Re: [PHP] session newbyness...

2004-12-13 Thread John Nichel
Tony Di Croce wrote:
> I just started using PHP a week or so ago... And everything is coming
> along great... But I have some general questions about sessions...
> Actually, about PHP's built-in session support.
>
> Do I need to call session_start() in every script that needs access to
> $_SESSION[]?
> Would it cause any problems if I do?
> If not, am I supposed to just call it once on the login page for my
> website and then that's it?
>
> I think I would like to store a user id in my $_SESSION[] global. If
> this variable is set, I will consider this session logged in. Is
> there a secure way to do this?
>
> I would like to have at least an outline of how this works in my head,
> so tell me if I am wrong in any of this:
>
> When session_start() is called, this function sets a cookie in this
> browser with a unique value that is bound to a set of globals (IE, the
> contents of $_SESSION[]). When subsequent HTTP requests have this
> cookie attached, the correct set of $_SESSION[] variables is loaded...
> Everything right?

On any _main_ page that you need to use the session, you need to call
session_start() before doing anything with the session.  You don't need
to call it on pages that are included/required into the _main_ page.

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[PHP] session newbyness...

2004-12-13 Thread Tony Di Croce
I just started using PHP a week or so ago... And everything is coming
along great... But I have some general questions about sessions...
Actually, about PHP's built-in session support.

Do I need to call session_start() in every script that needs access to
$_SESSION[]?
Would it cause any problems if I do?
If not, am I supposed to just call it once on the login page for my
website and then that's it?

I think I would like to store a user id in my $_SESSION[] global. If
this variable is set, I will consider this session logged in. Is
there a secure way to do this?

I would like to have at least an outline of how this works in my head,
so tell me if I am wrong in any of this:

When session_start() is called, this function sets a cookie in this
browser with a unique value that is bound to a set of globals (IE, the
contents of $_SESSION[]). When subsequent HTTP requests have this
cookie attached, the correct set of $_SESSION[] variables is loaded...
Everything right?

-- 

td




Re: [PHP] session newbyness...

2004-12-13 Thread M. Sokolewicz
Greg Donald wrote:
> On Mon, 13 Dec 2004 14:09:02 -0800, Tony Di Croce [EMAIL PROTECTED] wrote:
>> I just started using PHP a week or so ago... And everything is coming
>> along great...
>
> Awesome, welcome to the club.  :)
>
>> But I have some general questions about sessions...
>> Actually, about PHP's built-in session support.
>> Do I need to call session_start() in every script that needs access to
>> $_SESSION[]?
>
> Yup.  I place the call in my config.php file that I include in all my
> other PHP files.
>
>> I think I would like to store a user id in my $_SESSION[] global. If
>> this variable is set, I will consider this session logged in. Is
>> there a secure way to do this?
>
> That's pretty much how I do it.  Users who are not logged in have a
> $_SESSION['userid'] equal to zero.  Logged-in users have their userid
> set as it exists in the table of users.

It's a very common way of doing it :) (yes, I use it as well)

>> I would like to have at least an outline of how this works in my head,
>> so tell me if I am wrong in any of this:
>> When session_start() is called, this function sets a cookie in this
>> browser with a unique value that is bound to a set of globals (IE, the
>> contents of $_SESSION[]). When subsequent HTTP requests have this
>> cookie attached, the correct set of $_SESSION[] variables is loaded...
>> Everything right?
>
> Yup.
> There are ways to encrypt your PHP sessions if you need such functionality.



Re: [PHP] session newbyness...

2004-12-13 Thread Greg Donald
On Mon, 13 Dec 2004 14:09:02 -0800, Tony Di Croce [EMAIL PROTECTED] wrote:
> I just started using PHP a week or so ago... And everything is coming
> along great...

Awesome, welcome to the club.  :)

> But I have some general questions about sessions...
> Actually, about PHP's built-in session support.
>
> Do I need to call session_start() in every script that needs access to
> $_SESSION[]?

Yup.  I place the call in my config.php file that I include in all my
other PHP files.

> I think I would like to store a user id in my $_SESSION[] global. If
> this variable is set, I will consider this session logged in. Is
> there a secure way to do this?

That's pretty much how I do it.  Users who are not logged in have a
$_SESSION['userid'] equal to zero.  Logged-in users have their userid
set as it exists in the table of users.

> I would like to have at least an outline of how this works in my head,
> so tell me if I am wrong in any of this:
>
> When session_start() is called, this function sets a cookie in this
> browser with a unique value that is bound to a set of globals (IE, the
> contents of $_SESSION[]). When subsequent HTTP requests have this
> cookie attached, the correct set of $_SESSION[] variables is loaded...
> Everything right?

Yup.

There are ways to encrypt your PHP sessions if you need such functionality.


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] session newbyness...

2004-12-13 Thread Chris Shiflett
--- Tony Di Croce [EMAIL PROTECTED] wrote:
> I have some general questions about sessions... Actually, about
> PHP's built-in session support.
>
> Do I need to call session_start() in every script that needs
> access to $_SESSION[]?

Yes.

> Would it cause any problems if I do?

What sort of problems?

> If not, am I supposed to just call it once on the login page
> for my website and then that's it?

No, see above answer. Call it in every script that needs to use $_SESSION.

> I think I would like to store a user id in my $_SESSION[]
> global. If this variable is set, I will consider this session
> logged in. Is there a secure way to do this?

Sessions are pretty secure by their very nature, since session data is
stored on the server and not subject to exposure like most other data.
There are still a few security concerns, and I address a few of them in
this article:

http://shiflett.org/articles/the-truth-about-sessions

> When session_start() is called, this function sets a cookie
> in this browser with a unique value that is bound to a set
> of globals (IE, the contents of $_SESSION[]). When subsequent
> HTTP requests have this cookie attached, the correct set of
> $_SESSION[] variables is loaded... Everything right?

That's close enough. It misses a lot of details, but there's nothing
terribly wrong with your description. You can fill in the gaps and correct
minor details as you learn more. The article I mentioned gives a brief
introduction to the fundamentals, so it might clarify some things for you.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/
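
Added example, not part of any message in this thread and not any poster's own code: the pattern discussed above, with session_start() called from a shared include on every request and $_SESSION['userid'] used as the login flag (0 meaning not logged in). The helper names, the cookie settings and the use of PHP 7.3 or later are assumptions for illustration; the session ID is regenerated at login so an ID issued before authentication is not carried into the logged-in session.

```php
<?php
// config.php (hypothetical name): include at the top of every script that
// uses $_SESSION, so session_start() runs once on each request.

function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    // Accept only session IDs the server issued, and only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,     // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,  // assumption: the site is served over HTTPS
        'httponly' => true,  // keep the ID out of reach of page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
    // Convention from the thread: userid 0 means "not logged in".
    $_SESSION['userid'] = (int) ($_SESSION['userid'] ?? 0);
}

// Call only after the submitted credentials have been verified.
function log_in(int $userId): void
{
    session_regenerate_id(true); // drop the pre-login session ID
    $_SESSION['userid'] = $userId;
}

function is_logged_in(): bool
{
    return ($_SESSION['userid'] ?? 0) > 0;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'],
    ]);
    session_destroy();
}

start_app_session();
```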
