Re: [PHP] Session management
Hi,

Friday, October 22, 2004, 4:10:50 PM, you wrote:

HS> Hi
HS> I am a PHP newbie from a Java/C/Oracle background. I
HS> cannot seem to get session management with PHP
HS> working.
HS>
HS> <?php
HS> #echo 1;
HS> $old = ini_set('session.use_cookies', 0);
HS> session_start();
HS> $username = $_REQUEST["username"];
HS> session_register($username);
HS> echo "old=".$old;
HS> echo $username;
HS> include_once("db_security.inc");
HS> echo "PHPSESSID=".$PHPSESSID."\n";
HS> $Postfrom = $_REQUEST["username"];
HS> $Postpass = $_REQUEST["password"];
HS> if (__user_authenticate($Postfrom,$Postpass))
HS> {
HS>   $display = 'Welcome '.$Postfrom.' !';
HS>   echo '<a href="ht_next.php">Next</a>';
HS>   echo $display;
HS> } else {
HS>   echo "Login Failed!";
HS> }
HS> ?>
HS>
HS> In ht_next.php I have:
HS>
HS> <?php
HS> session_start();
HS> echo $username;
HS> ?>
HS>
HS> $username seems to be empty at this point.
HS>
HS> echo "PHPSESSID=".$PHPSESSID."\n";
HS>
HS> in the first script does not produce any output
HS> either.

It is best to use

session_start();
.
. //get username
.
$_SESSION['username'] = $username;

then on the next page

session_start();
echo (isset($_SESSION['username'])) ? $_SESSION['username'] : 'Not in session';

PHP does not fill global variables by default.

-- 
regards,
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session management
* Thus wrote Herman Scheepers:
> Hi
> I am a PHP newbie from a Java/C/Oracle background. I
> cannot seem to get session management with PHP
> working.
>
> <?php
> #echo 1;
> $old = ini_set('session.use_cookies', 0);
> session_start();
> $username = $_REQUEST["username"];
> session_register($username);

session_register() shouldn't be used, it relies on the php ini setting
register_globals to be on. As Tom pointed out you simply just need to set
the session var like:

session_start();
$username = $_REQUEST["username"];
$_SESSION['username'] = $username;

> In ht_next.php I have:
>
> <?php
> session_start();
> echo $username;

And here:

session_start();
$username = $_SESSION['username'];
echo $username;

Curt
-- 
"Quoth the Raven, Nevermore."
RE: [PHP] session management
There's a sessions tutorial on phpfreaks.com that outlines the basics of
using sessions.

I'm not 100% sure what you mean when you say you don't want to do url
rewriting. Without either cookies or passing a url param, there is no way
to determine if the request comes from someone who has an active session.

As for session classes, there are many. Try the usual places... google,
sourceforge, freshmeat, phpclasses etc.

-----Original Message-----
From: ajay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 29, 2004 9:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] session management

hi!

well I do have a MySQL database. The scenario is this, I don't want to use
cookies or do any URL rewriting. I'm looking for something that mirrors
J2EE's Session object that contains information about the user, their
security level (user/admin etc) and this information can then be verified
before each request. There would of course be an expiry on the object.

Is there a prewritten framework/class to handle this?

thanks
regards

-- 
ajay

---
Who Dares Wins

-----
This mail sent through IMP: www-mail.usyd.edu.au
Re: [PHP] session management
Handling Session with PHP 4
http://www.zend.com/zend/tut/session.php (Feb 15, 2000)

Session Authentication
http://www.zend.com/zend/spotlight/sessionauth7may.php (May 15, 2001)

Custom Session Handling
http://www.zend.com/zend/spotlight/code-gallery-wade8.php (April 30, 2003)

===

Maintaining State On The Web - An overview
http://www.zend.com/zend/art/maintainingstate.php (November 8, 2001)

Beginner's Guide to URL Rewriting
http://www.sitepoint.com/article/910 (October 22nd 2002)

Forums de WRI - URL Rewriting et .htaccess
http://www.webrankinfo.com/forums/forum_12.htm (... in French)
RE: [PHP] session management
Here's how I do it.

User table in mysql:

  UserID, username, password, admin, read, write
  1001,   John,     *#(@(@,   0,     1,    0
  1002,   betty,    KD)#(S,   1,     1,    1

Create a login form. Get their username and password, run a query to pull
the record where username and password match. If the username is in the
table and the password is correct then

  $_SESSION['userid'] = UserID (pulled from db query)
  $_SESSION['admin']  = admin
  $_SESSION['read']   = read
  $_SESSION['write']  = write

Then create a function to check permissions based on the session variable.
For instance, if a page has a form for editing information, before loading
the form check to see if the current $_SESSION['write'] variable is set to
'1'; if so load the form, if not then don't.

May not be the best way of doing things but it works well for me.

Jeff McKeon
IT Manager
Telaurus Communications LLC
[EMAIL PROTECTED]
(973) 889-8990 ex 209

***The information contained in this communication is confidential. It is
intended only for the sole use of the recipient named above and may be
legally privileged. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of this communication, or any of its contents or attachments, is
expressly prohibited. If you have received this communication in error,
please re-send it to the sender and delete the original message, and any
copy of it, from your computer system. Thank You.***

-----Original Message-----
From: ajay [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 12:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] session management

hi!

well I do have a MySQL database. The scenario is this, I don't want to use
cookies or do any URL rewriting. I'm looking for something that mirrors
J2EE's Session object that contains information about the user, their
security level (user/admin etc) and this information can then be verified
before each request. There would of course be an expiry on the object.

Is there a prewritten framework/class to handle this?

thanks
regards

-- 
ajay

---
Who Dares Wins

-----
This mail sent through IMP: www-mail.usyd.edu.au
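The two patterns above in one runnable file, as an added example that is not code from either thread: Tom's and Curt's replacement of session_register() with $_SESSION (first thread), and Jeff's "store userid and the admin/read/write flags at login, check them with a function on each page". It assumes a table shaped like Jeff's (UserID, username, password, admin, read, write), named `users` here, with the password column holding password_hash() output rather than the raw strings in his table, a PDO connection in $pdo, and PHP 7.4 or later; the function names are this example's own.

```php
<?php
// auth.php -- added example. Assumes table `users`(UserID, username,
// password, admin, read, write) where `password` is a password_hash() value,
// and a PDO connection in $pdo. All function names are hypothetical.

declare(strict_types=1);

function session_begin(): void
{
    // Idempotent: pages may include this file after another has started the session.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

/** Verify credentials and populate $_SESSION instead of session_register(). */
function login(PDO $pdo, string $username, string $password): bool
{
    session_begin();
    // `read` and `write` are reserved words in MySQL, hence the backticks.
    $stmt = $pdo->prepare(
        'SELECT UserID, password, admin, `read`, `write` FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such user" and "wrong password" alike.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Issue a fresh ID at the privilege change so a pre-login ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['userid']   = (int) $row['UserID'];
    $_SESSION['username'] = $username;
    $_SESSION['admin']    = (bool) $row['admin'];
    $_SESSION['read']     = (bool) $row['read'];
    $_SESSION['write']    = (bool) $row['write'];
    $_SESSION['login_at'] = time();
    return true;
}

/** Jeff's check: call at the top of any page that needs a given flag. */
function require_permission(string $flag): void
{
    session_begin();
    if (empty($_SESSION['userid']) || empty($_SESSION[$flag])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void
{
    session_begin();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Usage on login.php (form POSTs username and password):
//   require 'auth.php';
//   if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: ht_next.php'); exit;
//   }
//   echo 'Login Failed!';
//
// Usage on ht_next.php (Herman's second page):
//   require 'auth.php';
//   require_permission('read');
//   echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
//
// Usage on an edit page:
//   require_permission('write');   // exits with 403 unless write = 1 at login
```

The flags are read from the database once, at login, exactly as in Jeff's post; revoking a permission therefore takes effect only at the user's next login unless the page re-queries. The HTML-escaping of $_SESSION['username'] on output is needed because the value came straight from the login form.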
Re: [PHP] session management
Hi,

This has been discussed and hammered out very often in this mailing list in
the past, you will find countless solutions in the archives. And anyway no
one can help you without knowing about the database or other storage
mechanism etc.

ajay wrote:
> hi!
>
> i need to maintain session state in my php application. i further need to
> be able to distinguish between admin levels and user levels and thus the
> session also needs to keep this info (ie, whether person has logged in as
> admin or user)
>
> any ideas how to do it.
>
> thanks

-- 
Raditha Dissanayake.
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.
Re: [PHP] session management
hi!

well I do have a MySQL database. The scenario is this, I don't want to use
cookies or do any URL rewriting. I'm looking for something that mirrors
J2EE's Session object that contains information about the user, their
security level (user/admin etc) and this information can then be verified
before each request. There would of course be an expiry on the object.

Is there a prewritten framework/class to handle this?

thanks
regards

-- 
ajay

---
Who Dares Wins

-----
This mail sent through IMP: www-mail.usyd.edu.au
Re: [PHP] session management
Last time I read the j2ee api I didn't notice anything about storing
admin/user status in the HttpSession object. Anyway like I said if you read
the manual and SFTA you would have found the answers.

ajay wrote:
> hi!
>
> well I do have a MySQL database. The scenario is this, I don't want to use
> cookies or do any URL rewriting. I'm looking for something that mirrors
> J2EE's Session object that contains information about the user, their
> security level (user/admin etc) and this information can then be verified
> before each request. There would of course be an expiry on the object.
>
> Is there a prewritten framework/class to handle this?
>
> thanks
> regards

-- 
Raditha Dissanayake.
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.
Re: [PHP] session management
have a user bean, and then

session.setAttribute("user", userBean);

do session.getAttribute("user") and validate before processing every
request.

Quoting Raditha Dissanayake <[EMAIL PROTECTED]>:

> Last time I read the j2ee api I didn't notice anything about storing
> admin/user status in the HttpSession object. Anyway like I said if you
> read the manual and SFTA you would have found the answers.
>
> ajay wrote:
> > hi!
> >
> > well I do have a MySQL database. The scenario is this, I don't want to
> > use cookies or do any URL rewriting. I'm looking for something that
> > mirrors J2EE's Session object that contains information about the user,
> > their security level (user/admin etc) and this information can then be
> > verified before each request. There would of course be an expiry on the
> > object.
> >
> > Is there a prewritten framework/class to handle this?
> >
> > thanks
> > regards
>
> -- 
> Raditha Dissanayake.
> http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
> Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
> Graphical User Interface. Just 150 KB | with progress bar.

-- 
ajay

---
Who Dares Wins

-----
This mail sent through IMP: www-mail.usyd.edu.au
Re: [PHP] session management
On Fri, 2004-01-30 at 01:20, ajay wrote:
> have a user bean, and then
>
> session.setAttribute("user", userBean);
>
> do session.getAttribute("user") and validate before processing every
> request.

The php translation of that would be:

$_SESSION["user"] = $userBean;

(some code later, on a different page)

$userBean = $_SESSION["user"];

RTFM on sessions - http://www.php.net/session

-- 
Adam Bregenzer
[EMAIL PROTECTED]
RE: [PHP] Session Management
> These were all the same assumptions I made, thanks. I knew that it was
> more of an HTTP thing than a PHP thing when it came to the blind faith
> thing... I was just hoping that there was something better out there.
> I'm not willing to use session management as blindly as it is currently
> implemented. I will find my own solution.

If you find a better method, please let everyone know. But I think this is
about the best you can do over HTTP.

---John Holmes...
RE: [PHP] Session Management
I already know how best to go about this. I've been up too long to explain
this now. But since eNetwizard Content Management Server is an open source
project, you'll be able to make use of its code if you so choose, just wait
till I release the next version. ;-)

Session Management for eNetwizard is handled by the $State class, so it
shouldn't be too hard for others to make use of it independently for their
own projects.

-Samuel | http://enetwizard.net

-----Original Message-----
From: John W. Holmes [mailto:holmes072000;charter.net]
Sent: Sunday, November 03, 2002 9:56 AM
To: 'Robert Samuel White'; [EMAIL PROTECTED]
Subject: RE: [PHP] Session Management

> These were all the same assumptions I made, thanks. I knew that it was
> more of an HTTP thing than a PHP thing when it came to the blind faith
> thing... I was just hoping that there was something better out there.
> I'm not willing to use session management as blindly as it is currently
> implemented. I will find my own solution.

If you find a better method, please let everyone know. But I think this is
about the best you can do over HTTP.

---John Holmes...
Re: [PHP] Session Management
first off: IP addresses are not the way to go about this AT ALL. Even if
they are behind a proxy, they would most likely be running on a private
subnet (say 10.0.0.x) and worse yet, if a company has multiple backbones
(like the one I consult at) traffic could go through one of 3 gateway
routes (different IP's) and thus I'd end up with 1 of three sessions!?
Also I could just go through and guess id's since they're a relatively
small set. (Easily scripted to probe for sessions)

Creating a 'jump' page is your best bet to cross domains and pass the
session id in the url, and then set the id for that domain. There should
not be any issues if they use the same session store, etc.

As for the internals of php's sessions, I'll leave someone else to answer
that.

-js

Robert Samuel White wrote:
> I'm looking for some well thought out advice on session management.
>
> I've created a class for handling session management across an unlimited
> number of domains (without using cookies) however it has some inherent
> problems. In order to differentiate between users, it is using the IP
> Address. I realize this is completely inefficient, and I was hoping that
> someone could give me some pointers on how exactly PHP handles session
> management from the backend.
>
> When not using cookies, PHP propagates the Session ID in the URL and a
> hidden variable in forms. However, is this even safe? Or is this
> completely blind faith that the Session belongs to that person?
>
> Basically, I want to know if PHP *knows for sure* the right user is using
> the right session. In other words, can it detect hijacked sessions? My
> guess is a resounding no.
>
> I'm wondering if there is some way to determine the real IP Address of a
> user, even if that user is behind a proxy farm, etc., and if this is, in
> fact, what PHP does.
>
> If not, I'm stuck with figuring out how best to accomplish my goals using
> cookies. The problem: a cookie can only be set for a single domain;
> therefore, the session will not be carried with the person if they browse
> to another domain which also uses the same eNetwizard Content Management
> Server. A possibility is to always propagate a State Id with the URL and
> forms, however even this would not prevent the exact same problem: Is
> this blind faith?
>
> If you can point me to any excellent resources on the state of session
> management on the web and how to do this securely, please let me know.
>
> -Samuel | http://enetwizard.net
RE: [PHP] Session Management
I am quite aware that IP's are not the way to go, and why. That is why I
asked about the internal ways PHP handles sessions. Thanks.

Creating a jump page as you call it does not answer the fundamental
question concerning the security of session management, and that is the
basis of what I want to discuss.

-----Original Message-----
From: Jonathan Sharp [mailto:js-lists;sharpmedia.net]
Sent: Saturday, November 02, 2002 3:16 AM
To: Robert Samuel White
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Session Management

first off: IP addresses are not the way to go about this AT ALL. Even if
they are behind a proxy, they would most likely be running on a private
subnet (say 10.0.0.x) and worse yet, if a company has multiple backbones
(like the one I consult at) traffic could go through one of 3 gateway
routes (different IP's) and thus I'd end up with 1 of three sessions!?
Also I could just go through and guess id's since they're a relatively
small set. (Easily scripted to probe for sessions)

Creating a 'jump' page is your best bet to cross domains and pass the
session id in the url, and then set the id for that domain. There should
not be any issues if they use the same session store, etc.

As for the internals of php's sessions, I'll leave someone else to answer
that.

-js

Robert Samuel White wrote:
> I'm looking for some well thought out advice on session management.
>
> I've created a class for handling session management across an unlimited
> number of domains (without using cookies) however it has some inherent
> problems. In order to differentiate between users, it is using the IP
> Address. I realize this is completely inefficient, and I was hoping that
> someone could give me some pointers on how exactly PHP handles session
> management from the backend.
>
> When not using cookies, PHP propagates the Session ID in the URL and a
> hidden variable in forms. However, is this even safe? Or is this
> completely blind faith that the Session belongs to that person?
>
> Basically, I want to know if PHP *knows for sure* the right user is using
> the right session. In other words, can it detect hijacked sessions? My
> guess is a resounding no.
>
> I'm wondering if there is some way to determine the real IP Address of a
> user, even if that user is behind a proxy farm, etc., and if this is, in
> fact, what PHP does.
>
> If not, I'm stuck with figuring out how best to accomplish my goals using
> cookies. The problem: a cookie can only be set for a single domain;
> therefore, the session will not be carried with the person if they browse
> to another domain which also uses the same eNetwizard Content Management
> Server. A possibility is to always propagate a State Id with the URL and
> forms, however even this would not prevent the exact same problem: Is
> this blind faith?
>
> If you can point me to any excellent resources on the state of session
> management on the web and how to do this securely, please let me know.
>
> -Samuel | http://enetwizard.net
RE: [PHP] Session Management
> I've created a class for handling session management across an unlimited
> number of domains (without using cookies) however it has some inherent
> problems. In order to differentiate between users, it is using the IP
> Address. I realize this is completely inefficient, and I was hoping that
> someone could give me some pointers on how exactly PHP handles session
> management from the backend.
>
> When not using cookies, PHP propagates the Session ID in the URL and a
> hidden variable in forms. However, is this even safe? Or is this
> completely blind faith that the Session belongs to that person?

It's blind faith, just like every other system. That's the nature of HTTP.
PHP makes a unique session id that it passes around to identify the user
and link all of the requests.

> Basically, I want to know if PHP *knows for sure* the right user is using
> the right session. In other words, can it detect hijacked sessions? My
> guess is a resounding no.

No...and neither can any program you write that uses HTTP. The only thing
you can do is make it unique enough so that it can't be hijacked.

> I'm wondering if there is some way to determine the real IP Address of a
> user, even if that user is behind a proxy farm, etc., and if this is, in
> fact, what PHP does.

No. The PHP session management isn't related to IP at all, that I know of.
It shouldn't have to be because of the problem with proxies and people
having changing IPs or people sharing IP addresses.

> If not, I'm stuck with figuring out how best to accomplish my goals using
> cookies. The problem: a cookie can only be set for a single domain;
> therefore, the session will not be carried with the person if they browse
> to another domain which also uses the same eNetwizard Content Management
> Server. A possibility is to always propagate a State Id with the URL and
> forms, however even this would not prevent the exact same problem: Is
> this blind faith?

If you want the session to maintain over different domains, your only
option is to pass the unique id in the URL or POST data. It's just as safe
as cookies, but, like you said, you can't pass cookies across domains. Put
everything behind SSL and that's as secure as you can get.

Hopefully I'm not too confusing. Feel free to ask more questions.

---John Holmes...
RE: [PHP] Session Management
These were all the same assumptions I made, thanks. I knew that it was more
of an HTTP thing than a PHP thing when it came to the blind faith thing...
I was just hoping that there was something better out there. I'm not
willing to use session management as blindly as it is currently
implemented. I will find my own solution.

-----Original Message-----
From: John W. Holmes [mailto:holmes072000;charter.net]
Sent: Saturday, November 02, 2002 7:42 AM
To: 'Robert Samuel White'; [EMAIL PROTECTED]
Subject: RE: [PHP] Session Management

> I've created a class for handling session management across an unlimited
> number of domains (without using cookies) however it has some inherent
> problems. In order to differentiate between users, it is using the IP
> Address. I realize this is completely inefficient, and I was hoping that
> someone could give me some pointers on how exactly PHP handles session
> management from the backend.
>
> When not using cookies, PHP propagates the Session ID in the URL and a
> hidden variable in forms. However, is this even safe? Or is this
> completely blind faith that the Session belongs to that person?

It's blind faith, just like every other system. That's the nature of HTTP.
PHP makes a unique session id that it passes around to identify the user
and link all of the requests.

> Basically, I want to know if PHP *knows for sure* the right user is using
> the right session. In other words, can it detect hijacked sessions? My
> guess is a resounding no.

No...and neither can any program you write that uses HTTP. The only thing
you can do is make it unique enough so that it can't be hijacked.

> I'm wondering if there is some way to determine the real IP Address of a
> user, even if that user is behind a proxy farm, etc., and if this is, in
> fact, what PHP does.

No. The PHP session management isn't related to IP at all, that I know of.
It shouldn't have to be because of the problem with proxies and people
having changing IPs or people sharing IP addresses.

> If not, I'm stuck with figuring out how best to accomplish my goals using
> cookies. The problem: a cookie can only be set for a single domain;
> therefore, the session will not be carried with the person if they browse
> to another domain which also uses the same eNetwizard Content Management
> Server. A possibility is to always propagate a State Id with the URL and
> forms, however even this would not prevent the exact same problem: Is
> this blind faith?

If you want the session to maintain over different domains, your only
option is to pass the unique id in the URL or POST data. It's just as safe
as cookies, but, like you said, you can't pass cookies across domains. Put
everything behind SSL and that's as secure as you can get.

Hopefully I'm not too confusing. Feel free to ask more questions.

---John Holmes...
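An added example for the thread above, not eNetwizard's $State class or anything from php.net: John is right that no server can prove who holds a session ID, so what a practitioner does is narrow the window in which a leaked or guessed ID is useful, and, for Jonathan's cross-domain "jump page", hand over a short-lived single-use token that names the user rather than passing the session ID itself in the URL (where it lands in logs, Referer headers and browser history). It assumes PHP 7.3 or later, HTTPS on both domains, a PDO connection $pdo, and a table handoff_tokens(token CHAR(64) PRIMARY KEY, userid INT, expires INT) that both domains can reach; every name below is this example's own.

```php
<?php
// Added example. Assumes PHP >= 7.3, HTTPS, $pdo, and a shared InnoDB table
// handoff_tokens(token CHAR(64) PRIMARY KEY, userid INT, expires INT).
// Function and constant names are hypothetical.

declare(strict_types=1);

const IDLE_LIMIT = 30 * 60;   // seconds of inactivity before the session is dropped

function secure_session_start(): void
{
    // Weak (PHP 4-era defaults)          Hardened
    //   session.use_trans_sid   = 1        session.use_trans_sid   = 0
    //   session.use_only_cookies = 0       session.use_only_cookies = 1
    //   session.use_strict_mode = 0        session.use_strict_mode = 1
    //   cookie without flags               Secure; HttpOnly; SameSite=Lax
    ini_set('session.use_trans_sid', '0');     // no ?PHPSESSID= appended to links/forms
    ini_set('session.use_only_cookies', '1');  // an ID in the URL is ignored
    ini_set('session.use_strict_mode', '1');   // an ID the server never issued is refused
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: an ID copied from a log is worthless after IDLE_LIMIT.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);   // discard the stale ID, keep an empty session
    }
    $_SESSION['last_seen'] = time();
}

/** Domain A: mint a single-use token, valid 60 s, bound to the user, not the session. */
function handoff_token(PDO $pdo, int $userid): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits: not guessable like a "small set"
    $pdo->prepare('INSERT INTO handoff_tokens (token, userid, expires) VALUES (?, ?, ?)')
        ->execute([$token, $userid, time() + 60]);
    return $token;   // redirect to https://b.example/jump.php?t=<token>
}

/** Domain B (jump.php): redeem the token exactly once and start B's own session. */
function redeem_handoff(PDO $pdo, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('SELECT userid, expires FROM handoff_tokens WHERE token = ? FOR UPDATE');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete regardless of outcome: a replayed or expired token must not survive the attempt.
    $pdo->prepare('DELETE FROM handoff_tokens WHERE token = ?')->execute([$token]);
    $pdo->commit();

    if ($row === false || (int) $row['expires'] < time()) {
        return false;
    }
    secure_session_start();
    session_regenerate_id(true);   // B issues its own ID; A's ID never crosses the wire
    $_SESSION['userid'] = (int) $row['userid'];
    return true;
}

// Usage on B's jump.php:
//   if (redeem_handoff($pdo, $_GET['t'] ?? '')) { header('Location: /'); exit; }
//   http_response_code(403);
```

The token is consumed inside a row lock so two racing requests cannot both redeem it, and the second domain never learns the first domain's session ID. What this does not do is make the session verify its bearer: whoever presents B's cookie afterwards is still taken on faith, which is the limit John describes.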
Re: [PHP] session management conflicts with xhtml specifications
You can change the arg_separator setting in your php.ini file.

ie.

  arg_separator = &amp;

or perhaps:

  arg_separator = ;

-Rasmus

On Fri, 13 Jul 2001, Jan wrote:

> My output does not validate as XHTML because of the & sign in the a href
> that is automatically appended by the php session management. It should
> be exchanged by an &amp; entity. Is there a way to do this? There should
> be one I guess ...
>
> Thanks, Jan.
>
> Below are the results of checking this document for XML well-formedness
> and validity.
>
> a.. Line 1, column 963:
>     ... a href="/?PHPSESSID=f40ca6652aa61b790cb53ae541b7904f&PHPSESSID=52f628f ...
>                                                               ^
>     Error: unknown entity "PHPSESSID" (explanation...)