on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:

> I'm a Chinese university student, and I want to ask some questions about sessions.
> These days I'm building a website for my university with PHP, but I met a
> problem when I developed the User Management part: after I have logged out
> from a user page (I use "session_unset()" and "session_destroy()"), I can
> return to the page again by clicking the "Back" button to that page and refreshing
> it, and the user page is shown again. This is unsafe.
> So I want to ask whether the functions "session_unset()" and "session_destroy()"
> destroy the session immediately or whether there is a lifetime for the session. In my memory,
> I think that there is a lifetime for a session and that the lifetime can be
> configured.

Firstly, make sure you've read the pages at php.net/session_destroy and
php.net/session_unset, because they supply perfect code for destroying a
session.

Make sure your code matches either example 1 or 2, depending on your code.
If you're unsure, test with both.

If you've named your session somewhere, you need to unset and destroy it
WITH that name, I think (I've never had to do it).



> Another question:
> If the user page is "main.php" and the page for authenticating the user is
> "login.php",
> I use the session to store the information of the user, such as:
> session_register($userid);
> But if the variables in the session are unfortunately known by somebody
> else, he can visit others' information via the URL "login.php?userid=***". How can I
> solve this problem? Use an ugly but difficult session variable?

When you store the username as a session variable, it's stored on the
SERVER, not on the client.  Hence, there is less chance of the session
variables being disclosed.  Better still, if you NEVER store both the
password and username in the session, then the "hacker" will not be able to
do anything without the password.

The only thing stored on the browser or transmitted in clear view when
running a session is the session id (a long number), NOT the variables
assigned to the session... that's the whole point.


FWIW, if you really want to make things more secure, you should turn off
register_globals and learn about the new superglobal arrays like $_POST,
$_SESSION, $_GET, etc.

In short, you'd register a new session variable as $_SESSION['var'] =
"value"; rather than $var="value"; session_register($var);


Justin French


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
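As an added example (not code from the original thread or from php.net), here is one way to write the login, logout and protected pages the reply describes: credentials are taken only from the POST body, the logged-in user is kept in $_SESSION on the server, and logout follows the three-step sequence (clear $_SESSION, expire the cookie, session_destroy()) that the php.net/session_destroy page shows. The single-file dispatch on ?page=, the in-memory user table and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumed layout: one file that
// dispatches on ?page=login|main|logout; a real site would split these into
// login.php, main.php and logout.php.
declare(strict_types=1);

// Constructed sample user table (assumption); a real site would query a database.
// Password for "alice" is "s3cret", stored only as a hash.
$USERS = [
    'alice' => password_hash('s3cret', PASSWORD_DEFAULT),
];

// Must precede session_start(): sends Cache-Control/Pragma no-cache headers so the
// browser's "Back" button re-requests main.php instead of showing a cached copy.
session_cache_limiter('nocache');
session_start();

$page = $_GET['page'] ?? 'main';

switch ($page) {
    case 'login':
        // Vulnerable pattern being replaced: with register_globals=On,
        //     session_register('userid');   // $userid came straight from ?userid=***
        // lets anyone pick the account by editing the URL. Here the name is only
        // stored after the password has been verified, so the URL carries nothing.
        $user = $_POST['username'] ?? '';
        $pass = $_POST['password'] ?? '';
        if (isset($USERS[$user]) && password_verify($pass, $USERS[$user])) {
            // Fresh session id on login, so an id the client had before
            // authenticating does not become a logged-in id.
            session_regenerate_id(true);
            $_SESSION['userid'] = $user;   // kept on the server, keyed by the session id
            header('Location: ?page=main');
            exit;
        }
        http_response_code(401);
        echo 'Login failed';
        break;

    case 'logout':
        // Step 1: drop all server-side session variables.
        $_SESSION = [];
        // Step 2: expire the session cookie so the browser stops sending the id.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        // Step 3: remove the session data on the server.
        session_destroy();
        header('Location: ?page=login');
        exit;

    case 'main':
    default:
        // Access is granted by server-side state only; after logout this check
        // fails on every new request, including a refresh of a "Back" page.
        if (!isset($_SESSION['userid'])) {
            http_response_code(403);
            echo 'Not logged in';
            exit;
        }
        echo 'Welcome, ' . htmlspecialchars($_SESSION['userid'], ENT_QUOTES, 'UTF-8');
}
```

The nocache limiter and the server-side check address two different things: a refresh after "Back" sends a new request, which the destroyed session cannot satisfy, while "Back" without a refresh may otherwise render the browser's cached copy of the page with no request at all.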
