on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:

> I'm a Chinese university student,I want to ask some questions about session.
> These days I'm build a website for my university with PHP, But I meet a
> question when I develop the part of User Management: After I have log out
> from a user page(I use "session_unset()" and "session_destroy()"),I can
> return to the page again by click the button "Back"to that pagea and refresh
> it, the user page can be shown again. This is unsafe.
> So I want to ask that the function "session_unset" and "session_destroy()"
> will
> destroy session immediately or there is a life-time for session. In my memory,
> I think that there is a life-time for session and the life-time can be
> configured.

Firstly, make sure you've read the page at php.net/session_destroy and
php.net/session_unset, because it supplies perfect code for destroying a

Make sure your code matches either example 1 or 2, depending on your code.
If you're unsure, test with both.

If you've named your session somewhere, you need to unset and destroy it
WITH that name, I think (never had to do it).

> Another question:
> If the user log page is "main.php",the page for authenticate the user is
> "login.php"
> I use session to store the infomation of user such as :
> session_register($userid);
> But if the variables in the session are unfortunately be known by somebody
> else.
> and he can visit others' information bye the url:"login.php?userid=***",how
> can solve
> these problem? use a ugly but difficult session varable?

When you store the the username as a session variable, it's stored on the
SERVER, not on the client.  Hence, there is less chance of the session
variables being disclosed.  Better still, if you NEVER store both the
password and username in the session, then the "hacker" will not be able to
do anything without the password.

The only thing stored on the browser or transmitted in clear view when
running a session is the session id (a long number), NOT the variables
assigned to the session... that's the whole point.

FWIW, if you really want to make things more secure, you should turn off
register globals, learn about the new super global arrays like $_POST,
$_SESSION, $_GET, etc etc.

In short, you'd register a new session variable as $_SESSION['var'] =
"value"; rather than $var="value"; session_register($var);

Justin French

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to