php-windows Digest 11 Apr 2007 17:59:02 -0000 Issue 3189
Topics (messages 27655 through 27666):
Re: So why do I need session?
27655 by: Mikael Grön
27656 by: Mikael Grön
27657 by: Stut
27658 by: sam rumaizan
27659 by: Mikael Grön
27660 by: Stut
27661 by: Mikael Grön
27662 by: Stut
27663 by: Mikael Grön
27665 by: Jody Williams
java with PHP
27664 by: sam rumaizan
27666 by: Stanislav Malyshev
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered
can log in to access special content. Only, you want such a high
security on your website so that people shouldn't be able to simply
browse to the hidden files, nor should a user still be logged in when
his friend uses his computer and starts a fresh browser. Here's where
sessions are perfect! You store the userId or similar information in the
session and start every secret page with the question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
if anyone else does stuff like that.. :P
sam rumaizan skrev:
You use a session to store values that are required over the course of a single visit, and a cookie to store more persistent data that is used over multiple visits.
Session: when you close the browser the session gets flushed. Which means the browser will not recognize the user next time he/she browse the page unlike cookie.
So why do I need session? OR maybe I didn’t understand session
---------------------------------
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
--- End Message ---
--- Begin Message ---
Yes, no, you're right. I don't do that on every page on the systems I've
built. And yes, I define('USER','The user namespace'); before I set it.
Mike
Stut skrev:
Out of curiosity, why do you create the user object on every page
request? Why not store the user object in the session?
Also, $GLOBALS[USER] is invalid unless you have defined a constant
called USER somewhere.
-Stut
--- End Message ---
--- Begin Message ---
Mikael Grön wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered
can log in to access special content. Only, you want such a high
security on your website so that people shouldn't be able to simply
browse to the hidden files, nor should a user still be logged in when
his friend uses his computer and starts a fresh browser. Here's where
sessions are perfect! You store the userId or similar information in the
session and start every secret page with the question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
if anyone else does stuff like that.. :P
Out of curiosity, why do you create the user object on every page
request? Why not store the user object in the session?
Also, $GLOBALS[USER] is invalid unless you have defined a constant
called USER somewhere.
-Stut
--- End Message ---
--- Begin Message ---
It is a general question.
Why can't I use cookie instead?
Mikael Grön <[EMAIL PROTECTED]> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered
can log in to access special content. Only, you want such a high
security on your website so that people shouldn't be able to simply
browse to the hidden files, nor should a user still be logged in when
his friend uses his computer and starts a fresh browser. Here's where
sessions are perfect! You store the userId or similar information in the
session and start every secret page with the question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
if anyone else does stuff like that.. :P
sam rumaizan skrev:
> You use a session to store values that are required over the course of a
> single visit, and a cookie to store more persistent data that is used over
> multiple visits.
> Session: when you close the browser the session gets flushed. Which means the
> browser will not recognize the user next time he/she browse the page unlike
> cookie.
>
> So why do I need session? OR maybe I didnt understand session
>
>
>
>
>
>
> ---------------------------------
> Looking for earth-friendly autos?
> Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
>
---------------------------------
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
--- End Message ---
--- Begin Message ---
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when you
close the browser, which is standard on other pages with login systems.
Your users will expect to be logged out when closing the browser.
Mike
sam rumaizan skrev:
It is a general question.
Why can't I use cookie instead?
Mikael Grön <[EMAIL PROTECTED]> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered
can log in to access special content. Only, you want such a high
security on your website so that people shouldn't be able to simply
browse to the hidden files, nor should a user still be logged in when
his friend uses his computer and starts a fresh browser. Here's where
sessions are perfect! You store the userId or similar information in the
session and start every secret page with the question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
if anyone else does stuff like that.. :P
sam rumaizan skrev:
You use a session to store values that are required over the course of a single visit, and a cookie to store more persistent data that is used over multiple visits.
Session: when you close the browser the session gets flushed. Which means the browser will not recognize the user next time he/she browse the page unlike cookie.
So why do I need session? OR maybe I didn’t understand session
---------------------------------
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
---------------------------------
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
--- End Message ---
--- Begin Message ---
Mikael Grön wrote:
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when you
close the browser, which is standard on other pages with login systems.
Your users will expect to be logged out when closing the browser.
"as secure"??? Cookies are not secure at all. There has been a *very*
lengthy discussion of this subject on the PHP-General mailing list.
Search the archives for a recent thread with the subject "Session
Authentication".
-Stut
sam rumaizan skrev:
It is a general question.
Why can't I use cookie instead?
Mikael Grön <[EMAIL PROTECTED]> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have
registered can log in to access special content. Only, you want such a
high security on your website so that people shouldn't be able to
simply browse to the hidden files, nor should a user still be logged
in when his friend uses his computer and starts a fresh browser.
Here's where sessions are perfect! You store the userId or similar
information in the session and start every secret page with the question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff..
Dunno if anyone else does stuff like that.. :P
sam rumaizan skrev:
You use a session to store values that are required over the course
of a single visit, and a cookie to store more persistent data that is
used over multiple visits. Session: when you close the browser the
session gets flushed. Which means the browser will not recognize the
user next time he/she browse the page unlike cookie.
So why do I need session? OR maybe I didn’t understand session
---------------------------------
Looking for earth-friendly autos? Browse Top Cars by "Green Rating"
at Yahoo! Autos' Green Center.
---------------------------------
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
--- End Message ---
--- Begin Message ---
As I said.
Cookies being completely insecure is as valid as Cookies not being as
secure as Sessions.
... *sighs*
Though, there are ways to make cookies more secure, for example by
storing copies of them with timestamps in a database and matching values
before allowing users to pass... But that's more or less exactly what
Sessions do, so there's really no use of Cookies for authentication.
Mike
Stut skrev:
Mikael Grön wrote:
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when
you close the browser, which is standard on other pages with login
systems. Your users will expect to be logged out when closing the
browser.
"as secure"??? Cookies are not secure at all. There has been a *very*
lengthy discussion of this subject on the PHP-General mailing list.
Search the archives for a recent thread with the subject "Session
Authentication".
-Stut
sam rumaizan skrev:
It is a general question.
Why can't I use cookie instead?
Mikael Grön <[EMAIL PROTECTED]> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have
registered can log in to access special content. Only, you want such
a high security on your website so that people shouldn't be able to
simply browse to the hidden files, nor should a user still be logged
in when his friend uses his computer and starts a fresh browser.
Here's where sessions are perfect! You store the userId or similar
information in the session and start every secret page with the
question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff..
Dunno if anyone else does stuff like that.. :P
sam rumaizan skrev:
You use a session to store values that are required over the course
of a single visit, and a cookie to store more persistent data that
is used over multiple visits. Session: when you close the browser
the session gets flushed. Which means the browser will not
recognize the user next time he/she browse the page unlike cookie.
So why do I need session? OR maybe I didn’t understand session
---------------------------------
Looking for earth-friendly autos? Browse Top Cars by "Green Rating"
at Yahoo! Autos' Green Center.
---------------------------------
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
--- End Message ---
--- Begin Message ---
Mikael Grön wrote:
As I said.
Cookies being completely insecure is as valid as Cookies not being as
secure as Sessions.
Sessions are more secure than cookies, but only in so far as the actual
data stored in a session is never sent to the client.
... *sighs*
I'm not sure what that's supposed to mean. This is a serious topic, and
the lack of understanding of it that too many PHP developers suffer from
is part of the reason PHP is getting a bad security reputation.
Though, there are ways to make cookies more secure, for example by
storing copies of them with timestamps in a database and matching values
before allowing users to pass... But that's more or less exactly what
Sessions do, so there's really no use of Cookies for authentication.
There is no real way to make cookies secure. Anything you do needs to be
reversible and so can be brute-forced. The best approach to take IMHO is
to use cookies for session IDs and identification between visits.
*Never* authenticate someone based purely on a cookie, and *never* track
user status in cookies.
Oh, and to correct one other thing, cookies will disappear when you
close the browser if you don't give them an expiry time. This is how the
session ID cookie works.
-Stut
Stut skrev:
Mikael Grön wrote:
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when
you close the browser, which is standard on other pages with login
systems. Your users will expect to be logged out when closing the
browser.
"as secure"??? Cookies are not secure at all. There has been a *very*
lengthy discussion of this subject on the PHP-General mailing list.
Search the archives for a recent thread with the subject "Session
Authentication".
-Stut
sam rumaizan skrev:
It is a general question.
Why can't I use cookie instead?
Mikael Grön <[EMAIL PROTECTED]> wrote:
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have
registered can log in to access special content. Only, you want such
a high security on your website so that people shouldn't be able to
simply browse to the hidden files, nor should a user still be logged
in when his friend uses his computer and starts a fresh browser.
Here's where sessions are perfect! You store the userId or similar
information in the session and start every secret page with the
question:
if (!isset($_SESSION['userId']) ||
!CoolCheckUserValidityFunction($_SESSION['userId'])):
header("Location: login.php");
exit;
else:
$GLOBALS[USER] = new User($_SESSION['userId']);
endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff..
Dunno if anyone else does stuff like that.. :P
sam rumaizan skrev:
You use a session to store values that are required over the course
of a single visit, and a cookie to store more persistent data that
is used over multiple visits. Session: when you close the browser
the session gets flushed. Which means the browser will not
recognize the user next time he/she browse the page unlike cookie.
So why do I need session? OR maybe I didn’t understand session
---------------------------------
Looking for earth-friendly autos? Browse Top Cars by "Green Rating"
at Yahoo! Autos' Green Center.
---------------------------------
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
--- End Message ---
--- Begin Message ---
You keep repeating what I've already said. That's what the *sigh* was about.
But, I was hasty in sighing as you're right in how important it is to
clarify to the absolute limit on this subject. Sorry about that!
Far to many programmers are completely oblivious when it comes to
hacking methods.
And, as you said, there's no way to make a cookie secure... Only a bit
more secure. Everything is in shades of gray.
Truthfully, I've never ever built a site or part of a site that relies
on cookies for anything. Except for the more or less default PHP
configuration for sessions to use cookies for the SESSID.
Mike
Stut skrev:
Mikael Grön wrote:
As I said.
Cookies being completely insecure is as valid as Cookies not being as
secure as Sessions.
Sessions are more secure than cookies, but only in so far as the
actual data stored in a session is never sent to the client.
... *sighs*
I'm not sure what that's supposed to mean. This is a serious topic,
and the lack of understanding of it that too many PHP developers
suffer from is part of the reason PHP is getting a bad security
reputation.
Though, there are ways to make cookies more secure, for example by
storing copies of them with timestamps in a database and matching
values before allowing users to pass... But that's more or less
exactly what Sessions do, so there's really no use of Cookies for
authentication.
There is no real way to make cookies secure. Anything you do needs to
be reversible and so can be brute-forced. The best approach to take
IMHO is to use cookies for session IDs and identification between
visits. *Never* authenticate someone based purely on a cookie, and
*never* track user status in cookies.
Oh, and to correct one other thing, cookies will disappear when you
close the browser if you don't give them an expiry time. This is how
the session ID cookie works.
-Stut
--- End Message ---
--- Begin Message ---
As a side note, there are a lot of companies/organizations that
completely block cookies at the firewall level. As a result, the
cookie never makes it to the web browser. If relying strictly on
cookies for authentication, on every page, the user must
re-authenticate.
Jody
--- End Message ---
--- Begin Message ---
How can I run java with PHP?
Any example please
---------------------------------
Don't pick lemons.
See all the new 2007 cars at Yahoo! Autos.
--- End Message ---
--- Begin Message ---
How can I run java with PHP?
Any example please
You could look here:
http://www.zend.com/products/zend_platform/features_comparison/java_bridge
or here:
http://php-java-bridge.sourceforge.net/pjb/
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/
--- End Message ---
