Re: [PHP] sessions working? not working?

2013-08-12 Thread Tedd Sperling
On Aug 12, 2013, at 4:27 AM, Clifford Shuker wrote:
> I have the following (below) session code at the top of each page..  The
> 'print_r' (development feature only) confirms that on one particular page I
> do log out as the session var = (). but, on testing that page via the URL I
> still get to see the page and all its contents - session var() -..  the page
> has the following  'session_start, DOCTYPE Info then containing
> meta info & titlecontaining style/tables/content/
> // end of page.  I have copied the same page without the html content (i.e.
> a blank page) and I get to fully log out.. when this page is tested in the
> URL my warning comes up 'you need to login to see this page' which is what I
> want but, I've tried numerous avenues to reconcile my problem to no avail..
> I'm a novice so any help would be appreciated..   
> 
> 
> 
> <?php
> session_start();
> error_reporting (E_ALL ^ E_NOTICE);
> $userid = $_SESSION['userid'];
> $username = $_SESSION['username'];
> print_r($_SESSION);
> ?>
> 

Ok, but when are you populating the SESSION's? Such as:

$_SESSION['userid'] = $userid;

Also, have a look at this:

http://sperling.com/php/authorization/log-on.php

It might help.

tedd

___
tedd sperling
tedd.sperl...@gmail.com




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
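
Added example, not part of either message above: a guard for the top of each protected page that stops before any HTML is sent when no user is in the session, together with the matching login and logout steps. The file names auth.php and login.php and the function names are assumptions; the session keys are the ones in the quoted code.

```php
<?php
// auth.php (hypothetical file name): include at the very top of every
// protected page, before the DOCTYPE or any other output.

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Stop the browser from re-showing a stored copy of the page after logout.
    header('Cache-Control: no-store');

    // Reading $_SESSION into variables is not an access check. The script has
    // to stop here when no user is logged in, or the HTML below still renders.
    if (empty($_SESSION['userid'])) {
        header('Location: /login.php', true, 303);   // hypothetical login page
        exit;
    }
}

function log_in(string $userid, string $username): void
{
    // Call only after the credentials have been verified.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // fresh session ID at login (fixation defence)
    $_SESSION['userid']   = $userid;
    $_SESSION['username'] = $username;
}

function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                               // forget the user in this request
    if (ini_get('session.use_cookies')) {         // expire the session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                            // delete the server-side data
}

// Top of a protected page (constructed usage):
//   require __DIR__ . '/auth.php';
//   require_login();
//   ... DOCTYPE and page content follow, reached only by logged-in users
```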



[PHP] sessions working? not working?

2013-08-12 Thread Clifford Shuker
Hi List,

 

I have the following (below) session code at the top of each page..  The
'print_r' (development feature only) confirms that on one particular page I
do log out as the session var = (). but, on testing that page via the URL I
still get to see the page and all its contents - session var() -..  the page
has the following  'session_start, DOCTYPE Info then containing
meta info & titlecontaining style/tables/content/
// end of page.  I have copied the same page without the html content (i.e.
a blank page) and I get to fully log out.. when this page is tested in the
URL my warning comes up 'you need to login to see this page' which is what I
want but, I've tried numerous avenues to reconcile my problem to no avail..
I'm a novice so any help would be appreciated..   

 





Re: [PHP] sessions and expirations and isolations

2012-01-19 Thread tamouse mailing lists
On Tue, Jan 17, 2012 at 5:17 PM, Haluk Karamete  wrote:
> This brings the question to the following;
> WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER?

Just addressing this question -- you are correct that the browser does
not tell the application when it closes. What *does* happen is that
the cookie associated with that browser session is destroyed or
nullified, thus when the user reopens their browser and opens the
application again, there won't be a session cookie sent to the
application on start.

As explained above, this has nothing to do with how long the session
data may be stored on the server, it just won't be accessed if the
browser has been closed in the meantime.




RE: [PHP] sessions and expirations and isolations

2012-01-18 Thread Ford, Mike
> -Original Message-
> From: Stuart Dallas [mailto:stu...@3ft9.com]
> Sent: 18 January 2012 12:02
> 
> On 17 Jan 2012, at 23:17, Haluk Karamete wrote:
> 
> > I'm afraid session.cookie_lifetime = 0 keeps all session data (
> that
> > is past and present ) in server memory until a server restart/stop
> > takes place. Correct me if I'm wrong.
> 
> You are wrong. What you need to understand is that the cleanup of
> the data is controlled by a completely separate system to that which
> enables requests to get access to it. The session.gc_maxlifetime
> setting controls how long it must be since the session data was
> saved before it is considered for cleanup. The description above is
> correct in that the default behaviour is for the session cookie to
> die with the browser session, but that has absolutely no effect on
> how long the data will be retained on the server.

And you are also possibly wrong that session information is kept in
system memory, as the default is for it to be serialized and saved in
a regular file on disk. There are other options (database, shared memory,
...), but disk files are the default.

Cheers!

Mike

-- 
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,  
Portland PD507, City Campus, Leeds Metropolitan University,
Portland Way, LEEDS,  LS1 3HE,  United Kingdom 
E: m.f...@leedsmet.ac.uk T: +44 113 812 4730









Re: [PHP] sessions and expirations and isolations

2012-01-18 Thread Stuart Dallas
On 17 Jan 2012, at 23:17, Haluk Karamete wrote:

> Back to this session expiration...
> 
> that old quote said...
> 
> The default behaviour for sessions is to keep a session open
> indefinitely and only to expire a session when the browser is closed.
> This behaviour can be changed in the php.ini file by altering the
> line:
> 
> session.cookie_lifetime = 0
> If you wanted the session to finish in 5 minutes you would set this to:
> session.cookie_lifetime = 300.
> 
> 
> Reflecting on this a little more, I got interested in the part that
> says "The default behaviour for sessions is to keep a session open
> indefinitely and only to expire a session when the browser is closed."
> 
> How would the server know that a browser is closed? No browser
> sends such data to a server.
> 
> If you re-open your browser, sure you will get asked to relogin (
> cause that session id cookie is gone ) but that does not mean that old
> session data has been erased from the server. How could it?  The only
> way for that to happen is to run session_destroy programmatically but
> for that your users have to click on a link. Certainly, closing a
> browser won't cause that!
> 
> This brings the question to the following;
> WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER?
> 
> I'm afraid session.cookie_lifetime = 0 keeps all session data ( that
> is past and present ) in server memory until a server restart/stop
> takes place. Correct me if I'm wrong.

You are wrong. What you need to understand is that the cleanup of the data is 
controlled by a completely separate system to that which enables requests to 
get access to it. The session.gc_maxlifetime setting controls how long it must 
be since the session data was saved before it is considered for cleanup. The 
description above is correct in that the default behaviour is for the session 
cookie to die with the browser session, but that has absolutely no effect on 
how long the data will be retained on the server.

If you want a full description of how the session cleanup logic works I'm happy 
to provide it, but you should be able to work it out by looking at the 
descriptions of the gc_probability, gc_divisor and gc_maxlifetime settings on 
this page: 
http://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

Re: [PHP] sessions and expirations and isolations

2012-01-17 Thread Haluk Karamete
Back to this session expiration...

that old quote said...

The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed.
This behaviour can be changed in the php.ini file by altering the
line:

session.cookie_lifetime = 0
If you wanted the session to finish in 5 minutes you would set this to:
session.cookie_lifetime = 300.


Reflecting on this a little more, I got interested in the part that
says "The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed."

How would the server know that a browser is closed? No browser
sends such data to a server.

If you re-open your browser, sure you will get asked to relogin (
cause that session id cookie is gone ) but that does not mean that old
session data has been erased from the server. How could it?  The only
way for that to happen is to run session_destroy programmatically but
for that your users have to click on a link. Certainly, closing a
browser won't cause that!

This brings the question to the following;
WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER?

I'm afraid session.cookie_lifetime = 0 keeps all session data ( that
is past and present ) in server memory until a server restart/stop
takes place. Correct me if I'm wrong.




On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas  wrote:
> On 16 Jan 2012, at 22:51, Haluk Karamete wrote:
>
>> Hi, in ASP, sessions expire when the client does not request an asp
>> page for more than 20 min. (The 20 min thing is a server level setting
>> - which can be changed by IIS settings )  And sessions work out of the
>> box.
>>
>> I use sessions a lot. So, most likely, I would keep that style in my
>> PHP apps too.
>>
>> I read the following about PHP sessions...  I wanted to know how
>> accurate this info is.
>>
>> 
>> The default behaviour for sessions is to keep a session open
>> indefinitely and only to expire a session when the browser is closed.
>> This behaviour can be changed in the php.ini file by altering the
>> line:
>>
>> session.cookie_lifetime = 0
>> If you wanted the session to finish in 5 minutes you would set this to:
>>
>> Listing 23 Keeping a session alive for five minutes (listing-23.txt)
>> session.cookie_lifetime = 300.
>> Remember to restart your web server after making this change.
>> 
>
> That's totally accurate, except that it doesn't touch upon how sessions are 
> cleaned up...
>
>> Now, if this info is correct and it is this simple, why do we have
>> some elaborate posts like this one?
>>
>> http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes
>
> ...which explains that post. The session.cookie_lifetime is simply the expiry 
> time that will be set on the cookie that specifies the visitor's session ID. 
> That ID is used as the unique identifier on the server in the session storage 
> system (defaults to files of serialized data). If you want to have more 
> precise control over the session lifetime (though I can't see any reason why 
> you would need to) then you can write your own session handler and implement 
> the timeout logic yourself. You could also handle it by storing a timestamp 
> in the session and using that to decide whether the session data should be 
> considered valid (as described in the accepted answer on that post).
>
>> What do you do when you write a PHP app that relies on sessions? how
>> do you manage the server memory allocation issues?
>> Say you wanted to keep session vars alive for 20 min ( from the last
>> request from the client ) and you wanted your server to completely
>> empty the session if there is no request, no new php page is requested
>> from that client within that next 20 min. And if a client requests a
>> page say on the 19th min, session gets extended another 20 from that
>> time on, just like the ASP works.
>
> The only reason there would be memory allocation issues is if you're storing 
> huge amounts of data in the session. If you are then I'd suggest that you 
> either re-architect your application so you don't need to, or implement a 
> custom storage mechanism for that data that doesn't use the session system.
>
>> My second question on session is about keeping sessions apart from one
>> another - if such a concept exists...
>>
>> Let's say you have a session var FirstName in app1 and another session
>> variable exactly named as FirstName in app2.
>> How do you keep them separate?
>>
>> In ASP, I create a virtual app at the IIS server - assigning a

Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
great exp. now I'm heading towards the
http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path.

you definitely deserved a good  chocolate cookie!

On Mon, Jan 16, 2012 at 6:38 PM, Stuart Dallas  wrote:
> On 17 Jan 2012, at 02:21, Haluk Karamete wrote:
>
>> Well Stuart,
>>
>> When I said this
>>
>>> In ASP, I create a virtual app at the IIS server - assigning a virtual
>>> dir path to the app, and from that point on, any page being served
>>> under that virtual path is treated as an isolated ASP app and thus the
>>> sessions are kept isolated and not get mixed up by asp pages that do
>>> not live under that virtual app path.
>>
>> I did not mean that aspect of the business which you replied to.  I
>> did not mean that 2 users' sessions can get mixed up. Of course,
>> neither PHP nor ASP would allow that and that's all thru the current
>> session cookie ID - which is nearly impossible to guess for somebody
>> else's session cookie ID for that session time.
>>
>> Instead, I was meaning something totally different. Sorry for not
>> being very clear about it. Here is another shot at it.
>>
>> Here, you are developing an app and the app is being developed under say
>> domain.com/app1/. Let's call this app APP_1
>> And this app got say 10 php files and these files use lots of some
>> session vars to pass some data from one another. That's the case for
>> APP_1.
>>
>> Now you need a second app... which is totally different than APP_1.
>> And that is to be developed under say the same server as say
>> domain.com/APP_2/ and this one too has its 5 php files too.
>>
>> But there is nothing common between two apps.
>>
>> Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two
>> separate apps ( virtual apps they call it ) and once I do that  ( and
>> that's thru the IIS settings ), the session vars I store in APP_1 do
>> not get overwritten by the APP_2, even though they may or may not
>> share the same names... With that,  I can set up a session var "Age" as
>> 43 right there in APP_1 and I can have another session variable in the
>> other app, still named as "Age" where I store age value as a string,
>> something like say  "middle-age". If I didn't create these virtual
>> apps at IIS, ASP would have overwritten the value 43 with the value
>> middle-age and vice versa back and forth.
>>
>> I'm trying to understand if the same flexibility is available or not with 
>> PHP.
>> I should be able to go the APP_1 and do a _SESSION dump and I should
>> see 10 session variables in there and then I should be able to go
>> APP_2 and there I should see only 8. That's the case with classic ASP.
>
> Of course. I did touch on this in my reply but I obviously wasn't verbose 
> enough. Sessions are tied to an ID, and that ID is (usually) stored in a 
> cookie. Therefore the cookie is what links a session to a user, and it's the 
> limits on that cookie that determine the level of isolation.
>
> In the case you describe above, the default behaviour would be for both apps 
> to share the session because the cookie would be set on domain.com with the 
> default path of /. You can change the path with the session.cookie_path 
> setting. See here for more details: 
> http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path
>
> Basically, each app would need to use the ini_set function to set 
> session.cookie_path to /APP_1 or /APP_2 accordingly, before calling 
> session_start. That will effectively isolate the sessions for the two apps in 
> the same way that virtual directories do in ASP.
>
> Hope that makes it clearer.
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/




Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Stuart Dallas
On 17 Jan 2012, at 02:21, Haluk Karamete wrote:

> Well Stuart,
> 
> When I said this
> 
>> In ASP, I create a virtual app at the IIS server - assigning a virtual
>> dir path to the app, and from that point on, any page being served
>> under that virtual path is treated as an isolated ASP app and thus the
>> sessions are kept isolated and not get mixed up by asp pages that do
>> not live under that virtual app path.
> 
> I did not mean that aspect of the business which you replied to.  I
> did not mean that 2 users' sessions can get mixed up. Of course,
> neither PHP nor ASP would allow that and that's all thru the current
> session cookie ID - which is nearly impossible to guess for somebody
> else's session cookie ID for that session time.
> 
> Instead, I was meaning something totally different. Sorry for not
> being very clear about it. Here is another shot at it.
> 
> Here, you are developing an app and the app is being developed under say
> domain.com/app1/. Let's call this app APP_1
> And this app got say 10 php files and these files use lots of some
> session vars to pass some data from one another. That's the case for
> APP_1.
> 
> Now you need a second app... which is totally different than APP_1.
> And that is to be developed under say the same server as say
> domain.com/APP_2/ and this one too has its 5 php files too.
> 
> But there is nothing common between two apps.
> 
> Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two
> separate apps ( virtual apps they call it ) and once I do that  ( and
> that's thru the IIS settings ), the session vars I store in APP_1 do
> not get overwritten by the APP_2, even though they may or may not
> share the same names... With that,  I can set up a session var "Age" as
> 43 right there in APP_1 and I can have another session variable in the
> other app, still named as "Age" where I store age value as a string,
> something like say  "middle-age". If I didn't create these virtual
> apps at IIS, ASP would have overwritten the value 43 with the value
> middle-age and vice versa back and forth.
> 
> I'm trying to understand if the same flexibility is available or not with PHP.
> I should be able to go the APP_1 and do a _SESSION dump and I should
> see 10 session variables in there and then I should be able to go
> APP_2 and there I should see only 8. That's the case with classic ASP.

Of course. I did touch on this in my reply but I obviously wasn't verbose 
enough. Sessions are tied to an ID, and that ID is (usually) stored in a 
cookie. Therefore the cookie is what links a session to a user, and it's the 
limits on that cookie that determine the level of isolation.

In the case you describe above, the default behaviour would be for both apps to 
share the session because the cookie would be set on domain.com with the 
default path of /. You can change the path with the session.cookie_path 
setting. See here for more details: 
http://www.php.net/manual/en/session.configuration.php#ini.session.cookie_path

Basically, each app would need to use the ini_set function to set 
session.cookie_path to /APP_1 or /APP_2 accordingly, before calling 
session_start. That will effectively isolate the sessions for the two apps in 
the same way that virtual directories do in ASP.

Hope that makes it clearer.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
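
Added example, not code from this message: the session.cookie_path setup described above for the APP_1 and APP_2 case, extended with a separate session name and save directory per app. The cookie path only controls which requests the browser attaches the cookie to, so the extra two settings keep the server-side data apart as well. The function name, session names and directory paths are assumptions.

```php
<?php
// app_session.php (hypothetical): shared helper, called with different
// arguments by each application before anything else touches the session.

function start_app_session(string $cookiePath, string $name, string $saveDir): void
{
    // Per-app storage directory, readable only by the PHP user.
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $saveDir");
    }

    // All of these must be set before session_start().
    ini_set('session.cookie_path', $cookiePath);   // browser returns the cookie only under this path
    ini_set('session.cookie_httponly', '1');       // keep the ID away from page scripts
    ini_set('session.use_strict_mode', '1');       // refuse IDs the server did not issue
    ini_set('session.save_path', $saveDir);        // an ID from the other app finds no data here

    session_name($name);                           // distinct cookie name per app
    session_start();
}

// Default behaviour, for comparison: a bare session_start() in both apps sets
// one cookie with path "/" and one shared $_SESSION, so "Age" written by
// APP_1 is overwritten by APP_2.

// Top of every page under domain.com/APP_1/ (constructed paths):
//   require __DIR__ . '/../app_session.php';
//   start_app_session('/APP_1/', 'APP1SESSID', '/var/lib/php/sessions-app1');
//   $_SESSION['Age'] = 43;

// Top of every page under domain.com/APP_2/:
//   require __DIR__ . '/../app_session.php';
//   start_app_session('/APP_2/', 'APP2SESSID', '/var/lib/php/sessions-app2');
//   $_SESSION['Age'] = 'middle-age';
```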



Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
Well Stuart,

When I said this

> In ASP, I create a virtual app at the IIS server - assigning a virtual
> dir path to the app, and from that point on, any page being served
> under that virtual path is treated as an isolated ASP app and thus the
> sessions are kept isolated and not get mixed up by asp pages that do
> not live under that virtual app path.

I did not mean that aspect of the business which you replied to.  I
did not mean that 2 users' sessions can get mixed up. Of course,
neither PHP nor ASP would allow that and that's all thru the current
session cookie ID - which is nearly impossible to guess for somebody
else's session cookie ID for that session time.

Instead, I was meaning something totally different. Sorry for not
being very clear about it. Here is another shot at it.

Here, you are developing an app and the app is being developed under say
domain.com/app1/. Let's call this app APP_1
And this app got say 10 php files and these files use lots of some
session vars to pass some data from one another. That's the case for
APP_1.

Now you need a second app... which is totally different than APP_1.
And that is to be developed under say the same server as say
domain.com/APP_2/ and this one too has its 5 php files too.

But there is nothing common between two apps.

Now, ASP allows me to treat these apps ( APP_1 and APP_2 ) as two
separate apps ( virtual apps they call it ) and once I do that  ( and
that's thru the IIS settings ), the session vars I store in APP_1 do
not get overwritten by the APP_2, even though they may or may not
share the same names... With that,  I can set up a session var "Age" as
43 right there in APP_1 and I can have another session variable in the
other app, still named as "Age" where I store age value as a string,
something like say  "middle-age". If I didn't create these virtual
apps at IIS, ASP would have overwritten the value 43 with the value
middle-age and vice versa back and forth.

I'm trying to understand if the same flexibility is available or not with PHP.
I should be able to go the APP_1 and do a _SESSION dump and I should
see 10 session variables in there and then I should be able to go
APP_2 and there I should see only 8. That's the case with classic ASP.




On Mon, Jan 16, 2012 at 4:19 PM, Stuart Dallas  wrote:
> On 16 Jan 2012, at 22:51, Haluk Karamete wrote:
>
>> Hi, in ASP, sessions expire when the client does not request an asp
>> page for more than 20 min. (The 20 min thing is a server level setting
>> - which can be changed by IIS settings )  And sessions work out of the
>> box.
>>
>> I use sessions a lot. So, most likely, I would keep that style in my
>> PHP apps too.
>>
>> I read the following about PHP sessions...  I wanted to know how
>> accurate this info is.
>>
>> 
>> The default behaviour for sessions is to keep a session open
>> indefinitely and only to expire a session when the browser is closed.
>> This behaviour can be changed in the php.ini file by altering the
>> line:
>>
>> session.cookie_lifetime = 0
>> If you wanted the session to finish in 5 minutes you would set this to:
>>
>> Listing 23 Keeping a session alive for five minutes (listing-23.txt)
>> session.cookie_lifetime = 300.
>> Remember to restart your web server after making this change.
>> 
>
> That's totally accurate, except that it doesn't touch upon how sessions are 
> cleaned up...
>
>> Now, if this info is correct and it is this simple, why do we have
>> some elaborate posts like this one?
>>
>> http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes
>
> ...which explains that post. The session.cookie_lifetime is simply the expiry 
> time that will be set on the cookie that specifies the visitor's session ID. 
> That ID is used as the unique identifier on the server in the session storage 
> system (defaults to files of serialized data). If you want to have more 
> precise control over the session lifetime (though I can't see any reason why 
> you would need to) then you can write your own session handler and implement 
> the timeout logic yourself. You could also handle it by storing a timestamp 
> in the session and using that to decide whether the session data should be 
> considered valid (as described in the accepted answer on that post).
>
>> What do you do when you write a PHP app that relies on sessions? how
>> do you manage the server memory allocation issues?
>> Say you wanted to keep session vars alive for 20 min ( from the last
>> request from the client ) and you wanted your server to completely
>> empty the session if there is no request, no new php page is re

Re: [PHP] sessions and expirations and isolations

2012-01-16 Thread Stuart Dallas
On 16 Jan 2012, at 22:51, Haluk Karamete wrote:

> Hi, in ASP, sessions expire when the client does not request an asp
> page for more than 20 min. (The 20 min thing is a server level setting
> - which can be changed by IIS settings )  And sessions work out of the
> box.
> 
> I use sessions a lot. So, most likely, I would keep that style in my
> PHP apps too.
> 
> I read the following about PHP sessions...  I wanted to know how
> accurate this info is.
> 
> 
> The default behaviour for sessions is to keep a session open
> indefinitely and only to expire a session when the browser is closed.
> This behaviour can be changed in the php.ini file by altering the
> line:
> 
> session.cookie_lifetime = 0
> If you wanted the session to finish in 5 minutes you would set this to:
> 
> Listing 23 Keeping a session alive for five minutes (listing-23.txt)
> session.cookie_lifetime = 300.
> Remember to restart your web server after making this change.
> 

That's totally accurate, except that it doesn't touch upon how sessions are 
cleaned up...

> Now, if this info is correct and it is this simple, why do we have
> some elaborate posts like this one?
> 
> http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes

...which explains that post. The session.cookie_lifetime is simply the expiry 
time that will be set on the cookie that specifies the visitor's session ID. 
That ID is used as the unique identifier on the server in the session storage 
system (defaults to files of serialized data). If you want to have more precise 
control over the session lifetime (though I can't see any reason why you would 
need to) then you can write your own session handler and implement the timeout 
logic yourself. You could also handle it by storing a timestamp in the session 
and using that to decide whether the session data should be considered valid 
(as described in the accepted answer on that post).

> What do you do when you write a PHP app that relies on sessions? how
> do you manage the server memory allocation issues?
> Say you wanted to keep session vars alive for 20 min ( from the last
> request from the client ) and you wanted your server to completely
> empty the session if there is no request, no new php page is requested
> from that client within that next 20 min. And if a client requests a
> page say on the 19th min, session gets extended another 20 from that
> time on, just like the ASP works.

The only reason there would be memory allocation issues is if you're storing 
huge amounts of data in the session. If you are then I'd suggest that you 
either re-architect your application so you don't need to, or implement a 
custom storage mechanism for that data that doesn't use the session system.

> My second question on session is about keeping sessions apart from one
> another - if such a concept exists...
> 
> Let's say you have a session var FirstName in app1 and another session
> variable exactly named as FirstName in app2.
> How do you keep them separate?
> 
> In ASP, I create a virtual app at the IIS server - assigning a virtual
> dir path to the app, and from that point on, any page being served
> under that virtual path is treated as an isolated ASP app and thus the
> sessions are kept isolated and not get mixed up by asp pages that do
> not live under that virtual app path.


I don't know much about the way ASP implements sessions but I highly doubt 
there is anything significantly different in there to the way PHP does it. For 
all intents and purposes the isolation of a given user's session is guaranteed 
by the use of cookies. As I mentioned earlier, the session ID is stored in a 
cookie. Cookies are not shared between domain names, so there is no way that 
two sites, or "applications", could use the same session [1].

-Stuart

[1] This is not entirely true, but since it requires some nasty trickery to 
make it happen it's not something you need to worry about unless sharing 
sessions is required which is incredibly rare and almost certainly another sign 
of poor architecture!

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
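
Added example, not code from the thread: the timestamp approach mentioned in this message, set up as the 20-minute sliding idle timeout asked about, and taking into account the separate cleanup mechanism described in the 2012-01-18 reply. The 'last_seen' key, the function names and the sample values are assumptions.

```php
<?php
const IDLE_LIMIT = 1200;   // 20 minutes, in seconds

// Pure decision: has this session been idle longer than the limit?
function session_is_stale(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if ($session === []) {
        return false;                       // new, empty session: nothing to expire
    }
    if (!isset($session['last_seen']) || !is_int($session['last_seen'])) {
        return true;                        // data without a timestamp is not trusted
    }
    return ($now - $session['last_seen']) > $idleLimit;
}

function start_session_with_idle_timeout(int $idleLimit = IDLE_LIMIT): void
{
    // The cookie lifetime only tells the browser when to drop the ID.
    ini_set('session.cookie_lifetime', '0');
    // Garbage collection is probabilistic and only removes data older than
    // gc_maxlifetime, so it cannot be the thing that enforces the timeout.
    // Keep it at least as long as the idle limit so live sessions survive.
    ini_set('session.gc_maxlifetime', (string) $idleLimit);

    session_start();
    $now = time();

    if (session_is_stale($_SESSION, $now, $idleLimit)) {
        $_SESSION = [];                     // the timeout is enforced here, on every request
        session_regenerate_id(true);        // discard the old ID and its stored data
    }
    $_SESSION['last_seen'] = $now;          // each request extends the window
}

// Command-line check with constructed sessions; on a web page, call
// start_session_with_idle_timeout() instead of session_start().
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $t0 = 1326754260;                       // constructed timestamp
    $cases = [
        'request on the 19th minute' => [['userid' => 'u1', 'last_seen' => $t0], $t0 + 19 * 60],
        'request on the 21st minute' => [['userid' => 'u1', 'last_seen' => $t0], $t0 + 21 * 60],
        'data but no timestamp'      => [['userid' => 'u1'], $t0],
        'brand-new session'          => [[], $t0],
    ];
    foreach ($cases as $label => [$session, $now]) {
        echo $label, ': ', session_is_stale($session, $now) ? 'stale' : 'fresh', PHP_EOL;
    }
}
```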



[PHP] sessions and expirations and isolations

2012-01-16 Thread Haluk Karamete
Hi, in ASP, sessions expire when the client does not request an asp
page for more than 20 min. (The 20 min thing is a server level setting
- which can be changed by IIS settings )  And sessions work out of the
box.

I use sessions a lot. So, most likely, I would keep that style in my
PHP apps too.

I read the following about PHP sessions...  I wanted to know how
accurate this info is.


The default behaviour for sessions is to keep a session open
indefinitely and only to expire a session when the browser is closed.
This behaviour can be changed in the php.ini file by altering the
line:

session.cookie_lifetime = 0
If you wanted the session to finish in 5 minutes you would set this to:

Listing 23 Keeping a session alive for five minutes (listing-23.txt)
session.cookie_lifetime = 300.
Remember to restart your web server after making this change.



Now, if this info is correct and it is this simple, why do we have
some elaborate posts like this one?

http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes


What do you do when you write a PHP app that relies on sessions? how
do you manage the server memory allocation issues?
Say you wanted to keep session vars alive for 20 min ( from the last
request from the client ) and you wanted your server to completely
empty the session if there is no request, no new php page is requested
from that client within that next 20 min. And if a client requests a
page say on the 19th min, session gets extended another 20 from that
time on, just like the ASP works.

My second question on session is about keeping sessions apart from one
another - if such a concept exists...

Let's say you have a session var FirstName in app1 and another session
variable exactly named as FirstName in app2.
How do you keep them separate?

In ASP, I create a virtual app at the IIS server - assigning a virtual
dir path to the app, and from that point on, any page being served
under that virtual path is treated as an isolated ASP app and thus the
sessions are kept isolated and not get mixed up by asp pages that do
not live under that virtual app path.

Is this concept even applicable in PHP?

Thanks




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 13:42, Richard Quadling wrote:
> On 7 September 2011 12:32, Paul Waring wrote:
>> On 07/09/11 12:16, Richard Quadling wrote:
>>> On 7 September 2011 11:20, Paul Waring wrote:
>>>> Can anyone suggest things which I could try? I cannot work out why this
>>>> problem is happening for some users but not me.
>>>
>>> For browsers/extensions that do automatic read ahead (I load page A
>>> and linked pages B and C are also retrieved).
>>
>> I hadn't thought of that. However, we audit all user logins and logouts, as
>> well as all page requests. If the browser was pre-fetching the logout page,
>> we'd have 'user logout' entries in our logs, but the only notices we have
>> are for users logging in. If users were being logged out because of
>> pre-fetching, I'd expect to see each login entry have a corresponding logout
>> entry.
>>
>>> Is the potential for cached pages to be returned for a user NOT logged in?
>>
>> Any pages which a user has viewed whilst logged in shouldn't be cached,
>> assuming the browser is respecting the headers. They are all sent with:
>>
>> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
>> pre-check=0
>
> How is your code determining if they need to be redirected back to the
> login page?

The test is whether two $_SESSION elements are set and match ones in the 
database, plus whether the last page view by the user (stored in the 
database, updated on each request) was less than one hour ago.

> What changes that information?

A page load changed the 'last page view time'. Nothing changes the other 
session data, except an explicit logout (which sets $_SESSION = array() 
and calls session_destroy).

> Can you monitor it externally?

I'm not sure what you mean by 'externally'. Most of the site requires a 
login, so it's not possible for a third-party to monitor it if that's 
what you mean.


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:16, Richard Quadling wrote:
> On 7 September 2011 11:20, Paul Waring wrote:
> > Can anyone suggest things which I could try? I cannot work out why this
> > problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A
> and linked pages B and C are also retrieved).

I hadn't thought of that. However, we audit all user logins and logouts,
as well as all page requests. If the browser was pre-fetching the logout
page, we'd have 'user logout' entries in our logs, but the only notices
we have are for users logging in. If users were being logged out because
of pre-fetching, I'd expect to see each login entry have a corresponding
logout entry.

> Is the potential for cached pages to be returned for a user NOT logged in?

Any pages which a user has viewed whilst logged in shouldn't be cached,
assuming the browser is respecting the headers. They are all sent with:

Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:20, vikash.i...@gmail.com wrote:
> Just confirm once that you are not calling session_destroy somewhere.

The only place session_destroy is called is in the logout function,
which itself is only called if a user clicks the logout link.


--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 12:15, Richard Quadling wrote:
> How do you handle multiple logins?
>
> If I login using my laptop and get Session A for my account and then I
> login using my desktop and get Session B for my account, does Session
> A get killed?

Session A is killed, your last login is always the current one.

> Do you allow multiple, simultaneous logins per account?

No, but then each user is accessing their account from a single machine
and browser anyway (i.e. they don't switch from desktop to laptop and
then back again), so we don't even have people trying to have
simultaneous logins.


--
Paul Waring
http://www.phpdeveloper.org.uk
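
The login test Paul describes in this thread (two $_SESSION values matched against the database, plus a one-hour idle limit) combined with the "last login wins" rule above, as an added example that is not the site's code. It records a reason for every bounce to the login form so the audit log can tell the causes apart; the field names, the token scheme and the sample timeline are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. The field names ('userid',
// 'token', 'last_seen') and the reason strings are assumptions.

const IDLE_LIMIT = 3600; // "less than one hour ago"

/**
 * Decide whether a request may proceed, and if not, say why.
 *
 * @param array      $session contents of $_SESSION for this request
 * @param array|null $account stored row for $session['userid'], or null
 * @param int        $now     current Unix time
 * @return string 'ok', or the reason for sending the user to the login form
 */
function check_session(array $session, ?array $account, int $now): string
{
    if (!isset($session['userid'], $session['token'])) {
        // The cookie was not returned, or the server-side data is gone.
        return 'no_session_data';
    }
    if ($account === null) {
        return 'unknown_user';
    }
    if (!hash_equals((string) $account['token'], (string) $session['token'])) {
        // A later login replaced the stored token: "last login wins".
        return 'superseded_by_newer_login';
    }
    if ($now - (int) $account['last_seen'] >= IDLE_LIMIT) {
        return 'idle_timeout';
    }
    return 'ok';
}

/** A login stores a fresh token, which invalidates any earlier session. */
function issue_login(array &$accounts, string $userid, int $now): array
{
    $token = bin2hex(random_bytes(16));
    $accounts[$userid] = array('token' => $token, 'last_seen' => $now);
    return array('userid' => $userid, 'token' => $token);
}

/** One page request: validate, refresh last_seen on success, log the outcome. */
function handle_request(array &$accounts, array $session, int $now, array &$log): string
{
    $userid  = isset($session['userid']) ? $session['userid'] : null;
    $account = ($userid !== null && isset($accounts[$userid])) ? $accounts[$userid] : null;
    $result  = check_session($session, $account, $now);
    if ($result === 'ok') {
        $accounts[$userid]['last_seen'] = $now;
    }
    $log[] = sprintf(
        '%s user=%s result=%s',
        gmdate('H:i:s', $now),
        $userid === null ? '-' : $userid,
        $result
    );
    return $result;
}

// Constructed timeline (not data from the thread).
$accounts = array();
$log = array();
$t0 = 1315390800;

$laptop = issue_login($accounts, 'alice', $t0);
handle_request($accounts, $laptop, $t0 + 60, $log);    // page view from the laptop
$desktop = issue_login($accounts, 'alice', $t0 + 120); // same account, second browser
handle_request($accounts, $laptop, $t0 + 180, $log);   // laptop again, old token
handle_request($accounts, $desktop, $t0 + 240, $log);  // desktop page view
handle_request($accounts, array(), $t0 + 300, $log);   // request with empty $_SESSION
handle_request($accounts, $desktop, $t0 + 240 + IDLE_LIMIT, $log); // an hour later

echo implode("\n", $log), "\n";
```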




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread vikash . iitb
Just confirm once that you are not calling session_destroy somewhere.


Thanks,
Vikash Kumar
--
http://vika.sh


On 7 September 2011 16:46, Richard Quadling  wrote:

> On 7 September 2011 11:20, Paul Waring  wrote:
> > Can anyone suggest things which I could try? I cannot work out why this
> > problem is happening for some users but not me.
>
> For browsers/extensions that do automatic read ahead (I load page A
> and linked pages B and C are also retrieved).
>
> Is the potential for cached pages to be returned for a user NOT logged in?
>
>
>
> --
> Richard Quadling
> Twitter : EE : Zend : PHPDoc
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
>


Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Richard Quadling
On 7 September 2011 11:20, Paul Waring  wrote:
> Can anyone suggest things which I could try? I cannot work out why this
> problem is happening for some users but not me.

For browsers/extensions that do automatic read ahead (I load page A
and linked pages B and C are also retrieved).

Is the potential for cached pages to be returned for a user NOT logged in?



-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Richard Quadling
On 7 September 2011 11:20, Paul Waring  wrote:
> I'm having trouble with a PHP website which requires users to be logged in
> to access all content other than the home page and a couple of static pages
> (about us, contact us etc.). Several users have said they are being logged
> out every few minutes whilst using the site - they can login but will be
> shown the login form again after a few minutes. I can't confirm this myself
> as the site seems to work fine for me - even using the same browser as they
> are and under their accounts - but I'm wondering if this could be a problem
> with the session settings?
>
> The current settings I have are:
>
> session.auto_start      Off
> session.bug_compat_42   On
> session.bug_compat_warn On
> session.cache_expire    180
> session.cache_limiter   nocache
> session.cookie_domain   no value
> session.cookie_httponly Off
> session.cookie_lifetime 0
> session.cookie_path     /
> session.cookie_secure   Off
> session.entropy_file    no value
> session.entropy_length  0
> session.gc_divisor      100
> session.gc_maxlifetime  3600
> session.gc_probability  1
> session.hash_bits_per_character 4
> session.hash_function   0
> session.name    PHPSESSID
> session.referer_check   no value
> session.save_handler    files
> session.save_path       /shared/sessions
> session.serialize_handler       php
> session.use_cookies     On
> session.use_only_cookies        Off
> session.use_trans_sid   0
>
> The only options I have changed from the defaults are gc_maxlifetime,
> gc_probability and save_path. There are several sites on the same server,
> some are https, others just plain http. They all use the same session
> options. session_start() is called once on every page.
>
> The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch
> 0.9.6.2 (cli) (built: Jul  1 2011 16:01:01). I'm aware it's an old version
> before anyone tells me to upgrade (it's the latest stable version in Debian
> Lenny). :)
>
> Potential problems I have already ruled out:
>
> 1. I don't think it's a browser problem as the users have a variety of
> browsers and versions (we log the user agent for each login, they're mostly
> IE7/8 on XP/Vista/7 with a few Chrome users), and I can't reproduce the
> problem using the same browsers on my machine.
>
> 2. The server time is correct.
>
> 3. The sessions aren't stored in a directory which is being regularly
> cleared out, such as /var/lib/php5 or /tmp.
>
> 4. The web server has permission to write to the save_path directory, and I
> can see session files being created.
>
> 5. No output buffering functions are being used.
>
> Can anyone suggest things which I could try? I cannot work out why this
> problem is happening for some users but not me.
>
> Thanks in advance.
>
> Paul

How do you handle multiple logins?

If I login using my laptop and get Session A for my account and then I
login using my desktop and get Session B for my account, does Session
A get killed?

Do you allow multiple, simultaneous logins per account?



-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring

On 07/09/11 11:47, Nilesh Govindarajan wrote:
> On 09/07/2011 03:50 PM, Paul Waring wrote:
> > I'm having trouble with a PHP website which requires users to be logged
> > in to access all content other than the home page and a couple of static
> > pages (about us, contact us etc.). Several users have said they are
> > being logged out every few minutes whilst using the site - they can
> > login but will be shown the login form again after a few minutes. I
> > can't confirm this myself as the site seems to work fine for me - even
> > using the same browser as they are and under their accounts - but I'm
> > wondering if this could be a problem with the session settings?
>
> You have set gc_maxlifetime to 3600 seconds. How much expire time have
> you set?
> Because, every 3600 seconds, session data stored is considered as
> garbage and php clears them out itself.

Yes, I'm aware of that. However, users are being logged out after a few
minutes, not one hour of inactivity (which is what I'd expect with 3600
seconds).

> If your expiration time is more than 3600 seconds, then this will not
> work. You need to increase gc_maxlifetime.

If you mean the expiration time of the session cookie, it is set to 0,
which means it shouldn't be deleted until the browser is closed (or the
user logs out, at which point it is deleted immediately).

Paul

--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] PHP sessions expiring early

2011-09-07 Thread Nilesh Govindarajan
On 09/07/2011 03:50 PM, Paul Waring wrote:
> I'm having trouble with a PHP website which requires users to be logged
> in to access all content other than the home page and a couple of static
> pages (about us, contact us etc.). Several users have said they are
> being logged out every few minutes whilst using the site - they can
> login but will be shown the login form again after a few minutes. I
> can't confirm this myself as the site seems to work fine for me - even
> using the same browser as they are and under their accounts - but I'm
> wondering if this could be a problem with the session settings?
> 

You have set gc_maxlifetime to 3600 seconds. How much expire time have
you set?
Because, every 3600 seconds, session data stored is considered as
garbage and php clears them out itself.

If your expiration time is more than 3600 seconds, then this will not
work. You need to increase gc_maxlifetime.

For the other case, I'm clueless.

-- 
Nilesh Govindarajan
http://nileshgr.com
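
A check for the garbage-collection rule discussed above, as an added example (not code from the thread): with the `files` handler a session file becomes eligible for deletion once its modification time is older than `session.gc_maxlifetime`, and when several sites write to one `save_path`, a GC run started by any of them applies that site's lifetime to every file there. The helper names, directory and file ages are constructed; PHP 7 or later.

```php
<?php
// Added example, not code from the thread. The directory, file names and
// ages are constructed; pass a real save_path to gc_candidates() to use it.

/**
 * List the session files a GC run of the files handler would delete:
 * those whose modification time is more than $maxlifetime seconds old.
 * Returns file name => age in seconds.
 */
function gc_candidates(string $dir, int $maxlifetime, int $now): array
{
    $stale = array();
    $files = glob(rtrim($dir, '/') . '/sess_*');
    foreach ($files === false ? array() : $files as $file) {
        $age = $now - filemtime($file);
        if ($age > $maxlifetime) {
            $stale[basename($file)] = $age;
        }
    }
    ksort($stale);
    return $stale;
}

/** Chance that a single session_start() call triggers a GC run. */
function gc_chance(int $probability, int $divisor): float
{
    return $divisor > 0 ? $probability / $divisor : 0.0;
}

/** Build a throwaway directory holding session files of known ages. */
function build_sample_dir(int $now): string
{
    $dir = sys_get_temp_dir() . '/gc_demo_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    $ages = array(
        'sess_a' => 300,  // active five minutes ago
        'sess_b' => 1500, // idle 25 minutes
        'sess_c' => 2400, // idle 40 minutes
        'sess_d' => 4000, // idle over an hour
    );
    foreach ($ages as $name => $age) {
        touch($dir . '/' . $name, $now - $age);
    }
    return $dir;
}

$now = time();
$dir = build_sample_dir($now);

// gc_probability = 1 and gc_divisor = 100, as in the settings listed in the thread.
printf("GC runs on about %.0f%% of session_start() calls\n", 100 * gc_chance(1, 100));

// 3600 is the value from the 2011 post, 1440 the value from the 2010 post.
foreach (array(3600, 1440) as $maxlifetime) {
    $stale = gc_candidates($dir, $maxlifetime, $now);
    printf(
        "gc_maxlifetime=%d would delete: %s\n",
        $maxlifetime,
        implode(', ', array_keys($stale))
    );
}

// Remove the constructed files again.
array_map('unlink', glob($dir . '/sess_*'));
rmdir($dir);
```

Run against the real `save_path` with each site's own `gc_maxlifetime`, the same function shows whether any site sharing the directory would collect files that another site still treats as live.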




[PHP] PHP sessions expiring early

2011-09-07 Thread Paul Waring
I'm having trouble with a PHP website which requires users to be logged 
in to access all content other than the home page and a couple of static 
pages (about us, contact us etc.). Several users have said they are 
being logged out every few minutes whilst using the site - they can 
login but will be shown the login form again after a few minutes. I 
can't confirm this myself as the site seems to work fine for me - even 
using the same browser as they are and under their accounts - but I'm 
wondering if this could be a problem with the session settings?


The current settings I have are:

session.auto_start               Off
session.bug_compat_42            On
session.bug_compat_warn          On
session.cache_expire             180
session.cache_limiter            nocache
session.cookie_domain            no value
session.cookie_httponly          Off
session.cookie_lifetime          0
session.cookie_path              /
session.cookie_secure            Off
session.entropy_file             no value
session.entropy_length           0
session.gc_divisor               100
session.gc_maxlifetime           3600
session.gc_probability           1
session.hash_bits_per_character  4
session.hash_function            0
session.name                     PHPSESSID
session.referer_check            no value
session.save_handler             files
session.save_path                /shared/sessions
session.serialize_handler        php
session.use_cookies              On
session.use_only_cookies         Off
session.use_trans_sid            0

The only options I have changed from the defaults are gc_maxlifetime, 
gc_probability and save_path. There are several sites on the same 
server, some are https, others just plain http. They all use the same 
session options. session_start() is called once on every page.


The PHP version we're running is: PHP 5.2.6-1+lenny13 with Suhosin-Patch 
0.9.6.2 (cli) (built: Jul  1 2011 16:01:01). I'm aware it's an old 
version before anyone tells me to upgrade (it's the latest stable 
version in Debian Lenny). :)


Potential problems I have already ruled out:

1. I don't think it's a browser problem as the users have a variety of 
browsers and versions (we log the user agent for each login, they're 
mostly IE7/8 on XP/Vista/7 with a few Chrome users), and I can't 
reproduce the problem using the same browsers on my machine.


2. The server time is correct.

3. The sessions aren't stored in a directory which is being regularly 
cleared out, such as /var/lib/php5 or /tmp.


4. The web server has permission to write to the save_path directory, 
and I can see session files being created.


5. No output buffering functions are being used.

Can anyone suggest things which I could try? I cannot work out why this 
problem is happening for some users but not me.


Thanks in advance.

Paul

--
Paul Waring
http://www.phpdeveloper.org.uk




Re: [PHP] Sessions - More Info

2011-03-31 Thread Boers Steven



> Dear List -
>
> Thank you for your help in the past.  This is an update on my session
> problems.
>
> Here is a simple test program.  It never increments the session counter;
> ie, does not detect that $_SESSION has been set.
>
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
>
> http://www.w3.org/1999/xhtml";>
>
> I have no idea what is wrong.
>
> I need to make my session variables work so that I can finish a project.
>
> Help and advice, please.
>
> Ethan Rosenberg
>
> MySQL 5.1  PHP 5.3.3-6  Linux [Debian (sid)]

I tried your code on my testing computer (PHP 5.2.14) and everything works
fine. $_SESSION['views'] is counting up correctly. Maybe a problem with your
configuration?

Best regards.
Steven





Re: [PHP] Sessions - More Info - SOLVED

2011-03-30 Thread Ethan Rosenberg

At 07:28 PM 3/30/2011, Ashley Sheridan wrote:

On Wed, 2011-03-30 at 19:20 -0400, Ethan Rosenberg wrote:

> Dear List -
>
> Thank you for your help in the past.  This is an update on my
> session problems.
>
> Here is a simple test program.  It never increments the session
> counter; ie, does not detect that $_SESSION has been set.
>
> 
>
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> http://www.w3.org/1999/xhtml";>
> 
> 
>
> 
>
> if(isset($_SESSION['views']))
> $_SESSION['views']=$_SESSION['views']+1;
> else
> $_SESSION['views']=1;
> echo "Views=". $_SESSION['views'];
> ?>
>  
> 
>
> I have no idea what is wrong.
>
> I need to make my session variables work so that I can finish a project.
>
> Help and advice, please.
>
> Ethan Rosenberg
>
> MySQL 5.1  PHP 5.3.3-6  Linux [Debian (sid)]
>
>
>


That code works perfectly for me, only thing I would change is the

$_SESSION['views']=$_SESSION['views']+1;

line to

$_SESSION['views']++;

for readability. If you're using Firefox, grab the Firebug plugin, which
should show you the headers that are being sent to and from the server
to the browser. From that, you might get an idea why the sessions don't
seem to be working. Just to make sure, turn on display_errors in your
php.ini file and restart Apache. Some whitespace (space or new line, for
example) before that first http://www.ashleysheridan.co.uk


++
Ash -

Thanks.

What did it was to 1] explicitly declare the character set and 2] 
close and restart Apache.


Ethan 







Re: [PHP] Sessions - More Info

2011-03-30 Thread Ashley Sheridan
On Wed, 2011-03-30 at 19:20 -0400, Ethan Rosenberg wrote:

> Dear List -
> 
> Thank you for your help in the past.  This is an update on my session problems.
> 
> Here is a simple test program.  It never increments the session 
> counter; ie, does not detect that $_SESSION has been set.
> 
> 
> 
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> http://www.w3.org/1999/xhtml";>
> 
> 
> 
>  
> 
> if(isset($_SESSION['views']))
> $_SESSION['views']=$_SESSION['views']+1;
> else
> $_SESSION['views']=1;
> echo "Views=". $_SESSION['views'];
> ?>
>  
> 
> 
> I have no idea what is wrong.
> 
> I need to make my session variables work so that I can finish a project.
> 
> Help and advice, please.
> 
> Ethan Rosenberg
> 
> MySQL 5.1  PHP 5.3.3-6  Linux [Debian (sid)] 
> 
> 
> 


That code works perfectly for me, only thing I would change is the

$_SESSION['views']=$_SESSION['views']+1;

line to

$_SESSION['views']++;

for readability. If you're using Firefox, grab the Firebug plugin, which
should show you the headers that are being sent to and from the server
to the browser. From that, you might get an idea why the sessions don't
seem to be working. Just to make sure, turn on display_errors in your
php.ini file and restart Apache. Some whitespace (space or new line, for
example) before that first http://www.ashleysheridan.co.uk




[PHP] Sessions - More Info

2011-03-30 Thread Ethan Rosenberg

Dear List -

Thank you for your help in the past.  This is an update on my session problems.

Here is a simple test program.  It never increments the session 
counter; ie, does not detect that $_SESSION has been set.




"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>

http://www.w3.org/1999/xhtml";>







I have no idea what is wrong.

I need to make my session variables work so that I can finish a project.

Help and advice, please.

Ethan Rosenberg

MySQL 5.1  PHP 5.3.3-6  Linux [Debian (sid)] 







Re: [PHP] PHP sessions - users being automatically logged out

2010-11-04 Thread Paul Waring

On 04/11/10 14:56, Alexander Holodny wrote:
> Inc session.cache_expire. You have only 3 minutes.
> This means browser will drop cookie containing session id in three
> minutes, or even less, of client's inactivity.

According to the PHP manual:

"session.cache_expire specifies time-to-live for cached session pages in
minutes, this has no effect for nocache limiter."

So the value of session.cache_expire should be ignored, as
session.cache_limiter is set to nocache.

Paul




Re: [PHP] PHP sessions - users being automatically logged out

2010-11-04 Thread Alexander Holodny
Inc session.cache_expire. You have only 3 minutes.
This means browser will drop cookie containing session id in three
minutes, or even less, of client's inactivity.
I prefer to set expire-time to zero. So, browser will never forget session id.
In other case, if security requires, I usually set it to 24 hours, to
avoid some mystic problems, in case of misconfigured servers and/or
clients' TZ; they are rare.

2010/11/4, Paul Waring:
> I'm having trouble with a PHP site whereby some users are being logged
> out on a regular basis. This will usually happen after they have been
> using the site for a few minutes, they can login without any problems
> and access a few pages, but then suddenly they will request a page and
> be sent to the login form, which suggests that their session no longer
> exists. However, this doesn't affect all users - I can login and use the
> application without any problems, as can some other users.
>
> According to phpinfo(), the following session values are set (all are
> what I'd expect - either the default or something I've deliberately
> changed):
>
> session.auto_start = Off
> session.bug_compat_42 = On
> session.bug_compat_warn = On
> session.cache_expire = 180
> session.cache_limiter = nocache
> session.cookie_domain = no value
> session.cookie_httponly = Off
> session.cookie_lifetime = 0
> session.cookie_path = /
> session.cookie_secure = Off
> session.entropy_file = no value
> session.entropy_length = 0
> session.gc_divisor = 100
> session.gc_maxlifetime = 1440
> session.gc_probability = 1
> session.hash_bits_per_character = 4
> session.hash_function = 0
> session.name = PHPSESSID
> session.referer_check = no value
> session.save_handler = files
> session.save_path = /shared/sessions
> session.serialize_handler = php
> session.use_cookies = On
> session.use_only_cookies = Off
> session.use_trans_sid = 0
>
> I've tried checking a few obvious things:
>
> * IP addresses - the site doesn't use the IP address as part of the
> authentication process, and almost all our users (including the ones
> experiencing problems) have static IP addresses anyway.
>
> * Number of sessions - there are between 40-60 session files on disk at
> any one time, so I doubt there's a "maximum number of session files"
> limit being broken, if such a configuration option exists.
>
> * Permissions - the web server user (www-data) has read/write
> permissions to the directory where the sessions are stored and all the
> files within it, and they are all owned by this user.
>
> Is there anything else obvious which could be causing the problem? This
> seemed to occur when we moved hosts, and I haven't changed the site's
> session handling code for some time, so I suspect it might be a
> configuration issue but can't figure out what.
>
> Thanks,
>
> Paul
>




[PHP] PHP sessions - users being automatically logged out

2010-11-04 Thread Paul Waring
I'm having trouble with a PHP site whereby some users are being logged 
out on a regular basis. This will usually happen after they have been 
using the site for a few minutes, they can login without any problems 
and access a few pages, but then suddenly they will request a page and 
be sent to the login form, which suggests that their session no longer 
exists. However, this doesn't affect all users - I can login and use the 
application without any problems, as can some other users.


According to phpinfo(), the following session values are set (all are 
what I'd expect - either the default or something I've deliberately 
changed):


session.auto_start = Off
session.bug_compat_42 = On
session.bug_compat_warn = On
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain = no value
session.cookie_httponly = Off
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_secure = Off
session.entropy_file = no value
session.entropy_length = 0
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.gc_probability = 1
session.hash_bits_per_character = 4
session.hash_function = 0
session.name = PHPSESSID
session.referer_check = no value
session.save_handler = files
session.save_path = /shared/sessions
session.serialize_handler = php
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0

I've tried checking a few obvious things:

* IP addresses - the site doesn't use the IP address as part of the 
authentication process, and almost all our users (including the ones 
experiencing problems) have static IP addresses anyway.


* Number of sessions - there are between 40-60 session files on disk at 
any one time, so I doubt there's a "maximum number of session files" 
limit being broken, if such a configuration option exists.


* Permissions - the web server user (www-data) has read/write 
permissions to the directory where the sessions are stored and all the 
files within it, and they are all owned by this user.


Is there anything else obvious which could be causing the problem? This 
seemed to occur when we moved hosts, and I haven't changed the site's 
session handling code for some time, so I suspect it might be a 
configuration issue but can't figure out what.


Thanks,

Paul




Re: [PHP] Sessions only work in SSL

2010-10-19 Thread Daniel Houle

On 10/19/2010 09:41 AM, Andrew Ballard wrote:
> On Mon, Oct 18, 2010 at 8:46 PM, Daniel Houle wrote:
> > I have a strange issue here.  I am running a CentOS machine, with
> >
> > apache 2.2.3
> > php 5.1.6
> > kernel 2.6.18-194.8.1.el5xen
> >
> > My sessions will work using https, but not using simple http.  I've compared
> > my configs with another identical machine which works with both, and I can't
> > figure out why.  Anyone got an idea?
> >
> > Here's the simple script I run to test.
> >
> > <?php
> > session_start();
> >
> > echo 'session started';
> >
> > if (isset($_SESSION['name'])) {
> >   echo '' . $_SESSION['name'];
> >   session_destroy();
> > } else {
> >   echo 'No session found';
> >   $_SESSION['name'] = 'My session';
> > }
> >
> > phpinfo();
> > ?>
>
> Are you sure session.cookie_secure is not turned on somewhere?
>
> Andrew

No, it was not set anywhere.  But I did add it in with

session.cookie_secure 0

and it solved my issue.  Thank you very much Andrew!




Re: [PHP] Sessions only work in SSL

2010-10-19 Thread Andrew Ballard
On Mon, Oct 18, 2010 at 8:46 PM, Daniel Houle  wrote:
> I have a strange issue here.  I am running a CentOS machine, with
>
> apache 2.2.3
> php 5.1.6
> kernel 2.6.18-194.8.1.el5xen
>
> My sessions will work using https, but not using simple http.  I've compared
> my configs with another identical machine which works with both, and I can't
> figure out why.  Anyone got an idea?
>
> Here's the simple script I run to test.
>
> <?php
> session_start();
>
> echo 'session started';
>
> if (isset($_SESSION['name'])) {
>  echo '' . $_SESSION['name'];
>  session_destroy();
> } else {
>  echo 'No session found';
>  $_SESSION['name'] = 'My session';
> }
>
> phpinfo();
> ?>
>

Are you sure session.cookie_secure is not turned on somewhere?

Andrew




[PHP] Sessions only work in SSL

2010-10-19 Thread Daniel Houle

I have a strange issue here.  I am running a CentOS machine, with

apache 2.2.3
php 5.1.6
kernel 2.6.18-194.8.1.el5xen

My sessions will work using https, but not using simple http.  I've 
compared my configs with another identical machine which works with 
both, and I can't figure out why.  Anyone got an idea?


Here's the simple script I run to test.

<?php
session_start();

echo 'session started';

if (isset($_SESSION['name'])) {
  echo '' . $_SESSION['name'];
  session_destroy();
} else {
  echo 'No session found';
  $_SESSION['name'] = 'My session';
}

phpinfo();
?>




Re: [PHP] Sessions and Security Concerns

2010-03-29 Thread Nathan Rixham
Ashley Sheridan wrote:
> On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote:
> 
>> Hi,
>>
>> I'm just wondering whether there are any apparent security concerns I should
>> be aware of when using sessions in my PHP scripts. I understand that
>> sessions are tracked with an individual user via a session ID which is
>> stored in a temporary location on the server, as well as a PHPSESSID cookie
>> assigned to the end user's client, but the server my website is hosted on
>> (and which I'll be developing my PHP script on) doesn't allow you to create
>> a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
>> the server can generate a session ID for the end user when I call the
>> session_start function? So do I still need to call session_regenerate_id for
>> security purposes when an end user has entered the correct login credentials
>> - would this be necessary since you can't set a session ID via the URL?
>>
>> Thanks,
>> Ben.
> 
> 
> Just setting a URL variable won't actually create a session, you have to
> use the PHP session functions to create one.
> 
> Using session_regenerate_id() won't do that much for security. If you
> are really worried, then consider a security certificate. Even a
> self-issued one is better than nothing, and you can generate these for
> free.

worth noting that you can also issue client side ssl certificates to
your users; 100% secure, self-signed thus free, either by creating a
pki12 w/ php or by using the html KEYGEN element - the ssl cert installs
directly in the user's browser. You can use the subjectAltName attribute
of the certificate to save a user's unique id.

And thus, 0 click login, perfectly secure auth all done through https -
further meaning you can completely negate sessions/cookies and all the
related insecurities.

further still, you can boot this up to foaf+ssl giving users one unique
web id for themselves, and in full control of their own profile / login
etc; (like openid done right and on steroids)

Will be the defacto industry standard in a couple of years, so may as
well adopt early.

Regards!




Re: [PHP] Sessions and Security Concerns

2010-03-29 Thread Ashley Sheridan
On Mon, 2010-03-29 at 12:24 +0100, Ben Stones wrote:

> Hi,
> 
> I'm just wondering whether there are any apparent security concerns I should
> be aware of when using sessions in my PHP scripts. I understand that
> sessions are tracked with an individual user via a session ID which is
> stored in a temporary location on the server, as well as a PHPSESSID cookie
> assigned to the end user's client, but the server my website is hosted on
> (and which I'll be developing my PHP script on) doesn't allow you to create
> a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
> the server can generate a session ID for the end user when I call the
> session_start function? So do I still need to call session_regenerate_id for
> security purposes when an end user has entered the correct login credentials
> - would this be necessary since you can't set a session ID via the URL?
> 
> Thanks,
> Ben.


Just setting a URL variable won't actually create a session, you have to
use the PHP session functions to create one.

Using session_regenerate_id() won't do that much for security. If you
are really worried, then consider a security certificate. Even a
self-issued one is better than nothing, and you can generate these for
free.

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] Sessions and Security Concerns

2010-03-29 Thread Ben Stones
Hi,

I'm just wondering whether there are any apparent security concerns I should
be aware of when using sessions in my PHP scripts. I understand that
sessions are tracked with an individual user via a session ID which is
stored in a temporary location on the server, as well as a PHPSESSID cookie
assigned to the end user's client, but the server my website is hosted on
(and which I'll be developing my PHP script on) doesn't allow you to create
a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
the server can generate a session ID for the end user when I call the
session_start function? So do I still need to call session_regenerate_id for
security purposes when an end user has entered the correct login credentials
- would this be necessary since you can't set a session ID via the URL?

Thanks,
Ben.


Re: Re[2]: [PHP] Re: PHP Sessions

2010-03-13 Thread Ashley Sheridan
On Sat, 2010-03-13 at 12:49 +0200, Andre Polykanine wrote:

> Hello Ashley,
> 
> And if the site is full of that code?)) I think it's worth to learn
> what's really the reason of the fact that it doesn't work. Besides
> that, it's more readable for me.
> And the right thing that was said here is the following: check the
> php.ini settings and change them if possible.
> 


If the site is full of that code I'd make a start on replacing it. A
simple find/replace will work in cases like this.

I try to write my code so that I don't have to make unnecessary changes
to my php.ini. For example, what if I don't have access to my php.ini
and can't set a directive in my .htaccess file? What if I'm sharing my
code with someone? What if I need to work with outputting XML headers?
All of these factors I think outweigh any gains I would get from short
tags.

As for readability, I tend to use a text editor with syntax highlighting
which makes my code readable.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re[2]: [PHP] Re: PHP Sessions

2010-03-13 Thread Andre Polykanine
Hello Ashley,

And if the site is full of that code?)) I think it's worth to learn
what's really the reason of the fact that it doesn't work. Besides
that, it's more readable for me.
And the right thing that was said here is the following: check the
php.ini settings and change them if possible.

-- 
With best regards from Ukraine,
Andre
Skype: Francophile; Wlm&MSN: arthaelon @ yandex.ru; Jabber: arthaelon @ 
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule

- Original message -
From: Ashley Sheridan 
To: Andre Polykanine 
Date: Saturday, March 13, 2010, 12:33:46 PM
Subject: [PHP] Re: PHP Sessions

On Sat, 2010-03-13 at 12:22 +0200, Andre Polykanine wrote:

> Hello Martine,
> 
> As you have been already told, the  is not always supported.
> However I'd suggest you to do the following (since I love this form of
> tag):
>  «»
> 
>  Note: I put within the tag only the variable.
> 
> -- 
> With best regards from Ukraine,
> Andre
> Skype: Francophile; Wlm&MSN: arthaelon @ yandex.ru; Jabber: arthaelon @ 
> jabber.org
> Yahoo! messenger: andre.polykanine; ICQ: 191749952
> Twitter: m_elensule
> 
> - Original message -
> From: Martine Osias 
> To: php-general@lists.php.net 
> Date: Saturday, March 13, 2010, 4:33:34 AM
> Subject: [PHP] Re: PHP Sessions
> 
> The sessions variables are OK. They don't print when I put them on the HTML 
> page with this code.
> 
> 
>  
>  
> 
> 
>   align="right">
>  
> 
> Thank you.
> 
> 
> Martine
> 
> ""Martine Osias""  wrote in message 
> news:95.0c.13686.c7cda...@pb1.pair.com...
> > Hi:
> >
> > I need to store variables to send them between pages. I don't need the
> > variables in a database so I try to send them with sessions. The variables 
> > don't seem to be there when I try to get them. What could be the problem. 
> > Here are the pages where I store and retrieve the variables.
> >
> > Page 1 (variables stored):
> >
> >  >
> > session_start();
> >
> > $_SESSION['scripture_text']  = $row_scripture['ScriptureText'];
> > $_SESSION['scripture_ref']  = $row_scripture['ScriptureRef'];
> >
> > ?>
> >
> > Page 2 (variables retrieved):
> >
> >  > session_start();
> > include("includes/config.php");
> > ?>
> >  > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> > http://www.w3.org/1999/xhtml";>
> > 
> > 
> > 
> >
> > 
> >
> > 
> > 
> > 
> >
> > 
> >  > align="right">
> > 
> >
> > 
> >
> > 
> > 
> >
> > 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


That's still using short tags. The time you save on typing is nothing
compared to the time you spend trying to figure out why your script
doesn't work since you moved servers, or copied it to your live server,
or why you are having trouble using XML...

Thanks,
Ash
http://www.ashleysheridan.co.uk







Re: [PHP] Re: PHP Sessions

2010-03-13 Thread Ashley Sheridan
On Sat, 2010-03-13 at 12:22 +0200, Andre Polykanine wrote:

> Hello Martine,
> 
> As you have been already told, the  is not always supported.
> However I'd suggest you to do the following (since I love this form of
> tag):
>  «»
> 
>  Note: I put within the tag only the variable.
> 
> -- 
> With best regards from Ukraine,
> Andre
> Skype: Francophile; Wlm&MSN: arthaelon @ yandex.ru; Jabber: arthaelon @ 
> jabber.org
> Yahoo! messenger: andre.polykanine; ICQ: 191749952
> Twitter: m_elensule
> 
> - Original message -
> From: Martine Osias 
> To: php-general@lists.php.net 
> Date: Saturday, March 13, 2010, 4:33:34 AM
> Subject: [PHP] Re: PHP Sessions
> 
> The sessions variables are OK. They don't print when I put them on the HTML 
> page with this code.
> 
> 
>  
>  
> 
> 
>   align="right">
>  
> 
> Thank you.
> 
> 
> Martine
> 
> ""Martine Osias""  wrote in message 
> news:95.0c.13686.c7cda...@pb1.pair.com...
> > Hi:
> >
> > I need to store variables to send them between pages. I don't need the
> > variables in a database so I try to send them with sessions. The variables 
> > don't seem to be there when I try to get them. What could be the problem. 
> > Here are the pages where I store and retrieve the variables.
> >
> > Page 1 (variables stored):
> >
> >  >
> > session_start();
> >
> > $_SESSION['scripture_text']  = $row_scripture['ScriptureText'];
> > $_SESSION['scripture_ref']  = $row_scripture['ScriptureRef'];
> >
> > ?>
> >
> > Page 2 (variables retrieved):
> >
> >  > session_start();
> > include("includes/config.php");
> > ?>
> >  > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> > http://www.w3.org/1999/xhtml";>
> > 
> > 
> > 
> >
> > 
> >
> > 
> > 
> > 
> >
> > 
> >  > align="right">
> > 
> >
> > 
> >
> > 
> > 
> >
> > 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


That's still using short tags. The time you save on typing is nothing
compared to the time you spend trying to figure out why your script
doesn't work since you moved servers, or copied it to your live server,
or why you are having trouble using XML...

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] Re: PHP Sessions

2010-03-13 Thread Andre Polykanine
Hello Martine,

As you have been already told, the  is not always supported.
However I'd suggest you to do the following (since I love this form of
tag):
 «»

 Note: I put within the tag only the variable.

-- 
With best regards from Ukraine,
Andre
Skype: Francophile; Wlm&MSN: arthaelon @ yandex.ru; Jabber: arthaelon @ 
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule

- Original message -
From: Martine Osias 
To: php-general@lists.php.net 
Date: Saturday, March 13, 2010, 4:33:34 AM
Subject: [PHP] Re: PHP Sessions

The sessions variables are OK. They don't print when I put them on the HTML 
page with this code.


 
 


 
 

Thank you.


Martine

""Martine Osias""  wrote in message 
news:95.0c.13686.c7cda...@pb1.pair.com...
> Hi:
>
> I need to store variables to send them between pages. I don't need the
> variables in a database so I try to send them with sessions. The variables 
> don't seem to be there when I try to get them. What could be the problem. 
> Here are the pages where I store and retrieve the variables.
>
> Page 1 (variables stored):
>
> 
> session_start();
>
> $_SESSION['scripture_text']  = $row_scripture['ScriptureText'];
> $_SESSION['scripture_ref']  = $row_scripture['ScriptureRef'];
>
> ?>
>
> Page 2 (variables retrieved):
>
>  session_start();
> include("includes/config.php");
> ?>
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> http://www.w3.org/1999/xhtml";>
> 
> 
> 
>
> 
>
> 
> 
> 
>
> 
>  align="right">
> 
>
> 
>
> 
> 
>
> 





Re: [PHP] Re: PHP Sessions

2010-03-13 Thread Ashley Sheridan
On Fri, 2010-03-12 at 21:33 -0500, Martine Osias wrote:

> The sessions variables are OK. They don't print when I put them on the HTML 
> page with this code.
> 
> 
>  
>  
> 
> 
>   align="right">
>  
> 
> Thank you.
> 
> 
> Martine
> 
> ""Martine Osias""  wrote in message 
> news:95.0c.13686.c7cda...@pb1.pair.com...
> > Hi:
> >
> > I need to store variables to send them between pages. I don't need the
> > variables in a database so I try to send them with sessions. The variables 
> > don't seem to be there when I try to get them. What could be the problem. 
> > Here are the pages where I store and retrieve the variables.
> >
> > Page 1 (variables stored):
> >
> >  >
> > session_start();
> >
> > $_SESSION['scripture_text']  = $row_scripture['ScriptureText'];
> > $_SESSION['scripture_ref']  = $row_scripture['ScriptureRef'];
> >
> > ?>
> >
> > Page 2 (variables retrieved):
> >
> >  > session_start();
> > include("includes/config.php");
> > ?>
> >  > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> > http://www.w3.org/1999/xhtml";>
> > 
> > 
> > 
> >
> > 
> >
> > 
> > 
> > 
> >
> > 
> >  > align="right">
> > 
> >
> > 
> >
> > 
> > 
> >
> > 
> 
> 


Don't use 

Short tags end up causing more problems than they solve sometimes...

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] Re: PHP Sessions

2010-03-12 Thread Martine Osias
The sessions variables are OK. They don't print when I put them on the HTML 
page with this code.







align="right">



Thank you.


Martine

""Martine Osias""  wrote in message 
news:95.0c.13686.c7cda...@pb1.pair.com...

Hi:

I need to store variables to send them between pages. I don't need the
variables in a database so I try to send them with sessions. The variables 
don't seem to be there when I try to get them. What could be the problem. 
Here are the pages where I store and retrieve the variables.


Page 1 (variables stored):



Page 2 (variables retrieved):


"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>

http://www.w3.org/1999/xhtml";>











align="right">















Re: [PHP] PHP Sessions

2010-03-12 Thread Andre Polykanine
Hello Martine,

Try to make on the second page a
print_r ($_SESSION);

-- 
With best regards from Ukraine,
Andre
Skype: Francophile; Wlm&MSN: arthaelon @ yandex.ru; Jabber: arthaelon @ 
jabber.org
Yahoo! messenger: andre.polykanine; ICQ: 191749952
Twitter: m_elensule

- Original message -
From: Martine Osias 
To: php-general@lists.php.net 
Date: Saturday, March 13, 2010, 2:29:41 AM
Subject: [PHP] PHP Sessions

Hi:

I need to store variables to send them between pages. I don't need the
variables in a database so I try to send them with sessions. The variables 
don't seem to be there when I try to get them. What could be the problem. 
Here are the pages where I store and retrieve the variables.

Page 1 (variables stored):



Page 2 (variables retrieved):


http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
http://www.w3.org/1999/xhtml";>







 
 


 
 











Re: [PHP] PHP Sessions

2010-03-12 Thread Kevin Kinsey


Forgot to mention, you could check into the privacy
vs. server settings by doing:

   session_start();
   echo session_id();

on both pages.  If they're different, then
this is the problem.

KDK




Re: [PHP] PHP Sessions

2010-03-12 Thread Kevin Kinsey

Martine Osias wrote:

Hi:

I need to store variables to send them between pages. I don't need the
variables in a database so I try to send them with sessions. The 
variables don't seem to be there when I try to get them. What could be 
the problem. Here are the pages where I store and retrieve the variables.


Page 1 (variables stored):



Do sessions work at all?  Something simple, like


Click me';
?>


*

 ... would be a good 1st test.

If that works, I'd suspect that $row_scripture['ScriptureText']
and friends are empty.

If it doesn't, I'd suspect a combination of very strict
browser privacy settings (disallow all cookies) with lame server
config (use_only_cookies), or that session support is missing
or disabled.

HTH,

KDK




Re: [PHP] PHP Sessions

2010-03-12 Thread Ashley Sheridan
On Fri, 2010-03-12 at 19:29 -0500, Martine Osias wrote:

> Hi:
> 
> I need to store variables to send them between pages. I don't need the
> variables in a database so I try to send them with sessions. The variables 
> don't seem to be there when I try to get them. What could be the problem. 
> Here are the pages where I store and retrieve the variables.
> 
> Page 1 (variables stored):
> 
>  
> session_start();
> 
> $_SESSION['scripture_text']  = $row_scripture['ScriptureText'];
> $_SESSION['scripture_ref']  = $row_scripture['ScriptureRef'];
> 
> ?>
> 
> Page 2 (variables retrieved):
> 
>  session_start();
> include("includes/config.php");
> ?>
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> http://www.w3.org/1999/xhtml";>
> 
> 
> 
> 
> 
> 
> 
>  
>  
> 
> 
>   align="right">
>  
> 
> 
> 
> 
> 
> 
> 
> 


Are there any errors, either displayed or in the error log?

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] PHP Sessions

2010-03-12 Thread Martine Osias

Hi:

I need to store variables to send them between pages. I don't need the
variables in a database so I try to send them with sessions. The variables 
don't seem to be there when I try to get them. What could be the problem. 
Here are the pages where I store and retrieve the variables.


Page 1 (variables stored):



Page 2 (variables retrieved):


"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>

http://www.w3.org/1999/xhtml";>











align="right">













Re: [PHP] Sessions across subdomains

2010-01-29 Thread Jochem Maas
On 1/30/10 2:25 AM, Ben Miller wrote:
> Hi, I've always thought that session data was subdomain specific and would
> not carry over between http://www.mydomain.com and
> https://secure.mydomain.com, but it seems to be working for me now.  Can I
> rely on this and post from http://www.mydomain.com to
> https://secure.mydomain.com and simply pass a hidden input containing
> PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
> at www.  and reset them as _SESSION vars at secure.
>  ? 
> 

1. cookies are shared automatically on SUB domains, so if you set your cookie domain
to example.com it will be available at both www.example.com and secure.example.com

2. cookies can have an HTTPS flag set which means they will not be shared with non-HTTPS
connections.

3. DON'T put the contents of $_SESSION on the wire. (given the question you're asking I'd
hazard a guess you don't have the skills to sufficiently

4. google/read/search/learn about the security implications of sharing a cookie between
HTTPS and non-HTTPS domains.

5. session_regenerate_id() - I would use this if you intend to pass session ids around,
although it will probably give you a stack of problems in terms of usability (e.g. back
button usage), actually I'd use it any time you log someone in or out or have a user
perform a particularly sensitive action.

6. the $_SESSION will only be available on both sites if they are both on the same server
and running with the same session ini settings (i.e. session save path, session name) -
different servers could obviously be using a shared filesystem or an alternative session
storage (e.g. memcached or database server).

7. consider not sharing the session - instead pass just the data that you need (e.g.
shopping basket contents etc) and either including a hash of the data (which uses a
secret string that is not included in the form/url/etc but that both servers/sites know
about AND/OR using 2-way public key encryption on the data that you pass in between the
servers/sites

personally for higher end commercial sites I prefer to just to put everything on HTTPS
solving all potential issues with sharing a cookie or data between nonHTTPS and HTTPS
sites, and everything directly related ... the cost being extra overhead per request -
but hardware is cheap and security is difficult to get exactly right.

the biggest names on the web have [had] security loopholes/problems related to these
issues, and they generally have tons of man power and some very clever/knowledgeable
people on their teams - which is to say: your chance (and mine for that matter) of not
making any mistakes on this front are slimmer than theirs.

> Thanks in advance,
> 
> Ben
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
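Point 7 above (pass only the data that is needed, plus a hash keyed with a secret both sites know) as an added example that is not code from the thread. The hash is implemented here as HMAC-SHA256; the function names, the basket payload, the five-minute lifetime and the key value are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names, payload fields and the key are hypothetical.
// The key lives in server-side configuration on both sites and never appears
// in a form field or URL.
const HANDOFF_KEY = 'constructed-demo-key-load-the-real-one-from-config';
const HANDOFF_TTL = 300; // seconds a signed payload stays valid

// www side: serialise the data with an issue time and append the MAC.
function sign_handoff(array $data, int $now): string
{
    $json = json_encode(['iat' => $now, 'data' => $data], JSON_THROW_ON_ERROR);
    $body = base64_encode($json);
    return $body . '.' . hash_hmac('sha256', $body, HANDOFF_KEY);
}

// secure side: returns the data, or null if the token is malformed,
// altered after signing, or older than HANDOFF_TTL.
function verify_handoff(string $token, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;

    // Check the MAC in constant time before decoding or parsing anything.
    $expected = hash_hmac('sha256', $body, HANDOFF_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;
    }

    $json = base64_decode($body, true);
    $decoded = $json === false ? null : json_decode($json, true);
    if (!is_array($decoded)
        || !is_int($decoded['iat'] ?? null)
        || !is_array($decoded['data'] ?? null)) {
        return null;
    }

    $age = $now - $decoded['iat'];
    if ($age < 0 || $age > HANDOFF_TTL) {
        return null;
    }
    return $decoded['data'];
}

// --- Constructed demo: www signs a basket, secure verifies it ---
$issued = 1264800000; // constructed timestamp
$token  = sign_handoff(['basket' => [['sku' => 'A-100', 'qty' => 2]]], $issued);

// Same MAC, body edited in the browser.
[$body, $mac] = explode('.', $token);
$edited = base64_encode(str_replace('"qty":2', '"qty":200', base64_decode($body))) . '.' . $mac;

$checks = [
    'untouched token, 60 s old' => verify_handoff($token, $issued + 60),
    'edited body, original MAC' => verify_handoff($edited, $issued + 60),
    'untouched token, 1 h old'  => verify_handoff($token, $issued + 3600),
];
foreach ($checks as $label => $result) {
    echo str_pad($label, 28), $result === null ? 'rejected' : 'accepted', "\n";
}
```

The MAC gives integrity only: the browser can still read the payload and can replay the token until it expires, so anything secret or price-related stays server-side on the receiving site.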



[PHP] Sessions across subdomains

2010-01-29 Thread Ben Miller
Hi, I've always thought that session data was subdomain specific and would
not carry over between http://www.mydomain.com and
https://secure.mydomain.com, but it seems to be working for me now.  Can I
rely on this and post from http://www.mydomain.com to
https://secure.mydomain.com and simply pass a hidden input containing
PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
at www.  and reset them as _SESSION vars at secure.
 ? 

 

Thanks in advance,

Ben




[PHP] SESSIONS & classes

2009-11-30 Thread Allen McCabe
I am trying to implement a relatively complete login system code for my
website, but the code is a bit dated ($HTTP_POST_VARS for example).

I am not too familiar with classes and I'm having trouble with this one.

I have an include which is the login form if the SESSION is not set, and a
mini control panel when it is.


I will post the code below because it is a bit extensive. My problem: When I
try to log in (POST username/password to same page and validate with the
class), the page simply reloads MINUS THE FORM SUBMIT BUTTON. It's very odd.
I have a working system on another website without using this class, I'm just
hoping to be more object-oriented with this one.

Like I said, the code is a bit lengthy, and if you are kind enough to take a
look at it, I can even send you the php files for the sake of readability (i.e.
formatted better than here).



Anything you can help with would be greatly appreciated; I'll have my wife
bake you some cookies or something!

The basic page looks like this:



The page definition file looks like this:

logout()){
  echo 'You have been logged
out';
 }
}

. . . // site content-grabbing code excluded ///

// Attempted login url - use for redirect after login.
$redirect = "http://mwclans.com/{$_SERVER['REQUEST_URI']}";
// Defined in includes/Sentry.php
$sentry = new Sentry();
// If logging in, POST['login'] will be set - check credentials (9 is used
// to specify the minimum group level that's allowed to access this resource)
if ($_POST['login'] != ''){
 $sentry->checkLogin($_POST['username'],$_POST['password'],9,'$redirect','/user/index.php');
}
if ($minlevel < 9)
{
 if (!$sentry->checkLogin($minlevel) ){
  header("Location: /user/");
  die();
 }
}
?>

Here is the Sentry class:

userdata))
  {
   unset($this->userdata);
   $session_name = session_name();
   return true;
  }
  else
  {
   $message = "Call to non-object by
function: logout()";
  }

 }
 
//==
 // Log in, and either redirect to goodRedirect or badRedirect depending on success
 function checkLogin($username = '',$password = '',$role_id = 9,$goodRedirect = '',$badRedirect = ''){
  // Include database and validation classes, and create objects
  require_once('DbConnector.php');
  require_once('Validator.php');
  $validate = new Validator();
  $loginConnector = new DbConnector();

  // If user is already logged in then check credentials
  if ($_SESSION['username'] && $_SESSION['password']){
   // Validate session data
   if (!$validate->validateTextOnly($_SESSION['username'])){return false;}
   if (!$validate->validateTextOnly($_SESSION['password'])){return false;}
   $getUser = $loginConnector->query("SELECT * FROM user WHERE username =
'".$_SESSION['username']."' AND password = '".$_SESSION['password']."' AND
role_id <= ".$role_id.' AND verified = 1');
   if ($loginConnector->getNumRows($getUser) > 0){
// Existing user ok, continue
if ($goodRedirect != '') {
 header("Location: ".$goodRedirect."?".strip_tags(session_id())) ;
}
return true;
   }else{
// Existing user not ok, logout
$this->logout();
return false;
   }

  // User isn't logged in, check credentials
  }else{
   // Validate input
   if (!$validate->validateTextOnly($username)){return false;}
   if (!$validate->validateTextOnly($password)){return false;}
   // Look up user in DB
   $getUser = $loginConnector->query("SELECT * FROM user WHERE username =
'$username' AND password = PASSWORD('$password') AND role_id <= $role_id AND
verified = 1");
   $this->userdata = $loginConnector->fetchArray($getUser);
   if ($loginConnector->getNumRows($getUser) > 0){
// Login OK, store session details
// Log in
$_SESSION["username"] = $username;
$_SESSION["password"] = $this->userdata['password'];
$_SESSION["user_id"] = $this->userdata['user_id'];
$_SESSION["role_id"] = $this->userdata['role_id'];

if ($goodRedirect) {
 header("Location: ".$goodRedirect."?".strip_tags(session_id())) ;
}
return true;
   }else{
// Login BAD
unset($this->userdata);
if ($badRedirect) {
 header("Location: ".$badRedirect) ;
}
return false;
   }
  }
 }
}
?>

And here is the login page:

query($loginsettingquery);
$loginsettinginfo = $connector->fetchArray($loginsettingresult);
$currentpage = "http://mwclans.com/{$_SERVER['REQUEST_URI']}";
if (isset($_SESSION['username']) && isset($_SESSION['password'])) // display other info, else display login form
{
 // logged-in user tools
}
else
{
if ($loginsettinginfo['value'] == 1 || $directory == "cmsadmin")
{
 $signinform = <<
 
  Login
 
 
  Username:
  
  
  
  
 
 
  Password:
  
  
 
 
  
 

END;
}
else
{
 // login disabled message
}
}
?>
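
A login check in the same shape as `checkLogin()` above, written as an added example rather than a fix from the thread: it binds the submitted values as query parameters, verifies a `password_hash()` hash, keeps the password out of `$_SESSION`, and issues a new session ID at login instead of appending the ID to the redirect URL. The `user` table follows the queries above; the `password_hash` column, the `isAllowed()` helper, the in-memory SQLite database and the sample account are assumptions made so the block runs on its own.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's Sentry class. Assumed schema:
// user(user_id, username, password_hash, role_id, verified), where
// password_hash holds the output of password_hash().

function checkLogin(PDO $db, string $username, string $password, int $roleId = 9): bool
{
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare(
        'SELECT user_id, username, password_hash, role_id FROM user
          WHERE username = :username AND role_id <= :role_id AND verified = 1'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':role_id', $roleId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown users are checked against a throwaway hash so both paths do the same work.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-placeholder', PASSWORD_DEFAULT);
    }
    $hash = is_array($row) ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !is_array($row)) {
        return false;
    }

    // A fresh ID at login makes any ID known before authentication worthless;
    // passing true deletes the old session data.
    session_regenerate_id(true);
    // Store identity only. Neither the password nor its hash goes into the session.
    $_SESSION['user_id']  = (int) $row['user_id'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['role_id']  = (int) $row['role_id'];
    return true;
}

// Per-page gate: the server-side session is the only source of truth.
function isAllowed(int $roleId): bool
{
    return isset($_SESSION['user_id'], $_SESSION['role_id'])
        && $_SESSION['role_id'] <= $roleId;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// --- Constructed demo data: in-memory SQLite stands in for the real database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password_hash TEXT, role_id INTEGER, verified INTEGER)');
$db->prepare('INSERT INTO user (username, password_hash, role_id, verified) VALUES (?, ?, 5, 1)')
   ->execute(['demo', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// The session ID travels in the cookie only (use_only_cookies is on by default).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();
$idBefore = session_id();

$report = [
    'wrong password accepted'     => checkLogin($db, 'demo', 'guess'),
    'apostrophe in name accepted' => checkLogin($db, "o'neil", 'x'),
    'valid login accepted'        => checkLogin($db, 'demo', 'constructed-password'),
];
$report['session id changed at login'] = ($idBefore !== session_id());
$report['password stored in session']  = isset($_SESSION['password']);
$report['allowed at level 9']          = isAllowed(9);
logout();
$report['allowed after logout']        = isAllowed(9);

foreach ($report as $label => $value) {
    echo str_pad($label, 30), var_export($value, true), "\n";
}
```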


Re: [PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

if( !$_SESSION['is_logged_in'] ) {
 exit();
}
// do stuff




Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me :

session_start();
if(!isset($_SESSION['username'])){
echo("Go Away.");
exit();
}
// now work with sensitive data...





[PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Nathan Rixham
Angus Mann wrote:
> Hi all.
> 
> A question about PHP sessions and their interaction with AJAX.
> 
> I have a database containing sensitive information and users need to log in 
> to my PHP script and be authenticated before they are granted access.
> 
> For one of the forms I would like to retrieve information using AJAX, and 
> some of that information is sensitive also. The request from AJAX is handled 
> by another, simpler PHP script.
> 
> It occurs to me that the AJAX handler could be used to bypass the user 
> authentication and a crafted request sent directly to the AJAX handler to get 
> information without authentication.
> 
> Can anyone offer some advice about how to piggy-back the 
> session/authentication data that the user originally used to the AJAX so that 
> only an authenticated user will get a valid response from the AJAX handler? I 
> know I could embed authentication information into the web-page and send this 
> with the AJAX request but I'm interested to know if there are other methods 
> also.
> 
> I hope the explanation is clear.
> 
> Thanks in advance. 

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

if( !$_SESSION['is_logged_in'] ) {
  exit();
}
// do stuff




Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread tedd

At 9:30 PM +1000 11/21/09, Angus Mann wrote:

Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to 
log in to my PHP script and be authenticated before they are granted 
access.


For one of the forms I would like to retrieve information using 
AJAX, and some of that information is sensitive also. The request 
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the 
user authentication and a crafted request sent directly to the AJAX 
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the 
session/authentication data that the user originally used to the 
AJAX so that only an authenticated user will get a valid response 
from the AJAX handler? I know I could embed authentication 
information into the web-page and send this with the AJAX request 
but I'm interested to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


Angus:

First, don't trust anything that comes from the client -- period.

Second, Ajax is just another way to send stuff to the server. When 
the data gets to the server then authenticate and set a session 
variable to indicate such. This is not rocket science, but if you 
don't do it right you'll leave a crater.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Phpster

You could use a one time token on each request

Bastien

Sent from my iPod

On Nov 21, 2009, at 6:30 AM, "Angus Mann"  wrote:


Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to  
log in to my PHP script and be authenticated before they are granted  
access.


For one of the forms I would like to retrieve information using  
AJAX, and some of that information is sensitive also. The request  
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the  
user authentication and a crafted request sent directly to the AJAX  
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the session/ 
authentication data that the user originally used to the AJAX so  
that only an authenticated user will get a valid response from the  
AJAX handler? I know I could embed authentication information into  
the web-page and send this with the AJAX request but I'm interested  
to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
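
The two suggestions in this thread combined, as an added example that is not code from any of the posters: the AJAX handler applies the same `$_SESSION['is_logged_in']` check as every other page and additionally requires a one-time token that is consumed on use. The function names, the `ajax_tokens` session key, the token lifetime and the JSON response fields are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; every name except $_SESSION['is_logged_in'] is hypothetical.
const MAX_TOKENS = 20; // cap on unused tokens kept per session

// Called by the page that renders the form; the token is embedded in that
// page and sent back with the AJAX request.
function issueAjaxToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['ajax_tokens'][$token] = time();
    // Keep only the newest tokens so the list cannot grow without bound.
    if (count($session['ajax_tokens']) > MAX_TOKENS) {
        $session['ajax_tokens'] = array_slice($session['ajax_tokens'], -MAX_TOKENS, null, true);
    }
    return $token;
}

// A token is removed on first presentation, whether or not it is still fresh.
function consumeAjaxToken(array &$session, string $token, int $ttl = 900): bool
{
    $issuedAt = $session['ajax_tokens'][$token] ?? null;
    unset($session['ajax_tokens'][$token]);
    return $issuedAt !== null && (time() - $issuedAt) <= $ttl;
}

// Returns [HTTP status, response body] so the decision logic can also run
// outside a web server.
function handleAjax(array &$session, array $post): array
{
    // Same rule as every other page: no authenticated session, no data.
    if (empty($session['is_logged_in'])) {
        return [401, ['error' => 'login required']];
    }
    $token = $post['token'] ?? '';
    if (!is_string($token) || !consumeAjaxToken($session, $token)) {
        return [403, ['error' => 'invalid or reused token']];
    }
    // ... look up the sensitive record for the logged-in user here ...
    return [200, ['data' => 'sensitive record', 'next_token' => issueAjaxToken($session)]];
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: the session cookie identifies the user, nothing else does.
    session_start();
    [$status, $body] = handleAjax($_SESSION, $_POST);
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// --- Constructed CLI demo: a plain array stands in for $_SESSION ---
$session = [];
[$anonymous] = handleAjax($session, ['token' => 'anything']);

$session['is_logged_in'] = true;
$token = issueAjaxToken($session);
[$firstUse, $reply] = handleAjax($session, ['token' => $token]);
[$replay]           = handleAjax($session, ['token' => $token]);
[$nextToken]        = handleAjax($session, ['token' => $reply['next_token']]);

foreach (compact('anonymous', 'firstUse', 'replay', 'nextToken') as $case => $status) {
    echo str_pad($case, 10), $status, "\n";
}
```

Because several tokens can be outstanding at once, a page that fires AJAX calls in parallel can request one token per call instead of serialising them.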



[PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann
Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to 
my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some 
of that information is sensitive also. The request from AJAX is handled by 
another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user 
authentication and a crafted request sent directly to the AJAX handler to get 
information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication 
data that the user originally used to the AJAX so that only an authenticated 
user will get a valid response from the AJAX handler? I know I could embed 
authentication information into the web-page and send this with the AJAX 
request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance. 

Re: [PHP] sessions and email

2009-11-12 Thread Andrew Ballard
On Thu, Nov 12, 2009 at 1:21 PM, Ashley Sheridan
 wrote:
> On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:
>
>> All,
>>
>> I am using sessions for my application to verify a user has logged in:
>>
>> // Verify the user is logged in.
>> if (!isset($_SESSION['basic_is_logged_in'])
>>     || $_SESSION['basic_is_logged_in'] !== true) {
>>     // If not logged in, redirect to the login page.
>>     header('Location: login.php');
>>     exit;
>> }
>>
>> If anyone tries to go to any page in the application via the address bar,
>> they are correctly redirected to the login page.
>>
>> However, if someone that is currently logged into the application using I.E.
>> goes to File -> Send -> Page by Email, the person they email the link to can
>> open it and use the application without logging in and the address bar uses
>> a local path like: C:\Documents and Settings\my_name\Local
>> Settings\Temporary Internet Files\OLK18\My Page (2).htm
>>
>> How can I prevent the emailed pages from being able to access the
>> application if it is a local path or the user hasn't logged in?
>
>
> You can't really. When someone is emailing the page, it's the equivalent
> of them saving the page to their local computer, and then sending that
> as an attachment. As this is all client-side, it has no contact with
> PHP. You could have some sort of Javascript to detect the domain the
> page has, and then redirect if it's not your domain, but this fails when
> someone turns Javascript off. Apart from that, I don't know of any other
> way you could stop someone from emailing a page, aside from making the
> site completely Ajax based and pulling in every scrap of content via
> Ajax.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>

And even then, it has become part of the DOM and will be saved with
the rest of the page. The presence of Javascript in the page *might*
remove it/hide it/obscure it/etc., but it will still be there in the
saved document.

Andrew




Re: [PHP] sessions and email

2009-11-12 Thread Ashley Sheridan
On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:

> All,
> 
> I am using sessions for my application to verify a user has logged in:
> 
> // Verify the user is logged in.
> if (!isset($_SESSION['basic_is_logged_in'])
>     || $_SESSION['basic_is_logged_in'] !== true) {
>     // If not logged in, redirect to the login page.
>     header('Location: login.php');
>     exit;
> }
> 
> If anyone tries to go to any page in the application via the address bar,
> they are correctly redirected to the login page.
> 
> However, if someone that is currently logged into the application using I.E.
> goes to File -> Send -> Page by Email, the person they email the link to can
> open it and use the application without logging in and the address bar uses
> a local path like: C:\Documents and Settings\my_name\Local
> Settings\Temporary Internet Files\OLK18\My Page (2).htm
> 
> How can I prevent the emailed pages from being able to access the
> application if it is a local path or the user hasn't logged in?


You can't really. When someone is emailing the page, it's the equivalent
of them saving the page to their local computer, and then sending that
as an attachment. As this is all client-side, it has no contact with
PHP. You could have some sort of Javascript to detect the domain the
page has, and then redirect if it's not your domain, but this fails when
someone turns Javascript off. Apart from that, I don't know of any other
way you could stop someone from emailing a page, aside from making the
site completely Ajax based and pulling in every scrap of content via
Ajax.

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] sessions and email

2009-11-12 Thread Dan Shirah
All,

I am using sessions for my application to verify a user has logged in:

// Verify the user is logged in.
if (!isset($_SESSION['basic_is_logged_in'])
    || $_SESSION['basic_is_logged_in'] !== true) {
    // If not logged in, redirect to the login page.
    header('Location: login.php');
    exit;
}

If anyone tries to go to any page in the application via the address bar,
they are correctly redirected to the login page.

However, if someone that is currently logged into the application using I.E.
goes to File -> Send -> Page by Email, the person they email the link to can
open it and use the application without logging in and the address bar uses
a local path like: C:\Documents and Settings\my_name\Local
Settings\Temporary Internet Files\OLK18\My Page (2).htm

How can I prevent the emailed pages from being able to access the
application if it is a local path or the user hasn't logged in?


Re: [PHP] Sessions seems to kill db connection

2009-10-24 Thread Kim Madsen

Hi Kranthi

kranthi wrote on 2009-10-24 07:27:

Db error: Access denied for user 'www-data'@'localhost' (using password: NO)



WTF? I'm not using a user called www-data for MySQL connections, but apache
runs as this user


in the case where $test is true there is an open mysql connection, but
when $test is false there is no open connection available. maybe
you have opened a connection when $test is true or used a
mysql_close() when $test is false or when $_SESSION['login']['uid'] is
set.


I think you missed my words about resolving the matter, when you were
cutting the quoted text :-)



regarding www-data, when mysql_query() fails to find a valid MySql
connection, it tries to open a new connection with mysql.default_user
and mysql.default_password (you can see these values through phpinfo());
http://php.net/manual/en/function.mysql-connect.php


Thanks, that explained the www-data user

--
Kind regards
Kim Emax - masterminds.dk




Re: [PHP] Sessions seems to kill db connection

2009-10-23 Thread kranthi
>> Db error: Access denied for user 'www-data'@'localhost' (using password: NO)

>> WTF? I'm not using a user called www-data for MySQL connections, but apache
>> runs as this user

in the case where $test is true there is an open mysql connection, but
when $test is false there is no open connection available. maybe
you have opened a connection when $test is true or used a
mysql_close() when $test is false or when $_SESSION['login']['uid'] is
set.

regarding www-data, when mysql_query() fails to find a valid MySql
connection, it tries to open a new connection with mysql.default_user
and mysql.default_password (you can see these values through phpinfo());
http://php.net/manual/en/function.mysql-connect.php

this used to be the behavior earlier, seems it was changed from PHP > 5.3.0




Re: [PHP] Sessions seems to kill db connection

2009-10-23 Thread Kim Madsen

Kim Madsen wrote on 2009-10-22 17:51:

Hi PHPeople

I have an odd problem at my new work and wonder if it's some sort of odd 
setup that is causing this problem when using sessions:


Like I said, my new work and odd setup, an include file had a 
mysql_close() in the bottom


Speaking of mysql_close(), I think I've read somewhere that in PHP6 a db
connection will not be closed, when the script is done. Is this true?
Cause then it would definitely be best practice to _always_ have a
mysql_close() in the end for the main file.


--
Kind regards
Kim Emax - masterminds.dk




[PHP] Sessions seems to kill db connection

2009-10-22 Thread Kim Madsen

Hi PHPeople

I have an odd problem at my new work and wonder if it's some sort of odd 
setup that is causing this problem when using sessions:


if($test) {
  $query = "SELECT count(*) FROM articles WHERE group1 = 'fp'"; # AND group2 = 'login'";
  $r = mysql_query($query) or die('Db error: ' . mysql_error() . ''.$SQL);

  print "There´s " . mysql_num_rows($r) . " rows"; // 3 rows
  print "session: " . $_SESSION['login']['uid']; // 1234
  exit;
}
else {
  if($_SESSION['login']['uid']) {
    $query = "SELECT count(*) FROM articles WHERE group1 = 'fp'"; # AND group2 = 'login'";
    $r = mysql_query($query) or die('Db error: ' . mysql_error() . ''.$SQL);

    print "There´s " . mysql_num_rows($r) . " rows";
  }
}

if $test is true it's okay, if it's false, this error occurs:

Db error: Access denied for user 'www-data'@'localhost' (using password: NO)

WTF? I'm not using a user called www-data for MySQL connections, but
apache runs as this user.


I've outcommented and login = to exclude a collision in variables (if
register globals is on, haven't checked that yet)


Anyone seen this weird behaviour and know a solution or some way to
test/debug this?


--
Kind regards
Kim Emax






Re: [Fwd: [PHP] Sessions in databases]

2009-10-09 Thread Jay Ess

Il pinguino volante wrote:

(There were some errors in the previous email, I'm sorry)

Hi to all.

I have to realize an authentication system for a lot of users.

I heard that someone uses to store session states (?) into a database.
I'd like to know how and, especially, WHY to do it and what would be
better (considering that I CANNOT -d'oh!- edit the php.ini file).

Considering you cannot edit the php.ini-file i suspect you are on a
shared host. Using the database for intense work in a shared environment
is not always popular. I would guess that file based session-files are
more scalable. And as you are using a shared hosting service you are
probably not load balanced between physical different boxes and this
would not gain from using the DB.
So if you have to manage a large number of user sessions i would suggest
you choose a VPS or dedicated/colo box and then use DB with memcached in
between for fast caching. That is the way i have done it for a couple of
sites i am working on.







Re: [Fwd: [PHP] Sessions in databases]

2009-10-06 Thread Kim Madsen

Sam Stelfox wrote on 2009-10-06 18:09:
If you are distributing your application over multiple servers, using a
database for session tracking allows a user to continue their session
regardless of which server their request bounces to. It prevents the
need for 'sticky' network connections which time out anyways.


I know Alfio don't have access to the php.ini file, but if you do and 
have the above setup, consider using a tmp dir like /phptmp and have one 
root server and mount the other servers /phptmp to the root servers /phptmp


Kind regards
Kim Emax


Il pinguino volante wrote:

(There were some errors in the previous email, I'm sorry)

Hi to all.

I have to realize an authentication system for a lot of users.

I heard that someone uses to store session states (?) into a database.
I'd like to know how and, especially, WHY to do it and what would be
better (considering that I CANNOT -d'oh!- edit the php.ini file).


Thanks in advance,
Alfio.











Re: [Fwd: [PHP] Sessions in databases]

2009-10-06 Thread Tom Worster
On 10/6/09 10:26 AM, "Il pinguino volante"  wrote:

> I have to realize an authentication system for a lot of users.
> 
> I heard that someone uses to store session states (?) into a database. I'd
> like to know how and, expecially, WHY to do it and what's would be better
> (considering that I CANNOT -d'oh!- edit the php.ini file).

i think you can modify the PHP session handler without touching php.ini:
http://www.php.net/manual/en/function.session-set-save-handler.php

i've read a lot on the web about this in recent weeks. different people
offer their own justifications for the various approaches to session
handling: PHP's file handler, user DB methods for the PHP session handler,
PHP's memcache handler, zend session clustering, or do it yourself and don't
use PHP sessions at all.

there's a lot of controversy on the topic because different people have
different requirements and preferences. so your question WHY? is quite
complex.

my motivation for considering user DB back-end to the PHP session handler
was that it would replicate the session data over the DB cluster. retaining
the PHP session front-end means less code rework and you keep its session
locking. but it adds DB load, and the DB is often an app's bottleneck.
whether or not that's ok depends on app specifics.

i looked at memcache but i have two problems with it. one is that it is a
cache system so it's not designed to be reliable: if it runs out of memory,
restarts or crashes, the sessions are gone. the other is that the PHP
session implementation is barely documented. i couldn't figure out how it
implements the clustering (does it?) so i couldn't see how i would implement
failover, recovery and maintenance procedures.
http://phpslacker.com/2009/03/02/php-session-clustering-with-memcache/

one class i saw used memcached combined with DB in case of cache miss. it
speeds up the reads but every write goes to both cache and DB.

one thing that obviously helps is don't write the session to the DB if it
hasn't changed. i'm not sure how best to do that yet. and you can optimize
the writing of the session timestamp to the DB too.

then there's the question of whether or not to use one DB connection for
both session handling and the main app or use two connections. the latter is
easier to code.

row locking in the session table would be preferable to table locking.

maybe we should work together on the code for all this?

there's a webinar on zend platform session clustering that discusses various
issues, bearing in mind it's a technical sales pitch. i don't think it's
entirely fair to the DB methods.
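
Added example (not Tom's code and not the PHP project's): a PHP 8 SessionHandlerInterface implementation over PDO, registered with session_set_save_handler() so php.ini stays untouched, that skips the data write when the session is unchanged and refreshes the timestamp at most once per interval. The `sessions` table, the class name and the hashed-ID row key are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table and class names are assumptions.
final class PdoSessionHandler implements SessionHandlerInterface
{
    private ?string $loadedKey = null;  // row key of the session read() last loaded
    private string $loadedHash = '';    // hash of the data read() returned

    public function __construct(
        private PDO $db,
        private int $touchInterval = 60  // seconds between timestamp-only updates
    ) {}

    // Store a hash of the session ID so that read access to the table does
    // not reveal usable session IDs (a design choice of this example).
    private function key(string $id): string
    {
        return hash('sha256', $id);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // No locking is taken here: concurrent requests on one session are
    // last-write-wins. The row lock discussed in the thread would be added
    // around read()/write() in a transaction.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$this->key($id)]);
        $row = $st->fetchColumn();
        $data = ($row === false) ? '' : (string) $row;
        $this->loadedKey = $this->key($id);
        $this->loadedHash = hash('sha256', $data);
        return $data;
    }

    public function write(string $id, string $data): bool
    {
        $key = $this->key($id);
        $now = time();
        if ($key === $this->loadedKey && hash('sha256', $data) === $this->loadedHash) {
            // Unchanged since read(): skip the data write and refresh the
            // timestamp only when it is older than the touch interval.
            $st = $this->db->prepare(
                'UPDATE sessions SET updated_at = ? WHERE id = ? AND updated_at < ?');
            $st->execute([$now, $key, $now - $this->touchInterval]);
            return true;
        }
        // New or changed session, or a regenerated ID: store the full row.
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        $st->execute([$key, $data, $now]);
        $this->loadedKey = $key;
        $this->loadedHash = hash('sha256', $data);
        return true;
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        $st->execute([$this->key($id)]);
        return true;
    }

    // The session lifetime must be longer than $touchInterval, otherwise
    // active but unchanged sessions would be collected.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Constructed demo wiring: in-memory SQLite stands in for the application's
// database, so rows vanish when the script ends. Use the real DSN in practice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id TEXT PRIMARY KEY, data BLOB NOT NULL, updated_at INTEGER NOT NULL)');

session_set_save_handler(new PdoSessionHandler($db), true);
session_start();
$_SESSION['userid'] = 42;      // changed data: one REPLACE on shutdown
session_write_close();
```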






Re: [Fwd: [PHP] Sessions in databases]

2009-10-06 Thread Sam Stelfox
If you are distributing your application over multiple servers, using a
database for session tracking allows a user to continue their session
regardless of which server their request bounces to. It prevents the
need for 'sticky' network connections which time out anyways. Databases
can make scaling applications to enterprise size considerably easier.
There are other file based solutions that are dirty and require you to
play with file locking and all that nastiness.


You also don't need access to the php.ini file to implement session in a 
database, check out http://php.net/session_set_save_handler


Il pinguino volante wrote:

(There were some errors in the previous email, I'm sorry)

Hi to all.

I have to realize an authentication system for a lot of users.

I heard that someone uses to store session states (?) into a database.
I'd like to know how and, especially, WHY to do it and what would be
better (considering that I CANNOT -d'oh!- edit the php.ini file).


Thanks in advance,
Alfio. 










[PHP] Sessions in databases

2009-10-06 Thread Il pinguino volante


Hi to all.

I have to realize an authentication system for a lot of users.

I heard that someone uses to store session states (?) to a database. I'd
like to know how by especially WHY doing that and what would be better
(considering that I can -d'oh!- touch the php.ini file).


Thanks in advance,
Alfio.  






[Fwd: [PHP] Sessions in databases]

2009-10-06 Thread Il pinguino volante

(There were some errors in the previous email, I'm sorry)

Hi to all.

I have to realize an authentication system for a lot of users.

I heard that someone uses to store session states (?) into a database. I'd
like to know how and, especially, WHY to do it and what would be better
(considering that I CANNOT -d'oh!- edit the php.ini file).


Thanks in advance,
Alfio.  








RE: [PHP] SESSIONS lost sometimes - SOLVED

2009-08-26 Thread Angelo Zanetti


-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 24 August 2009 04:30 PM
To: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes



-Original Message-
From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
Sent: 20 August 2009 02:58 PM
To: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote:
> Hi Leon, 
> 
> No harm intended :) Just thought that people were missing my post now and
> only answering yours.
> 

Angelo, excuse me if I'm bringing up something very basic, but I'm new
to this.  Just trying to help.  

I imagine redirects couldn't be the cause of the problem, right?  

http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_sessions

http://www.webmasterworld.com/forum88/8486.htm


Hi thanks for the links it appears that its all in order also I'm not losing
SESSIONS on the redirect but somewhere else.

I have checked the garbage collection, disk space and other settings in the
PHP.ini file. ALL FINE.

So now I am really stuck and confused as to what could sometimes cause the
loss of these variables and other times it just works fine. 

Is there possibly a way that I can call some function that will ensure that
the sessions are saved (I checked the manual - nothing much).

Any other ideas? Anything that you think might be causing issues? 

Thanks
Angelo

Hi all, 

I have solved the issue of lost session variables.

It appeared to be losing the SESSION variables when going from a POST from
HTTP to HTTPS, however it didn't always happen, so the logging allowed me to
narrow down where the losing was occurring.

The solution.

In my form that I post from the HTTP site, I put a hidden variable in there
and with the session variable. 

In HTTPS it sometimes doesn't carry over the hidden variable therefore we
need to start the session with the old SESSION ID from the HTTP site.

So what I did was the following on the https site: 

if (isset($_POST['sessionID']))
{
    // http://stackoverflow.com/questions/441496/session-lost-when-switching-from-http-to-https-in-php
    // Retrieve the session ID passed in the hidden POST field.
    $currentSessionID = $_POST['sessionID'];
    //echo $currentSessionID;
    // Tell PHP to use this session ID; must run before session_start().
    $sessionid2 = session_id($currentSessionID);
}

Therefore setting the session ID with the session_id() function. This must
go before the session_start() function!!! Very NB!.

Hope this helps anyone who has a similar problem.

Regards
Angelo

http://www.elemental.co.za
http://www.wapit.co.za
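
Added example, not part of Angelo's message: the same HTTP-to-HTTPS handoff with the posted ID treated as untrusted input, because a session ID accepted from a form field permits session fixation and this one has travelled over plain HTTP. The function names and the `handoff_expires` marker are assumptions of this example; `sessionID` is the POST field from the message, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Hypothetical names:
// is_wellformed_session_id(), mark_handoff(), start_session_from_handoff(),
// and the 'handoff_expires' session key.

function is_wellformed_session_id($id): bool
{
    // PHP session IDs use only these characters; refuse anything else
    // before it reaches session_id().
    return is_string($id) && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

// HTTP side: call before rendering the form that posts to the HTTPS site.
// The marker lives server-side, so a client cannot forge it.
function mark_handoff(int $ttl = 120): void
{
    $_SESSION['handoff_expires'] = time() + $ttl;
}

// HTTPS side: call instead of a bare session_start().
// Returns false when a posted ID was offered but not accepted.
function start_session_from_handoff(array $post): bool
{
    ini_set('session.use_strict_mode', '1');   // IDs the server never issued are replaced
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);

    $posted = $post['sessionID'] ?? null;
    // Only fall back to the posted ID when the browser sent no session cookie.
    $adopting = !isset($_COOKIE[session_name()]) && is_wellformed_session_id($posted);
    if ($adopting) {
        session_id($posted);                   // must run before session_start()
    }
    session_start();

    if (!$adopting) {
        return true;                           // ordinary cookie-based request
    }

    $expires = $_SESSION['handoff_expires'] ?? 0;
    if (!is_int($expires) || $expires < time()) {
        // No fresh server-side marker: leave the stored session untouched
        // and continue under a new, empty session.
        session_abort();
        session_id(session_create_id());
        session_start();
        return false;
    }

    unset($_SESSION['handoff_expires']);       // single use
    session_regenerate_id(true);               // the ID that crossed HTTP stops working
    return true;
}

$handedOff = start_session_from_handoff($_POST);
```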







RE: [PHP] SESSIONS lost sometimes

2009-08-24 Thread Angelo Zanetti


-Original Message-
From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
Sent: 20 August 2009 02:58 PM
To: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote:
> Hi Leon, 
> 
> No harm intended :) Just thought that people were missing my post now and
> only answering yours.
> 

Angelo, excuse me if I'm bringing up something very basic, but I'm new
to this.  Just trying to help.  

I imagine redirects couldn't be the cause of the problem, right?  

http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_sessions

http://www.webmasterworld.com/forum88/8486.htm


Hi thanks for the links it appears that its all in order also I'm not losing
SESSIONS on the redirect but somewhere else.

I have checked the garbage collection, disk space and other settings in the
PHP.ini file. ALL FINE.

So now I am really stuck and confused as to what could sometimes cause the
loss of these variables and other times it just works fine. 

Is there possibly a way that I can call some function that will ensure that
the sessions are saved (I checked the manual - nothing much).

Any other ideas? Anything that you think might be causing issues? 

Thanks
Angelo






Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread kranthi
>> I imagine redirects couldn't be the cause of the problem, right?
Thanks, this is really a life saver.. I never used
session_write_close() before any redirects...




Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Ashley Sheridan
On Thu, 2009-08-20 at 18:38 +0530, kranthi wrote:
> The original problem..
> 
> >> server is losing session variables.
> I don't think PHP is not good at unset() ing variables while the script
> is executing.
> 
> general logger will be of use in this case (especially when you can't
> reproduce the problem every time). PEAR, Zend, FirePHP, files... anything
> will do...
> 
> try to log everything related to sessions at the start of the page...
> session_id, $_SESSION super global, $_SERVER['PHP_SELF']
> do the same thing after the script exits...
> 
> i had a similar problem earlier...
> a page in my app used to change $_SESSION['id']. It took me ages to
> find out the source... even grep was of no use... at last i was able
> to isolate the page that was causing this, with the help of logging.
> Of course, the main problem was that my production server has
> register_globals on, while my development server has them off.
> 
Register globals is really not a good thing to use for modern setups. It
makes it a little easier for people to exploit holes in weaker PHP
scripts.


Thanks,
Ash
http://www.ashleysheridan.co.uk







Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread kranthi
The original problem..

>> server is losing session variables.
I don't think PHP is not good at unset() ing variables while the script
is executing.

general logger will be of use in this case (especially when you can't
reproduce the problem every time). PEAR, Zend, FirePHP, files... anything
will do...

try to log everything related to sessions at the start of the page...
session_id, $_SESSION super global, $_SERVER['PHP_SELF']
do the same thing after the script exits...

i had a similar problem earlier...
a page in my app used to change $_SESSION['id']. It took me ages to
find out the source... even grep was of no use... at last i was able
to isolate the page that was causing this, with the help of logging.
Of course, the main problem was that my production server has
register_globals on, while my development server has them off.




Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Nitebirdz
On Thu, Aug 20, 2009 at 02:34:54PM +0200, Angelo Zanetti wrote:
> Hi Leon, 
> 
> No harm intended :) Just thought that people were missing my post now and
> only answering yours.
> 

Angelo, excuse me if I'm bringing up something very basic, but I'm new
to this.  Just trying to help.  

I imagine redirects couldn't be the cause of the problem, right?  

http://www.oscarm.org/news/detail/1877-avoiding_frustration_with_php_sessions

http://www.webmasterworld.com/forum88/8486.htm






RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
No problem! Thx

-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 20 August 2009 02:35 PM
To: 'Leon du Plessis'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Leon, 

No harm intended :) Just thought that people were missing my post now and
only answering yours.

Anyways hope your issue got resolved.

Angelo


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 01:46 PM
To: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Angelo, 

No need to be nasty and touchy. If you have done trouble to read I have
closed the discussion in a prior listing and referred back to your original
thread. thanks

-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 20 August 2009 01:21 PM
To: 'Leon du Plessis'; a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Leon and all.

LEON you are misunderstanding how the sessions work. Also please start your
own thread and don't hijack mine.

To the rest that replied. Thanks, I am still stuck with the problem I have
asked the hosting company to check the storage capacity and also any other
issues with the SESSIONS on the server.

However if anyone has other things they think I can look at, I'd appreciate
that very much.

Thanks
Angelo
http://www.elemental.co.za


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 12:04 PM
To: a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Thanks Ashley, 

I just want to iterate again that when a new page is opened by another
existing page in a new browser or Tab, the session_id is already created and
therefore the current way browsers work is in no way compromised. The new
browser/tab would receive the session id along with GET or POST variables.

What I am suggesting/hoping is that when a new browser is opened or a new
tab is opened via the application, the protocols would recognize that this
is the first time the page is served and is not being called from another
page. That is, a new page is loaded by the user entering it, and NOT by
clicking login or some other link from an existing page.

Yes, I know..that creates other scenarios, so is happy to not meddle with
the way browsers work. It is just a limitation I will live with and can get
by with it.

Regards
Leon

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 11:39 AM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition.
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including t

RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Angelo Zanetti
Hi Leon, 

No harm intended :) Just thought that people were missing my post now and
only answering yours.

Anyways hope your issue got resolved.

Angelo


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 01:46 PM
To: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Angelo, 

No need to be nasty and touchy. If you have done trouble to read I have
closed the discussion in a prior listing and referred back to your original
thread. thanks

-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 20 August 2009 01:21 PM
To: 'Leon du Plessis'; a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Leon and all.

LEON you are misunderstanding how the sessions work. Also please start your
own thread and don't hijack mine.

To the rest that replied. Thanks, I am still stuck with the problem I have
asked the hosting company to check the storage capacity and also any other
issues with the SESSIONS on the server.

However if anyone has other things they think I can look at, I'd appreciate
that very much.

Thanks
Angelo
http://www.elemental.co.za


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 12:04 PM
To: a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Thanks Ashley, 

I just want to iterate again that when a new page is opened by another
existing page in a new browser or Tab, the session_id is already created and
therefore the current way browsers work is in no way compromised. The new
browser/tab would receive the session id along with GET or POST variables.

What I am suggesting/hoping is that when a new browser is opened or a new
tab is opened via the application, the protocols would recognize that this
is the first time the page is served and is not being called from another
page. That is, a new page is loaded by the user entering it, and NOT by
clicking login or some other link from an existing page.

Yes, I know..that creates other scenarios, so is happy to not meddle with
the way browsers work. It is just a limitation I will live with and can get
by with it.

Regards
Leon

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 11:39 AM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition.
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including the likes of Google Mail, etc.  When
> I want to run multiple sessions for different GMail accounts, for
> example, I just create a different user profile in Firefox. 
> 
> It'd make sense for things to run thi

Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Floyd Resler

Leon,
Sessions are used on a per-domain basis. So, no matter how many windows
or tabs you have open for mydomain.com it will be the same session for all.
Having a different session start up for each window or tab would be a major
pain. If you needed to keep track of a user ID, for example, you wouldn't
be able to. As already mentioned you can use different browsers. You can
also set up sub-domains which would each have their own sessions.


Take care,
Floyd

On Aug 20, 2009, at 4:26 AM, Leon du Plessis wrote:


">> It's not an issue, it's a feature."

Thanks Arno...but it is a pain also.
If I work with user A in Tab1 (window1), I want to work with user B
separately in Tab2. When user in Tab2 logs off, I still want user A to work,
and not suddenly have to re-login. Same with bank. If I work with my company
account, then my personal account must not become an issue because I am on
the same machine and site.

I have no issue with using FF and IE to do testing as that takes care of
browser compatibility testing at the same time :-), but I think when you
start a new session with new values, it should be kept under that window/tab
alone. Cookies can take care of more details, but my opinion is data should
never be affected across windows/tabs unless the same user is logged in on
both...even then I would expect PHP to keep data per session. Maybe it goes
beyond being an IE or FF issue..the question is...will PHP allow variables
from session A become corrupted when session B is in progress when they
should actually be handled separately?

In the end I think it is something I do wrong in PHP with the SESSION
variables and how I clear them...if so...I don't think PHP should allow
clearing SESSION variables from other sessions.

-Original Message-
From: Arno Kuhl [mailto:ak...@telkomsa.net]
Sent: 20 August 2009 10:03 AM
To: 'Leon du Plessis'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com]
Sent: 20 August 2009 09:44 AM
To: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Since we are on the subject: I have the following similar problem:

When testing page on internet explorer, I find that one tab's variables can
affect another tab's variables. Thus when having the same web-site open and
using SESSION variables but for different users, Internet explorer can
become "disorientated". This also "sometimes" happen when I have two
separate browsing windows open with Internet Explorer for the same site.

I have yet to determine if this is an internet explorer, or PHP or
combination of the two that is causing this condition.

To my understanding _SESSION variables should be maintained per session, tab
or window. If this has been addressed already, my apologies, but thought it
worthwhile to mention.

If someone perhaps have a solution or can confirm this as a known issue and
maybe is the same or related to Angelo's problem?



If different browser windows/tabs on the same client-side computer didn't
share session info then you'd get the effect of being able to log onto a
site with one browser window, but find in a second browser window that you
were not yet logged on. Experience will tell you that you're logged on in
both browser windows (try it with your online bank). It's not an issue, it's
a feature. If you want to be able to use different browser windows as though
they were different users then use different browsers e.g. IE and FF on the
same client-side computer will look like two separate end users to the
server, and they don't share session info or cookies.

Cheers
Arno


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
Hi Angelo, 

No need to be nasty and touchy. If you have done trouble to read I have
closed the discussion in a prior listing and referred back to your original
thread. thanks

-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 20 August 2009 01:21 PM
To: 'Leon du Plessis'; a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Hi Leon and all.

LEON you are misunderstanding how the sessions work. Also please start your
own thread and don't hijack mine.

To the rest that replied. Thanks, I am still stuck with the problem I have
asked the hosting company to check the storage capacity and also any other
issues with the SESSIONS on the server.

However if anyone has other things they think I can look at, I'd appreciate
that very much.

Thanks
Angelo
http://www.elemental.co.za


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 12:04 PM
To: a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Thanks Ashley, 

I just want to iterate again that when a new page is opened by another
existing page in a new browser or Tab, the session_id is already created and
therefore the current way browsers work is in no way compromised. The new
browser/tab would receive the session id along with GET or POST variables.

What I am suggesting/hoping is that when a new browser is opened or a new
tab is opened via the application, the protocols would recognize that this
is the first time the page is served and is not being called from another
page. That is, a new page is loaded by the user entering it, and NOT by
clicking login or some other link from an existing page.

Yes, I know..that creates other scenarios, so is happy to not meddle with
the way browsers work. It is just a limitation I will live with and can get
by with it.

Regards
Leon

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 11:39 AM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition. 
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.  
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including the likes of Google Mail, etc.  When
> I want to run multiple sessions for different GMail accounts, for
> example, I just create a different user profile in Firefox. 
> 
> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able
> to edit it.  
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub

Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Nitebirdz
On Thu, Aug 20, 2009 at 12:04:08PM +0200, Leon du Plessis wrote:
> Thanks Ashley, 
> 
> I just want to iterate again that when a new page is opened by another
> existing page in a new browser or Tab, the session_id is already created and
> therefore the current way browsers work is in no way compromised. The new
> browser/tab would receive the session id along with GET or POST variables.
> 
> What I am suggesting/hoping is that when a new browser is opened or a new
> tab is opened via the application, the protocols would recognize that this
> is the first time the page is served and is not being called from another
> page. That is, a new page is loaded by the user entering it, and NOT by
> clicking login or some other link from an existing page.
> 

Out of curiosity.  Did you test it under Google Chrome?  I believe each
tab is a separate process in the case of that browser.  I wonder how
that might affect something like this.  


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Angelo Zanetti
Hi Leon and all.

LEON you are misunderstanding how the sessions work. Also please start your
own thread and don't hijack mine.

To the rest that replied. Thanks, I am still stuck with the problem I have
asked the hosting company to check the storage capacity and also any other
issues with the SESSIONS on the server.

However if anyone has other things they think I can look at, I'd appreciate
that very much.

Thanks
Angelo
http://www.elemental.co.za


-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 12:04 PM
To: a...@ashleysheridan.co.uk
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Thanks Ashley, 

I just want to iterate again that when a new page is opened by another
existing page in a new browser or Tab, the session_id is already created and
therefore the current way browsers work is in no way compromised. The new
browser/tab would receive the session id along with GET or POST variables.

What I am suggesting/hoping is that when a new browser is opened or a new
tab is opened via the application, the protocols would recognize that this
is the first time the page is served and is not being called from another
page. That is, a new page is loaded by the user entering it, and NOT by
clicking login or some other link from an existing page.

Yes, I know..that creates other scenarios, so is happy to not meddle with
the way browsers work. It is just a limitation I will live with and can get
by with it.

Regards
Leon

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 11:39 AM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition. 
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.  
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including the likes of Google Mail, etc.  When
> I want to run multiple sessions for different GMail accounts, for
> example, I just create a different user profile in Firefox. 
> 
> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able
> to edit it.  
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
The point is you are misunderstanding how browsers work. What the server
app is seeing is a new login that replaces the first. This is the way
browsers work, and if it changed to the idea you have for it, then
millions of sites would suddenly fail to work; i.e. any site that
requires a new tab or window to be opened in order to function, like
banks, etc.

Thanks,
Ash
http://www.ashleysheridan.co.uk




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
Thanks Ashley. Will implement if the need arise again..
By limitation I actually meant "annoyance". 
"Limitation" was the wrong word to use.
(I think all browsers has something great and something not so great)

:-)
Greetings

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 12:05 PM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 12:04 +0200, Leon du Plessis wrote:
> Thanks Ashley, 
> 
> I just want to iterate again that when a new page is opened by another
> existing page in a new browser or Tab, the session_id is already created and
> therefore the current way browsers work is in no way compromised. The new
> browser/tab would receive the session id along with GET or POST variables.
> 
> What I am suggesting/hoping is that when a new browser is opened or a new
> tab is opened via the application, the protocols would recognize that this
> is the first time the page is served and is not being called from another
> page. That is, a new page is loaded by the user entering it, and NOT by
> clicking login or some other link from an existing page.
> 
> Yes, I know..that creates other scenarios, so is happy to not meddle with
> the way browsers work. It is just a limitation I will live with and can get
> by with it.
> 
> Regards
> Leon
> 
> -Original Message-
> From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
> Sent: 20 August 2009 11:39 AM
> To: Leon du Plessis
> Cc: 'Nitebirdz'; php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> > ">> It'd make sense for things to run this way, I think.  After all, I'd
> > find it quite confusing if I log into Google Docs, open a document (by
> > default, it opens in a new tab) and I had to log in yet again to be able to
> > edit it."
> > 
> > Yes. I agree. But in this case the Tab being opened is used with the same
> > authentication details either via POST, GET or Cookie variables. The problem
> > comes in when a totally different set of login credentials are being used
> > (for the same tab/window).  Other user's login particulars should not affect
> > your login variables.
> > 
> > -Original Message-
> > From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> > Sent: 20 August 2009 10:40 AM
> > To: php-general@lists.php.net
> > Subject: Re: [PHP] SESSIONS lost sometimes
> > 
> > On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > > 
> > > Since we are on the subject: I have the following similar problem:
> > > 
> > > When testing page on internet explorer, I find that one tab's variables can
> > > affect another tab's variables. Thus when having the same web-site open and
> > > using SESSION variables but for different users, Internet explorer can
> > > become "disorientated". This also "sometimes" happen when I have two
> > > separate browsing windows open with Internet Explorer for the same site.
> > > 
> > > I have yet to determine if this is an internet explorer, or PHP or
> > > combination of the two that is causing this condition. 
> > > 
> > > To my understanding _SESSION variables should be maintained per session, tab
> > > or window. If this has been addressed already, my apologies, but thought it
> > > worthwhile to mention.  
> > > 
> > 
> > I'm a total newbie when it comes to these issues, but it seems to me
> > that Firefox behaves in the very same manner.  It's not limited to PHP
> > sessions either.  It's always been my experience on any website that
> > requires authentication, including the likes of Google Mail, etc.  When
> > I want to run multiple sessions for different GMail accounts, for
> > example, I just create a different user profile in Firefox. 
> > 
> > It'd make sense for things to run this way, I think.  After all, I'd
> > find it quite confusing if I log into Google Docs, open a document (by
> > default, it opens in a new tab) and I had to log in yet again to be able
> > to edit it.  
> > 
> > 
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> > 
> The point is you are misunderstanding how browsers work. What the server
> app is seeing is a new login that replaces the first. This is t

RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Ashley Sheridan
On Thu, 2009-08-20 at 12:04 +0200, Leon du Plessis wrote:
> Thanks Ashley, 
> 
> I just want to iterate again that when a new page is opened by another
> existing page in a new browser or Tab, the session_id is already created and
> therefore the current way browsers work is in no way compromised. The new
> browser/tab would receive the session id along with GET or POST variables.
> 
> What I am suggesting/hoping is that when a new browser is opened or a new
> tab is opened via the application, the protocols would recognize that this
> is the first time the page is served and is not being called from another
> page. That is, a new page is loaded by the user entering it, and NOT by
> clicking login or some other link from an existing page.
> 
> Yes, I know..that creates other scenarios, so is happy to not meddle with
> the way browsers work. It is just a limitation I will live with and can get
> by with it.
> 
> Regards
> Leon
> 
> -Original Message-
> From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
> Sent: 20 August 2009 11:39 AM
> To: Leon du Plessis
> Cc: 'Nitebirdz'; php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> > ">> It'd make sense for things to run this way, I think.  After all, I'd
> > find it quite confusing if I log into Google Docs, open a document (by
> > default, it opens in a new tab) and I had to log in yet again to be able to
> > edit it."
> > 
> > Yes. I agree. But in this case the Tab being opened is used with the same
> > authentication details either via POST, GET or Cookie variables. The problem
> > comes in when a totally different set of login credentials are being used
> > (for the same tab/window).  Other user's login particulars should not affect
> > your login variables.
> > 
> > -Original Message-
> > From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> > Sent: 20 August 2009 10:40 AM
> > To: php-general@lists.php.net
> > Subject: Re: [PHP] SESSIONS lost sometimes
> > 
> > On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > > 
> > > Since we are on the subject: I have the following similar problem:
> > > 
> > > When testing page on internet explorer, I find that one tab's variables can
> > > affect another tab's variables. Thus when having the same web-site open and
> > > using SESSION variables but for different users, Internet explorer can
> > > become "disorientated". This also "sometimes" happen when I have two
> > > separate browsing windows open with Internet Explorer for the same site.
> > > 
> > > I have yet to determine if this is an internet explorer, or PHP or
> > > combination of the two that is causing this condition. 
> > > 
> > > To my understanding _SESSION variables should be maintained per session, tab
> > > or window. If this has been addressed already, my apologies, but thought it
> > > worthwhile to mention.  
> > > 
> > 
> > I'm a total newbie when it comes to these issues, but it seems to me
> > that Firefox behaves in the very same manner.  It's not limited to PHP
> > sessions either.  It's always been my experience on any website that
> > requires authentication, including the likes of Google Mail, etc.  When
> > I want to run multiple sessions for different GMail accounts, for
> > example, I just create a different user profile in Firefox. 
> > 
> > It'd make sense for things to run this way, I think.  After all, I'd
> > find it quite confusing if I log into Google Docs, open a document (by
> > default, it opens in a new tab) and I had to log in yet again to be able
> > to edit it.  
> > 
> > 
> > -- 
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> > 
> The point is you are misunderstanding how browsers work. What the server
> app is seeing is a new login that replaces the first. This is the way
> browsers work, and if it changed to the idea you have for it, then
> millions of sites would suddenly fail to work; i.e. any site that
> requires a new tab or window to be opened in order to function, like
> banks, etc.
> 
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
> 
> 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
There is one way to get around it, and that is to use arrays within your
session variables. So for example, it might look something like this:

$_SESSION['your_app_name']['username']['some_value']

This way, if the username doesn't exist, you know there is no session
for them. It's ugly, but it will get around what you see as a
limitation.

Thanks,
Ash
http://www.ashleysheridan.co.uk




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
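
The workaround Ash describes above, keeping each login under its own key inside the one session that all tabs of a browser share, could look like the following. This is an added example, not code from the thread; APP_KEY, the function names, the hypothetical `as` request parameter and the sample users are assumptions.

```php
<?php
// Added example: per-user buckets inside one shared PHP session, so that
// logging one user out does not wipe the other (as session_destroy() would).
// All names below are hypothetical.

const APP_KEY = 'your_app_name';

/** Record a login for $username without touching other users' data. */
function login_user(array &$session, string $username, array $values = []): void
{
    // In a real page, call session_regenerate_id(true) here as well, so a
    // session id handed out before login is not reused after it.
    $session[APP_KEY][$username] = $values;
}

/** True only if this browser session holds a login for $username. */
function is_logged_in(array $session, string $username): bool
{
    return isset($session[APP_KEY][$username]);
}

/**
 * Resolve which login a request acts as. $requested comes from the client
 * (hypothetically $_GET['as']), so it is honoured only if that user really
 * logged in through this session. Note that every login in the session is
 * reachable by whoever holds the one session cookie.
 */
function acting_user(array $session, ?string $requested): ?string
{
    if ($requested !== null && is_logged_in($session, $requested)) {
        return $requested;
    }
    return null;
}

/**
 * Log out one user only. Returns true when no logins remain, which is the
 * point at which the full teardown from the thread
 * ($_SESSION = array(); session_destroy();) is appropriate.
 */
function logout_user(array &$session, string $username): bool
{
    unset($session[APP_KEY][$username]);
    return empty($session[APP_KEY]);
}

// Constructed demo: $session stands in for $_SESSION after session_start().
$session = [];
login_user($session, 'userA', ['some_value' => 1]);   // tab 1
login_user($session, 'userB', ['some_value' => 2]);   // tab 2, same cookie

$sessionNowEmpty = logout_user($session, 'userB');    // tab 2 logs off

var_dump(is_logged_in($session, 'userA'));            // tab 1 is unaffected
var_dump(acting_user($session, 'userB'));             // userB is rejected
var_dump(acting_user($session, 'userC'));             // never logged in
var_dump($sessionNowEmpty);

if (logout_user($session, 'userA')) {
    // Last login gone: the whole session can now be cleared.
    $session = [];
}
```

In a real page the array passed to these functions is `$_SESSION` after `session_start()`.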



RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
Thanks Ashley, 

I just want to iterate again that when a new page is opened by another
existing page in a new browser or Tab, the session_id is already created and
therefore the current way browsers work is in no way compromised. The new
browser/tab would receive the session id along with GET or POST variables.

What I am suggesting/hoping is that when a new browser is opened or a new
tab is opened via the application, the protocols would recognize that this
is the first time the page is served and is not being called from another
page. That is, a new page is loaded by the user entering it, and NOT by
clicking login or some other link from an existing page.

Yes, I know..that creates other scenarios, so is happy to not meddle with
the way browsers work. It is just a limitation I will live with and can get
by with it.

Regards
Leon

-Original Message-
From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
Sent: 20 August 2009 11:39 AM
To: Leon du Plessis
Cc: 'Nitebirdz'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition. 
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.  
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including the likes of Google Mail, etc.  When
> I want to run multiple sessions for different GMail accounts, for
> example, I just create a different user profile in Firefox. 
> 
> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able
> to edit it.  
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
The point is you are misunderstanding how browsers work. What the server
app is seeing is a new login that replaces the first. This is the way
browsers work, and if it changed to the idea you have for it, then
millions of sites would suddenly fail to work; i.e. any site that
requires a new tab or window to be opened in order to function, like
banks, etc.

Thanks,
Ash
http://www.ashleysheridan.co.uk




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Ashley Sheridan
On Thu, 2009-08-20 at 10:50 +0200, Leon du Plessis wrote:
> ">> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able to
> edit it."
> 
> Yes. I agree. But in this case the Tab being opened is used with the same
> authentication details either via POST, GET or Cookie variables. The problem
> comes in when a totally different set of login credentials are being used
> (for the same tab/window).  Other user's login particulars should not affect
> your login variables.
> 
> -Original Message-
> From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
> Sent: 20 August 2009 10:40 AM
> To: php-general@lists.php.net
> Subject: Re: [PHP] SESSIONS lost sometimes
> 
> On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> > 
> > Since we are on the subject: I have the following similar problem:
> > 
> > When testing page on internet explorer, I find that one tab's variables can
> > affect another tab's variables. Thus when having the same web-site open and
> > using SESSION variables but for different users, Internet explorer can
> > become "disorientated". This also "sometimes" happen when I have two
> > separate browsing windows open with Internet Explorer for the same site.
> > 
> > I have yet to determine if this is an internet explorer, or PHP or
> > combination of the two that is causing this condition. 
> > 
> > To my understanding _SESSION variables should be maintained per session, tab
> > or window. If this has been addressed already, my apologies, but thought it
> > worthwhile to mention.  
> > 
> 
> I'm a total newbie when it comes to these issues, but it seems to me
> that Firefox behaves in the very same manner.  It's not limited to PHP
> sessions either.  It's always been my experience on any website that
> requires authentication, including the likes of Google Mail, etc.  When
> I want to run multiple sessions for different GMail accounts, for
> example, I just create a different user profile in Firefox. 
> 
> It'd make sense for things to run this way, I think.  After all, I'd
> find it quite confusing if I log into Google Docs, open a document (by
> default, it opens in a new tab) and I had to log in yet again to be able
> to edit it.  
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
The point is you are misunderstanding how browsers work. What the server
app is seeing is a new login that replaces the first. This is the way
browsers work, and if it changed to the idea you have for it, then
millions of sites would suddenly fail to work; i.e. any site that
requires a new tab or window to be opened in order to function, like
banks, etc.

Thanks,
Ash
http://www.ashleysheridan.co.uk




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
Hi, 

Just a re-iteration on the problem:

Browser 1 has user A details 

Browser 2 has user B details

User B logs off, then user A is suddenly in logged off status also.

The method used to destroy the session is:
// Unset all of the session variables.
$_SESSION = array();

// Finally, destroy the session.
session_destroy();

Problem. User's A session is also destroyed. The concern is, that this
should not be the case. User A must happily continue to work.

So, should PHP destroy the whole browser's session id's variables? My answer
is "No".

User A and user B should have different session ids, if not, then it is
wrong. A new window should have PHP to spawn a new session id (that is, the
request does not come from an existing page where an id has been created
already). If the ids are different, then session_destroy should only clear
variables for relevant session_id, ie only User B's details in this example.


The problem then probably lies in the session_ids being either the same for
the two different logins (although they are on different browser) or
session_destroy clearing data across sessions. (I will test that later). It
would then seem that session ids is setup per location/machine by MS Windows
as per Peter's explanation. Setting up profiles is the resolution as
suggested. Otherwise, it would be nice if Windows/IE/FF/PHP could identify
when a BRAND NEW page is being opened and then create a brand new session id
for that window/tab.

It is not a huge issue, I was just wondering if someone else had the same
annoying condition. I am happy with the responses and the functionality
somewhere on a wish-list. 

Now Back to Angelo's SESSION problem which sounded like it could be related.

Greetings!
Leon

-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 10:57 AM
To: 'Peter Ford'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes



That is how I know browsers to work, yet for a while the behaviour has
changed. The question in light of this then is, should a new browser or tab
not open a new PHP SESSION ID. Session ID's should be kept if called from
existing pages or ID's? But new pages have no parent? Just wondering.

-Original Message-
From: Peter Ford [mailto:p...@justcroft.com] 
Sent: 20 August 2009 10:47 AM
To: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

Leon du Plessis wrote:
> ">> It's not an issue, it's a feature."
> 
> Thanks Arno...but it is a pain also.
> If I work with user A in Tab1 (window1), I want to work with user B
> separately in Tab2. When user in Tab2 logs off, I still want user A to work,
> and not suddenly have to re-login. Same with bank. If I work with my company
> account, then my personal account must not become an issue because I am on
> the same machine and site.
> 
> I have no issue with using FF and IE to do testing as that takes care of
> browser compatibility testing at the same time :-), but I think when you
> start a new session with new values, it should be kept under that window/tab
> alone. Cookies can take care of more details, but my opinion is data should
> never be affected across windows/tabs unless the same user is logged in on
> both... even then I would expect PHP to keep data per session. Maybe it goes
> beyond being an IE or FF issue..the question is...will PHP allow variables
> from session A become corrupted when session B is in progress when they
> should actually be handled separately?
> 
> In the end I think it is something I do wrong in PHP with the SESSION
> variables and how I clear them... if so...I don't think PHP should allow
> clearing SESSION variables from other sessions.
>  
> -Original Message-----
> From: Arno Kuhl [mailto:ak...@telkomsa.net] 
> Sent: 20 August 2009 10:03 AM
> To: 'Leon du Plessis'; php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> -Original Message-
> From: Leon du Plessis [mailto:l...@dsgnit.com] 
> Sent: 20 August 2009 09:44 AM
> To: php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> Since we are on the subject: I have the following similar problem:
> 
> When testing page on internet explorer, I find that one tab's variables can
> affect another tab's variables. Thus when having the same web-site open and
> using SESSION variables but for different users, Internet explorer can
> become "disorientated". This also "sometimes" happen when I have two
> separate browsing windows open with Internet Explorer for the same site.
> 
> I have yet to determine if this is an internet explorer, or PHP or
> combination of the two that is causing this condition.
> 
> To my understanding _SESSION vari

RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis


That is how I know browsers to work, yet for a while the behaviour has
changed. The question in light of this then is, should a new browser or tab
not open a new PHP SESSION ID. Session ID's should be kept if called from
existing pages or ID's? But new pages have no parent? Just wondering.

-Original Message-
From: Peter Ford [mailto:p...@justcroft.com] 
Sent: 20 August 2009 10:47 AM
To: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

Leon du Plessis wrote:
> ">> It's not an issue, it's a feature."
> 
> Thanks Arno...but it is a pain also.
> If I work with user A in Tab1 (window1), I want to work with user B
> separately in Tab2. When user in Tab2 logs off, I still want user A to work,
> and not suddenly have to re-login. Same with bank. If I work with my company
> account, then my personal account must not become an issue because I am on
> the same machine and site.
> 
> I have no issue with using FF and IE to do testing as that takes care of
> browser compatibility testing at the same time :-), but I think when you
> start a new session with new values, it should be kept under that window/tab
> alone. Cookies can take care of more details, but my opinion is data should
> never be affected across windows/tabs unless the same user is logged in on
> both... even then I would expect PHP to keep data per session. Maybe it goes
> beyond being an IE or FF issue..the question is...will PHP allow variables
> from session A become corrupted when session B is in progress when they
> should actually be handled separately?
> 
> In the end I think it is something I do wrong in PHP with the SESSION
> variables and how I clear them... if so...I don't think PHP should allow
> clearing SESSION variables from other sessions.
>  
> -Original Message-
> From: Arno Kuhl [mailto:ak...@telkomsa.net] 
> Sent: 20 August 2009 10:03 AM
> To: 'Leon du Plessis'; php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> -Original Message-
> From: Leon du Plessis [mailto:l...@dsgnit.com] 
> Sent: 20 August 2009 09:44 AM
> To: php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> Since we are on the subject: I have the following similar problem:
> 
> When testing page on internet explorer, I find that one tab's variables can
> affect another tab's variables. Thus when having the same web-site open and
> using SESSION variables but for different users, Internet explorer can
> become "disorientated". This also "sometimes" happen when I have two
> separate browsing windows open with Internet Explorer for the same site.
> 
> I have yet to determine if this is an internet explorer, or PHP or
> combination of the two that is causing this condition.
> 
> To my understanding _SESSION variables should be maintained per session, tab
> or window. If this has been addressed already, my apologies, but thought it
> worthwhile to mention.
> 
> If someone perhaps have a solution or can confirm this as a known issue and
> maybe is the same or related to Angelo's problem?
> 
> 
> 
> If different browser windows/tabs on the same client-side computer didn't
> share session info then you'd get the effect of being able to log onto a
> site with one browser window, but find in a second browser window that you
> were not yet logged on. Experience will tell you that you're logged on in
> both browser windows (try it with your online bank). It's not an issue, it's
> a feature. If you want to be able to use different browser windows as though
> they were different users then use different browsers e.g. IE and FF on the
> same client-side computer will look like two separate end users to the
> server, and they don't share session info or cookies.
> 
> Cheers
> Arno
> 
> 

The key thing is that both tabs (or windows) from the same browser are in the
*same* session - they send the *same* PHPID cookie. PHP is essentially stateless
- it doesn't care where the request comes from, and ties a session to the PHPID
cookie if it gets one. As far as PHP knows, requests from different tabs with
the same PHPID cookie are requests from the same place in the same session.

To get a different session you need a different instance of the browser - that's
the way browsers have been coded to work. It's not too hard with Firefox, since
you can set up multiple profiles to have independent Firefox windows on the same
screen.

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent




RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
">> It'd make sense for things to run this way, I think.  After all, I'd
find it quite confusing if I log into Google Docs, open a document (by
default, it opens in a new tab) and I had to log in yet again to be able to
edit it."

Yes. I agree. But in this case the Tab being opened is used with the same
authentication details either via POST, GET or Cookie variables. The problem
comes in when a totally different set of login credentials are being used
(for the same tab/window).  Other user's login particulars should not affect
your login variables.

-Original Message-
From: Nitebirdz [mailto:nitebi...@sacredchaos.com] 
Sent: 20 August 2009 10:40 AM
To: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> 
> Since we are on the subject: I have the following similar problem:
> 
> When testing page on internet explorer, I find that one tab's variables can
> affect another tab's variables. Thus when having the same web-site open and
> using SESSION variables but for different users, Internet explorer can
> become "disorientated". This also "sometimes" happen when I have two
> separate browsing windows open with Internet Explorer for the same site.
> 
> I have yet to determine if this is an internet explorer, or PHP or
> combination of the two that is causing this condition.
> 
> To my understanding _SESSION variables should be maintained per session, tab
> or window. If this has been addressed already, my apologies, but thought it
> worthwhile to mention.
> 

I'm a total newbie when it comes to these issues, but it seems to me
that Firefox behaves in the very same manner.  It's not limited to PHP
sessions either.  It's always been my experience on any website that
requires authentication, including the likes of Google Mail, etc.  When
I want to run multiple sessions for different GMail accounts, for
example, I just create a different user profile in Firefox. 

It'd make sense for things to run this way, I think.  After all, I'd
find it quite confusing if I log into Google Docs, open a document (by
default, it opens in a new tab) and I had to log in yet again to be able
to edit it.  





Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Nitebirdz
On Thu, Aug 20, 2009 at 10:26:35AM +0200, Leon du Plessis wrote:
> ">> It's not an issue, it's a feature."
> 
> Thanks Arno...but it is a pain also.
> If I work with user A in Tab1 (window1), I want to work with user B
> separately in Tab2. When user in Tab2 logs off, I still want user A to work,
> and not suddenly have to re-login. Same with bank. If I work with my company
> account, then my personal account must not become an issue because I am on
> the same machine and site. 
> 

As mentioned in my other email, I've only been able to get this to work
by using different user profiles under Firefox.  If you need to run them
both at the same time, the following document helps explaining how to
accomplish it:

http://lifehacker.com/software/firefox/geek-to-live--manage-multiple-firefox-profiles-231646.php


I never tested it because I don't run Windows, but a similar setup works
just fine for Linux. 






Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Peter Ford
Leon du Plessis wrote:
> ">> It's not an issue, it's a feature."
> 
> Thanks Arno...but it is a pain also.
> If I work with user A in Tab1 (window1), I want to work with user B
> separately in Tab2. When user in Tab2 logs off, I still want user A to work,
> and not suddenly have to re-login. Same with bank. If I work with my company
> account, then my personal account must not become an issue because I am on
> the same machine and site. 
> 
> I have no issue with using FF and IE to do testing as that takes care of
> browser compatibility testing at the same time :-), but I think when you
> start a new session with new values, it should be kept under that window/tab
> alone. Cookies can take care of more details, but my opinion is data should
> never be affected across windows/tabs unless the same user is logged in on
> both... even then I would expect PHP to keep data per session. Maybe it goes
> beyond being an IE or FF issue..the question is...will PHP allow variables
> from session A become corrupted when session B is in progress when they
> should actually be handled separately?
> 
> In the end I think it is something I do wrong in PHP with the SESSION
> variables and how I clear them... if so...I don't think PHP should allow
> clearing SESSION variables from other sessions.
>  
> -Original Message-
> From: Arno Kuhl [mailto:ak...@telkomsa.net] 
> Sent: 20 August 2009 10:03 AM
> To: 'Leon du Plessis'; php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> -Original Message-
> From: Leon du Plessis [mailto:l...@dsgnit.com] 
> Sent: 20 August 2009 09:44 AM
> To: php-general@lists.php.net
> Subject: RE: [PHP] SESSIONS lost sometimes
> 
> Since we are on the subject: I have the following similar problem:
> 
> When testing page on internet explorer, I find that one tab's variables can
> affect another tab's variables. Thus when having the same web-site open and
> using SESSION variables but for different users, Internet explorer can
> become "disorientated". This also "sometimes" happen when I have two
> separate browsing windows open with Internet Explorer for the same site.
> 
> I have yet to determine if this is an internet explorer, or PHP or
> combination of the two that is causing this condition. 
> 
> To my understanding _SESSION variables should be maintained per session, tab
> or window. If this has been addressed already, my apologies, but thought it
> worthwhile to mention.  
> 
> If someone perhaps have a solution or can confirm this as a known issue and
> maybe is the same or related to Angelo's problem?
> 
> 
> 
> If different browser windows/tabs on the same client-side computer didn't
> share session info then you'd get the effect of being able to log onto a
> site with one browser window, but find in a second browser window that you
> were not yet logged on. Experience will tell you that you're logged on in
> both browser windows (try it with your online bank). It's not an issue, it's
> a feature. If you want to be able to use different browser windows as though
> they were different users then use different browsers e.g. IE and FF on the
> same client-side computer will look like two separate end users to the
> server, and they don't share session info or cookies.
> 
> Cheers
> Arno
> 
> 

The key thing is that both tabs (or windows) from the same browser are in the
*same* session - they send the *same* PHPID cookie. PHP is essentially stateless
- it doesn't care where the request comes from, and ties a session to the PHPID
cookie if it gets one. As far as PHP knows, requests from different tabs with
the same PHPID cookie are requests from the same place in the same session.

To get a different session you need a different instance of the browser - that's
the way browsers have been coded to work. It's not too hard with Firefox, since
you can set up multiple profiles to have independent Firefox windows on the same
screen.

-- 
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent
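
The behaviour discussed in this thread, as an added example that is not part
of any message: PHP selects the session purely by the ID it receives, so two
tabs sending one ID share one session and a logout in either ends it, while a
second browser or profile with its own ID is untouched. The IDs and user names
are constructed, and the script sets the ID by hand because a PHP CLI run has
no cookie (session_name() gives the real cookie name, PHPSESSID by default).

```php
<?php
// Added example, not code from the thread. Run with the PHP CLI.
// The two session IDs are constructed stand-ins for the session cookie value.

ini_set('session.use_cookies', '0');      // CLI run: no cookie header to send
ini_set('session.use_strict_mode', '0');  // let the demo pick its own IDs
ini_set('session.cache_limiter', '');     // no cache headers either
session_save_path(sys_get_temp_dir());

const BROWSER_1 = 'demobrowser1';  // sent by every tab and window of browser 1
const PROFILE_2 = 'demoprofile2';  // sent by a second browser or profile

/** Serve one request that arrives carrying $cookie as its session ID. */
function request(string $cookie, callable $page): string
{
    session_id($cookie);         // the only thing PHP knows about the caller
    session_start();
    $out = $page();
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();   // skipped when the page destroyed the session
    }
    return $out;
}

function loginAs(string $user): callable
{
    return function () use ($user): string {
        $_SESSION['username'] = $user;
        return "logged in as $user";
    };
}

function whoAmI(): string
{
    return $_SESSION['username'] ?? '(not logged in)';
}

function logout(): string
{
    $_SESSION = array();         // the same two steps quoted in the thread
    session_destroy();
    return 'logged out';
}

function scenario(): array
{
    $log = array();

    // One browser, two tabs: every request carries BROWSER_1.
    request(BROWSER_1, loginAs('userA'));                        // tab 1
    request(BROWSER_1, loginAs('userB'));                        // tab 2
    $log[] = 'tab 1 after tab 2 logged in : ' . request(BROWSER_1, 'whoAmI');
    request(BROWSER_1, 'logout');                                // tab 2
    $log[] = 'tab 1 after tab 2 logged out: ' . request(BROWSER_1, 'whoAmI');

    // Two browsers or profiles: each carries its own ID.
    request(PROFILE_2, loginAs('userA'));
    request(BROWSER_1, loginAs('userB'));
    request(BROWSER_1, 'logout');
    $log[] = 'profile 2 after browser 1 logged out: ' . request(PROFILE_2, 'whoAmI');

    request(PROFILE_2, 'logout');  // remove the demo session file
    return $log;
}

// All session calls are finished before anything is printed.
echo implode(PHP_EOL, scenario()), PHP_EOL;
```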




Re: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Nitebirdz
On Thu, Aug 20, 2009 at 09:44:02AM +0200, Leon du Plessis wrote:
> 
> Since we are on the subject: I have the following similar problem:
> 
> When testing page on internet explorer, I find that one tab's variables can
> affect another tab's variables. Thus when having the same web-site open and
> using SESSION variables but for different users, Internet explorer can
> become "disorientated". This also "sometimes" happen when I have two
> separate browsing windows open with Internet Explorer for the same site.
> 
> I have yet to determine if this is an internet explorer, or PHP or
> combination of the two that is causing this condition. 
> 
> To my understanding _SESSION variables should be maintained per session, tab
> or window. If this has been addressed already, my apologies, but thought it
> worthwhile to mention.  
> 

I'm a total newbie when it comes to these issues, but it seems to me
that Firefox behaves in the very same manner.  It's not limited to PHP
sessions either.  It's always been my experience on any website that
requires authentication, including the likes of Google Mail, etc.  When
I want to run multiple sessions for different GMail accounts, for
example, I just create a different user profile in Firefox. 

It'd make sense for things to run this way, I think.  After all, I'd
find it quite confusing if I log into Google Docs, open a document (by
default, it opens in a new tab) and I had to log in yet again to be able
to edit it.  





RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis
">> It's not an issue, it's a feature."

Thanks Arno...but it is a pain also.
If I work with user A in Tab1 (window1), I want to work with user B
separately in Tab2. When user in Tab2 logs off, I still want user A to work,
and not suddenly have to re-login. Same with bank. If I work with my company
account, then my personal account must not become an issue because I am on
the same machine and site. 

I have no issue with using FF and IE to do testing as that takes care of
browser compatibility testing at the same time :-), but I think when you
start a new session with new values, it should be kept under that window/tab
alone. Cookies can take care of more details, but my opinion is data should
never be affected across windows/tabs unless the same user is logged in on
both... even then I would expect PHP to keep data per session. Maybe it goes
beyond being an IE or FF issue..the question is...will PHP allow variables
from session A become corrupted when session B is in progress when they
should actually be handled separately?

In the end I think it is something I do wrong in PHP with the SESSION
variables and how I clear them... if so...I don't think PHP should allow
clearing SESSION variables from other sessions.
 
-Original Message-
From: Arno Kuhl [mailto:ak...@telkomsa.net] 
Sent: 20 August 2009 10:03 AM
To: 'Leon du Plessis'; php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 09:44 AM
To: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Since we are on the subject: I have the following similar problem:

When testing page on internet explorer, I find that one tab's variables can
affect another tab's variables. Thus when having the same web-site open and
using SESSION variables but for different users, Internet explorer can
become "disorientated". This also "sometimes" happen when I have two
separate browsing windows open with Internet Explorer for the same site.

I have yet to determine if this is an internet explorer, or PHP or
combination of the two that is causing this condition. 

To my understanding _SESSION variables should be maintained per session, tab
or window. If this has been addressed already, my apologies, but thought it
worthwhile to mention.  

If someone perhaps have a solution or can confirm this as a known issue and
maybe is the same or related to Angelo's problem?



If different browser windows/tabs on the same client-side computer didn't
share session info then you'd get the effect of being able to log onto a
site with one browser window, but find in a second browser window that you
were not yet logged on. Experience will tell you that you're logged on in
both browser windows (try it with your online bank). It's not an issue, it's
a feature. If you want to be able to use different browser windows as though
they were different users then use different browsers e.g. IE and FF on the
same client-side computer will look like two separate end users to the
server, and they don't share session info or cookies.

Cheers
Arno





RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Arno Kuhl
-Original Message-
From: Leon du Plessis [mailto:l...@dsgnit.com] 
Sent: 20 August 2009 09:44 AM
To: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes

Since we are on the subject: I have the following similar problem:

When testing page on internet explorer, I find that one tab's variables can
affect another tab's variables. Thus when having the same web-site open and
using SESSION variables but for different users, Internet explorer can
become "disorientated". This also "sometimes" happen when I have two
separate browsing windows open with Internet Explorer for the same site.

I have yet to determine if this is an internet explorer, or PHP or
combination of the two that is causing this condition. 

To my understanding _SESSION variables should be maintained per session, tab
or window. If this has been addressed already, my apologies, but thought it
worthwhile to mention.  

If someone perhaps have a solution or can confirm this as a known issue and
maybe is the same or related to Angelo's problem?



If different browser windows/tabs on the same client-side computer didn't
share session info then you'd get the effect of being able to log onto a
site with one browser window, but find in a second browser window that you
were not yet logged on. Experience will tell you that you're logged on in
both browser windows (try it with your online bank). It's not an issue, it's
a feature. If you want to be able to use different browser windows as though
they were different users then use different browsers e.g. IE and FF on the
same client-side computer will look like two separate end users to the
server, and they don't share session info or cookies.

Cheers
Arno





RE: [PHP] SESSIONS lost sometimes

2009-08-20 Thread Leon du Plessis

Since we are on the subject: I have the following similar problem:

When testing page on internet explorer, I find that one tab's variables can
affect another tab's variables. Thus when having the same web-site open and
using SESSION variables but for different users, Internet explorer can
become "disorientated". This also "sometimes" happen when I have two
separate browsing windows open with Internet Explorer for the same site.

I have yet to determine if this is an internet explorer, or PHP or
combination of the two that is causing this condition. 

To my understanding _SESSION variables should be maintained per session, tab
or window. If this has been addressed already, my apologies, but thought it
worthwhile to mention.  

If someone perhaps have a solution or can confirm this as a known issue and
maybe is the same or related to Angelo's problem?


-Original Message-
From: Angelo Zanetti [mailto:ang...@zlogic.co.za] 
Sent: 20 August 2009 08:53 AM
To: 'Ben Dunlap'
Cc: php-general@lists.php.net
Subject: RE: [PHP] SESSIONS lost sometimes



-Original Message-
From: Ben Dunlap [mailto:bdun...@agentintellect.com] 
Sent: 19 August 2009 08:18 PM
To: Angelo Zanetti
Cc: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

> We have a server with a site that does some XML calls. After lots of testing
> I have found that the server is losing session variables.
[8<]
> Also the site goes from HTTP to HTTPS at some point but this isn't the issue
> as it loses the sessions as soon as they are set sometimes.
>
> Therefore I would like to know what I could check. I have read in other

Can you clarify what you mean by "losing sessions"? Have you taken a
network trace to see whether the client is consistently sending the
session ID with every request?

When the problem happens, is $_SESSION completely empty or is it only
missing some variables? Does it seem to happen on any page, or only
certain ones?

Thanks,

Ben


Hi Ben, 

When the problem happens the $_SESSION is partially empty. It only has
some of the variables set.

It happens on a certain page only, but the strange thing is that it never
happened before, it's only happening now. But the code hasn't changed so is it
safe to assume that it's a server issue?

Thanks
Angelo




RE: [PHP] SESSIONS lost sometimes

2009-08-19 Thread Angelo Zanetti


-Original Message-
From: Ben Dunlap [mailto:bdun...@agentintellect.com] 
Sent: 19 August 2009 08:18 PM
To: Angelo Zanetti
Cc: php-general@lists.php.net
Subject: Re: [PHP] SESSIONS lost sometimes

> We have a server with a site that does some XML calls. After lots of testing
> I have found that the server is losing session variables.
[8<]
> Also the site goes from HTTP to HTTPS at some point but this isn't the issue
> as it loses the sessions as soon as they are set sometimes.
>
> Therefore I would like to know what I could check. I have read in other

Can you clarify what you mean by "losing sessions"? Have you taken a
network trace to see whether the client is consistently sending the
session ID with every request?

When the problem happens, is $_SESSION completely empty or is it only
missing some variables? Does it seem to happen on any page, or only
certain ones?

Thanks,

Ben


Hi Ben, 

When the problem happens the $_SESSION is partially empty. It only has
some of the variables set.

It happens on a certain page only, but the strange thing is that it never
happened before, it's only happening now. But the code hasn't changed so is it
safe to assume that it's a server issue?

Thanks
Angelo




Re: [PHP] SESSIONS lost sometimes

2009-08-19 Thread Ben Dunlap
> We have a server with a site that does some XML calls. After lots of testing
> I have found that the server is losing session variables.
[8<]
> Also the site goes from HTTP to HTTPS at some point but this isn't the issue
> as it loses the sessions as soon as they are set sometimes.
>
> Therefore I would like to know what I could check. I have read in other

Can you clarify what you mean by "losing sessions"? Have you taken a
network trace to see whether the client is consistently sending the
session ID with every request?

When the problem happens, is $_SESSION completely empty or is it only
missing some variables? Does it seem to happen on any page, or only
certain ones?

Thanks,

Ben




[PHP] SESSIONS lost sometimes

2009-08-19 Thread Angelo Zanetti
Dear all, 

We have a server with a site that does some XML calls. After lots of testing
I have found that the server is losing session variables.

However sometimes it isn't losing them so I don't think it's a code thing
rather a server issue. The strange thing is that it's not consistent.
Things to note: 

The session array is really big, quite a few variables.

Also the site goes from HTTP to HTTPS at some point but this isn't the issue
as it loses the sessions as soon as they are set sometimes.

Therefore I would like to know what I could check. I have read in other
posts that I should check:

-Disk space

-Garbage collection running too frequently and reducing session lifetime in
an ini_set and it might be possible that my live sessions are being
erroneously treated as garbage.

-Is there any other settings that I can check or should the above be all I
should check


Please any advice, comments, help is appreciated.

Thanks in advance.

Angelo
http://www.elemental.co.za
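
One way to inspect the items on the checklist above (disk space, garbage
collection frequency, session lifetime) plus the secure-cookie flag that
matters for an HTTP to HTTPS switch, as an added example that is not part of
the post. It reads the settings of whichever PHP instance runs it, so load it
through the web server rather than the CLI; the 50 MB low-space threshold and
the function names are assumptions.

```php
<?php
// Added example, not code from the thread: report the session settings
// behind the checklist for the PHP instance that runs this script.

/** session.save_path may be "/path", "N;/path" or "N;MODE;/path". */
function parseSavePath(string $savePath): array
{
    $parts = explode(';', $savePath);
    $dir   = array_pop($parts);
    $depth = count($parts) > 0 ? (int) $parts[0] : 0;
    return array($dir !== '' ? $dir : sys_get_temp_dir(), $depth);
}

function sessionFindings(): array
{
    $out      = array();
    $lifetime = (int) ini_get('session.gc_maxlifetime');
    $prob     = (int) ini_get('session.gc_probability');
    $divisor  = max(1, (int) ini_get('session.gc_divisor'));

    $out[] = "gc_maxlifetime = {$lifetime}s: data idle longer than this counts as garbage";
    $out[] = "GC is triggered on about {$prob} in {$divisor} session starts";
    if ($prob === 0) {
        $out[] = 'gc_probability is 0: PHP never collects, look for a cron job that does';
    }
    if (filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN)) {
        $out[] = 'cookie_secure is on: the session cookie is not sent on plain HTTP pages';
    }

    if (ini_get('session.save_handler') !== 'files') {
        $out[] = 'save_handler is not "files": the storage checks below do not apply';
        return $out;
    }

    list($dir, $depth) = parseSavePath((string) ini_get('session.save_path'));
    if ($depth > 0) {
        $out[] = "save_path uses {$depth} directory levels: PHP does no automatic GC there";
    }
    if (!is_dir($dir) || !is_writable($dir)) {
        $out[] = "PROBLEM: {$dir} is missing or not writable, session data cannot be saved";
        return $out;
    }

    $free = disk_free_space($dir);
    if ($free !== false) {
        $out[] = sprintf('%s has %.1f MB free', $dir, $free / 1048576);
        if ($free < 50 * 1048576) {   // assumed threshold for this example
            $out[] = 'PROBLEM: low disk space, session writes may fail or be cut short';
        }
    }

    // The directory may be writable but not listable, in which case this is 0.
    $files = glob($dir . '/sess_*') ?: array();
    $stale = 0;
    foreach ($files as $file) {
        $mtime = @filemtime($file);
        if ($mtime !== false && time() - $mtime > $lifetime) {
            $stale++;
        }
    }
    $out[] = sprintf('%d session files visible, %d idle longer than gc_maxlifetime',
        count($files), $stale);
    $out[] = 'Any other site storing sessions in this directory with a smaller '
        . 'gc_maxlifetime deletes these files on its own schedule';

    return $out;
}

header('Content-Type: text/plain');
echo implode(PHP_EOL, sessionFindings()), PHP_EOL;
```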








Re: [PHP] Sessions

2009-07-03 Thread Richard Heyes
Hi,

> ..

This is precisely what I do, albeit my file is called config.php, and
not init.php. Not that it makes a jot of difference. This file is used
to setup the environment, so that way everything I commonly need is
available simply by including one file. One thing to note though is
that a database connection is not established by default. I used to
get a lot of comment spam on my blog and because it was needlessly
connecting to the database, it was bringing down the server. So now I
simply use something like this to quickly and easily get a reference
to a database object:

$db = getDatabase();

Wunderbar.

-- 
Richard Heyes
HTML5 graphing: RGraph (www.rgraph.net - updated 3rd July)




Re: [PHP] Sessions

2009-07-03 Thread Stuart
2009/7/3 Ashley Sheridan :
> On Friday 03 July 2009 09:41:40 Tom Chubb wrote:
>> 2009/7/3 Luke 
>>
>> > 2009/7/3 Daniel Brown 
>> >
>> > > On Thu, Jul 2, 2009 at 23:27, Jason Carson wrote:
>> > > > Hello all,
>> > > >
>> > > > Do I have to add session_start() at the beginning of every page so
>> > > > that the $_SESSION variables work on all pages or do I use
>> > > > session_start()
>> >
>> > on
>> >
>> > > > the first page and something else on other pages?
>> > >
>> > >     Yes, unless you're using session autoloading.  Also, in most
>> > > cases, you will only need to call session_start() once (before
>> > > referencing $_SESSION), even if $_SESSION is accessed in an included
>> > > file.
>> > >
>> > > --
>> > > 
>> > > daniel.br...@parasane.net || danbr...@php.net
>> > > http://www.parasane.net/ || http://www.pilotpig.net/
>> > > Check out our hosting and dedicated server deals at
>> > > http://twitter.com/pilotpig
>> > >
>> > > --
>> > > PHP General Mailing List (http://www.php.net/)
>> > > To unsubscribe, visit: http://www.php.net/unsub.php
>> >
>> > Some people have a file called init.php, which would contain
>> > session_start(); as well as other things that need to be done every page
>> > load (connect to the database perhaps?) and they just 'require' that at
>> > the top of every page.
>> >
>> > --
>> > Luke Slater
>> > http://dinosaur-os.com/
>> >
>> > :O)
>>
>> Never thought of that. Sounds like quite a good idea.
>> Can anyone tell me if there's any reason for not doing that, even on pages
>> that do not require session data?
>> Or perhaps use an htaccess file to server side include a file to all
>> files under an admin folder or something and another to destroy the
>> session. I'm thinking of smaller, low-traffic sites.
>> I know people are going to say, if they're small sites, why can't you only
>> start sessions on the relevant pages but it sounds like it could work well
>> for me.
>
>
> It's easier to maintain if you use one include file like Luke said. You won't
> get much overhead from a call to session_start() on a page that doesn't use
> sessions.

It's also worth noting that every call to session_start() will result
in the expiry time of the session being updated. Not calling it for
pages that don't use the session could lead to the session expiring if
the user doesn't hit a page that uses it for a while.

-Stuart

-- 
http://stut.net/
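
An added example (not code from any poster in this thread) of the shared include discussed above: it starts the session once with hardened cookie settings, enforces an explicit idle timeout rather than depending on when the stored session happens to expire, and opens the database only on first use, as in the getDatabase() post earlier in the thread. The constant IDLE_LIMIT, the last_seen key and the APP_DB_* environment variables are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// init.php: required at the top of every page (added example, not from the thread).
// Assumptions: IDLE_LIMIT, the 'last_seen' key and the APP_DB_* variables are illustrative.

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is discarded

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
session_start();

// Explicit idle timeout, checked on every page that includes this file.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];       // drop the stale data
    session_destroy();    // remove the server-side record
    session_start();      // continue with a fresh, empty session
}
$_SESSION['last_seen'] = $now;

// Lazy database handle: nothing connects until a page actually asks for it,
// so requests that never touch the database cost no connection.
function getDatabase(): PDO
{
    static $db = null;
    if ($db === null) {
        $db = new PDO(
            getenv('APP_DB_DSN'),
            getenv('APP_DB_USER'),
            getenv('APP_DB_PASS'),
            [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false, // use real prepared statements
            ]
        );
    }
    return $db;
}
```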




Re: [PHP] Sessions

2009-07-03 Thread Tom Chubb
2009/7/3 Ashley Sheridan 

> On Friday 03 July 2009 09:41:40 Tom Chubb wrote:
> > 2009/7/3 Luke 
> >
> > > 2009/7/3 Daniel Brown 
> > >
> > > > On Thu, Jul 2, 2009 at 23:27, Jason Carson wrote:
> > > > > Hello all,
> > > > >
> > > > > Do I have to add session_start() at the beginning of every page so
> > > > > that the $_SESSION variables work on all pages or do I use
> > > > > > session_start() on the first page and something else on other pages?
> > > >
> > > > Yes, unless you're using session autoloading.  Also, in most
> > > > cases, you will only need to call session_start() once (before
> > > > referencing $_SESSION), even if $_SESSION is accessed in an included
> > > > file.
> > > >
> > > > --
> > > > 
> > > > daniel.br...@parasane.net || danbr...@php.net
> > > > http://www.parasane.net/ || http://www.pilotpig.net/
> > > > Check out our hosting and dedicated server deals at
> > > > http://twitter.com/pilotpig
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> > > Some people have a file called init.php, which would contain
> > > > session_start(); as well as other things that need to be done every page
> > > > load (connect to the database perhaps?) and they just 'require' that at
> > > the top of every page.
> > >
> > > --
> > > Luke Slater
> > > http://dinosaur-os.com/
> > >
> > > :O)
> >
> > Never thought of that. Sounds like quite a good idea.
> > > Can anyone tell me if there's any reason for not doing that, even on pages
> > > that do not require session data?
> > > Or perhaps use an htaccess file to server side include a file to all
> > > files under an admin folder or something and another to destroy the
> > > session. I'm thinking of smaller, low-traffic sites.
> > > I know people are going to say, if they're small sites, why can't you only
> > > start sessions on the relevant pages but it sounds like it could work well
> > > for me.
>
>
> It's easier to maintain if you use one include file like Luke said. You won't
> get much overhead from a call to session_start() on a page that doesn't use
> sessions.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>

Great,
Cheers Ash,

T

-- 
Tom Chubb
t...@tomchubb.com | tomch...@gmail.com


Re: [PHP] Sessions

2009-07-03 Thread Ashley Sheridan
On Friday 03 July 2009 09:41:40 Tom Chubb wrote:
> 2009/7/3 Luke 
>
> > 2009/7/3 Daniel Brown 
> >
> > > On Thu, Jul 2, 2009 at 23:27, Jason Carson wrote:
> > > > Hello all,
> > > >
> > > > Do I have to add session_start() at the beginning of every page so
> > > > that the $_SESSION variables work on all pages or do I use
> > > > > session_start() on the first page and something else on other pages?
> > >
> > > Yes, unless you're using session autoloading.  Also, in most
> > > cases, you will only need to call session_start() once (before
> > > referencing $_SESSION), even if $_SESSION is accessed in an included
> > > file.
> > >
> > > --
> > > 
> > > daniel.br...@parasane.net || danbr...@php.net
> > > http://www.parasane.net/ || http://www.pilotpig.net/
> > > Check out our hosting and dedicated server deals at
> > > http://twitter.com/pilotpig
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> > Some people have a file called init.php, which would contain
> > session_start(); as well as other things that need to be done every page
> > load (connect to the database perhaps?) and they just 'require' that at
> > the top of every page.
> >
> > --
> > Luke Slater
> > http://dinosaur-os.com/
> >
> > :O)
>
> Never thought of that. Sounds like quite a good idea.
> Can anyone tell me if there's any reason for not doing that, even on pages
> that do not require session data?
> Or perhaps use an htaccess file to server side include a file to all
> files under an admin folder or something and another to destroy the
> session. I'm thinking of smaller, low-traffic sites.
> I know people are going to say, if they're small sites, why can't you only
> start sessions on the relevant pages but it sounds like it could work well
> for me.


It's easier to maintain if you use one include file like Luke said. You won't 
get much overhead from a call to session_start() on a page that doesn't use 
sessions.

Thanks,
Ash
http://www.ashleysheridan.co.uk



