Brett Patterson wrote:
Well, if you look in your phpinfo() file, you will see a SESSION_TIMEOUT or
SESSION_LENGTH value that is something like 18... different for each
server.
If you hold all your session values in the array, then you can use
session_destroy(); as long as session_start() is
When a session object is created - where is it store?
Assuming you mean session data, it is stored on the server, in /tmp by
default.
To destroy the session object (with all session variables inside the
particular session object) can I use session_destroy();
Well, if you look in your phpinfo() file, you will see a SESSION_TIMEOUT or
SESSION_LENGTH value that is something like 18... different for each
server.
If you hold all your session values in the array, then you can use
session_destroy(); as long as session_start() is previous to that.
I am
At 15:49 19.02.2003, Sidar Lopez Cruz spoke out and said:
[snip]
1, What do I have to do to manage sessions in my RedHat 8,
2, What do I have to do to manage cookies in my RedHat 8,
I try to use session vars, but they don't work
I try to use cookies, and when I open
I'm trying to use cookies in PHP4 (.whatever the latest release is). I
want
to use them for validation (ensuring a user has logged in) but all I can
find
is setcookie, which seems only to create the cookie. In trying to use PHP
sessions, I end up with odd errors.
When I try to use sessions
acleave wrote:
My Questions:
If I create a cookie with set_cookie how do I read it/check it?
$_COOKIE superglobal array.
How do I use sessions if they can't be sent in the code?
The session_start function has to be at the VERY top of the code,
below ANY output (even blank spaces
Well, that is natural - cookies can only be set before any output is
produced by the script. And since sessions in this case use cookies, it
follows that sessions can also be started before any output is produced.
Why is that? Because cookies are transmitted by means of http headers, and
http
Peter Janett wrote:
Sessions themselves use cookies, though, right? So, if you want your app to
work for those who don't have cookies, you have to pass the session data in
the url string, at least that's my understanding.
With sessions, it's only the session ID that is put in the cookie or url
Sessions themselves use cookies, though, right? So, if you want your app to
work for those who don't have cookies, you have to pass the session data in
the url string, at least that's my understanding.
Cookies are used by default. However, if cookies are disabled in a
client, a session
--- Peter Janett [EMAIL PROTECTED] wrote:
Sessions themselves use cookies, though, right?
So, if you want your app to work for those who
don't have cookies, you have to pass the session
data in the url string, at least that's my
understanding.
That's not quite right.
Session management
--- Cesar Aracena [EMAIL PROTECTED] wrote:
Should I use the not-so-secure old cookies method
or should I start a new session every time a client
drops in and handle each cart by session name or ID?
My advice is to only use cookies to identify a Web client.
Any data you want to associate with
Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 9:29 AM
To: Cesar Aracena; [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions or Cookies?
--- Cesar Aracena [EMAIL PROTECTED] wrote:
Should I use the not-so-secure old cookies method
or should I start a new session every time
Message -
From: Daevid Vincent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; 'Cesar Aracena' [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Friday, January 17, 2003 6:32 PM
Subject: RE: [PHP] Sessions or Cookies?
Agreed. Sessions are much more secure and convenient to use too. Since
it's not reliant
No.
http://www.php.net/manual/en/ref.session.php
- E
R. Z. wrote:
I've just read on MSDN that ASP sessions only work if the client has
cookies enabled,
Is that true for PHP as well.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:
Hi,
I've just read on MSDN that ASP sessions only work if
the client has cookies enabled, Is that true for PHP as well.
No, not if you have session.use_trans_sid = 1 in your php.ini.
Cheers
Jon
On Tuesday 08 October 2002 23:34, R. Z. wrote:
I've just read on MSDN that ASP sessions only work if the client has
cookies enabled,
Is that true for PHP as well.
Yes.
Note that some browsers actually differentiate between session cookies (stored
in memory) and 'permanent' cookies (stored
On Tuesday 08 October 2002 23:34, R. Z. wrote:
I've just read on MSDN that ASP sessions only work if the client has
cookies enabled,
Is that true for PHP as well.
Yes.
Note that some browsers actually differentiate between session cookies
(stored
in memory) and 'permanent' cookies
John, et al --
...and then John W. Holmes said...
%
% You can pass the session ID in a form, too. Just use POST, and make it a
% hidden element passed to the next page.
Yeah, I figured that.
%
% <input type=hidden name=PHPSESSID value=<?=$PHPSESSID?>>
%
% It's no different than passing it in
Justin, et al --
...and then Justin French said...
%
% on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:
%
% It's a start; it confirms some of what I think I understand about
% sessions. Now if only I can get the session ID out of the URL without
% using any cookies... Any ideas,
on 07/10/02 7:18 PM, David T-G ([EMAIL PROTECTED]) wrote:
% re-write any relative URLs in your pages to include the session ID... it's
So I can code without having to put the ID on the URLs myself? So the
transparent-ness is for the programmer? Well, I do like that...
Yes.
% So, this
% The most common method is plain cookies. But if you want guaranteed
state,
Sure, but I know that cookies won't work, so that rules them out.
Won't work, or you don't want to use them?
% So, this rules out a complaint about complicated URLs, because you
don't
% have to type them.
I
I think you're under a little misconception about how sessions are used.
Maintaining a session is simply just having a unique identifier for each
user, so that the server can recognise the user from page to page,
maintaining state.
Typically this is done by passing a session id around in the URL
Justin, et al --
...and then Justin French said...
%
% I think you're under a little misconception about how sessions are used.
Perhaps. I'm new to them :-)
% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page
General list
Cc: Justin French
Subject: Re: [PHP] sessions without cookies *or* URLs
Justin, et al --
...and then Justin French said...
%
% I think you're under a little misconception about how sessions are
used.
Perhaps. I'm new to them :-)
% Maintaining a session is simply just
on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:
It's a start; it confirms some of what I think I understand about
sessions. Now if only I can get the session ID out of the URL without
using any cookies... Any ideas, anyone?
I Thought I made it clear, but I'll try again :)
You
You need to start the session before any html. So:
<?php session_start(); ?>
<html>
Cheers!
Rick
Too much caution is bad for you. By avoiding things you fear, you may let
yourself in for unhappy consequences. It is usually wiser to stand up to a
scary-seeming experience and walk right into it,
Sure, why not? Users can't create session variables (unless you're
on a
virtual server...)
... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
If we're on a virtual server, why can't I just open the
session.save_path with PHP and read
on 17/07/02 6:51 PM, John Holmes ([EMAIL PROTECTED]) wrote:
... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
Is this particular vulnerability only in existence when the server is pretty
open? I mean, on my particular host, I can't FTP
... and I am -- A shared host server that is.
Now I'm not sure on this, I haven't tested it. Has anyone?
Is this particular vulnerability only in existence when the server is
pretty
open? I mean, on my particular host, I can't FTP to anything outside
my
docroot, and I can't use SSH,
snip
What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.
/snip
This solution is no guarantee that the authenticated user is in control
during that session. The only
Anyone? Can someone at least point me to some web article for
recommendations? I saw some examples where a password variable was stored,
but is that really safe (as long as I MD5 it first?)
Chad
-Original Message-
From: Chad Day [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002
What I'm looking to do is when a user logs in, I start up the
session.. I
then have the registered session var to verify they are
authenticated as
they move throughout the site.
Now, when they close the browser and come back, I want them
to still be authenticated.
I don't think this
based on any of the user data.
www.php.net/uniqid
---John Holmes...
- Original Message -
From: Chad Day [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 16, 2002 3:30 PM
Subject: RE: [PHP] Sessions / logins / cookies / security
Anyone? Can someone at least point me to some web
Chad Day wrote:
What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.
Now, when they close the browser and come back, I want them to still be
authenticated. Obviously, I
On my sites, I have a check box next to the login form which says remember
me. If they tick this box, and their userid/password is valid, I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).
When
So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE. If
there's nothing there, they aren't logged in as far as I can tell. On
every
page I validate the uid and pwd against the database, so the only way
you
could fake being another user is to know the uid AND md5()'d pwd.
Or
On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).
OUCH! Sending the password back out to the net is a scary prospect.
--Dan
--
on 17/07/02 11:11 AM, Analysis Solutions
([EMAIL PROTECTED]) wrote:
On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).
OUCH!
on 17/07/02 11:11 AM, John Holmes ([EMAIL PROTECTED]) wrote:
Or steal it. :)
I hope you have checked your site for any cross-site scripting
vulnerabilities. This is exactly where vulnerabilities like this come
into play...
Interesting -- I'm only a few days away from launching this...
Or steal it. :)
I hope you have checked your site for any cross-site scripting
vulnerabilities. This is exactly where vulnerabilities like this
come
into play...
Interesting -- I'm only a few days away from launching this... could
you
elaborate on the potential risk, or point me to
Thanks heaps John,
So as a basic rule, having a uid and pwd stored as session variables is NOT
the problem, but storing the uid and/or pwd in a cookie on the browser is
just plain asking for it :)
So, how do you implement a remember me safely?
Setting JUST the uid in a cookie prevents people
So as a basic rule, having a uid and pwd stored as session variables
is
NOT
the problem, but storing the uid and/or pwd in a cookie on the browser
is
just plain asking for it :)
You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why
on 17/07/02 12:35 PM, John Holmes ([EMAIL PROTECTED]) wrote:
You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why carry around the username and
password??
Well, I guess it's because I started with someone else's script, and built
my
You shouldn't even have to do this. Just set a
$_SESSION['logged_on']
variable to true and check for that. Why carry around the username
and
password??
Well, I guess it's because I started with someone else's script, and
built
my own from there. Not being a security expert, I assumed
on 17/07/02 1:05 PM, John Holmes ([EMAIL PROTECTED]) wrote:
Sure, why not? Users can't create session variables (unless you're on a
virtual server...)
... and I am -- A shared host server that is.
Justin French
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 4:51 PM
To: Chad Day; [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions / logins / cookies / security
There really isn't a good way to do this, I think.
Any time you're taking just a cookie, and using that data to assume
who
the
user
maintain state across requests. This is done in 3 different ways.
1. Cookies
2. URL Mangling
3. HTTP Authentication
#4 Passing a SID/Session info in hidden fields, but it means
you must push every page move through a submit (which can be
done with Javascript, image buttons, etc),
Use standard HTTP authentication over SSL - that's the only other way.
On Tue, 14 May 2002, Matthew Walker wrote:
We have a shopping cart product we're developing in PHP, and I've
recently come across a dilemma that I need to find a reliable solution
to.
Many of the people who will be
On Tue, 14 May 2002, Matthew Walker wrote:
Many of the people who will be shopping on our sites have cookies
disabled, which presents a problem when using sessions. Now, I am aware
of the fact that we could append the SID constant to every URL, but this
will not work for us. None of our sites
Senior Software Engineer
ePliant Marketing
-Original Message-
From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
On Tue, 14 May 2002, Matthew Walker wrote:
Many
Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
Use standard HTTP authentication over SSL - that's the only other way.
On Tue, 14 May 2002, Matthew Walker wrote:
We have
is, and other related information.
Matthew Walker
Senior Software Engineer
ePliant Marketing
-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies
On Tue, 14 May 2002, Matthew Walker wrote:
The sites are not dynamic, but the shopping cart /is/. The problem is,
if people don't have cookies on, when they return to the site to order
more products, they lose the SID that has been appended to the links
inside the cart, and thus lose the
Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
I am understanding the problem perfectly. HTTP is stateless. You want to
maintain state across requests. This is done in 3 different ways.
1. Cookies
2. URL Mangling
3. HTTP Authentication
You said you
]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
I am understanding the problem perfectly. HTTP is stateless. You want
to
maintain state across requests. This is done in 3 different ways.
1. Cookies
2. URL Mangling
3. HTTP Authentication
You said you did not want to do 1 or 2
:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 10:04 AM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
I am understanding the problem perfectly. HTTP is stateless. You want to
maintain state across requests. This is done in 3
Could you explain how this could be accomplished, because I'm not
understanding how to do it.
As I understand HTTP Authentication (correct me if I'm wrong), the
user's computer still has to send a 'username/password' pair to perform
the authentication. I can't see how this could be used to
: RE: [PHP] Sessions Without Cookies or SID Passing...
You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.
PROTECTED]]
Sent: Tuesday, May 14, 2002 5:30 PM
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
If it ain't foolproof then only a fool would use it ...
IP addresses are just about the worst way to identify anyone.
-Original Message-
From: Martin Towell
Engineer
ePliant Marketing
-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:26 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
Could you explain how this could be accomplished, because
You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't
want to use cookies or the URL, then this sorta works.
Unless there's a firewall using NAT or a proxy cache involved. I know
for a fact that our internal network only ever
on 8/27/01 10:31 AM, Richard Baskett at [EMAIL PROTECTED] wrote:
Ok on a pc when I have cookies turned off I am still able to access my
session variables, but on a mac I can not. Is there a difference between
the way session variables are stored on each platform? And if a session is
indeed
I just used the url to pass it since no matter what I did I couldn't seem to
get it to work when cookies were turned off on my mac. I've read the
session url on the php site from top to bottom and the transparent sessions
are even enabled on the server, but yet to no avail on the mac :(
on
I am about to write a new admin system for a website I do and
it will have many different logins. I was wondering overall which
most of you thought would be better for such a thing? What's really
a pro about sessions over cookies?
If it's for an admin section, then you may as well use
Chris Anderson pressed the little lettered thingies in this order...
I am about to write a new admin system for a website I do and it will have
many different logins. I was wondering overall which most of you thought
would be better for such a thing? What's really a pro about sessions over
As I understand it, PHP's session management uses cookies anyway unless
they are turned off by the browser, in which case session info is attached
to the URL.
So I'd use sessions rather than cookies alone.
Mick
On Thu, 21 Jun 2001, Chris Anderson wrote:
I am about to write a new admin
Jason Murray pressed the little lettered thingies in this order...
I am about to write a new admin system for a website I do and
it will have many different logins. I was wondering overall which
most of you thought would be better for such a thing? What's really
a pro about sessions
I don't recommend putting the Session ID in the URL. Subscribed members could
pass URL's to each other and that way they could have each other's settings.
"David Hynes" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
I am using sessions to password protect a
You can use URL mode for PHP4 session if you want session w/o cookie.
How about reading this link?
http://www.zend.com/zend/tut/session.php
--
Yasuo Ohgaki
"duirfire" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Hi, can someone point me toward a tutorial that
Eric, I gotta ask the obvious question: did you have cookies disabled in
your browser when you were checking this out? PHPSESSID only gets appended
when cookies are disabled. If that is not the problem, I have no
suggestions. Works for me as advertised.
Kirk
-Original Message-
From:
How can you get something like:
header ("Location: $PHP_SELF?");
to redirect with the sessid in the url? In my tests, it redirects, but
does not append the sessid.
I have compiled with --enable-trans-sid. Transparent sid is working, I
can use it on links like:
<A HREF="<?php echo
If you're only storing one or two variables in a db, don't mind writing
either functions to store all this in the db, or having 5-10 lines of code
per page to do this, then fine. But sessions are so simple...
<?
session_start();
$test[] = '123';
$test[] = '456';
"allow per session cookies(not stored)" will enable cookies,
IE just does some garbage collection when it's closed, that's all.
So php realizes that IE is accepting cookies in this case and
uses cookies vs trans-sid.
Ok. Makes sense.
However, when this option is enabled, I see PHPSESSID
make sure of course too that session_start() is called from
in your code too. else you're not using sessions :)
These are the 3 files I'm using; they all reside in the same dir:
"index.php"
<script language="php">
session_start();
header( "location: page1.php?" . SID );
exit();