[PHP] sessions working? not working?
Hi List, Hi have the following (below) session code at the top of each page.. The 'print_r' (development feature only) confirms that on one particular page I do log out as the session var = (). but, on testing that page via the URL I still get to see the page and all its contents - session var() -.. the page has the following 'session_start, DOCTYPE Info then htmlheadcontaining meta info title/headbodycontaining style/tables/content//body/html // end of page. I have copied the same page without the html content (i.e. a blank page) and I get to fully log out.. when this page is tested in the URL my warning comes up 'you need to login to see this page' which is what I want but, I've tried numerous avenues to reconcile my problem to no avail.. I'm a novice so any help would be appreciated.. ?php session_start(); error_reporting (E_ALL ^ E_NOTICE); $userid = $_SESSION['userid']; $username = $_SESSION['username']; print_r($_SESSION); ?
Re: [PHP] sessions working? not working?
On Aug 12, 2013, at 4:27 AM, Clifford Shuker clifford.shu...@ntlworld.com wrote: Hi have the following (below) session code at the top of each page.. The 'print_r' (development feature only) confirms that on one particular page I do log out as the session var = (). but, on testing that page via the URL I still get to see the page and all its contents - session var() -.. the page has the following 'session_start, DOCTYPE Info then htmlheadcontaining meta info title/headbodycontaining style/tables/content//body/html // end of page. I have copied the same page without the html content (i.e. a blank page) and I get to fully log out.. when this page is tested in the URL my warning comes up 'you need to login to see this page' which is what I want but, I've tried numerous avenues to reconcile my problem to no avail.. I'm a novice so any help would be appreciated.. ?php session_start(); error_reporting (E_ALL ^ E_NOTICE); $userid = $_SESSION['userid']; $username = $_SESSION['username']; print_r($_SESSION); ? Ok, but when are you populating the SESSION's? Such as: $_SESSION['userid'] = $userid; Also, have a look at this: http://sperling.com/php/authorization/log-on.php It might help. tedd ___ tedd sperling tedd.sperl...@gmail.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
On Tue, Jan 17, 2012 at 5:17 PM, Haluk Karamete halukkaram...@gmail.com wrote: This brings the question to the following; WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER? Just addressing this quesiton -- you are correct that the browser does not tell the application when it closes. What *does* happen is that the cookie associated with that browser session is destroyed or nullified, thus when the use reopens their browser and opens the application again, there won't be a session cookie sent to the application on start. As explained above, this has nothing to do with how long the session data may be stored on the server, it just won't be accessed if the browser has been closed in the meantime. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
On 17 Jan 2012, at 23:17, Haluk Karamete wrote: Back to this session expiration... that old quote said... begin The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: session.cookie_lifetime = 300. end Reflecting on this a little more, I got interested in the part that says The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. How would do the server know that a browser is closed? No browser sends such a data to a server. If you re-open your browser, sure you will get asked to relogin ( cause that session id cookie is gone ) but that does not mean that old session data has been erased form the server. How could it? The only way for that to happen is to run session_destroy programmatically but for that your users has to click on a link. Certainly, closing a browser won't cause that! This brings the question to the following; WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER? I'm afraid session.cookie_lifetime = 0 keeps all session data ( that is past and present ) in server memory until a server restart/stop takes place. Correct me if I'm wrong. You are wrong. What you need to understand is that the cleanup of the data is controlled by a completely separate system to that which enables requests to get access to it. The session.gc_maxlifetime setting controls how long it must be since the session data was saved before it is considered for cleanup. The description above is correct in that the default behaviour is for the session cookie to die with the browser session, but that has absolutely no effect on how long the data will be retained on the server. If you want a full description of how the session cleanup logic works I'm happy to provide it, but you should be able to work it out by looking at the descriptions of the gc_probability, gc_divisor and gc_maxlifetime settings on this page: http://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/
RE: [PHP] sessions and expirations and isolations
-Original Message- From: Stuart Dallas [mailto:stu...@3ft9.com] Sent: 18 January 2012 12:02 On 17 Jan 2012, at 23:17, Haluk Karamete wrote: I'm afraid session.cookie_lifetime = 0 keeps all session data ( that is past and present ) in server memory until a server restart/stop takes place. Correct me if I'm wrong. You are wrong. What you need to understand is that the cleanup of the data is controlled by a completely separate system to that which enables requests to get access to it. The session.gc_maxlifetime setting controls how long it must be since the session data was saved before it is considered for cleanup. The description above is correct in that the default behaviour is for the session cookie to die with the browser session, but that has absolutely no effect on how long the data will be retained on the server. And you are also possibly wrong that session information is kept in system memory, as the default is for it to be serialized and saved in a regular file on disk. There are other options (database, shared memory, ...), but disk files are the default. Cheers! Mike -- Mike Ford, Electronic Information Developer, Libraries and Learning Innovation, Portland PD507, City Campus, Leeds Metropolitan University, Portland Way, LEEDS, LS1 3HE, United Kingdom E: m.f...@leedsmet.ac.uk T: +44 113 812 4730 To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
Back to this session expiration... that old quote said... begin The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: session.cookie_lifetime = 300. end Reflecting on this a little more, I got interested in the part that says The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. How would do the server know that a browser is closed? No browser sends such a data to a server. If you re-open your browser, sure you will get asked to relogin ( cause that session id cookie is gone ) but that does not mean that old session data has been erased form the server. How could it? The only way for that to happen is to run session_destroy programmatically but for that your users has to click on a link. Certainly, closing a browser won't cause that! This brings the question to the following; WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER? I'm afraid session.cookie_lifetime = 0 keeps all session data ( that is past and present ) in server memory until a server restart/stop takes place. Correct me if I'm wrong. On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas stu...@3ft9.com wrote: On 16 Jan 2012, at 22:51, Haluk Karamete wrote: Hi, in ASP, sessions expire when the client does not request an asp page for more than 20 min. (The 20 min thing is a server level setting - which can be changed by IIS settings ) And sessions work out of the box. I use sessions a lot. So, most likely, I would keep that style in my PHP apps too. I read the following about PHP sessions... I wanted to know how accurate this info is. quote The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: Listing 23 Keeping a session alive for five minutes (listing-23.txt) session.cookie_lifetime = 300. Remember to restart your web server after making this change. /quote That's totally accurate, except that it doesn't touch upon how sessions are cleaned up... Now, if this info is correct and it is this simple, why do we have some elaborate posts like this one? http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes ...which explains that post. The session.cookie_lifetime is simply the expiry time that will be set on the cookie that specifies the visitor's session ID. That ID is used as the unique identifier on the server in the session storage system (defaults to files of serialized data). If you want to have more precise control over the session lifetime (though I can't see any reason why you would need to) then you can write your own session handler and implement the timeout logic yourself. You could also handle it by storing a timestamp in the session and using that to decide whether the session data should be considered valid (as described in the accepted answer on that post). What do you do when you write a PHP app that relies on sessions? how do you manage the server memory allocation issues? Say you wanted to keep session vars alive for 20 min ( from the last request from the client ) and you wanted your server to completely empty the session if there no request, no new php page is requested from that client within that next 20 min. And if a client requests a page say on the 19th min, session gets extended another 20 from that time on, just like the ASP works. The only reason there would be memory allocation issues is if you're storing huge amounts of data in the session. If you are then I'd suggest that you either re-architect your application so you don't need to, or implement a custom storage mechanism for that data that doesn't use the session system. My second question on session is abut keeping sessions apart from one another - if such a concept exists... Let's say you have a session var FirstName in app1 and another session variable exactly named as FirstName in app2. how do you keep them seperate? In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. I don't know much about the way ASP implements sessions but I highly doubt there is anything significantly different in there to the way PHP does it. For all intents and purposes the isolation of a given user's session
[PHP] sessions and expirations and isolations
Hi, in ASP, sessions expire when the client does not request an asp page for more than 20 min. (The 20 min thing is a server level setting - which can be changed by IIS settings ) And sessions work out of the box. I use sessions a lot. So, most likely, I would keep that style in my PHP apps too. I read the following about PHP sessions... I wanted to know how accurate this info is. quote The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: Listing 23 Keeping a session alive for five minutes (listing-23.txt) session.cookie_lifetime = 300. Remember to restart your web server after making this change. /quote Now, if this info is correct and it is this simple, why do we have some elaborate posts like this one? http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes What do you do when you write a PHP app that relies on sessions? how do you manage the server memory allocation issues? Say you wanted to keep session vars alive for 20 min ( from the last request from the client ) and you wanted your server to completely empty the session if there no request, no new php page is requested from that client within that next 20 min. And if a client requests a page say on the 19th min, session gets extended another 20 from that time on, just like the ASP works. My second question on session is abut keeping sessions apart from one another - if such a concept exists... Let's say you have a session var FirstName in app1 and another session variable exactly named as FirstName in app2. how do you keep them seperate? In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. Is this concept even applicable in PHP? Thanks -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
On 16 Jan 2012, at 22:51, Haluk Karamete wrote: Hi, in ASP, sessions expire when the client does not request an asp page for more than 20 min. (The 20 min thing is a server level setting - which can be changed by IIS settings ) And sessions work out of the box. I use sessions a lot. So, most likely, I would keep that style in my PHP apps too. I read the following about PHP sessions... I wanted to know how accurate this info is. quote The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: Listing 23 Keeping a session alive for five minutes (listing-23.txt) session.cookie_lifetime = 300. Remember to restart your web server after making this change. /quote That's totally accurate, except that it doesn't touch upon how sessions are cleaned up... Now, if this info is correct and it is this simple, why do we have some elaborate posts like this one? http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes ...which explains that post. The session.cookie_lifetime is simply the expiry time that will be set on the cookie that specifies the visitor's session ID. That ID is used as the unique identifier on the server in the session storage system (defaults to files of serialized data). If you want to have more precise control over the session lifetime (though I can't see any reason why you would need to) then you can write your own session handler and implement the timeout logic yourself. You could also handle it by storing a timestamp in the session and using that to decide whether the session data should be considered valid (as described in the accepted answer on that post). What do you do when you write a PHP app that relies on sessions? how do you manage the server memory allocation issues? Say you wanted to keep session vars alive for 20 min ( from the last request from the client ) and you wanted your server to completely empty the session if there no request, no new php page is requested from that client within that next 20 min. And if a client requests a page say on the 19th min, session gets extended another 20 from that time on, just like the ASP works. The only reason there would be memory allocation issues is if you're storing huge amounts of data in the session. If you are then I'd suggest that you either re-architect your application so you don't need to, or implement a custom storage mechanism for that data that doesn't use the session system. My second question on session is abut keeping sessions apart from one another - if such a concept exists... Let's say you have a session var FirstName in app1 and another session variable exactly named as FirstName in app2. how do you keep them seperate? In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. I don't know much about the way ASP implements sessions but I highly doubt there is anything significantly different in there to the way PHP does it. For all intents and purposes the isolation of a given user's session is guaranteed by the use of cookies. As I mentioned earlier, the session ID is stored in a cookie. Cookies are not shared between domain names, so there is no way that two sites, or applications, could use the same session [1]. -Stuart [1] This is not entirely true, but since it requires some nasty trickery to make it happen it's not something you need to worry about unless it sharing sessions is required which is incredibly rare and almost certainly another sign of poor architecture! -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
Well Stuart, When I said this In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. I did not mean that aspect of the business which you replied to. I did not mean that 2 user's session can get being mixed up. Of course, neither PHP nor ASP would allow that and that's all thru the current session cookie ID - which is nearly impossible to guess for somebody else's session cookie ID for that session time. Instead, I was meaning something totally different. Sorry for not being very clear about it. Here is another shot at it. Here, you are developing an app and the app is being developed under say domain.com/app1/. Let's call this app APP_1 And this app got say 10 php files and these files use lots of some session vars to pass some data from one another. That's the case for APP_1. now you need a second app... which is totally different that APP_1. And that is to be developed under say the same server as say domain.com/APP_2/ and this one too has its 5 php files too. But there is nothing common between two apps. Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two separate apps ( virtual apps they call it ) and once I do that ( and that's thru the IS settings ), the sessions vars I store in APP_1 does not get overwritten by the APP_2, even though they may or may not share the ame names... With that, I can set up a session var Age as 43 right there in APP_1 and I can have another session variable in the other app, still named as Age where I store age value as a string, something like say middle-age. If I weren't create these virtual apps at IIS, ASP would have overwritten the value 43 with the value middle-age and vice versa back and forth. I'm trying to understand if the same flexibility is available or not with PHP. I should be able to go the APP_1 and do a _SESSION dump and I should see 10 session variables in there and then I should be able to go APP_2 and there I should se only 8. That's the case with classic ASP. On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas stu...@3ft9.com wrote: On 16 Jan 2012, at 22:51, Haluk Karamete wrote: Hi, in ASP, sessions expire when the client does not request an asp page for more than 20 min. (The 20 min thing is a server level setting - which can be changed by IIS settings ) And sessions work out of the box. I use sessions a lot. So, most likely, I would keep that style in my PHP apps too. I read the following about PHP sessions... I wanted to know how accurate this info is. quote The default behaviour for sessions is to keep a session open indefinitely and only to expire a session when the browser is closed. This behaviour can be changed in the php.ini file by altering the line: session.cookie_lifetime = 0 If you wanted the session to finish in 5 minutes you would set this to: Listing 23 Keeping a session alive for five minutes (listing-23.txt) session.cookie_lifetime = 300. Remember to restart your web server after making this change. /quote That's totally accurate, except that it doesn't touch upon how sessions are cleaned up... Now, if this info is correct and it is this simple, why do we have some elaborate posts like this one? http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes ...which explains that post. The session.cookie_lifetime is simply the expiry time that will be set on the cookie that specifies the visitor's session ID. That ID is used as the unique identifier on the server in the session storage system (defaults to files of serialized data). If you want to have more precise control over the session lifetime (though I can't see any reason why you would need to) then you can write your own session handler and implement the timeout logic yourself. You could also handle it by storing a timestamp in the session and using that to decide whether the session data should be considered valid (as described in the accepted answer on that post). What do you do when you write a PHP app that relies on sessions? how do you manage the server memory allocation issues? Say you wanted to keep session vars alive for 20 min ( from the last request from the client ) and you wanted your server to completely empty the session if there no request, no new php page is requested from that client within that next 20 min. And if a client requests a page say on the 19th min, session gets extended another 20 from that time on, just like the ASP works. The only reason there would be memory allocation issues is if you're storing huge amounts of data in the session. If you are then I'd suggest that you either re-architect your application so you don't need to, or implement a custom storage
Re: [PHP] sessions and expirations and isolations
On 17 Jan 2012, at 02:21, Haluk Karamete wrote: Well Stuart, When I said this In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. I did not mean that aspect of the business which you replied to. I did not mean that 2 user's session can get being mixed up. Of course, neither PHP nor ASP would allow that and that's all thru the current session cookie ID - which is nearly impossible to guess for somebody else's session cookie ID for that session time. Instead, I was meaning something totally different. Sorry for not being very clear about it. Here is another shot at it. Here, you are developing an app and the app is being developed under say domain.com/app1/. Let's call this app APP_1 And this app got say 10 php files and these files use lots of some session vars to pass some data from one another. That's the case for APP_1. now you need a second app... which is totally different that APP_1. And that is to be developed under say the same server as say domain.com/APP_2/ and this one too has its 5 php files too. But there is nothing common between two apps. Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two separate apps ( virtual apps they call it ) and once I do that ( and that's thru the IS settings ), the sessions vars I store in APP_1 does not get overwritten by the APP_2, even though they may or may not share the ame names... With that, I can set up a session var Age as 43 right there in APP_1 and I can have another session variable in the other app, still named as Age where I store age value as a string, something like say middle-age. If I weren't create these virtual apps at IIS, ASP would have overwritten the value 43 with the value middle-age and vice versa back and forth. I'm trying to understand if the same flexibility is available or not with PHP. I should be able to go the APP_1 and do a _SESSION dump and I should see 10 session variables in there and then I should be able to go APP_2 and there I should se only 8. That's the case with classic ASP. Of course. I did touch on this in my reply but I obviously wasn't verbose enough. Sessions are tied to an ID, and that ID is (usually) stored in a cookie. Therefore the cookie is what links a session to a user, and it's the limits on that cookie that determine the level of isolation. In the case you describe above, the default behaviour would be for both apps to share the session because the cookie would be set on domain.com with the default path of /. You can change the path with the session.cookie_path setting. See here for more details: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path Basically, each app would need to use the ini_set function to set session.cookie_path to /APP_1 or /APP_2 accordingly, before calling session_start. That will effectively isolate the sessions for the two apps in the same way that virtual directories do in ASP. Hope that makes it clearer. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions and expirations and isolations
great exp. now I'm heading towards the http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path. you definitely deserved a good chocolate cookie! On Mon, Jan 16, 2012 at 6:38 PM, Stuart Dallas stu...@3ft9.com wrote: On 17 Jan 2012, at 02:21, Haluk Karamete wrote: Well Stuart, When I said this In ASP, I create a virtual app at the IIS server - assigning a virtual dir path to the app, and from that point on, any page being served under that virtual path is treated as an isolated ASP app and thus the sessions are kept isolated and not get mixed up by asp pages that do not live under that virtual app path. I did not mean that aspect of the business which you replied to. I did not mean that 2 user's session can get being mixed up. Of course, neither PHP nor ASP would allow that and that's all thru the current session cookie ID - which is nearly impossible to guess for somebody else's session cookie ID for that session time. Instead, I was meaning something totally different. Sorry for not being very clear about it. Here is another shot at it. Here, you are developing an app and the app is being developed under say domain.com/app1/. Let's call this app APP_1 And this app got say 10 php files and these files use lots of some session vars to pass some data from one another. That's the case for APP_1. now you need a second app... which is totally different that APP_1. And that is to be developed under say the same server as say domain.com/APP_2/ and this one too has its 5 php files too. But there is nothing common between two apps. Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two separate apps ( virtual apps they call it ) and once I do that ( and that's thru the IS settings ), the sessions vars I store in APP_1 does not get overwritten by the APP_2, even though they may or may not share the ame names... With that, I can set up a session var Age as 43 right there in APP_1 and I can have another session variable in the other app, still named as Age where I store age value as a string, something like say middle-age. If I weren't create these virtual apps at IIS, ASP would have overwritten the value 43 with the value middle-age and vice versa back and forth. I'm trying to understand if the same flexibility is available or not with PHP. I should be able to go the APP_1 and do a _SESSION dump and I should see 10 session variables in there and then I should be able to go APP_2 and there I should se only 8. That's the case with classic ASP. Of course. I did touch on this in my reply but I obviously wasn't verbose enough. Sessions are tied to an ID, and that ID is (usually) stored in a cookie. Therefore the cookie is what links a session to a user, and it's the limits on that cookie that determine the level of isolation. In the case you describe above, the default behaviour would be for both apps to share the session because the cookie would be set on domain.com with the default path of /. You can change the path with the session.cookie_path setting. See here for more details: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path Basically, each app would need to use the ini_set function to set session.cookie_path to /APP_1 or /APP_2 accordingly, before calling session_start. That will effectively isolate the sessions for the two apps in the same way that virtual directories do in ASP. Hope that makes it clearer. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP sessions expiring early
I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings? The current settings I have are: session.auto_start Off session.bug_compat_42 On session.bug_compat_warn On session.cache_expire180 session.cache_limiter nocache session.cookie_domain no value session.cookie_httponly Off session.cookie_lifetime 0 session.cookie_path / session.cookie_secure Off session.entropy_fileno value session.entropy_length 0 session.gc_divisor 100 session.gc_maxlifetime 3600 session.gc_probability 1 session.hash_bits_per_character 4 session.hash_function 0 session.namePHPSESSID session.referer_check no value session.save_handlerfiles session.save_path /shared/sessions session.serialize_handler php session.use_cookies On session.use_only_cookiesOff session.use_trans_sid 0 The only options I have changed from the defaults are gc_maxlifetime, gc_probability and save_path. There are several sites on the same server, some are https, others just plain http. They all use the same session options. session_start() is called once on every page. The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old version before anyone tells me to upgrade (it's the latest stable version in Debian Lenny). :) Potential problems I have already ruled out: 1. I don't think it's a browser problem as the users have a variety of browsers and versions (we log the user agent for each login, they're mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the problem using the same browsers on my machine. 2. The server time is correct. 3. The sessions aren't stored in a directory which is being regularly cleared out, such as /var/lib/php5 or /tmp. 4. The web server has permission to write to the save_path directory, and I can see session files being created. 5. No output buffering functions are being used. Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. Thanks in advance. Paul -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 09/07/2011 03:50 PM, Paul Waring wrote: I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings? You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself. If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime. For the other case, I'm clueless. -- Nilesh Govindarajan http://nileshgr.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 07/09/11 11:47, Nilesh Govindarajan wrote: On 09/07/2011 03:50 PM, Paul Waring wrote: I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings? You have set gc_maxlifetime to 3600 seconds. How much expire time have you set? Because, every 3600 seconds, session data stored is considered as garbage and php clears them out itself. Yes, I'm aware of that. However, users are being logged out after a few minutes, not one hour of inactivity (which is what I'd expect with 3600 seconds). If your expiration time is more than 3600 seconds, then this will not work. You need to increase gc_maxlifetime. If you mean the expiration time of the session cookie, it is set to 0, which means it shouldn't be deleted until the browser is closed (or the user logs out, at which point it is deleted immediately). Paul -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote: I'm having trouble with a PHP website which requires users to be logged in to access all content other than the home page and a couple of static pages (about us, contact us etc.). Several users have said they are being logged out every few minutes whilst using the site - they can login but will be shown the login form again after a few minutes. I can't confirm this myself as the site seems to work fine for me - even using the same browser as they are and under their accounts - but I'm wondering if this could be a problem with the session settings? The current settings I have are: session.auto_start Off session.bug_compat_42 On session.bug_compat_warn On session.cache_expire 180 session.cache_limiter nocache session.cookie_domain no value session.cookie_httponly Off session.cookie_lifetime 0 session.cookie_path / session.cookie_secure Off session.entropy_file no value session.entropy_length 0 session.gc_divisor 100 session.gc_maxlifetime 3600 session.gc_probability 1 session.hash_bits_per_character 4 session.hash_function 0 session.name PHPSESSID session.referer_check no value session.save_handler files session.save_path /shared/sessions session.serialize_handler php session.use_cookies On session.use_only_cookies Off session.use_trans_sid 0 The only options I have changed from the defaults are gc_maxlifetime, gc_probability and save_path. There are several sites on the same server, some are https, others just plain http. They all use the same session options. session_start() is called once on every page. The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 0.9.6.2 (cli) (built: Jul 1 2011 16:01:01). I'm aware it's an old version before anyone tells me to upgrade (it's the latest stable version in Debian Lenny). :) Potential problems I have already ruled out: 1. I don't think it's a browser problem as the users have a variety of browsers and versions (we log the user agent for each login, they're mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the problem using the same browsers on my machine. 2. The server time is correct. 3. The sessions aren't stored in a directory which is being regularly cleared out, such as /var/lib/php5 or /tmp. 4. The web server has permission to write to the save_path directory, and I can see session files being created. 5. No output buffering functions are being used. Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. Thanks in advance. Paul How do you handle multiple logins? If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed? Do you allow multiple, simultaneous logins per account? -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote: Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved). Is the potential for cached pages to be returned for a user NOT logged in? -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
Just confirm once that you are not calling session_destroy somewhere. Thanks, Vikash Kumar -- http://vika.sh On 7 September 2011 16:46, Richard Quadling rquadl...@gmail.com wrote: On 7 September 2011 11:20, Paul Waring p...@phpdeveloper.org.uk wrote: Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved). Is the potential for cached pages to be returned for a user NOT logged in? -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:15, Richard Quadling wrote: How do you handle multiple logins? If I login using my laptop and get Session A for my account and then I login using my desktop and get Session B for my account, does Session A get killed? Session A is killed, your last login is always the current one. Do you allow multiple, simultaneous logins per account? No, but then each user is accessing their account from a single machine and browser anyway (i.e. they don't switch from desktop to laptop and then back again), so we don't even have people trying to have simultaneous logins. -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:20, vikash.i...@gmail.com wrote: Just confirm once that you are not calling session_destroy somewhere. The only place session_destroy is called is in the logout function, which itself is only called if a user clicks the logout link. -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 07/09/11 12:16, Richard Quadling wrote: On 7 September 2011 11:20, Paul Waringp...@phpdeveloper.org.uk wrote: Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved). I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry. Is the potential for cached pages to be returned for a user NOT logged in? Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions expiring early
On 07/09/11 13:42, Richard Quadling wrote: On 7 September 2011 12:32, Paul Waringp...@phpdeveloper.org.uk wrote: On 07/09/11 12:16, Richard Quadling wrote: On 7 September 2011 11:20, Paul Waringp...@phpdeveloper.org.ukwrote: Can anyone suggest things which I could try? I cannot work out why this problem is happening for some users but not me. For browsers/extensions that do automatic read ahead (I load page A and linked pages B and C are also retrieved). I hadn't thought of that. However, we audit all user logins and logouts, as well as all page requests. If the browser was pre-fetching the logout page, we'd have 'user logout' entries in our logs, but the only notices we have are for users logging in. If users were being logged out because of pre-fetching, I'd expect to see each login entry have a corresponding logout entry. Is the potential for cached pages to be returned for a user NOT logged in? Any pages which a user has viewed whilst logged in shouldn't be cached, assuming the browser is respecting the headers. They are all sent with: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 How is your code determining if they need to be redirected back to the login page? The test is whether two $_SESSION elements are set and match ones in the database, plus whether the last page view by the user (stored in the database, updated on each request) was less than one hour ago. What changes that information? A page load changed the 'last page view time'. Nothing changes the other session data, except an explicit logout (which sets $_SESSION = array() and calls session_destroy). Can you monitor it externally? I'm not sure what you mean by 'externally'. Most of the site requires a login, so it's not possible for a third-party to monitor it if that's what you mean. -- Paul Waring http://www.phpdeveloper.org.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions - More Info
Dear List - Thank you for your help in the past. This an update on my session problems. Here is a simple test program. It never increments the session counter; ie, does not detect that $_SESSION has been set. ?php session_start(); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; html body ?php if(isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo Views=. $_SESSION['views']; ? /body /html I have no idea what is wrong. I need to make my session variables work so that I can finish a project. Help and advice, please. Ethan Rosenberg MySQL 5.1 PHP 5.3.3-6 Linux [Debian (sid)] I tried your code on my testing computer (PHP 5.2.14) and everything works fine. $_SESSION['views'] is counting up correctly. Maybe a problem with your configuration? Beste regards. Steven -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions - More Info
Dear List - Thank you for your help in the past. This an update on my session problems. Here is a simple test program. It never increments the session counter; ie, does not detect that $_SESSION has been set. ?php session_start(); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; html body ?php if(isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo Views=. $_SESSION['views']; ? /body /html I have no idea what is wrong. I need to make my session variables work so that I can finish a project. Help and advice, please. Ethan Rosenberg MySQL 5.1 PHP 5.3.3-6 Linux [Debian (sid)] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions - More Info
On Wed, 2011-03-30 at 19:20 -0400, Ethan Rosenberg wrote: Dear List - Thank you for your help in the past. This an update on my session problems. Here is a simple test program. It never increments the session counter; ie, does not detect that $_SESSION has been set. ?php session_start(); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; html body ?php if(isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo Views=. $_SESSION['views']; ? /body /html I have no idea what is wrong. I need to make my session variables work so that I can finish a project. Help and advice, please. Ethan Rosenberg MySQL 5.1 PHP 5.3.3-6 Linux [Debian (sid)] That code works perfectly for me, only thing I would change is the $_SESSION['views']=$_SESSION['views']+1; line to $_SESSION['views']++; for readability. If you're using Firefox, grab the Firebug plugin, which should show you the headers that are being sent to and from the server to the browser. From that, you might get an idea why the sessions don't seem to be working. Just to make sure, turn on display_errors in your php.ini file and restart Apache. Some whitespace (space or new line, for example) before that first ?php line could cause the headers to send and the sessions headers to fail (headers already sent error) which would give you the problems you're seeing now. Also, some editors have issues with the BOM (byte order marker) which could cause white-space to be perceived where there is none. If you are sure there isn't any, then try saving the script with a different character encoding to test if it is the BOM causing problems. -- Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Sessions - More Info - SOLVED
At 07:28 PM 3/30/2011, Ashley Sheridan wrote: On Wed, 2011-03-30 at 19:20 -0400, Ethan Rosenberg wrote: Dear List - Thank you for your help in the past. This an update on my session problems. Here is a simple test program. It never increments the session counter; ie, does not detect that $_SESSION has been set. ?php session_start(); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; html body ?php if(isset($_SESSION['views'])) $_SESSION['views']=$_SESSION['views']+1; else $_SESSION['views']=1; echo Views=. $_SESSION['views']; ? /body /html I have no idea what is wrong. I need to make my session variables work so that I can finish a project. Help and advice, please. Ethan Rosenberg MySQL 5.1 PHP 5.3.3-6 Linux [Debian (sid)] That code works perfectly for me, only thing I would change is the $_SESSION['views']=$_SESSION['views']+1; line to $_SESSION['views']++; for readability. If you're using Firefox, grab the Firebug plugin, which should show you the headers that are being sent to and from the server to the browser. From that, you might get an idea why the sessions don't seem to be working. Just to make sure, turn on display_errors in your php.ini file and restart Apache. Some whitespace (space or new line, for example) before that first ?php line could cause the headers to send and the sessions headers to fail (headers already sent error) which would give you the problems you're seeing now. Also, some editors have issues with the BOM (byte order marker) which could cause white-space to be perceived where there is none. If you are sure there isn't any, then try saving the script with a different character encoding to test if it is the BOM causing problems. -- Thanks, Ash http://www.ashleysheridan.co.uk ++ Ash - Thanks. What did it was to 1] explicitly declare the character set and 2] close and restart Apache. Ethan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP sessions - users being automatically logged out
I'm having trouble with a PHP site whereby some users are being logged out on a regular basis. This will usually happen after they have been using the site for a few minutes, they can login without any problems and access a few pages, but then suddenly they will request a page and be sent to the login form, which suggests that their session no longer exists. However, this doesn't affect all users - I can login and use the application without any problems, as can some other users. According to phpinfo(), the following session values are set (all are what I'd expect - either the default or something I've deliberately changed): session.auto_start = Off session.bug_compat_42 = On session.bug_compat_warn = On session.cache_expire = 180 session.cache_limiter = nocache session.cookie_domain = no value session.cookie_httponly = Off session.cookie_lifetime = 0 session.cookie_path = / session.cookie_secure = Off session.entropy_file = no value session.entropy_length = 0 session.gc_divisor = 100 session.gc_maxlifetime = 1440 session.gc_probability = 1 session.hash_bits_per_character = 4 session.hash_function = 0 session.name = PHPSESSID session.referer_check = no value session.save_handler = files session.save_path = /shared/sessions session.serialize_handler = php session.use_cookies = On session.use_only_cookies = Off session.use_trans_sid = 0 I've tried checking a few obvious things: * IP addresses - the site doesn't use the IP address as part of the authentication process, and almost all our users (including the ones experiencing problems) have static IP addresses anyway. * Number of sessions - there are between 40-60 session files on disk at any one time, so I doubt there's a maximum number of session files limit being broken, if such a configuration option exists. * Permissions - the web server user (www-data) has read/write permissions to the directory where the sessions are stored and all the files within it, and they are all owned by this user. Is there anything else obvious which could be causing the problem? This seemed to occur when we moved hosts, and I haven't changed the site's session handling code for some time, so I suspect it might be a configuration issue but can't figure out what. Thanks, Paul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions - users being automatically logged out
Inc session.cache_expire. You have only 3 minutes. This means browser will drop cookie containing session id in three minutes, or even less, of clients inactivity. I prefer to set expire-time to zero. So, browser will never forget session id. In other case, if security requires, i usually set it to 24 hours, to avoid some mystic problems, in case of misconfigured servers and/or clients TZ; they are rare. 2010/11/4, Paul Waring p...@xk7.net: I'm having trouble with a PHP site whereby some users are being logged out on a regular basis. This will usually happen after they have been using the site for a few minutes, they can login without any problems and access a few pages, but then suddenly they will request a page and be sent to the login form, which suggests that their session no longer exists. However, this doesn't affect all users - I can login and use the application without any problems, as can some other users. According to phpinfo(), the following session values are set (all are what I'd expect - either the default or something I've deliberately changed): session.auto_start = Off session.bug_compat_42 = On session.bug_compat_warn = On session.cache_expire = 180 session.cache_limiter = nocache session.cookie_domain = no value session.cookie_httponly = Off session.cookie_lifetime = 0 session.cookie_path = / session.cookie_secure = Off session.entropy_file = no value session.entropy_length = 0 session.gc_divisor = 100 session.gc_maxlifetime = 1440 session.gc_probability = 1 session.hash_bits_per_character = 4 session.hash_function = 0 session.name = PHPSESSID session.referer_check = no value session.save_handler = files session.save_path = /shared/sessions session.serialize_handler = php session.use_cookies = On session.use_only_cookies = Off session.use_trans_sid = 0 I've tried checking a few obvious things: * IP addresses - the site doesn't use the IP address as part of the authentication process, and almost all our users (including the ones experiencing problems) have static IP addresses anyway. * Number of sessions - there are between 40-60 session files on disk at any one time, so I doubt there's a maximum number of session files limit being broken, if such a configuration option exists. * Permissions - the web server user (www-data) has read/write permissions to the directory where the sessions are stored and all the files within it, and they are all owned by this user. Is there anything else obvious which could be causing the problem? This seemed to occur when we moved hosts, and I haven't changed the site's session handling code for some time, so I suspect it might be a configuration issue but can't figure out what. Thanks, Paul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions - users being automatically logged out
On 04/11/10 14:56, Alexander Holodny wrote: Inc session.cache_expire. You have only 3 minutes. This means browser will drop cookie containing session id in three minutes, or even less, of clients inactivity. According to the PHP manual: session.cache_expire specifies time-to-live for cached session pages in minutes, this has no effect for nocache limiter. So the value of session.cache_expire should be ignored, as session.cache_limiter is set to nocache. Paul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions only work in SSL
I have a strange issue here. I am running a CentOS machine, with apache 2.2.3 php 5.1.6 kernel 2.6.18-194.8.1.el5xen My sessions will work using https, but not using simple http. I've compared my configs with another identical machine which works with both, and I can't figure out why. Anyone got an idea? Here's the simple script I run to test. ?php session_start(); echo 'session started'; if (isset($_SESSION['name'])) { echo 'br /' . $_SESSION['name']; session_destroy(); } else { echo 'br /No session found'; $_SESSION['name'] = 'My session'; } phpinfo(); ? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions only work in SSL
On Mon, Oct 18, 2010 at 8:46 PM, Daniel Houle drho...@hotmail.com wrote: I have a strange issue here. I am running a CentOS machine, with apache 2.2.3 php 5.1.6 kernel 2.6.18-194.8.1.el5xen My sessions will work using https, but not using simple http. I've compared my configs with another identical machine which works with both, and I can't figure out why. Anyone got an idea? Here's the simple script I run to test. ?php session_start(); echo 'session started'; if (isset($_SESSION['name'])) { echo 'br /' . $_SESSION['name']; session_destroy(); } else { echo 'br /No session found'; $_SESSION['name'] = 'My session'; } phpinfo(); ? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Are you sure session.cookie_secure is not turned on somewhere? Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions only work in SSL
On 10/19/2010 09:41 AM, Andrew Ballard wrote: On Mon, Oct 18, 2010 at 8:46 PM, Daniel Houledrho...@hotmail.com wrote: I have a strange issue here. I am running a CentOS machine, with apache 2.2.3 php 5.1.6 kernel 2.6.18-194.8.1.el5xen My sessions will work using https, but not using simple http. I've compared my configs with another identical machine which works with both, and I can't figure out why. Anyone got an idea? Here's the simple script I run to test. ?php session_start(); echo 'session started'; if (isset($_SESSION['name'])) { echo 'br /' . $_SESSION['name']; session_destroy(); } else { echo 'br /No session found'; $_SESSION['name'] = 'My session'; } phpinfo(); ? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Are you sure session.cookie_secure is not turned on somewhere? Andrew No, it was not set anywhere. But I did add it in with session.cookie_secure 0 and it solved my issue. Thank you very much Andrew! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions and Security Concerns
Hi, I'm just wondering whether there are any apparent security concerns I should be aware of when using sessions in my PHP scripts. I understand that sessions are tracked with an individual user via a session ID which is stored in a temporary location on the server, as well as a PHPSESSID cookie assigned to the end user's client, but the server my website is hosted on (and which I'll be developing my PHP script on) doesn't allow you to create a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only the server can generate a session ID for the end user when I call the session_start function? So do I still need to call session_regenerate_id for security purposes when an end user has entered the correct login credentials - would this be necessary since you cant set a session ID via the URL? Thanks, Ben.
Re: [PHP] Sessions and Security Concerns
On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote: Hi, I'm just wondering whether there are any apparent security concerns I should be aware of when using sessions in my PHP scripts. I understand that sessions are tracked with an individual user via a session ID which is stored in a temporary location on the server, as well as a PHPSESSID cookie assigned to the end user's client, but the server my website is hosted on (and which I'll be developing my PHP script on) doesn't allow you to create a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only the server can generate a session ID for the end user when I call the session_start function? So do I still need to call session_regenerate_id for security purposes when an end user has entered the correct login credentials - would this be necessary since you cant set a session ID via the URL? Thanks, Ben. Just setting a URL variable won't actually create a session, you have to use the PHP session functions to create one. Using session_regenerate_id() won't do that much for security. If you are really worried, then consider a security certificate. Even a self-issued one is better than nothing, and you can generate these for free. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Sessions and Security Concerns
Ashley Sheridan wrote: On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote: Hi, I'm just wondering whether there are any apparent security concerns I should be aware of when using sessions in my PHP scripts. I understand that sessions are tracked with an individual user via a session ID which is stored in a temporary location on the server, as well as a PHPSESSID cookie assigned to the end user's client, but the server my website is hosted on (and which I'll be developing my PHP script on) doesn't allow you to create a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only the server can generate a session ID for the end user when I call the session_start function? So do I still need to call session_regenerate_id for security purposes when an end user has entered the correct login credentials - would this be necessary since you cant set a session ID via the URL? Thanks, Ben. Just setting a URL variable won't actually create a session, you have to use the PHP session functions to create one. Using session_regenerate_id() won't do that much for security. If you are really worried, then consider a security certificate. Even a self-issued one is better than nothing, and you can generate these for free. worth noting that you can also issue client side ssl certificates to your users; 100% secure, self-signed thus free, either by creating a pki12 w/ php or by using the html KEYGEN element - the ssl cert installs directly in the users browser. You can use the subjectAltName attribute of the certificate to save a users unique id. And thus, 0 click login, perfectly secure auth all done through https - further meaning you can completely negate sessions/cookies and all the related insecurities. further still, you can boot this up to foaf+ssl giving users one unique web id for themselves, and in full control of there own profile / login etc; (like openid done right and one steriods) Will be the defacto industry standard in a couple of years, so may as well adopt early. Regards! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP Sessions
On Fri, 2010-03-12 at 21:33 -0500, Martine Osias wrote: The sessions variables are OK. They don't print when I put them on the HTML page with this code. tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr Thank you. Martine Martine Osias webi...@gmail.com wrote in message news:95.0c.13686.c7cda...@pb1.pair.com... Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html Don't use ?=, it's a crappy short tag and most hosting doesn't support those sorts of tags. Instead, use something like this: ?php echo $_SESSION['scripture_text']; ? Short tags end up causing more problems than they solve sometimes... Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Re: PHP Sessions
Hello Martine, As you have been already told, the ?=...? is not always supported. However I'd suggest you to do the following (since I love this form of tag): td align=leftlaquo;?=$_SESSION['scripture_text']?raquo;/td Note: I put within the tag only the variable. -- With best regards from Ukraine, Andre Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: m_elensule - Original message - From: Martine Osias webi...@gmail.com To: php-general@lists.php.net php-general@lists.php.net Date: Saturday, March 13, 2010, 4:33:34 AM Subject: [PHP] Re: PHP Sessions The sessions variables are OK. They don't print when I put them on the HTML page with this code. tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr Thank you. Martine Martine Osias webi...@gmail.com wrote in message news:95.0c.13686.c7cda...@pb1.pair.com... Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP Sessions
On Sat, 2010-03-13 at 12:22 +0200, Andre Polykanine wrote: Hello Martine, As you have been already told, the ?=...? is not always supported. However I'd suggest you to do the following (since I love this form of tag): td align=leftlaquo;?=$_SESSION['scripture_text']?raquo;/td Note: I put within the tag only the variable. -- With best regards from Ukraine, Andre Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: m_elensule - Original message - From: Martine Osias webi...@gmail.com To: php-general@lists.php.net php-general@lists.php.net Date: Saturday, March 13, 2010, 4:33:34 AM Subject: [PHP] Re: PHP Sessions The sessions variables are OK. They don't print when I put them on the HTML page with this code. tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr Thank you. Martine Martine Osias webi...@gmail.com wrote in message news:95.0c.13686.c7cda...@pb1.pair.com... Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php That's still using short tags. The time you save on typing is nothing compared to the time you spend trying to figure out why your script doesn't work since you moved servers, or copied it to your live server, or why you are having trouble using XML... Thanks, Ash http://www.ashleysheridan.co.uk
Re[2]: [PHP] Re: PHP Sessions
Hello Ashley, And if the site is full of that code?)) I think it's worth to learn what's really the reason of the fact that it doesn't work. Besides that, it's more readable for me. And the right thing that was said here is the following: check the php.ini settings and change them if possible. -- With best regards from Ukraine, Andre Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: m_elensule - Original message - From: Ashley Sheridan a...@ashleysheridan.co.uk To: Andre Polykanine an...@oire.org Date: Saturday, March 13, 2010, 12:33:46 PM Subject: [PHP] Re: PHP Sessions On Sat, 2010-03-13 at 12:22 +0200, Andre Polykanine wrote: Hello Martine, As you have been already told, the ?=...? is not always supported. However I'd suggest you to do the following (since I love this form of tag): td align=leftlaquo;?=$_SESSION['scripture_text']?raquo;/td Note: I put within the tag only the variable. -- With best regards from Ukraine, Andre Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: m_elensule - Original message - From: Martine Osias webi...@gmail.com To: php-general@lists.php.net php-general@lists.php.net Date: Saturday, March 13, 2010, 4:33:34 AM Subject: [PHP] Re: PHP Sessions The sessions variables are OK. They don't print when I put them on the HTML page with this code. tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr Thank you. Martine Martine Osias webi...@gmail.com wrote in message news:95.0c.13686.c7cda...@pb1.pair.com... Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php That's still using short tags. The time you save on typing is nothing compared to the time you spend trying to figure out why your script doesn't work since you moved servers, or copied it to your live server, or why you are having trouble using XML... Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: Re[2]: [PHP] Re: PHP Sessions
On Sat, 2010-03-13 at 12:49 +0200, Andre Polykanine wrote: Hello Ashley, And if the site is full of that code?)) I think it's worth to learn what's really the reason of the fact that it doesn't work. Besides that, it's more readable for me. And the right thing that was said here is the following: check the php.ini settings and change them if possible. If the site is full of that code I'd make a start on replacing it. A simple find/replace will work in cases like this. I try to write my code so that I don't have to make unnecessary changes to my php.ini. For example, what if I don't have access to my php.ini and can't set a directive in my .htaccess file? What if I'm sharing my code with someone? What if I need to work with outputting XML headers? All of these factors I think outweigh any gains I would get from short tags. As for readability, I tend to use a text editor with syntax highlighting which makes my code readable. Thanks, Ash http://www.ashleysheridan.co.uk
[PHP] PHP Sessions
Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Sessions
On Fri, 2010-03-12 at 19:29 -0500, Martine Osias wrote: Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html Are there any errors, either displayed or in the error log? Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] PHP Sessions
Martine Osias wrote: Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; Do sessions work at all? Something simple, like ?php //a.php session_start(); $_SESSION['test']=foo; echo 'a href=b.phpClick me/a'; ? ?php //b.php session_start(); echo $_SESSION['test']; // should say foo ? * ... would be a good 1st test. If that works, I'd suspect that $row_scripture['ScriptureText'] and friends are empty. If it doesn't, I'd suspect a combination of very strict browser privacy settings (disallow all cookies) with lame server config (use_only_cookies), or that session support is missing or disabled. HTH, KDK -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Sessions
Forgot to mention, you could check into the privacy vs. server settings by doing: session_start(); echo session_id(); on both pages. If they're different, then this is the problem. KDK -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Sessions
Hello Martine, Try to make on the second page a print_r ($_SESSION); -- With best regards from Ukraine, Andre Skype: Francophile; WlmMSN: arthaelon @ yandex.ru; Jabber: arthaelon @ jabber.org Yahoo! messenger: andre.polykanine; ICQ: 191749952 Twitter: m_elensule - Original message - From: Martine Osias webi...@gmail.com To: php-general@lists.php.net php-general@lists.php.net Date: Saturday, March 13, 2010, 2:29:41 AM Subject: [PHP] PHP Sessions Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP Sessions
The sessions variables are OK. They don't print when I put them on the HTML page with this code. tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr Thank you. Martine Martine Osias webi...@gmail.com wrote in message news:95.0c.13686.c7cda...@pb1.pair.com... Hi: I need to store variables to send then between pages. I don't need the variables in a database so I try to send them with sessions. The variables don't seem to be there when I try to get them. What could be the problem. Here are the pages where I store and retrieve the variables. Page 1 (variables stored): ?php session_start(); $_SESSION['scripture_text'] = $row_scripture['ScriptureText']; $_SESSION['scripture_ref'] = $row_scripture['ScriptureRef']; ? Page 2 (variables retrieved): ?php session_start(); include(includes/config.php); ? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head /head body table width=100% align=center border=0 tr td align=left?=laquo;.$_SESSION['scripture_text'].raquo;?/td /tr tr td style=font-size: smaller; align=right?=$_SESSION['scripture_ref']?/td /tr /table /body /html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions across subdomains
Hi, I've always thought that session data was subdomain specific and would not carry over between http://www.mydomain.com and https://secure.mydomain.com, but it seems to be working for me now. Can I rely on this and post from http://www.mydomain.com to https://secure.mydomain.com and simply pass a hidden input containing PHPSESSID, or do I need to pass each key=value pair that _SESSION contains at www. and reset them as _SESSION vars at secure. https://secure.mydomain.com ? Thanks in advance, Ben
Re: [PHP] Sessions across subdomains
Op 1/30/10 2:25 AM, Ben Miller schreef: Hi, I've always thought that session data was subdomain specific and would not carry over between http://www.mydomain.com and https://secure.mydomain.com, but it seems to be working for me now. Can I rely on this and post from http://www.mydomain.com to https://secure.mydomain.com and simply pass a hidden input containing PHPSESSID, or do I need to pass each key=value pair that _SESSION contains at www. and reset them as _SESSION vars at secure. https://secure.mydomain.com ? 1. cookies are shared automatically on SUB domains, so if you set your cookie domain to example.com it will be available at both www.example.com and secure.example.com 2. cookies can have a HTTPS flag set which means they will not be shared with non-HTTPS connections. 3. DONT put the contents of $_SESSION on the wire. (given the question you're asking I'd hazard a guess you don't have the skills to sufficiently 4. google/read/search/learn about the security implications of sharing a cookie between HTTPS and non-HTTPS domains. 5. session_regenerate_id() - I would use this if you intend to pass session ids around, although it will probably give you a stack of problems in terms of usability (e.g. back button usage), actually I'd use it any time you log someone in or out or have a user perform a particularly sensitive action. 6. the $_SESSION will only be available on both sites if they are both on the same server and running with the same session ini settings (i.e. session save path, session name) - different servers could obviously be using a shared filesystem or an alternative session storage (e.g. memcached or database server). 7. consider not sharing the session - instead pass just the data that you need (e.g. shopping basket contents etc) and either including a hash of the data (which uses a secret string that is not included in the form/url/etc but that both servers/sites know about AND/OR using 2-way public key encryption on the data that you pass in between the servers/sites personally for higher end commercial sites I prefer to just to put everything on HTTPS solving all potential issues with sharing a cookie or data between nonHTTPS and HTTPS sites, and everything directly related ... the cost being extra overhead per request - but hardware is cheap and security is difficult to get exactly right. the biggest names on the web have [had] security loophopes/problems related to these issues, and they generally have tons of man power and some very clever/knowledgable people on their teams - which is to say: your chance (and mine for that matter) of not making any mistakes on this front are slimmer than theirs. Thanks in advance, Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] SESSIONS classes
I am trying to implement a relatively complete login system code for my website, but the code is a bit dated ($HTTP_POST_VARS for example). I am not too familiar with classes and I'm having trouble with this one. I have an include which is the login form if the SESSION is not set, and a mini control panel when it is. I will post the code below because it is a bit extensive. My problem: When I try to log in (POST username/password to same page and validate with the class, the page simply reloads MINUS THE FORM SUBMIT BUTTON. It's very odd. I have a working system on another website without using this class, I just hoping to be more object-oriented with this one. Like I said, the code is a bit lengthy, and if you are kind enough to take a look at I can even send you the php files for the sake of readability (ie. formatted better than here). Anything you can help with would be greatly appreciated; I'll have my wife bake you some cookies or something! The basic page looks like this: ?php // Get the PHP file containing the DbConnector class require_once('../includes/DbConnector.php'); // Create an instance of DbConnector $connector = new DbConnector(); // sets $thispage and $directory include('../includes/pagedefinition.php'); // Include functions require_once('../includes/functions.php'); //content include('../includes/signupform.php'); include('../includes/signup_val_inser_eml.php'); include('../includes/signinform.php'); include('../includes/header.php'); include('../includes/body.php'); ? The page definition file looks like this: ?php require_once(Sentry.php); if ($_GET['action'] == 'logout'){ if ($sentry-logout()){ echo 'p align=\center\ class=\confirm\You have been logged out/pbr'; } } . . . // site content-grabbing code excluded /// // Attempted login url - use for redirect after login. $redirect = http://mwclans.com/{$_SERVER['REQUEST_URI'http://mwclans.com/%7B$_SERVER['REQUEST_URI' ]}; // Defined in includes/Sentry.php $sentry = new Sentry(); // If logging in, POST['login'] will be set - check credentials (9 is used to specify the minimum group level that's allowed to access this resource) if ($_POST['login'] != ''){ $sentry-checkLogin($_POST['username'],$_POST['password'],9,'$redirect',/user/index.php'); } if ($minlevel 9) { if (!$sentry-checkLogin($minlevel) ){ header(Location: /user/http://www.mwclans.com/user/); die(); } } ? Here is the Sentry class: ?php // Class: sentry // Purpose: Control access to pages /// class sentry { var $loggedin = false; // Boolean to store whether the user is logged in var $userdata; // Array to contain user's data function sentry(){ session_start(); header(Cache-control: private); } //== // Log out, destroy session function logout(){ if (is_object($this-userdata)) { unset($this-userdata); $session_name = session_name(); return true; } else { $message = p align=\center\ class=\error\Call to non-object by function: logout()/p; } } //== // Log in, and either redirect to goodRedirect or badRedirect depending on success function checkLogin($username = '',$password = '',$role_id = 9,$goodRedirect = '',$badRedirect = ''){ // Include database and validation classes, and create objects require_once('DbConnector.php'); require_once('Validator.php'); $validate = new Validator(); $loginConnector = new DbConnector(); // If user is already logged in then check credentials if ($_SESSION['username'] $_SESSION['password']){ // Validate session data if (!$validate-validateTextOnly($_SESSION['username'])){return false;} if (!$validate-validateTextOnly($_SESSION['password'])){return false;} $getUser = $loginConnector-query(SELECT * FROM user WHERE username = '.$_SESSION['username'].' AND password = '.$_SESSION['password'].' AND role_id = .$role_id.' AND verified = 1'); if ($loginConnector-getNumRows($getUser) 0){ // Existing user ok, continue if ($goodRedirect != '') { header(Location: .$goodRedirect.?.strip_tags(session_id())) ; } return true; }else{ // Existing user not ok, logout $this-logout(); return false; } // User isn't logged in, check credentials }else{ // Validate input if (!$validate-validateTextOnly($username)){return false;} if (!$validate-validateTextOnly($password)){return false;} // Look up user in DB $getUser = $loginConnector-query(SELECT * FROM user WHERE username = '$username' AND password = PASSWORD('$password') AND role_id = $role_id AND verified = 1); $this-userdata = $loginConnector-fetchArray($getUser); if ($loginConnector-getNumRows($getUser) 0){ //
[PHP] PHP sessions, AJAX, authentication and security.
Hi all. A question about PHP sessions and their interaction with AJAX. I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access. For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script. It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication. Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also. I hope the explanation is clear. Thanks in advance.
Re: [PHP] PHP sessions, AJAX, authentication and security.
You could use a one time token on each request Bastien Sent from my iPod On Nov 21, 2009, at 6:30 AM, Angus Mann angusm...@pobox.com wrote: Hi all. A question about PHP sessions and their interaction with AJAX. I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access. For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script. It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication. Can anyone offer some advice about how to piggy-back the session/ authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also. I hope the explanation is clear. Thanks in advance. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP sessions, AJAX, authentication and security.
At 9:30 PM +1000 11/21/09, Angus Mann wrote: Hi all. A question about PHP sessions and their interaction with AJAX. I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access. For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script. It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication. Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also. I hope the explanation is clear. Thanks in advance. Angus: First, don't trust anything that comes from the client -- period. Second, Ajax is just another way to send stuff to the server. When the data gets to the server then authenticate and set a session variable to indicate such. This is not rocket science, but if you don't do it right you'll leave a crater. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP sessions, AJAX, authentication and security.
Angus Mann wrote: Hi all. A question about PHP sessions and their interaction with AJAX. I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access. For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script. It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication. Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also. I hope the explanation is clear. Thanks in advance. same as everywhere else in your apps.. ajax is no different in any way at all, not even slightly. as far as PHP and web server is concerned it's just a plain old request same as any other; thus.. if( !$_SESSION['is_logged_in'] ) { exit(); } // do stuff -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: PHP sessions, AJAX, authentication and security.
same as everywhere else in your apps.. ajax is no different in any way at all, not even slightly. as far as PHP and web server is concerned it's just a plain old request same as any other; thus.. if( !$_SESSION['is_logged_in'] ) { exit(); } // do stuff Thanks for that. Sometimes the solution is right there in front of you. The bit of code below does the job nicely for me : session_start(); if(!isset($_SESSION['username'])){ echo(Go Away.); exit(); } // now work with sensitive data... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] sessions and email
All, I am using sessions for my application to verify a user has logged in: // Verify the user is logged in. if (!isset($_SESSION['basic_is_logged_in']) || $_SESSION['basic_is_logged_in'] !== true) { // If not logged in, redirect to the login page. header('Location: login.php'); exit; } If anyone tries to go to any page in the application via the address bar, they are correctly redirected to the login page. However, if someone that is currently logged into the application using I.E. goes to File - Send - Page by Email, the person they email the link to can open it and use the application without logging in and the address bar uses a local path like: C:\Documents and Settings\my_name\Local Settings\Temporary Internet Files\OLK18\My Page (2).htm How can I prevent the emailed pages from being able to access the application if it is a local path or the user hasn't logged in?
Re: [PHP] sessions and email
On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote: All, I am using sessions for my application to verify a user has logged in: // Verify the user is logged in. if (!isset($_SESSION['basic_is_logged_in']) || $_SESSION['basic_is_logged_in'] !== true) { // If not logged in, redirect to the login page. header('Location: login.php'); exit; } If anyone tries to go to any page in the application via the address bar, they are correctly redirected to the login page. However, if someone that is currently logged into the application using I.E. goes to File - Send - Page by Email, the person they email the link to can open it and use the application without logging in and the address bar uses a local path like: C:\Documents and Settings\my_name\Local Settings\Temporary Internet Files\OLK18\My Page (2).htm How can I prevent the emailed pages from being able to access the application if it is a local path or the user hasn't logged in? You can't really. When someone is emailing the page, it's the equivalent of them saving the page to their local computer, and then sending that as an attachment. As this is all client-side, it has no contact with PHP. You could have some sort of Javascript to detect the domain the page has, and then redirect if it's not your domain, but this fails when someone turns Javascript off. Apart from that, I don't know of any other way you could stop someone from emailing a page, aside from making the site completely Ajax based and pulling in every scrap of content via Ajax. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] sessions and email
On Thu, Nov 12, 2009 at 1:21 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote: On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote: All, I am using sessions for my application to verify a user has logged in: // Verify the user is logged in. if (!isset($_SESSION['basic_is_logged_in']) || $_SESSION['basic_is_logged_in'] !== true) { // If not logged in, redirect to the login page. header('Location: login.php'); exit; } If anyone tries to go to any page in the application via the address bar, they are correctly redirected to the login page. However, if someone that is currently logged into the application using I.E. goes to File - Send - Page by Email, the person they email the link to can open it and use the application without logging in and the address bar uses a local path like: C:\Documents and Settings\my_name\Local Settings\Temporary Internet Files\OLK18\My Page (2).htm How can I prevent the emailed pages from being able to access the application if it is a local path or the user hasn't logged in? You can't really. When someone is emailing the page, it's the equivalent of them saving the page to their local computer, and then sending that as an attachment. As this is all client-side, it has no contact with PHP. You could have some sort of Javascript to detect the domain the page has, and then redirect if it's not your domain, but this fails when someone turns Javascript off. Apart from that, I don't know of any other way you could stop someone from emailing a page, aside from making the site completely Ajax based and pulling in every scrap of content via Ajax. Thanks, Ash http://www.ashleysheridan.co.uk And even then, it has become part of the DOM and will be saved with the rest of the page. The presence of Javascript in the page *might* remove it/hide it/obscure it/etc., but it will still be there in the saved document. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions seems to kill db connection
Hi Kranthi kranthi wrote on 2009-10-24 07:27: Db error: Access denied for user 'www-data'@'localhost' (using password: NO) WTF? I´m not using a user called www-data for MySQL connections, but apache runs as this user in the case where $test is true there is an open mysql connection, but when $test is false there is no open connection is available. may be you have opened a connection when $test is true or used a mysql_close() when $test is false or when $_SESSION['login']['uid'] is set. I think you missed my words about resolving the matter, when you were cutting the quoted text :-) regarding www-data, when mysql_query() fails to find a valid MySql connection, it tries to open a new connection with mysql.default_user and mysql.default_password (u can see these values trough phpinfo()); http://php.net/manual/en/function.mysql-connect.php Thanks, that explained the www-data user -- Kind regards Kim Emax - masterminds.dk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions seems to kill db connection
Kim Madsen wrote on 2009-10-22 17:51: Hi PHPeople I have an odd problem at my new work and wonder if it's some sort of odd setup that is causing this problem when using sessions: Like I said, my new work and odd setup, an include file had a mysql_close() in the bottom Speaking of mysql_close(), I think I've read somewhere that in PHP6 a db connection will not be closed, when the script is done. Is this true? Cause then it would definetly be best practice to to _always_ have a mysql_close() in the end for the main file. -- Kind regards Kim Emax - masterminds.dk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions seems to kill db connection
Db error: Access denied for user 'www-data'@'localhost' (using password: NO) WTF? I´m not using a user called www-data for MySQL connections, but apache runs as this user in the case where $test is true there is an open mysql connection, but when $test is false there is no open connection is available. may be you have opened a connection when $test is true or used a mysql_close() when $test is false or when $_SESSION['login']['uid'] is set. regarding www-data, when mysql_query() fails to find a valid MySql connection, it tries to open a new connection with mysql.default_user and mysql.default_password (u can see these values trough phpinfo()); http://php.net/manual/en/function.mysql-connect.php this used to be the behavior earlier, seems it was changed from PHP 5.3.0 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions seems to kill db connection
Hi PHPeople I have an odd problem at my new work and wonder if it's some sort of odd setup that is causing this problem when using sessions: if($test) { $query = SELECT count(*) FROM articles WHERE group1 = 'fp';# AND group2 = 'login'; $r = mysql_query($query) or die('Db error: ' . mysql_error() . 'p'.$SQL); print There´s . mysql_num_rows($r) . rows; // 3 rows print session: . $_SESSION['login']['uid']; // 1234 exit; } else { if($_SESSION['login']['uid']) { $query = SELECT count(*) FROM articles WHERE group1 = 'fp';# AND group2 = 'login'; $r = mysql_query($query) or die('Db error: ' . mysql_error() . 'p'.$SQL); print There´s . mysql_num_rows($r) . rows; } } if $test is true it´s okay, if it´s false, this error occurs: Db error: Access denied for user 'www-data'@'localhost' (using password: NO) WTF? I´m not using a user called www-data for MySQL connections, but apache runs as this user. I've outcommented and login = to exclude a collision in variables (if register globals is on, haven't checked that yet) Anyone seen this wierd behaviour and know a solution or someway to test/debug this? -- Kind regards Kim Emax -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [Fwd: [PHP] Sessions in databases]
Il pinguino volante wrote: (There were some erroros in the previous email, I'm sorry) Hi to all. I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) into a database. I'd like to know how and, expecially, WHY to do it and what's would be better (considering that I CANNOT -d'oh!- edit the php.ini file). Considering you cannot edit the php.ini-file i suspect you are on a shared host. Using the database for intense work in a shared environment is not always popular. I would guess that file based session-files are more scalable. And as you are using a shared hosting service you are probably not load balanced between physical different boxes and this would not gain from using the DB. So if you have to manage a large number of user sessions i would suggest you choose a VPS or deducated/colo box and then use DB with memcached in between for fast caching. That is the way i have done it for a couple of sites i am working on. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[Fwd: [PHP] Sessions in databases]
(There were some erroros in the previous email, I'm sorry) Hi to all. I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) into a database. I'd like to know how and, expecially, WHY to do it and what's would be better (considering that I CANNOT -d'oh!- edit the php.ini file). Thanks in advance, Alfio. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions in databases
Hi to all. I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) to a database. I'd like to know how by expecially WHY doing that and what's would be better (considering that I can -d'oh!- touch the php.ini file). Thanks in advance, Alfio. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [Fwd: [PHP] Sessions in databases]
If you are distributing your application over multiple servers, using a database for session tracking allows a user to continue there session regardless of which server their request bounces too. It prevents the need for 'sticky' network connections which time out anyways. Databases can make scaling applications to enterprise size considerably easier. There are other file based solutions that are dirty and require you to play with file locking and all that nastyness. You also don't need access to the php.ini file to implement session in a database, check out http://php.net/session_set_save_handler Il pinguino volante wrote: (There were some erroros in the previous email, I'm sorry) Hi to all. I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) into a database. I'd like to know how and, expecially, WHY to do it and what's would be better (considering that I CANNOT -d'oh!- edit the php.ini file). Thanks in advance, Alfio. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [Fwd: [PHP] Sessions in databases]
On 10/6/09 10:26 AM, Il pinguino volante tuxs...@codeinside.it wrote: I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) into a database. I'd like to know how and, expecially, WHY to do it and what's would be better (considering that I CANNOT -d'oh!- edit the php.ini file). i think you can modify the PHP session handler without touching php.ini: http://www.php.net/manual/en/function.session-set-save-handler.php i've read a lot on the web about this in recent weeks. different people offer their own justifications for the various approaches to session handling: PHP's file handler, user DB methods for the PHP session handler, PHP's memcache handler, zend session clustering, or do it yourself and don't use PHP sessions at all. there's a lot of controversy on the topic because different people have different requirements and preferences. so your question WHY? is quite complex. my motivation for considering user DB back-end to the PHP session handler was that it would replicate the session data over the DB cluster. retaining the PHP session front-end means less code rework and you keep its session locking. but it adds DB load, and the DB is often an app's bottleneck. whether or not that's ok depends on app specifics. i looked at memcache but i have two problems with it. one is that it is a cache system so it's not designed to be reliable: if it runs out of memory, restarts or crashes, the sessions are gone. the other is that the PHP session implementation is barely documented. i couldn't figure out how it implements the clustering (does it?) so i couldn't see how i would implement failover, recovery and maintenance procedures. http://phpslacker.com/2009/03/02/php-session-clustering-with-memcache/ one class i saw used memcached combined with DB in case of cache miss. it speeds up the reads but every write goes to both cache and DB. one thing that obviously helps is don't write the session to the DB if it hasn't changed. i'm not sure how best to do that yet. and you can optimize the writing of the session timestamp to the DB too. then there's the question of whether or not to use one DB connection for both session handling and the main app or use two connections. the latter is easier to code. row locking in the session table would be preferable to table locking. maybe we should work together on the code for all this? there's a webinar on zend platform session clustering that discusses various issues, bearing in mind it's a technical sales pitch. i don't think it's entirely fair to the DB methods. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [Fwd: [PHP] Sessions in databases]
Sam Stelfox wrote on 2009-10-06 18:09: If you are distributing your application over multiple servers, using a database for session tracking allows a user to continue there session regardless of which server their request bounces too. It prevents the need for 'sticky' network connections which time out anyways. I know Alfio don't have access to the php.ini file, but if you do and have the above setup, consider using a tmp dir like /phptmp and have one root server and mount the other servers /phptmp to the root servers /phptmp Kind regards Kim Emax Il pinguino volante wrote: (There were some erroros in the previous email, I'm sorry) Hi to all. I have to realize an authentication system for a lot of users. I heard that someone uses to store session states (?) into a database. I'd like to know how and, expecially, WHY to do it and what's would be better (considering that I CANNOT -d'oh!- edit the php.ini file). Thanks in advance, Alfio. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes - SOLVED
-Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 24 August 2009 04:30 PM To: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 02:58 PM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote: Hi Leon, No harm intended :) Just thought that people were missing my post now and only answering yours. Angelo, excuse me if I'm bringing up something very basic, but I'm new to this. Just trying to help. I imagine redirects couldn't be the cause of the problem, right? http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_session s http://www.webmasterworld.com/forum88/8486.htm Hi thanks for the links it appears that its all in order also I'm not losing SESSIONS on the redirect but somewhere else. I have checked the garbage collection, disk space and other settings in the PHP.ini file. ALL FINE. So now I am really stuck and confused as to what could sometimes cause the loss of these variables and other times it just works fine. Is there possibly a way that I can call some function that will ensure that the sessions are saved (I checked the manual - nothing much). Any other ideas? Anything that you think might be causing issues? Thanks Angelo Hi all, I have solved the issue of lost session variables. It appeared to be losing the SESSION variables when going from a POST from HTTP to HTTPS, however it didn't always happen, so the logging allowed me to narrow down where the losing was occurring. The solution. In my form that I post from the HTTP site, I put a hidden variable in there and with the session variable. In HTTPS it sometimes doesn't carry over the hidden variable therefore we need to start the session with the old SESSION ID from the HTTP site. So what I did was the following on the https site: if (isset($_POST['sessionID'])) { //http://stackoverflow.com/questions/441496/session-lost-when-switching-from -http-to-https-in-php // Retrieve the session ID as passed via the GET method. $currentSessionID = $_POST['sessionID']; //echo $currentSessionID; // Set a cookie for the session ID. $sessionid2 = session_id($currentSessionID); } Therefore setting the session ID with the session_id() function. This must go before the session_start() function!!! Very NB!. Hope this helps anyone who has a similar problem. Regards Angelo http://www.elemental.co.za http://www.wapit.co.za -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
-Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 02:58 PM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote: Hi Leon, No harm intended :) Just thought that people were missing my post now and only answering yours. Angelo, excuse me if I'm bringing up something very basic, but I'm new to this. Just trying to help. I imagine redirects couldn't be the cause of the problem, right? http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_session s http://www.webmasterworld.com/forum88/8486.htm Hi thanks for the links it appears that its all in order also I'm not losing SESSIONS on the redirect but somewhere else. I have checked the garbage collection, disk space and other settings in the PHP.ini file. ALL FINE. So now I am really stuck and confused as to what could sometimes cause the loss of these variables and other times it just works fine. Is there possibly a way that I can call some function that will ensure that the sessions are saved (I checked the manual - nothing much). Any other ideas? Anything that you think might be causing issues? Thanks Angelo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
-Original Message- From: Ben Dunlap [mailto:bdun...@agentintellect.com] Sent: 19 August 2009 08:18 PM To: Angelo Zanetti Cc: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes We have a server with a site that does some XML calls. After lots of testing I have found that the server is losing session variables. [8] Also the site goes from HTTP to HTTPS at some point but this isn't the issue as it loses the sessions as soon as they are set sometimes. Therefore I would like to know what I could check. I have read in other Can you clarify what you mean by losing sessions? Have you taken a network trace to see whether the client is consistently sending the session ID with every request? When the problem happens, is $_SESSION completely empty or is it only missing some variables? Does it seem to happen on any page, or only certain ones? Thanks, Ben Hi Ben, When the problem happens the $_SESSION is partially empty. It only has the some of the variables set. It happens on a certain page only, but the strange thing is that it never happened before its only happening now. But the code hasn't changed so is it safe to assume that it's a server issue? Thanks Angelo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? -Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 20 August 2009 08:53 AM To: 'Ben Dunlap' Cc: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Ben Dunlap [mailto:bdun...@agentintellect.com] Sent: 19 August 2009 08:18 PM To: Angelo Zanetti Cc: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes We have a server with a site that does some XML calls. After lots of testing I have found that the server is losing session variables. [8] Also the site goes from HTTP to HTTPS at some point but this isn't the issue as it loses the sessions as soon as they are set sometimes. Therefore I would like to know what I could check. I have read in other Can you clarify what you mean by losing sessions? Have you taken a network trace to see whether the client is consistently sending the session ID with every request? When the problem happens, is $_SESSION completely empty or is it only missing some variables? Does it seem to happen on any page, or only certain ones? Thanks, Ben Hi Ben, When the problem happens the $_SESSION is partially empty. It only has the some of the variables set. It happens on a certain page only, but the strange thing is that it never happened before its only happening now. But the code hasn't changed so is it safe to assume that it's a server issue? Thanks Angelo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
-Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows/tabs on the same client-side computer didn't share session info then you'd get the effect of being able to log onto a site with one browser window, but find in a second browser window that you were not yet logged on. Experience will tell you that you're logged on in both browser windows (try it with your online bank). It's not an issue, it's a feature. If you want to be able to use different browser windows as though they were different users then use different browsers e.g. IE and FF on the same client-side computer will look like two separate end users to the server, and they don't share session info or cookies. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. I have no issue with using FF and IE to do testing as that takes care of browser compatibility testing at the same time :-), but I think when you start a new session with new values, it should be kept under that window/tab alone. Cookies can take care of more details, but my opinion is data should never be affected across windows/tabs unless the same user is logged in on botheven then I would expect PHP to keep data per session. Maybe it goes beyond being an IE or FF issue..the questiojn is...will PHP allow variables from session A become corrupted when session B is in progress when they should actually be handled seperately? In the end I think it is something I do wrong in PHP with the SESSION variables and how I clear themif so...I don't think PHP should allow clearing SESSION variables from other sessions. -Original Message- From: Arno Kuhl [mailto:ak...@telkomsa.net] Sent: 20 August 2009 10:03 AM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows/tabs on the same client-side computer didn't share session info then you'd get the effect of being able to log onto a site with one browser window, but find in a second browser window that you were not yet logged on. Experience will tell you that you're logged on in both browser windows (try it with your online bank). It's not an issue, it's a feature. If you want to be able to use different browser windows as though they were different users then use different browsers e.g. IE and FF on the same client-side computer will look like two separate end users to the server, and they don't share session info or cookies. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
Leon du Plessis wrote: It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. I have no issue with using FF and IE to do testing as that takes care of browser compatibility testing at the same time :-), but I think when you start a new session with new values, it should be kept under that window/tab alone. Cookies can take care of more details, but my opinion is data should never be affected across windows/tabs unless the same user is logged in on botheven then I would expect PHP to keep data per session. Maybe it goes beyond being an IE or FF issue..the questiojn is...will PHP allow variables from session A become corrupted when session B is in progress when they should actually be handled seperately? In the end I think it is something I do wrong in PHP with the SESSION variables and how I clear themif so...I don't think PHP should allow clearing SESSION variables from other sessions. -Original Message- From: Arno Kuhl [mailto:ak...@telkomsa.net] Sent: 20 August 2009 10:03 AM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows/tabs on the same client-side computer didn't share session info then you'd get the effect of being able to log onto a site with one browser window, but find in a second browser window that you were not yet logged on. Experience will tell you that you're logged on in both browser windows (try it with your online bank). It's not an issue, it's a feature. If you want to be able to use different browser windows as though they were different users then use different browsers e.g. IE and FF on the same client-side computer will look like two separate end users to the server, and they don't share session info or cookies. Cheers Arno The key thing is that both tabs (or windows) from the same browser are in the *same* session - they send the *same* PHPID cookie. PHP is essentially stateless - it doesn't care where the request comes from, and ties a session to the PHPID cookie if it gets one. As far as PHP knows, requests from different tabs with the same PHPID cookie are requests from the same place in the same session. To get a different session you need a different instance of the browser - that's the way browsers have been coded to work. It's not too hard with Firefox, since you can set up multiple profiles to have independent Firefox windows on the same screen. -- Peter Ford phone: 01580 89 Developer fax: 01580 893399 Justcroft International Ltd., Staplehurst, Kent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
On Thu, Aug 20, 2009 at 10:26:35AM +0200, Leon du Plessis wrote: It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. As mentioned in my other email, I've only been able to get this to work by using different user profiles under Firefox. If you need to run them both at the same time, the following document helps explaining how to accomplish it: http://lifehacker.com/software/firefox/geek-to-live--manage-multiple-firefox-profiles-231646.php I never tested it because I don't run Windows, but a similar setup works just fine for Linux. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
That is how I know browsers to work, yet for a while the bahaviour has changed. The question in light of this then is, should a new browser or tab not open a new PHP SESSION ID. Session ID's should be kept if called from existing pages or ID's? But new pages has no parent? Just wondering. -Original Message- From: Peter Ford [mailto:p...@justcroft.com] Sent: 20 August 2009 10:47 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes Leon du Plessis wrote: It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. I have no issue with using FF and IE to do testing as that takes care of browser compatibility testing at the same time :-), but I think when you start a new session with new values, it should be kept under that window/tab alone. Cookies can take care of more details, but my opinion is data should never be affected across windows/tabs unless the same user is logged in on botheven then I would expect PHP to keep data per session. Maybe it goes beyond being an IE or FF issue..the questiojn is...will PHP allow variables from session A become corrupted when session B is in progress when they should actually be handled seperately? In the end I think it is something I do wrong in PHP with the SESSION variables and how I clear themif so...I don't think PHP should allow clearing SESSION variables from other sessions. -Original Message- From: Arno Kuhl [mailto:ak...@telkomsa.net] Sent: 20 August 2009 10:03 AM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows/tabs on the same client-side computer didn't share session info then you'd get the effect of being able to log onto a site with one browser window, but find in a second browser window that you were not yet logged on. Experience will tell you that you're logged on in both browser windows (try it with your online bank). It's not an issue, it's a feature. If you want to be able to use different browser windows as though they were different users then use different browsers e.g. IE and FF on the same client-side computer will look like two separate end users to the server, and they don't share session info or cookies. Cheers Arno The key thing is that both tabs (or windows) from the same browser are in the *same* session - they send the *same* PHPID cookie. PHP is essentially stateless - it doesn't care where the request comes from, and ties a session to the PHPID cookie if it gets one. As far as PHP knows, requests from different tabs with the same PHPID cookie are requests from the same place in the same session. To get a different session you need a different instance of the browser - that's the way browsers have been coded to work. It's not too hard with Firefox, since you can set up multiple profiles to have independent Firefox windows on the same screen. -- Peter Ford phone: 01580 89 Developer fax: 01580 893399 Justcroft International Ltd., Staplehurst, Kent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Hi, Just a re-iteration on the problem: Browser 1 has user A details Browser 2 has user B details User B logs off, then user A is suddenly in logged of status also. The method used to destroy the session is: // Unset all of the session variables. $_SESSION = array(); // Finally, destroy the session. session_destroy(); Problem. User's A session is also destroyed. The concern is, that this should not be the case. User A must happily continue to work. So, should PHP destroy the whole browser's session id's variables? My answer is No. User A and user B should have different session ids, if not, then it is wrong. A new window should have PHP to spawn a new session id (that is, the request does not come from an existing page where an id has been created already. If the ids are different, then session_destroy should only clear variables for relevant session_id, ie only User B's details In this example. The problem then probably lies in the session_ids being either the same for the two different logins (although they are on different browser) or session_destroy clearing data across sessions. (I will test that later). It would then seem that session ids is setup per location/machine by MS Windows as per Peter's explanation. Setting up profiles is the the resolution as suggested. Otherwise, it would be nice if Windows/IE/FF/PHP could identify when a BRAND NEW page is being opened and then create a brand new session id for that window/tab. It is not a huge issue, I was just wondering if someone else had the same annoying condition. I am happy with the responses and the functionality somewhere on a wish-list. Now Back to Angelo's SESSION problem which sounded like it could be related. Greetings! Leon -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 10:57 AM To: 'Peter Ford'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes That is how I know browsers to work, yet for a while the bahaviour has changed. The question in light of this then is, should a new browser or tab not open a new PHP SESSION ID. Session ID's should be kept if called from existing pages or ID's? But new pages has no parent? Just wondering. -Original Message- From: Peter Ford [mailto:p...@justcroft.com] Sent: 20 August 2009 10:47 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes Leon du Plessis wrote: It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. I have no issue with using FF and IE to do testing as that takes care of browser compatibility testing at the same time :-), but I think when you start a new session with new values, it should be kept under that window/tab alone. Cookies can take care of more details, but my opinion is data should never be affected across windows/tabs unless the same user is logged in on botheven then I would expect PHP to keep data per session. Maybe it goes beyond being an IE or FF issue..the questiojn is...will PHP allow variables from session A become corrupted when session B is in progress when they should actually be handled seperately? In the end I think it is something I do wrong in PHP with the SESSION variables and how I clear themif so...I don't think PHP should allow clearing SESSION variables from other sessions. -Original Message- From: Arno Kuhl [mailto:ak...@telkomsa.net] Sent: 20 August 2009 10:03 AM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows
RE: [PHP] SESSIONS lost sometimes
On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
On Thu, 2009-08-20 at 12:04 +0200, Leon du Plessis wrote: Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php There is one way to get around it, and that is to use arrays within your session variables. So for example, it might look something like this: $_SESSION['your_app_name']['username']['some_value'] This way, if the username doesn't exist, you know there is no session for them. It's ugly, but it will get around what you see as a limitation. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Thanks Ashley. Will implement if the need arise again.. By limitation I actually meant annoyance. Limitation was the wrong word to use. (I think all browsers has something great and something not so great) :-) Greetings -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 12:05 PM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 12:04 +0200, Leon du Plessis wrote: Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php There is one way to get around it, and that is to use arrays within your session variables. So for example, it might look something like this: $_SESSION['your_app_name']['username']['some_value'] This way, if the username doesn't exist, you know there is no session for them. It's ugly
RE: [PHP] SESSIONS lost sometimes
Hi Leon and all. LEON you are misunderstanding how the sessions work. Also please start your own thread and don't hijack mine. To the rest that replied. Thanks, I am still stuck with the problem I have asked the hosting company to check the storage capacity and also any other issues with the SESSIONS on the server. However if anyone has other things they think I can look at, I'd appreciate that very much. Thanks Angelo http://www.elemental.co.za -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 12:04 PM To: a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
On Thu, Aug 20, 2009 at 12:04:08PM +0200, Leon du Plessis wrote: Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Out of curiosity. Did you test it under Google Chrome? I believe each tab is a separate process in the case of that browser. I wonder how that might affect something like this. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Hi Angelo, No need to be nasty and touchy. If you have done trouble to read I have closed the discussion in a prior listing and referred back to your original thread. thanks -Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 20 August 2009 01:21 PM To: 'Leon du Plessis'; a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Leon and all. LEON you are misunderstanding how the sessions work. Also please start your own thread and don't hijack mine. To the rest that replied. Thanks, I am still stuck with the problem I have asked the hosting company to check the storage capacity and also any other issues with the SESSIONS on the server. However if anyone has other things they think I can look at, I'd appreciate that very much. Thanks Angelo http://www.elemental.co.za -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 12:04 PM To: a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing is a new login that replaces the first. This is the way browsers work, and if it changed to the idea you have for it, then millions of sites would suddenly fail to work; i.e. any site that requires a new tab or window to be opened in order to function, like banks, etc. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General
Re: [PHP] SESSIONS lost sometimes
Leon, Sessions are used on a per-domain basis. So, no matter how many windows or tabs you have open for mydomain.com it will be the same session for all. Having a different session start up for each window or tab would be a major pain. If you needed to keep track of a user ID, for example, you wouldn't be able to. As already mentioned you can use different browsers. You can also set up sub-domains which would each have their own sessions. Take care, Floyd On Aug 20, 2009, at 4:26 AM, Leon du Plessis wrote: It's not an issue, it's a feature. Thanks Arno...but it is a pain also. If I work with user A in Tab1 (window1), I want to work with user B separately in Tab2. When user in Tab2 logs off, I still want user A to work, and not suddenly have to re-login. Same with bank. If I work with my company account, then my personal account must not become an issue because I am on the same machine and site. I have no issue with using FF and IE to do testing as that takes care of browser compatibility testing at the same time :-), but I think when you start a new session with new values, it should be kept under that window/tab alone. Cookies can take care of more details, but my opinion is data should never be affected across windows/tabs unless the same user is logged in on botheven then I would expect PHP to keep data per session. Maybe it goes beyond being an IE or FF issue..the questiojn is...will PHP allow variables from session A become corrupted when session B is in progress when they should actually be handled seperately? In the end I think it is something I do wrong in PHP with the SESSION variables and how I clear themif so...I don't think PHP should allow clearing SESSION variables from other sessions. -Original Message- From: Arno Kuhl [mailto:ak...@telkomsa.net] Sent: 20 August 2009 10:03 AM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 09:44 AM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. If someone perhaps have a solution or can confirm this as a known issue and maybe is the same or related to Angelo's problem? If different browser windows/tabs on the same client-side computer didn't share session info then you'd get the effect of being able to log onto a site with one browser window, but find in a second browser window that you were not yet logged on. Experience will tell you that you're logged on in both browser windows (try it with your online bank). It's not an issue, it's a feature. If you want to be able to use different browser windows as though they were different users then use different browsers e.g. IE and FF on the same client-side computer will look like two separate end users to the server, and they don't share session info or cookies. Cheers Arno -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote: Hi Leon, No harm intended :) Just thought that people were missing my post now and only answering yours. Angelo, excuse me if I'm bringing up something very basic, but I'm new to this. Just trying to help. I imagine redirects couldn't be the cause of the problem, right? http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_sessions http://www.webmasterworld.com/forum88/8486.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] SESSIONS lost sometimes
Hi Leon, No harm intended :) Just thought that people were missing my post now and only answering yours. Anyways hope your issue got resolved. Angelo -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 01:46 PM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Angelo, No need to be nasty and touchy. If you have done trouble to read I have closed the discussion in a prior listing and referred back to your original thread. thanks -Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 20 August 2009 01:21 PM To: 'Leon du Plessis'; a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Leon and all. LEON you are misunderstanding how the sessions work. Also please start your own thread and don't hijack mine. To the rest that replied. Thanks, I am still stuck with the problem I have asked the hosting company to check the storage capacity and also any other issues with the SESSIONS on the server. However if anyone has other things they think I can look at, I'd appreciate that very much. Thanks Angelo http://www.elemental.co.za -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 12:04 PM To: a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The point is you are misunderstanding how browsers work. What the server app is seeing
RE: [PHP] SESSIONS lost sometimes
No problem! Thx -Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 20 August 2009 02:35 PM To: 'Leon du Plessis'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Leon, No harm intended :) Just thought that people were missing my post now and only answering yours. Anyways hope your issue got resolved. Angelo -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 01:46 PM To: php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Angelo, No need to be nasty and touchy. If you have done trouble to read I have closed the discussion in a prior listing and referred back to your original thread. thanks -Original Message- From: Angelo Zanetti [mailto:ang...@zlogic.co.za] Sent: 20 August 2009 01:21 PM To: 'Leon du Plessis'; a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Hi Leon and all. LEON you are misunderstanding how the sessions work. Also please start your own thread and don't hijack mine. To the rest that replied. Thanks, I am still stuck with the problem I have asked the hosting company to check the storage capacity and also any other issues with the SESSIONS on the server. However if anyone has other things they think I can look at, I'd appreciate that very much. Thanks Angelo http://www.elemental.co.za -Original Message- From: Leon du Plessis [mailto:l...@dsgnit.com] Sent: 20 August 2009 12:04 PM To: a...@ashleysheridan.co.uk Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes Thanks Ashley, I just want to iterate again that when a new page is opened by another existing page in a new browser or Tab, the session_id is already created and therefore the current way browsers work is in no way compremised. The new browser/tab would receive the session id along with GET or POST variables. What I am suggesting/hoping is that when a new browser is opened or a new tab is opened via the application, the protocols would reckognize that this is the first time the page is served and is not being called from another page. That is, a new page is loaded by the user entering it, and NOT by clicking login or some other link from an existing page. Yes, I know..that creates other scenarios, so is happy to not meddle with the way browsers work. It is just a limitation I will live with and can get by with it. Regards Leon -Original Message- From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] Sent: 20 August 2009 11:39 AM To: Leon du Plessis Cc: 'Nitebirdz'; php-general@lists.php.net Subject: RE: [PHP] SESSIONS lost sometimes On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote: It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again to be able to edit it. Yes. I agree. But in this case the Tab being opened is used with the same authentication details either via POST, GET or Cookie variables. The problem comes in when a totally different set of login credentials are being used (for the same tab/window). Other user's login particulars should not affect your login variables. -Original Message- From: Nitebirdz [mailto:nitebi...@sacredchaos.com] Sent: 20 August 2009 10:40 AM To: php-general@lists.php.net Subject: Re: [PHP] SESSIONS lost sometimes On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote: Since we are on the subject: I have the following similar problem: When testing page on internet explorer, I find that one tab's variables can affect another tab's variables. Thus when having the same web-site open and using SESSION variables but for different users, Internet explorer can become disorientated. This also sometimes happen when I have two separate browsing windows open with Internet Explorer for the same site. I have yet to determine if this is an internet explorer, or PHP or combination of the two that is causing this condition. To my understanding _SESSION variables should be maintained per session, tab or window. If this has been addressed already, my apologies, but thought it worthwhile to mention. I'm a total newbie when it comes to these issues, but it seems to me that Firefox behaves in the very same manner. It's not limited to PHP sessions either. It's always been my experience on any website that requires authentication, including the likes of Google Mail, etc. When I want to run multiple sessions for different GMail accounts, for example, I just create a different user profile in Firefox. It'd make sense for things to run this way, I think. After all, I'd find it quite confusing if I log into Google Docs, open a document (by default, it opens in a new tab) and I had to log in yet again
Re: [PHP] SESSIONS lost sometimes
The original problem.. server is losing session variables. I dont think PHP is not good at unset() ing variables while the script is executing. general logger will be of use in this case (especially when cant reproduce the problem every time). PEAR, Zend, FirePHP, files... any thing will do... try to log every thing related to sessions at the start of the page... session_id, $_SESSION super global, _SERVER['PHP_SELF'] do the same thing after the script exists... i had a similar problem earlier... a page in my app used to change $_SESSION['id']. It took me ages to find out the source... even grep was of no use... at last i was able to isolate the page that was causing this, with the help of logging. Of course, the main problem was that my production server has register_globals on, while my development server has them off. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
On Thu, 2009-08-20 at 18:38 +0530, kranthi wrote: The original problem.. server is losing session variables. I dont think PHP is not good at unset() ing variables while the script is executing. general logger will be of use in this case (especially when cant reproduce the problem every time). PEAR, Zend, FirePHP, files... any thing will do... try to log every thing related to sessions at the start of the page... session_id, $_SESSION super global, _SERVER['PHP_SELF'] do the same thing after the script exists... i had a similar problem earlier... a page in my app used to change $_SESSION['id']. It took me ages to find out the source... even grep was of no use... at last i was able to isolate the page that was causing this, with the help of logging. Of course, the main problem was that my production server has register_globals on, while my development server has them off. Register globals is really not a good thing to use for modern setups. It makes it a little easier for people to exploit holes in weaker PHP scripts. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
I imagine redirects couldn't be the cause of the problem, right? Thanks, this is really a life saver.. I never used session_write_close() before any redirects... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] SESSIONS lost sometimes
We have a server with a site that does some XML calls. After lots of testing I have found that the server is losing session variables. [8] Also the site goes from HTTP to HTTPS at some point but this isn't the issue as it loses the sessions as soon as they are set sometimes. Therefore I would like to know what I could check. I have read in other Can you clarify what you mean by losing sessions? Have you taken a network trace to see whether the client is consistently sending the session ID with every request? When the problem happens, is $_SESSION completely empty or is it only missing some variables? Does it seem to happen on any page, or only certain ones? Thanks, Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions
2009/7/3 Daniel Brown danbr...@php.net On Thu, Jul 2, 2009 at 23:27, Jason Carsonja...@jasoncarson.ca wrote: Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Yes, unless you're using session autoloading. Also, in most cases, you will only need to call session_start() once (before referencing $_SESSION), even if $_SESSION is accessed in an included file. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Some people have a file called init.php, which would contain session_start(); as well as other things that need to be done every page load (connect to the database perhaps?) and they just 'require' that at the top of every page. -- Luke Slater http://dinosaur-os.com/ :O)
Re: [PHP] Sessions
2009/7/3 Luke l...@blog-thing.com 2009/7/3 Daniel Brown danbr...@php.net On Thu, Jul 2, 2009 at 23:27, Jason Carsonja...@jasoncarson.ca wrote: Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Yes, unless you're using session autoloading. Also, in most cases, you will only need to call session_start() once (before referencing $_SESSION), even if $_SESSION is accessed in an included file. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Some people have a file called init.php, which would contain session_start(); as well as other things that need to be done every page load (connect to the database perhaps?) and they just 'require' that at the top of every page. -- Luke Slater http://dinosaur-os.com/ :O) Never thought of that. Sounds like quite a good idea. Can anyone tell me if there's any reason for not doing that, even on pages that do not require session data? Or perhaps use an htaccess file to server side include a file file to all files under an admin folder or something and another to destroy the session. I'm thinking of smaller, low-traffic sites. I know people are going to say, if they're small sites, why can't you only start sessions on the relevant pages but it sounds like it could work well for me.
Re: [PHP] Sessions
On Friday 03 July 2009 09:41:40 Tom Chubb wrote: 2009/7/3 Luke l...@blog-thing.com 2009/7/3 Daniel Brown danbr...@php.net On Thu, Jul 2, 2009 at 23:27, Jason Carsonja...@jasoncarson.ca wrote: Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Yes, unless you're using session autoloading. Also, in most cases, you will only need to call session_start() once (before referencing $_SESSION), even if $_SESSION is accessed in an included file. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Some people have a file called init.php, which would contain session_start(); as well as other things that need to be done every page load (connect to the database perhaps?) and they just 'require' that at the top of every page. -- Luke Slater http://dinosaur-os.com/ :O) Never thought of that. Sounds like quite a good idea. Can anyone tell me if there's any reason for not doing that, even on pages that do not require session data? Or perhaps use an htaccess file to server side include a file file to all files under an admin folder or something and another to destroy the session. I'm thinking of smaller, low-traffic sites. I know people are going to say, if they're small sites, why can't you only start sessions on the relevant pages but it sounds like it could work well for me. It's easier to maintain if you use one include file like Luke said. You won't get much overhead from a call to session_start() on a page that doesn't use sessions. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions
2009/7/3 Ashley Sheridan a...@ashleysheridan.co.uk On Friday 03 July 2009 09:41:40 Tom Chubb wrote: 2009/7/3 Luke l...@blog-thing.com 2009/7/3 Daniel Brown danbr...@php.net On Thu, Jul 2, 2009 at 23:27, Jason Carsonja...@jasoncarson.ca wrote: Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Yes, unless you're using session autoloading. Also, in most cases, you will only need to call session_start() once (before referencing $_SESSION), even if $_SESSION is accessed in an included file. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Some people have a file called init.php, which would contain session_start(); as well as other things that need to be done every page load (connect to the database perhaps?) and they just 'require' that at the top of every page. -- Luke Slater http://dinosaur-os.com/ :O) Never thought of that. Sounds like quite a good idea. Can anyone tell me if there's any reason for not doing that, even on pages that do not require session data? Or perhaps use an htaccess file to server side include a file file to all files under an admin folder or something and another to destroy the session. I'm thinking of smaller, low-traffic sites. I know people are going to say, if they're small sites, why can't you only start sessions on the relevant pages but it sounds like it could work well for me. It's easier to maintain if you use one include file like Luke said. You won't get much overhead from a call to session_start() on a page that doesn't use sessions. Thanks, Ash http://www.ashleysheridan.co.uk Great, Cheers Ash, T -- Tom Chubb t...@tomchubb.com | tomch...@gmail.com
Re: [PHP] Sessions
2009/7/3 Ashley Sheridan a...@ashleysheridan.co.uk: On Friday 03 July 2009 09:41:40 Tom Chubb wrote: 2009/7/3 Luke l...@blog-thing.com 2009/7/3 Daniel Brown danbr...@php.net On Thu, Jul 2, 2009 at 23:27, Jason Carsonja...@jasoncarson.ca wrote: Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Yes, unless you're using session autoloading. Also, in most cases, you will only need to call session_start() once (before referencing $_SESSION), even if $_SESSION is accessed in an included file. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Some people have a file called init.php, which would contain session_start(); as well as other things that need to be done every page load (connect to the database perhaps?) and they just 'require' that at the top of every page. -- Luke Slater http://dinosaur-os.com/ :O) Never thought of that. Sounds like quite a good idea. Can anyone tell me if there's any reason for not doing that, even on pages that do not require session data? Or perhaps use an htaccess file to server side include a file file to all files under an admin folder or something and another to destroy the session. I'm thinking of smaller, low-traffic sites. I know people are going to say, if they're small sites, why can't you only start sessions on the relevant pages but it sounds like it could work well for me. It's easier to maintain if you use one include file like Luke said. You won't get much overhead from a call to session_start() on a page that doesn't use sessions. It's also worth noting that every call to session_start() will result in the expiry time of the session being updated. Not calling it for pages that don't use the session could lead to the session expiring if the user doesn't hit a page that uses it for a while. -Stuart -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions
Hi, .. This is precisely what I do, albeit my file is called config.php, and not init.php. Not that it makes a jot of difference. This file is used to setup the environment, so that way everything I commonly need is available simply by including one file. One thing to note though is that a database connection is not established by default. I used to get a lot of comment spam on my blog and because it was needlessly connecting to the database, it was bringing down the server. So now I simply use something like this to quickly and easily get a reference to a database object: $db = getDatabase(); Wunderbar. -- Richard Heyes HTML5 graphing: RGraph (www.rgraph.net - updated 3rd July) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions
Hello all, Do I have to add session_start() at the beginning of every page so that the $_SESSION variables work on all pages or do I use session_start() on the first page and something else on other pages? Thanks -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php