> > all and do not want to be fed with cookies for no apparent reason. I
> > wanted to avoid giving my visitors the impression that I am tracking
> > them as well.
>
> I posted session helper html sample at zend code exchange. I might want to
> use to detect cookie and javascript are enabled. You might want to use and
> modify code to show reason why you are using cookie. Search keyword with
> 'session' and look for session helper HTML.

I am able to assume that all of my logged-in users have cookies and whatever else
I need turned on.


>
>
> Or if you need session only for users logged in, you could write the following code
> and put it in each page where you might want to use session for logged in users.
>
> // If you are only using session cookie
> // No auto start in php.ini. Check session value/format/referer also, if you need.
> if (!empty($HTTP_COOKIE_VARS['PHPSESSION'])) {
>   session_start();
> }
>
> to avoid sending cookie to users who are not logged in. (You must set session id
> when users are logged in)

I have added my own function session_isvalid(), which checks for the existence of
the cookie based on the above code, which will be sufficient as a workaround for my
small application.

This defeats the purpose somewhat of the session module however. I thought that the
objective was to some extent hide the underlying implementation from the
programmer.  A non invasive check requires that I know which cookie is being
used (assuming the use of cookies at all). The assumption is not very difficult to
make, but the session handling would appear to be more complete with something like
"session_isValid()"....


>

>
> > I could check to see if the cookie PHPSESSION or what ever I called my
> > cookie has been returned by the browser, but I have no guarantee that
> > the session is still or at all valid. Checking to see if there are
> > corresponding session files or writing my own handler start to get over
> > complicated.
>
> I think all you need to do is check session value format. HTML session
> is easily hijacked if session key is known to users anyway.
> Also, writing your own session handlers is not difficult. There are many
> session handlers for various databases. How about looking for one and modifying it?

This would not help really anyway as the handler only replaces the storage
mechanism (I hope I have understood this correctly!). We could however check the
session id in our DB without having to call session_start(). If I have gone to such
bother though (reading cookies directly and looking up in DB), I would be better
off starting from scratch and ignoring the session module altogether!!

Stuff removed......

Thanks again for the help,

Simon Woods

--
    Siemens Business Services D BIM CVS
    Mch P/Ca, Carl-Weri-Strasse 22, 81739 Muenchen, Germany

    Tel: +49-89-636-54347       (Fax: -54303)

    Internet-Mail: mailto:[EMAIL PROTECTED]
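
Added example, not part of the original message and not code from either poster: one way to do the non-invasive login check discussed above, assuming current PHP (7.1 or later) rather than PHP4. The function names and the 'user_id' session key are hypothetical.

```php
<?php
// Added example, not from the thread. session_id_looks_valid(),
// resume_login_session() and the 'user_id' key are hypothetical names.

// Cheap format filter: PHP 7.1+ session IDs use only [A-Za-z0-9,-] and are
// 22 to 256 characters long. Passing it proves nothing about validity.
function session_id_looks_valid(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

// Start a session only if the browser already sent a plausible cookie,
// then decide login state from server-side data, never from the cookie.
function resume_login_session(array $cookies): bool
{
    $name = session_name();   // ask the session module for the cookie name
    $id = $cookies[$name] ?? null;
    if (!is_string($id) || !session_id_looks_valid($id)) {
        return false;         // anonymous visitor: no session, no Set-Cookie
    }
    // Strict mode makes PHP replace any ID it has no stored session for.
    session_start(['use_strict_mode' => 1, 'use_only_cookies' => 1]);
    if (empty($_SESSION['user_id'])) {
        // Stale or guessed cookie: drop the data and expire the cookie.
        $_SESSION = [];
        session_destroy();
        $p = session_get_cookie_params();
        setcookie($name, '', time() - 3600, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
        return false;
    }
    return true;
}

// Constructed inputs; none of these calls reaches session_start().
var_dump(session_id_looks_valid('q3v5k0h2m1n8b7c6d5e4f3g2a1'));
var_dump(session_id_looks_valid('../../tmp/sess_x'));
var_dump(resume_login_session([]));
var_dump(resume_login_session(['PHPSESSID' => '<script>']));
```

In a page, call resume_login_session($_COOKIE) before any output; the login handler is assumed to set $_SESSION['user_id'] after authenticating the user.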



