Re: [PHP] sessions security (no problems just question)

2003-06-14 Thread vh
JH> are associated with a specific id. First, URLs carrying session ids. If
JH> you link to an external site, the URL including the session id might be
JH> stored in the external site's referrer logs. Second, a more active
JH> attacker might listen to your network traffic. If it is not encrypted,
JH> session ids will flow in plain text over the network. The solution here is
JH> to implement SSL on your server and make it mandatory for users.

Also, I want to note: if sids are accessible via http_referer, there is
a way to execute PHP scripts on behalf of a user. For example, a user
clicks a link to some PHP script which grabs the sid from the referer and
then outputs HTML with a redirect to another script (for example, to
set a forwarding filter, etc.). Since the sid is right and the script
was also called from the user's PC, this is quite a bad thing, but
unfortunately this still exists on several web-based e-mails. So, be
careful in using only the session mechanisms provided by PHP. It's quite
insecure.


-- 
Best regards,
Martchukov Anton aka VH


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
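
The defensive side of the message above, as an added example that is not part of the original thread: keep the session id out of URLs so it cannot reach a Referer header, send it only over SSL as JH suggests, and require a per-session token on state-changing requests so a redirect from another site cannot act on the user's behalf. The helper names are hypothetical, and the code assumes PHP 7.3 or later on an HTTPS-only site.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical.
// Assumes PHP 7.3+ and a site served only over HTTPS.

function start_hardened_session(): void
{
    // Never put the session id in URLs, so it cannot end up in a Referer header.
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    // Refuse session ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // sent over SSL/TLS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',   // not sent on cross-site POSTs
    ]);
    session_start();

    // Ask browsers not to pass our URLs to external sites as a referrer.
    header('Referrer-Policy: same-origin');
}

// Per-session secret that a page on another site cannot read or guess.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call at the top of any script that changes state (e.g. a mail forwarding rule).
function require_csrf_token(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !is_string($sent)
        || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Request rejected');
    }
}
```

Forms that change state would carry `csrf_token()` in a hidden field, and calling `session_regenerate_id(true)` right after login keeps a pre-login id from staying valid.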



[PHP] Re: Page loading time

2003-06-07 Thread vh
> What is the easiest way to find out how long a page takes to load?
> Is there a PHP script that can do this?

There is no way to do this with just a PHP script, IMHO, but I can imagine
something like this one. It really sucks, but

The idea is to use PHP to write the timestamp of the moment when the
script starts and put it into JavaScript code which will run on
load. The script will calculate the difference and send it back to the
server. This doesn't solve the situation when the user and server are in
different timezones; this is a point to improve. Also, I'm
interested in ways of passing values to the server without reloading
the page. Currently I've done a trick with an image's src, but it's a
silly way. Maybe someone knows a better one? Please send me an idea
(if off-topic, e-mails will be appreciated).

Here is the code:

=== CODE BEGIN ===

<html>
<head>
<script language="javascript">
<!--
// Runs from the body onLoad handler once the page has finished loading.
function LoadDone()
{
var now=new Date();
//javascript timestamp is in milliseconds, but in php it's in seconds
var loadtime=Math.round(now.getTime()/1000)-<?php echo time(); ?>;
//calling fake image in order to pass the value
document.images['fakeimg'].src='log.php?lt='+loadtime;
}
//-->
</script>
</head>
<body onLoad="LoadDone()">
<img src="pixel.gif" name="fakeimg">
This is a long page
</body>
</html>

=== CODE END ===

Well, the loading time will be sent to log.php.

Hope this helps.

-- 
Best regards,
Martchukov Anton aka vh

