RE: [PHP] How do I prevent a session from rebuilding itself?
On 13 July 2006 00:20, Daevid Vincent wrote:

> > Sequence of events:
> > script starts
> > you rm -rf /tmp/sess_*
> > script writes out data
> > script ends
> >
> > Exactly WHAT do you think should happen in this case?...
>
> I expect this to work like it USED TO WORK! Bug or not.
>
> I expect:
>
> Script starts
> Calls session_start(1234)
> No existing sess_1234 file.
> Creates a new EMPTY sess_1234
> I make $_SESSION['authorized'] = true and PHP writes at that time

Bad assumption there -- the session file isn't necessarily written at this point, only the value in the $_SESSION array.

> I rm /tmp/sess_1234
> Script ends

... and the session file is written as part of script shutdown. Boink!

If you really want the session file to be written (and closed) at the point of setting $_SESSION['authorized'], you need a call to session_write_close() [aka session_commit() since PHP 4.3.11].

> Page load again.
> Calls session_start(1234).
> No existing sess_1234 file.
> Creates a new EMPTY sess_1234
> Therefore $_SESSION['authorized'] doesn't exist == false
>
> But what happens is that PHP actually is writing a new sess_1234 WITH ALL THE SHIT IT HAD IN RAM
>
> *sigh*
>
> Why is this so complicated for anyone to understand?

Cheers!

Mike

-
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
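Mike's point above, that the session file is written at script shutdown unless session_write_close() is called earlier, as an added PHP example that is not part of the thread: it commits the session only if its backing file still exists and otherwise discards it, so a file removed mid-request is not rebuilt. It assumes PHP 7.1 or later, the default "files" save handler and a flat session.save_path; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumptions: default "files" save handler, flat session.save_path
// (no "N;" depth prefix). Function names below are hypothetical.

/** Path of the backing file for the active session (files handler naming). */
function session_file_path(): string
{
    $dir = session_save_path();
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // PHP falls back to the system temp dir
    }
    return rtrim($dir, '/') . '/sess_' . session_id();
}

/** Write the session only if its file still exists; otherwise discard it. */
function commit_unless_revoked(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return; // already committed or aborted earlier in the request
    }
    $path = session_file_path();
    clearstatcache(true, $path); // do not trust a cached stat() result
    if (is_file($path)) {
        session_write_close();   // normal case: flush $_SESSION to disk now
    } else {
        session_abort();         // file was removed mid-request: drop the
                                 // in-memory data instead of rebuilding it
    }
}

// An ID whose file no longer exists is rejected and replaced by a fresh,
// empty session, so the next page load sees no 'authorized' flag.
ini_set('session.use_strict_mode', '1');
session_start();

// User shutdown functions run before PHP's own end-of-request session
// write, so the check above happens first.
register_shutdown_function('commit_unless_revoked');

if (empty($_SESSION['authorized'])) {
    // ... send the user to the login form ...
}
```

A small window remains between the is_file() check and the write; closing it fully needs revocation state kept outside the session file itself.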
Re: [PHP] How do I prevent a session from rebuilding itself?
If anyone reads DailyWTF, then you might remember this post:
http://thedailywtf.com/forums/thread/78892.aspx
Explaining the dangers of rm -rf /tmp

I'm sure you won't fall victim to this, but it is a fun read :)

Andrew

- Original Message -
From: Daevid Vincent [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Tuesday, July 11, 2006 10:27 PM
Subject: [PHP] How do I prevent a session from rebuilding itself?

I would expect that if I 'rm -rf /tmp/sess_*' that the user would get prompted to re-login (since the flag is not set).
Re: [PHP] How do I prevent a session from rebuilding itself?
At 11:58 AM +0100 7/13/06, Andrew Brampton wrote:

> If anyone reads DailyWTF, then you might remember this post:
> http://thedailywtf.com/forums/thread/78892.aspx
> Explaining the dangers of rm -rf /tmp
>
> I'm sure you won't fall victim to this, but it is a fun read :)
>
> Andrew

Fun read.

But the technique would make an interesting backdoor for clients who use your code, but don't pay.

Not advocating, just thinking out loud. :-)

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
RE: [PHP] How do I prevent a session from rebuilding itself?
On Wed, July 12, 2006 6:20 pm, Daevid Vincent wrote:

> > Sequence of events:
> > script starts
> > you rm -rf /tmp/sess_*
> > script writes out data
> > script ends
> >
> > Exactly WHAT do you think should happen in this case?...
>
> I expect this to work like it USED TO WORK! Bug or not.
>
> I expect:
>
> Script starts
> Calls session_start(1234)
> No existing sess_1234 file.
> Creates a new EMPTY sess_1234
> I make $_SESSION['authorized'] = true and PHP writes at that time
> I rm /tmp/sess_1234
> Script ends
>
> Page load again.
> Calls session_start(1234).
> No existing sess_1234 file.
> Creates a new EMPTY sess_1234
> Therefore $_SESSION['authorized'] doesn't exist == false
>
> But what happens is that PHP actually is writing a new sess_1234 WITH ALL THE SHIT IT HAD IN RAM
>
> *sigh*
>
> Why is this so complicated for anyone to understand?

Why did you rely on an undocumented feature hack?

And why would you expect it to continue working after you relied on it?

Neither of these is a Good Idea, and the combination together... Well, the future is not looking bright for you.

--
Like Music?
http://l-i-e.com/artists.htm
RE: [PHP] How do I prevent a session from rebuilding itself?
> > I would expect that if I 'rm -rf /tmp/sess_*' that the user would get prompted to re-login (since the flag is not set).
>
> Does it say someplace in the manual that you should be able to do that? Or is this a case of what you expect is not what the rest of the world expects?

This is how it used to work. I know this, because (as mentioned in other email), we have a custom bug tracker and people were being randomly logged out it seemed. Well turns out a cronjob was periodically deleting all the sess_ files.

Basically all I want is that if the sess_ file is gone, then PHP should NOT create a new one. It should only save its memory out to the same sess_ file with the same session ID.
Re: [PHP] How do I prevent a session from rebuilding itself?
On Tue, July 11, 2006 4:27 pm, Daevid Vincent wrote:

> I've noticed a 'feature' that seems to be causing me some pain.
>
> When a user logs in, we store various pieces of info and their user class in $_SESSION variables. This includes a flag saying that they've been authenticated.
>
> I would expect that if I 'rm -rf /tmp/sess_*' that the user would get prompted to re-login (since the flag is not set).
>
> However what actually happens, is that PHP silently just re-creates the session with a new unique identifier but with all the same data in it. GRRR.
>
> How can I force this to NOT happen (either via php.ini or via some function or directive call in each page load)?

Sequence of events:
script starts
you rm -rf /tmp/sess_*
script writes out data
script ends

Exactly WHAT do you think should happen in this case?...

--
Like Music?
http://l-i-e.com/artists.htm
RE: [PHP] How do I prevent a session from rebuilding itself?
> Sequence of events:
> script starts
> you rm -rf /tmp/sess_*
> script writes out data
> script ends
>
> Exactly WHAT do you think should happen in this case?...

I expect this to work like it USED TO WORK! Bug or not.

I expect:

Script starts
Calls session_start(1234)
No existing sess_1234 file.
Creates a new EMPTY sess_1234
I make $_SESSION['authorized'] = true and PHP writes at that time
I rm /tmp/sess_1234
Script ends

Page load again.
Calls session_start(1234).
No existing sess_1234 file.
Creates a new EMPTY sess_1234
Therefore $_SESSION['authorized'] doesn't exist == false

But what happens is that PHP actually is writing a new sess_1234 WITH ALL THE SHIT IT HAD IN RAM

*sigh*

Why is this so complicated for anyone to understand?
[PHP] How do I prevent a session from rebuilding itself?
I've noticed a 'feature' that seems to be causing me some pain.

When a user logs in, we store various pieces of info and their user class in $_SESSION variables. This includes a flag saying that they've been authenticated.

I would expect that if I 'rm -rf /tmp/sess_*' that the user would get prompted to re-login (since the flag is not set).

However what actually happens, is that PHP silently just re-creates the session with a new unique identifier but with all the same data in it. GRRR.

How can I force this to NOT happen (either via php.ini or via some function or directive call in each page load)?

ÐÆ5ÏÐ
Re: [PHP] How do I prevent a session from rebuilding itself?
On Tue, 2006-07-11 at 17:27, Daevid Vincent wrote:

> I've noticed a 'feature' that seems to be causing me some pain.
>
> When a user logs in, we store various pieces of info and their user class in $_SESSION variables. This includes a flag saying that they've been authenticated.
>
> I would expect that if I 'rm -rf /tmp/sess_*' that the user would get prompted to re-login (since the flag is not set).

Does it say someplace in the manual that you should be able to do that? Or is this a case of what you expect is not what the rest of the world expects? Ok, that's maybe not fair, but rm -rf /tmp/sess_* is completely prone to race conditions.

> However what actually happens, is that PHP silently just re-creates the session with a new unique identifier but with all the same data in it. GRRR.

Are you sure that PHP is the one completely recreating the session? Do you have some kind of remember me facility using a permanent cookie that enables your scripts to recreate a session with a new identifier? Because PHP doesn't usually do that by itself.

> How can I force this to NOT happen (either via php.ini or via some function or directive call in each page load)?

Try this...

    /etc/init.d/apache stop
    rm -rf /tmp/sess_*
    /etc/init.d/apache start

If that doesn't prevent recreation of the session then see the remember me comment above (you may need to replace the above shutdown/startup commands with whatever works for your OS/distro).

Cheers,
Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.