Re: [PHP] Session Confusion.

2009-07-22 Thread Bastien Koert
On Wed, Jul 22, 2009 at 1:19 PM, Dare Williams <darrenwi...@yahoo.com> wrote:
> Dear Forums,
>
> Kindly advise me professionally because I am getting more confused on what to
> do about my application that needs to be online very soon.
>
> The fear is about Session and Authentication.
>
> Here are my questions.
> 1.   Must a Page Authentication be done by Session or Cookie. If not what are
> the other options.

A hidden id field in the HTML form.


> 2.   How secure is a Session without encoding.

Encoding data? It can be done, but as long as the session is stored locally
to the site and not in a shared folder on a shared hosting machine,
it's pretty safe.
Another option is to store the session in the database.


> 3.   Must you encode Sessions at all times, and if not, what type of Session.

It all depends on the application and your own level of paranoia.

> 4.   Is it dangerous to pass one Session on several Pages.

Nope, it's the essence of sessions. How else would you get the session data
shared between pages?

> 5.   What about locking a Session to an IP ..(tips needed)

Don't. Some ISPs host a pool of addresses and the user's IP may switch
during a single session.

> 6.   Session Security tips please.

This was just discussed in another thread here on sessions today.
Search the archives.




> Thank You All.
>
> Williams.

-- 

Bastien

Cat, the other other white meat

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Session Confusion.

2009-07-22 Thread Lenin
Dear Dare,
I would recommend that you get the free copy of *chapter 10: Security from
Zend Certification Study Guide* by Ben Ramsey & Davey Shafik at
www.zceguide.com


Shorter tips:
1. You can apply session_regenerate_id() to prevent *session riding*
or *session fixation*
2. You can keep $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] and
check it for the logged-in user to prevent *session hijacking*
3. Cookies must be encrypted.
4. Filter all inputs and validate them
5. Escape all output
6. While filtering inputs, use the whitelist & blacklist method

Regards

Lenin

http://twitter.com/nine_L


RE: [PHP] Session Confusion.

2009-07-22 Thread Yuri Yarlei

Hello

For the authentication you can do a form; it will pass the login
information to some class which does the SQL validation and puts the
user's information in the session, but not the password. I prefer to put it
in the session because when they close the browser the session will go down.



For 2,

On the first point, session variables are not something people can get
to from the client side unless you send them to them.  What you see on
the client side is a session identifier that allows the server to
retrieve the actual session values.


For 3

You don't need to encode the whole session for security; if you want more
security for some variables, encode just those.



For 4

One of the intentions of the session is to store information for easy
application access.



For 5

I think it's not a good idea; the IP can change in the middle of the application.

Yuri Yarlei.
Programmer PHP, CSS, Java, PostgreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.



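Putting the advice in this thread together (Bastien's point about where the session lives, Lenin's tips 1, 2, 4 and 5, and Yuri's point about never putting the password in the session), here is an added example that is not code from any of the posts. It assumes PHP 7.3 or later, a PDO connection in $pdo, and a users table with id, username and password_hash columns filled by password_hash(); the table, column, function and page names are made up here.

```php
<?php
// Added example, not code from this thread. Assumes PHP >= 7.3, a PDO
// connection in $pdo and a made-up table users(id, username, password_hash)
// whose hashes come from password_hash().
declare(strict_types=1);

function startSecureSession(): void
{
    // Accept the id only from a cookie (never from the URL) and only ids the
    // server itself issued; HttpOnly/Secure/SameSite keep the cookie away
    // from scripts, plain HTTP and cross-site requests.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // dies with the browser, as Yuri prefers
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the form value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    // Tip 1: a fresh id at login invalidates any id planted before login.
    session_regenerate_id(true);
    // Only what later pages need; the password is never put in the session.
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['username']   = $username;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';   // tip 2
    return true;
}

function requireLogin(): void
{
    // Top of every protected page: no user, or a User-Agent that differs
    // from the one recorded at login, ends the session.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (empty($_SESSION['user_id']) || !hash_equals($_SESSION['user_agent'], $ua)) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit;
    }
}

// login.php, with form fields named username and password:
//   startSecureSession();
//   if (login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
//       header('Location: members.php');
//       exit;
//   }
// Tip 5, whenever the name is shown on a page:
//   echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```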

RE: [PHP] Session confusion again :( - Thanks!

2004-04-15 Thread Ford, Mike [LSS]
On 14 April 2004 17:53, Paul Fine wrote:

> Thanks guys but I have register globals ON so once the
> session variable is
> defined I should be able to address it without specifying $_SESSION ?

I don't think the documentation is clear on this point -- it may be that the
association between the global variable and the $_SESSION array doesn't
take until the next page load and session_start(), and in any case the
behaviour seems to be different between 4.2 and 4.3.  I *think* you may have
to session_register('element_countp') to make the association in the current
page, but this is buggy and seriously disrecommended in 4.2 (although fixed
in 4.3).

Personally, I'd just use the $_SESSION[] variable anyway, and not bother
with the equivalent global.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




Re: [PHP] Session confusion again :( - Thanks!

2004-04-15 Thread Richard Harb
Actually for me it isn't unclear at all:

The (super-) global variables are created when php starts working on
your script.

That pesky function/ini parameter (register_globals=on) is just a
replacement for an extract() on each of the global vars just then.

Whatever you do later with any of the variables is up to you - that
extract won't 'run' again - even with register_globals on

Similar to this: if you change some $_POST or $_GET var 'manually' the
$_REQUEST doesn't get updated ...

Richard





[PHP] Session confusion again :( - Thanks!

2004-04-14 Thread BOOT
Any help with this would be appreciated. The p and v lnames are posted from
a form. In the form, the user separates last names with a /. What I can't
understand is why Test1 shows as nothing, while Test2 shows the value I
wanted. Thanks a lot!


$p_lnames = explode("/", $p_lnames);


$_SESSION['element_countp'] = count($p_lnames);


echo "TEST 1" . $element_countp;


$element_countp = $_SESSION['element_countp'];


echo "TEST 2" . $element_countp;




RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Chris W. Parker
BOOT <mailto:[EMAIL PROTECTED]>
on Wednesday, April 14, 2004 9:40 AM said:

> What I can't understand is why Test1 shows as nothing, while
> Test2 shows the value I wanted. Thanks a lot!

[snip]

> $_SESSION['element_countp'] = count($p_lnames);
> echo "TEST 1" . $element_countp;
>
> $element_countp = $_SESSION['element_countp'];
> echo "TEST 2" . $element_countp;

because in test 1 $element_countp has not been assigned anything yet.

$_SESSION['element_countp'] and $element_countp are *not* the same
variable (it appears that you think they are).

in test 2 you assign the value of $_SESSION['element_countp'] to
$element_countp so that's why test 2 works.


hth,
chris.




RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Ford, Mike [LSS]
On 14 April 2004 17:40, BOOT wrote:

> Any help with this would be appreciated. the p and v lnames are
> posted from a form. In the form, the user separates last names with a
> /. What I can't understand is why Test1 shows as nothing, while
> Test2 shows the value I wanted. Thanks a lot!
>
>
> $p_lnames = explode("/", $p_lnames);
>
>
> $_SESSION['element_countp'] = count($p_lnames);
>
>
> echo "TEST 1" . $element_countp;

Because here, you haven't assigned anything to $element_countp -- you've
only assigned it to $_SESSION['element_countp'].  (With register_globals
Off, the two are not the same.)  If you turned your error_reporting level up
to E_ALL, you'd probably get a warning at this point saying that
$element_countp is undefined.

>
>
> $element_countp = $_SESSION['element_countp'];
>
>
> echo "TEST 2" . $element_countp;

Now you've assigned a value to $element_countp, so you get it output.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Paul Fine
Thanks guys but I have register globals ON so once the session variable is
defined I should be able to address it without specifying $_SESSION ?




RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Dennis Gearon
'Chris W. Parker' [EMAIL PROTECTED] elucidated:

> Thanks guys but I have register globals ON so once the session variable is
> defined I should be able to address it without specifying $_SESSION ?


WHERE do you have it on? Most sites now have it turned off for VERY valid security reasons. If you are turning it on in your prepend file - Sorry, too late.

The only two places to turn it back on, to my knowledge, is in your ini file for the site, or your .htaccess file as a directive. Only those two places are before the GPC processing.



Re: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread BOOT
Yes in php.ini. I never bothered turning off as (a) I did not take the time
to understand the implications and (b) my project is only for internal
network use anyway.

So I went and turned them off. Now of course my pages don't work properly. I
guess I have to go through all my code and address the variables properly,
i.e. $_POST and $_SESSION?

Thanks!






RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Chris W. Parker
BOOT <mailto:[EMAIL PROTECTED]>
on Wednesday, April 14, 2004 12:17 PM said:

> So I went and turned them off. Now of course my pages don't work
> properly. I guess I have to go through all my code and address the
> variables properly ie. $_POST and $_SESSION?

no.

just assign them at the beginning of your file.

CURRENT FILE:
<?php

echo "$username is logged in!!";
echo "hello $username, you are logged in.";

?>

WHAT I THINK YOU WOULD CHANGE IT TO:
<?php

echo "{$_GET['username']} is logged in!!";
echo "hello {$_GET['username']}, you are logged in.";

?>

WHAT YOU SHOULD DO INSTEAD:
<?php

$username = $_GET['username'];

echo "$username is logged in!!";
echo "hello $username, you are logged in.";

?>

of course. don't forget to validate your incoming data.


hth,
chris.  




Re: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread BOOT
But if I want to use $username across many pages then I will have to make
it a session variable and call it as such on each page like
$_SESSION['username']

Thanks again!






RE: [PHP] Session confusion again :( - Thanks!

2004-04-14 Thread Chris W. Parker
BOOT <mailto:[EMAIL PROTECTED]>
on Wednesday, April 14, 2004 12:37 PM said:

> But if I want to use $username across many pages then I will have to
> make it a session variable and call it as such on each page like
> $_SESSION['username']

correct.



c.

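The fix this thread converges on, as an added example that is not BOOT's, Chris's or Mike's code: read the posted field explicitly instead of relying on register_globals, validate it as Chris says, turn error_reporting up as Mike suggests, and carry the count to the next page only through $_SESSION. The field name p_lnames and the key element_countp come from BOOT's post; the page and function names are made up.

```php
<?php
// Added example, not code from the thread. Field p_lnames and session key
// element_countp are BOOT's; page1.php/page2.php are made-up names.
declare(strict_types=1);
error_reporting(E_ALL);   // Mike's tip: an undefined $element_countp now warns

// page1.php: the form handler. With register_globals off nothing becomes a
// variable by itself, so the one field we expect is picked out by name.
function handleNameForm(array $post): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $raw = $post['p_lnames'] ?? '';
    // Validate before use: letters, spaces, apostrophes, hyphens and the
    // "/" separator only, and a sane length.
    if (!is_string($raw) || !preg_match('/^[\p{L} \'\\/-]{1,200}$/u', $raw)) {
        $_SESSION['element_countp'] = 0;
        return 0;
    }
    // Drop empty pieces so "Smith//Jones" or a trailing "/" is not counted.
    $p_lnames = array_filter(array_map('trim', explode('/', $raw)), 'strlen');
    $_SESSION['element_countp'] = count($p_lnames);
    // $_SESSION['element_countp'] and $element_countp are different
    // variables (the point Chris and Mike made); copy explicitly if a
    // short name is wanted on this page.
    $element_countp = $_SESSION['element_countp'];
    return $element_countp;
}

// page2.php: the browser only sends the session id cookie; the count never
// left the server, so it cannot be edited from the client side.
function readNameCount(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return (int) ($_SESSION['element_countp'] ?? 0);
}

// Constructed input for a dry run:
//   handleNameForm(['p_lnames' => "Smith/Jones/O'Brien"]) returns 3
//   handleNameForm(['p_lnames' => 'Smith//Jones/'])       returns 2
//   handleNameForm(['p_lnames' => '<script>'])            returns 0
```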



[PHP] Session confusion

2001-12-03 Thread Jon Drukman

I have a file called sessionvars.php that I require() as the very first
thing on all my pages, it has

session_register(blah...) and about 40 or 50 variable names after that.

sometimes I am seeing behavior where a form on one page that references a
session variable doesn't carry over the change to the next page.  in other
words, i filled in a username in a form on page 1, hit submit, got to page 2
and it was remembered.  but now i go back to page 1, change the value in the
form, and when i get to page 2 it has the old value, not the new value!

i have the following options in my apache config:

php_value session.save_path /home/phpsession/
php_value session.name EINFO
php_value session.cookie_lifetime 2592000
php_flag register_globals on

what do i have to do to get the changes to propagate through??

-jsd-








[PHP] Session Confusion

2001-03-23 Thread KPortsmout

Ok these sessions have got me all confused, I need to have two separate 
sessions one for when a user signs up, to stop them using their back button 
and inadvertently signing up twice. And then one when they login. Both of 
them work great as standalone but if say I went and log into my account and 
then decide I need another, the sign up page blocks me because I already have 
a session running. Here is some code which will probably help me explain my system.

if(!$PHPSESSID)
{
$SET=1;
}elseif($PHPSESSID=1)
{
echo "<CENTER>You are already Registered, please click <A HREF='login.php'>here
</A> to login.</CENTER>";
die;
}
if($SET=1)
{
session_start();
session_register("SET");
}

This checks to see if there is a session running, if there is it blocks them 
and sends them to the log in page, if there isn't the rest of my script sets 
up the account and then forwards them to the log in screen, so if for any 
reason they decide to use their back button they can't create two accounts by 
accident.

Then when they log in I start a session as follows:

session_start();
session_register("UserName","Password");
header ("Location: Http://www.tothemembersarea.com/");


So if I go to my system log in and then try to setup a new account it blocks 
me, any idea how I can distinguish between the two??

TIA
Ade





RE: [PHP] Session Confusion

2001-03-23 Thread Jack Dempsey

If that's a copy of your code, you might want to check the if($SET=1)
line...that will always return true, because you're setting a variable, not
checking for equality...should be if($SET==1) instead

jack





Re: [PHP] Session Confusion

2001-03-23 Thread KPortsmout


> If that's a copy of your code, you might want to check the if($SET=1)
> line...that will always return true, because you're setting a variable, not
> checking for equality...should be if($SET==1) instead
>
> jack

Ooops, ok, put that bit right, I should really know better :-) but it still 
doesn't solve the overall problem LoL

Thanks for pointing it out though

Ade





Re: [PHP] Session Confusion

2001-03-23 Thread hi

Hi,

All the session functions check to see if you have a session running first
before starting a session, to prevent you from starting two sessions by
accident.  If for some reason you want to start another session, you can do
that by supplying your own session id to the function session_start() to
start another session.

However, you do not need to do that for your purposes.  You can start the
only session you need when they submit their form info, and to keep them
from signing up twice, before you record the data use an if statement to
check if there is a session(if ($PHPSESSID)).  If there is already a
session, do not record the data, and display a message: "You have already
signed up, proceed to login." and redirect them to the login page.







Re: [PHP] Session Confusion

2001-03-23 Thread hi

Hi,

Just to explain a point on my previous post:

If at the top of your page that processes the registration info, you
include:

session_start();
session_register("is_registered");
$is_registered = "yes";

and then use this test:

if($PHPSESSID)
{
    // warning, redirect to login
    header("Location: login.php");
    exit;
}
else
{
    // record info, redirect to login
    header("Location: login.php");
    exit;
}

Will the condition in the if statement be true?  It seems like it should
because you started the session.  But a session id is a cookie, and a cookie
is not available on the page it is set.  So, the first time this script is
encountered, e.g. when they register for the first time, even though you
started the session, the if statement condition will be false, indicating
the first time someone is registering.  Subsequently, if someone uses the
back button and then clicks submit to get to this page again, then the
cookie will be set, and the if statement will return true, causing the other
branch of the if statement to execute.



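Ade's problem of telling the two sessions apart, and hi's point that the cookie is not visible on the page that sets it, as an added example that is none of the posters' code: one session holds an is_registered flag and a logged_in flag that are checked separately, and the registration handler looks at $_SESSION, which session_start() fills in the very request that created the session, rather than at $PHPSESSID. The one-time form token goes beyond what the thread describes; page and function names are made up.

```php
<?php
// Added example, not code from this thread. Page names are made up; the
// one-time form token is an addition beyond what the posts describe.
declare(strict_types=1);

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // $_SESSION is usable now, even if the cookie is new
    }
}

// Rendering the sign-up form: issue a token tied to this session.
function signupToken(): string
{
    ensureSession();
    $_SESSION['signup_token'] = bin2hex(random_bytes(16));
    return $_SESSION['signup_token'];   // goes into a hidden form field
}

// The sign-up form handler. Returns a status the caller turns into a page.
function handleSignup(array $post): string
{
    ensureSession();
    // Ade's check, done on the session data rather than on $PHPSESSID:
    // after the back button and a resubmit this flag is already present.
    if (!empty($_SESSION['is_registered'])) {
        return 'already_registered';   // show "already registered, log in"
    }
    // The token catches the other double submit: two requests from the
    // same form before the first finished. It is valid exactly once.
    $token    = (string) ($post['form_token'] ?? '');
    $expected = $_SESSION['signup_token'] ?? '';
    unset($_SESSION['signup_token']);
    if ($expected === '' || !hash_equals($expected, $token)) {
        return 'stale_form';           // ask the user to reload the form
    }
    // ... create the account from $post here ...
    $_SESSION['is_registered'] = true;
    return 'created';                  // caller: header('Location: login.php')
}

// The login handler, after the credentials have been verified: a separate
// flag, so being logged in never trips the sign-up check above.
function markLoggedIn(string $username): void
{
    ensureSession();
    session_regenerate_id(true);       // new id once the session is trusted
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;   // the password is not stored
}

function isLoggedIn(): bool
{
    ensureSession();
    return !empty($_SESSION['logged_in']);
}
```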