Thanks for Email to me so soon!
1. Before I sent you Emails I read the function "session_destroy()" and function 
"session_unset()" again
   I use session in this sequence:
   //after user has been authenticated (using database authentication)
   $userid = $txtUser; //txtUser is the text input in the log page;
  //after user log out
  I wonder whether this is a right sequence in using session. Could you give me some 

2. I know the session is stored on the SERVER.
    But I am develop a  Homepage Administration System  for my university. This system
    is used to manage the users and store all the users' own homepage. User need to 
   before he/she can store his/her own homepage on the SERVER.
   All the users id are listed out for others' visit. So all the users id are known.
   I mean the url:"login.php" is known. But if one person know my session variable
   and he use "login.php?userid=mintbaggio"(mintbaggio is a user in this system).
   Now I use 3 variables in session to store the use's information. Before somebody 
enter the user's
   own page(Not the user's homepage,but the user's information like name,age,etc) , 
these 3 variables
   are examined whether they are all valid. Is this safer? 

----- Original Message ----- 
From: "Justin French" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:21 AM
Subject: Re: [PHP] Some questions.

> on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:
> > I'm a Chinese university student,I want to ask some questions about session.
> > These days I'm build a website for my university with PHP, But I meet a
> > question when I develop the part of User Management: After I have log out
> > from a user page(I use "session_unset()" and "session_destroy()"),I can
> > return to the page again by click the button "Back"to that pagea and refresh
> > it, the user page can be shown again. This is unsafe.
> > So I want to ask that the function "session_unset" and "session_destroy()"
> > will
> > destroy session immediately or there is a life-time for session. In my memory,
> > I think that there is a life-time for session and the life-time can be
> > configured.
> Firstly, make sure you've read the page at and
>, because it supplies perfect code for destroying a
> session.
> Make sure your code matches either example 1 or 2, depending on your code.
> If you're unsure, test with both.
> If you've named your session somewhere, you need to unset and destroy it
> WITH that name, I think (never had to do it).
> > Another question:
> > If the user log page is "main.php",the page for authenticate the user is
> > "login.php"
> > I use session to store the infomation of user such as :
> > session_register($userid);
> > But if the variables in the session are unfortunately be known by somebody
> > else.
> > and he can visit others' information bye the url:"login.php?userid=***",how
> > can solve
> > these problem? use a ugly but difficult session varable?
> When you store the the username as a session variable, it's stored on the
> SERVER, not on the client.  Hence, there is less chance of the session
> variables being disclosed.  Better still, if you NEVER store both the
> password and username in the session, then the "hacker" will not be able to
> do anything without the password.
> The only thing stored on the browser or transmitted in clear view when
> running a session is the session id (a long number), NOT the variables
> assigned to the session... that's the whole point.
> FWIW, if you really want to make things more secure, you should turn off
> register globals, learn about the new super global arrays like $_POST,
> $_SESSION, $_GET, etc etc.
> In short, you'd register a new session variable as $_SESSION['var'] =
> "value"; rather than $var="value"; session_register($var);
> Justin French

Reply via email to