Re: [PHP] SESSIONS QUESTION

2008-07-18 Thread tedd

At 9:59 AM -0700 7/18/08, R.C. wrote:

What's the sequence here.  I was able to get the password going, protect the
main.php page, sent the email etc. but can't get that password to remain on
the main.php when the user tries to get back to that page.

Really appreciate some input and coding.  I am totally stumped!

Thanks much
REF


REF:

Try this:

http://www.webbytedd.com/b1/simple-session

The code is there.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Sessions question

2004-10-22 Thread Reinhart Viane
I do not think this causes the problem.
It's just redundant.

Thx anyway

-Original Message-
From: Curt Zirzow [mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 22:11
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


* Thus wrote Reinhart Viane:
 PHP Code
 // Register some session variables!
 session_register('userid');
 $_SESSION['userid'] = $userid;

Do not use session_register with $_SESSION.

http://php.net/session-register

Curt
-- 
Quoth the Raven, Nevermore.




RE: [PHP] Sessions question

2004-10-22 Thread Reinhart Viane
Owkee here goes:

* Removing the foreach loop only supplied me with not being able to log
in.
  But again I dunnot think this is the problem.
  The variables are stored correctly.
  At certain times the user_id sessions were just swapped...

* Now I've seen that 

session_register('email');
$_SESSION['email'] = $email;

  Did not supply any output when listing my session variables with

echo "<pre>\n";
print_r($_SESSION);
echo "</pre>\n";

  When I removed this line (and I am testing 2 hours already now) I have
not encountered any problems so far.
  Could this be logical?
  Could a session variable with no value at all cause the earlier
mentioned problems?

* Also when a file was uploaded and it's parameters were inputed in the
database I used this code to do it:

//get the id of the current logged in user
$submit_user_id=$_SESSION['user_id'];
//set the file url
$url= ("documents/".$file_name);
$sql4 = "insert into documents (document_name,
document_description, document_submit_date,
document_submitter_user_id, document_folder_id, document_url,
document_ext, document_author) values ('$_POST[documentname]',
'$_POST[documentdescription]', '$inputdate', '$submit_user_id',
'$_POST[folderid]', '$url', '$ext', '$_POST[documentauthor]' )";

  Which I now changed into:

//get the id of the current logged in user
//$submit_user_id=$_SESSION['user_id'];
//set the file url
$url= ("documents/".$file_name);
$sql4 = "insert into documents (document_name,
document_description, document_submit_date,
document_submitter_user_id, document_folder_id, document_url,
document_ext, document_author) values ('$_POST[documentname]',
'$_POST[documentdescription]', '$inputdate', {$_SESSION['user_id']},
'$_POST[folderid]', '$url', '$ext', '$_POST[documentauthor]' )";

  Maybe for some bizarre reason sometimes the value of the last
$submit_user_id was given to $_SESSION[user_id].
  As you can see I'm getting very suspicious about everything hehe.



* Secondly I now use this: 

$sql = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $user_id;
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
//session_register('email');
//$_SESSION['email'] = $email;
session_register('user_level');
$_SESSION['user_level'] = $user_level;
}

  should it be better when I use this??

$sql = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){

// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $row->user_id;
session_register('first_name');
$_SESSION['first_name'] = $row->first_name;
session_register('last_name');
$_SESSION['last_name'] = $row->last_name;
//session_register('email');
//$_SESSION['email'] = $email;
session_register('user_level');
$_SESSION['user_level'] = $row->user_level;
}

* last question.
  Very soon I will need a good and secure usersystem preferably with no
cookies. So I think sessions are the way to go.
  Maybe you can supply me with some good tutorials or scripts which can
help me create a well closed usersystem.
  After these encounters with security problems, I'm not really sure no
more what to use or to do. 

Thx again for all the efforts you are doing to help me out.
It's highly appreciated (if I would be a girl I would give you a kiss).

Greetings,
Reinhart Viane




Re: [PHP] Sessions question

2004-10-21 Thread Mike Smith
On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 Hey all, i'm new to this list so forgive me if  i make any huge
 mistakes.
 I'm in a beginning stage of learning php and i hope you guys can help me
 out with this question:
 
 in a file named checkuser i do this when a users logs in:
 PHP Code
 // Register some session variables!
 session_register('userid');
 $_SESSION['userid'] = $userid;
 session_register('first_name');
 $_SESSION['first_name'] = $first_name;
 session_register('last_name');
 $_SESSION['last_name'] = $last_name;
 session_register('email_address');
 $_SESSION['email_address'] = $email_address;
 session_register('user_level');
 $_SESSION['user_level'] = $user_level;
 
 Now let's say user 1 logs in, his session is registered (with userid
 from database is 5 and first_name is XXX)
 Then another user logs in, again his session is registered (with userid
 from database is 1 and first_name is YYY)
 
 Now user 1 leaves the pages (closes the browser) and user 2 uploads a
 document (with my own script).
 
 When the document is successfully uploaded i display this:
 PHP Code
 echo ($_SESSION['first_name']).", the document has been succesfully
 added";
 echo ($_SESSION['userid']);
 
 This results in the following output:
 YYY, the document has been succesfully added
 5
 
 Meaning the $_SESSION['first_name'] is correct, but the
 $_SESSION['userid'] is the one of the user who logged out...
 
 Now when using user_id in all places it seems to work correctly...
 
 Is userid something that is defined by the server when making sessions?
 
 If not, i don't have any clue what is going wrong...
 Can someone help me on this? So i know what is wrong?
 
 Thx in advance
 
 Reinhart Viane
 
 
 

Where does the value $userid come from is it the result of a query
i.e.
SELECT userid FROM users WHERE username='$_POST['username']' AND
passwd='$_POST['password']'

 or do you have a form (text/hidden) with that value?

You mention userid and user_id maybe a typo, but those would be different.
You can see all session variables (for testing) by adding:

echo "<pre>\n";
print_r($_SESSION);
echo "</pre>\n";




RE: [PHP] Sessions question

2004-10-21 Thread Reinhart Viane
Hey Mike,

After some intensive testing it seemed that $user_id did not solve the
issue

I hereby give the script to get the $user_id:

// check if the user info validates the db
// ($username and $password are the POST values of username and password
// given in on a form)
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $user_id;
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('user_level');
$_SESSION['user_level'] = $user_level;

mysql_query("UPDATE users SET last_login=now() WHERE
user_id='$user_id'");

header("Location: main.php");

}

Now this is my conclusion till now:

All other session items are correctly displayed, except the
$_SESSION['user_id']
I'm trying to find the way when this happens since it does not seem to
happen in a strict order
The method mentioned b4:
'Now let's say user 1 logs in, his session is registered (with userid 
 from database is 5 and first_name is XXX) Then another user logs in, 
 again his session is registered (with userid from database is 1 and 
 first_name is YYY)'

is not always faulty.
I've checked everything I know and the last thing I've done is put:

session_start();

On the first line instead of after this:
<?
require('xx.inc.php');
connect_db();

Until now all seems to be ok, but I'm not certain at all it is ok.
There can be hundreds of methods how several users log in, upload, log
out etc. so I can not test them all... :(

It seems that sometimes the $_SESSION['user_id'] of the several users
get mixed and this may not happen.

I don't know if this is a known bug or if there are cases which can
cause this...
If I'm not certain if this can be solved I will have to use another
method to keep the logged in users info (but what one? Don't want to use
cookies)

Thx in advance for any help.

Greetings,

Reinhart 

-Original Message-
From: Mike Smith [mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 13:28
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 Hey all, i'm new to this list so forgive me if  i make any huge 
 mistakes. I'm in a beginning stage of learning php and i hope you guys

 can help me out with this question:
 
 in a file named checkuser i do this when a users logs in:
 PHP Code
 // Register some session variables!
 session_register('userid');
 $_SESSION['userid'] = $userid;
 session_register('first_name');
 $_SESSION['first_name'] = $first_name;
 session_register('last_name');
 $_SESSION['last_name'] = $last_name;
 session_register('email_address');
 $_SESSION['email_address'] = $email_address;
 session_register('user_level');
 $_SESSION['user_level'] = $user_level;
 
 Now let's say user 1 logs in, his session is registered (with userid 
 from database is 5 and first_name is XXX) Then another user logs in, 
 again his session is registered (with userid from database is 1 and 
 first_name is YYY)
 
 Now user 1 leaves the pages (closes the browser) and user 2 uploads a 
 document (with my own script).
 
 When the document is successfully uploaded i display this:
 PHP Code
 echo ($_SESSION['first_name']).", the document has been succesfully
 added"; echo ($_SESSION['userid']);
 
 This results in the following output:
 YYY, the document has been succesfully added
 5
 
 Meaning the $_SESSION['first_name'] is correct, but the 
 $_SESSION['userid'] is the one of the user who logged out...
 
 Now when using user_id in all places it seems to work correctly...
 
 Is userid something that is defined by the server when making 
 sessions?
 
 If not, i don't have any clue what is going wrong...
 Can someone help me on this? So i know what is wrong?
 
 Thx in advance
 
 Reinhart Viane
 
 
 

Where does the value $userid come from is it the result of a query i.e.
SELECT userid FROM users WHERE username='$_POST['username']' AND
passwd='$_POST['password']'

 or do you have a form (text/hidden) with that value?

You mention userid and user_id maybe a typo, but those would be
different. You can see

Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 Hey Mike,
 
 After some intensive testing it seemed that $user_id did not solve the
 issue
 
 I hereby give the script to get the $user_id:
 
 // check if the user info validates the db
 // ($username and $password are the POST values of username and password
 // given in on a form)
 $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
 password='$password' AND activated='1'");
 $login_check = mysql_num_rows($sql);
 
 if($login_check > 0){
 while($row = mysql_fetch_array($sql)){
 foreach( $row AS $key => $val ){

Your select * query above is probably pulling more than two fields, so
a $key and $val in the foreach() will only work with two of those
fields, the other fields will be unhandled.  You might want to ditch
the foreach() loop and just use the while() loop by itself since you
can easily access all the fields from your query in the $row array.



-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




RE: [PHP] Sessions question

2004-10-21 Thread Reinhart Viane
Thanks Greg,

I'll try this, but I do not think this will solve the issue since at
first hand the session variables are correctly made.

The problem arises (I think) whenever two or more users are logged in
and one closes the pages (so his session is killed I suppose).
Sometimes after that, the other users seem to get other values for the
user_id session variable.
Strange thing is the other session (like first_name or last_name)
variables of the user stay correct. Only the user_id session variable is
changed.

I don't know if this can be caused by the fact register_globals seem to
be 'on' on the server (btw PHP Version 4.2.3)

Thx for the advice, I hope I can sort it out soon

Greetz
Reinhart




-Original Message-
From: Greg Donald [mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 15:47
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 Hey Mike,
 
 After some intensive testing it seemed that $user_id did not solve the
 issue
 
 I hereby give the script to get the $user_id:
 
 // check if the user info validates the db
 // ($username and $password are the POST values of username and password
 // given in on a form)
 $sql = mysql_query("SELECT * FROM users WHERE
 username='$username' AND password='$password' AND activated='1'");
 $login_check = mysql_num_rows($sql);
 
 if($login_check > 0){
 while($row = mysql_fetch_array($sql)){
 foreach( $row AS $key => $val ){

Your select * query above is probably pulling more than two fields, so a
$key and $val in the foreach() will only work with two of those fields,
the other fields will be unhandled.  You might want to ditch the
foreach() loop and just use the while() loop by itself since you can
easily access all the fields from your query in the $row array.



-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 16:06:37 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 I don't know if this can be caused by the fact register_globals seem to
 be 'on' on the server (btw PHP Version 4.2.3)

You can override that setting if the web server is running apache and
AllowOverrides is set for your directory.  You can make an .htaccess
file with this in it:

php_flag register_globals Off


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] Sessions question

2004-10-21 Thread Mike Smith
On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
 Hey Mike,
 
 After some intensive testing it seemed that $user_id did not solve the
 issue
 
 I hereby give the script to get the $user_id:
 
 // check if the user info validates the db
 // ($username and $password are the POST values of username and password
 // given in on a form)
 $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
 password='$password' AND activated='1'");
 $login_check = mysql_num_rows($sql);
 
 if($login_check > 0){
 while($row = mysql_fetch_array($sql)){
 foreach( $row AS $key => $val ){
 $$key = stripslashes( $val );
 }
 // Register some session variables!
 session_register('user_id');
 $_SESSION['user_id'] = $user_id;
 session_register('first_name');
 $_SESSION['first_name'] = $first_name;
 session_register('last_name');
 $_SESSION['last_name'] = $last_name;
 session_register('email_address');
 $_SESSION['email_address'] = $email_address;
 session_register('user_level');
 $_SESSION['user_level'] = $user_level;
 
 mysql_query("UPDATE users SET last_login=now() WHERE
 user_id='$user_id'");
 
 header("Location: main.php");
 
 }
 
 Now this is my conclusion till now:
 
 All other session items are correctly displayed, except the
 $_SESSION['user_id']
 I'm trying to find the way when this happens since it does not seem to
 happen in a strict order
 The method mentioned b4:
 'Now let's say user 1 logs in, his session is registered (with userid
  from database is 5 and first_name is XXX) Then another user logs in,
  again his session is registered (with userid from database is 1 and 
  first_name is YYY)'
 
 is not always faulty.
 I've checked everything I know and the last thing I've done is put:
 
 session_start();
 
 On the first line instead of after this:
 <?
 require('xx.inc.php');
 connect_db();
 
 Until now all seems to be ok, but I'm not certain at all it is ok.
 There can be hundreds of methods how several users log in, upload, log
 out etc. so I can not test them all... :(
 
 It seems that sometimes the $_SESSION['user_id'] of the several users
 get mixed and this may not happen.
 
 I don't know if this is a known bug or if there are cases which can
 cause this...
 If I'm not certain if this can be solved I will have to use another
 method to keep the logged in users info (but what one? Don't want to use
 cookies)
 
 Thx in advance for any help.
 
 Greetings,
 
 Reinhart 
 
 
 
 -Original Message-
 From: Mike Smith [mailto:[EMAIL PROTECTED]
 Sent: donderdag 21 oktober 2004 13:28
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] Sessions question
 
 On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane [EMAIL PROTECTED] wrote:
  Hey all, i'm new to this list so forgive me if  i make any huge
  mistakes. I'm in a beginning stage of learning php and i hope you guys
 
  can help me out with this question:
 
  in a file named checkuser i do this when a users logs in:
  PHP Code
  // Register some session variables!
  session_register('userid');
  $_SESSION['userid'] = $userid;
  session_register('first_name');
  $_SESSION['first_name'] = $first_name;
  session_register('last_name');
  $_SESSION['last_name'] = $last_name;
  session_register('email_address');
  $_SESSION['email_address'] = $email_address;
  session_register('user_level');
  $_SESSION['user_level'] = $user_level;
 
  Now let's say user 1 logs in, his session is registered (with userid
  from database is 5 and first_name is XXX) Then another user logs in,
  again his session is registered (with userid from database is 1 and
  first_name is YYY)
 
  Now user 1 leaves the pages (closes the browser) and user 2 uploads a
  document (with my own script).
 
  When the document is successfully uploaded i display this:
  PHP Code
  echo ($_SESSION['first_name']).", the document has been succesfully
  added"; echo ($_SESSION['userid']);
 
  This results in the following output:
  YYY, the document has been succesfully added
  5
 
  Meaning the $_SESSION['first_name'] is correct, but the
  $_SESSION['userid'] is the one of the user who logged out...
 
  Now when using user_id in all places it seems to work correctly...
 
  Is userid something that is defined by the server when making
  sessions?
 
  If not, i don't have any clue what is going wrong...
  Can someone help me on this? So i know what is wrong?
 
  Thx in advance
 
  Reinhart Viane
 
 
 
 
 Where does the value $userid come from is it the result of a query i.e.
 SELECT userid FROM users WHERE username='$_POST

Re: [PHP] Sessions question

2004-10-21 Thread raditha dissanayake
hi,
Please don't send multiple posts, I just replied to your previous 
message thinking that it had not been answered, a little further down I 
come across this. It's very confusing to everyone.

thanks
--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 128 KB | with progress bar.


Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 10:14:47 -0400, Mike Smith [EMAIL PROTECTED] wrote:
 How about changing

How about learning to trim your posts?  Thanks.  :)


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] Sessions question

2004-10-21 Thread Curt Zirzow
* Thus wrote Reinhart Viane:
 PHP Code
 // Register some session variables!
 session_register('userid');
 $_SESSION['userid'] = $userid;

Do not use session_register with $_SESSION.

http://php.net/session-register

Curt
-- 
Quoth the Raven, Nevermore.




RE: [PHP] Re: PHP Sessions Question

2004-07-09 Thread Ed Lazor
Thanks Jason, I'll keep the information handy for creating my own session
handler in case other options I'm exploring right now don't work.

On garbage collection, it happens sometimes within seconds and sometimes
within minutes.  It tends to occur in batches with lulls of 20 to 30
minutes.  So, for example, I can login, navigate through 11 different pages
to generate the problem, navigate 2 pages to generate the problem, and then
not see the problem again for another 5 minutes.  Does that fall in line
with what you're thinking?

-Ed
 


 -Original Message-
 To try logging this, you probably need to make your own session handler.
   Most importantly you would want to write to the log during the open
 and destroy functions.
 http://www.php.net/session_set_save_handler
 
 
  Most recent updates were made last week and everything has been working
 fine
  until this afternoon.  Session data is somehow being lost.  It seems
 random.
 
 As the other guy said, load balancing seems likely.  It might also be
 that php.ini settings for garbage collection and session/cookie
 lifetimes have changed.  Garbage collection can seem random.




Re: [PHP] Re: PHP Sessions Question

2004-07-09 Thread Jason Barnett
On garbage collection, it happens sometimes within seconds and sometimes
within minutes.  It tends to occur in batches with lulls of 20 to 30
minutes.  So, for example, I can login, navigate through 11 different pages
to generate the problem, navigate 2 pages to generate the problem, and then
not see the problem again for another 5 minutes.  Does that fall in line
with what you're thinking?

Actually, no.  Garbage collection would destroy the sessions, so if 
they're only temporarily disappearing then load balancing seems even 
more likely.

I'm going to assume not, but are you using a non-default session 
handler?  If for instance you were storing sessions in another database, 
or simply on a different machine then connections can fail.  This would 
most likely only be set up through the set_session_handler directive I 
mentioned before... but you should also check your php.ini values for 
session.save_handler and session.save_path



Re: [PHP] Re: PHP Sessions Question

2004-07-09 Thread Curt Zirzow
* Thus wrote Jason Barnett:
 On garbage collection, it happens sometimes within seconds and sometimes
 within minutes.  It tends to occur in batches with lulls of 20 to 30
 minutes.  So, for example, I can login, navigate through 11 different pages
 to generate the problem, navigate 2 pages to generate the problem, and then
 not see the problem again for another 5 minutes.  Does that fall in line
 with what you're thinking?
 
 
 Actually, no.  Garbage collection would destroy the sessions, so if 
 they're only temporarily disappearing then load balancing seems even 
 more likely.
 
 I'm going to assume not, but are you using a non-default session 
 handler?  If for instance you were storing sessions in another database, 

or using the default handler, and the /tmp dir is full.

Garbage Collection cleans up things so it works for a while until 
it fills up again, then breaks again (possibly saving a session or
two with the minimal disk) till GC decides to kick in again.


df -ih /tmp/

Check Avail and ifree.


Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] Re: PHP Sessions Question

2004-07-09 Thread Curt Zirzow
* Thus wrote My Self:
 
 or using the default handler, and the /tmp dir is full.

where /tmp being the local value for your session.save_path ini
setting.

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




RE: [PHP] Re: PHP Sessions Question

2004-07-09 Thread Warren Vail
I have a suggestion that would allow you to take charge of what is going on
with your sessions.  Install your own session handler routines, storing your
own session data in your own database table.  These functions would need to
be loaded on each page before you execute the session_start() function on
each page.

http://www.php.net/manual/en/function.session-set-save-handler.php

Since the Garbage Cleanup and session read function is now under your
control, you can establish the session expiration that is appropriate for
your application, independent from the PHP default for the site.  Be
careful, however for the parameters that control the life of the cookie in
the browser, they can also cause the session to be lost if not set properly.

http://www.php.net/manual/en/function.session-set-cookie-params.php

This may sometimes seem intermittent, since the cookie will expire from the
time first established in the browser, and if you are only aware of the time
from the last page, and the cookie goes away, the session will appear to
have been destroyed.

good luck,

Warren Vail
[EMAIL PROTECTED]


-Original Message-
From: Jason Barnett [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Sessions Question


 On garbage collection, it happens sometimes within seconds and sometimes
 within minutes.  It tends to occur in batches with lulls of 20 to 30
 minutes.  So, for example, I can login, navigate through 11 different
pages
 to generate the problem, navigate 2 pages to generate the problem, and
then
 not see the problem again for another 5 minutes.  Does that fall in line
 with what you're thinking?


Actually, no.  Garbage collection would destroy the sessions, so if
they're only temporarily disappearing then load balancing seems even
more likely.

I'm going to assume not, but are you using a non-default session
handler?  If for instance you were storing sessions in another database,
or simply on a different machine then connections can fail.  This would
most likely only be set up through the set_session_handler directive I
mentioned before... but you should also check your php.ini values for
session.save_handler and session.save_path




[PHP] Re: PHP Sessions Question

2004-07-08 Thread Jason Barnett
Ed Lazor wrote:
What kind of problems could be happening server-side that would result in
PHP sessions randomly disappearing?  And, is there a way to log or track
this information?  Oh, and best of all, any recommendations on solutions?

To try logging this, you probably need to make your own session handler. 
 Most importantly you would want to write to the log during the open 
and destroy functions.
http://www.php.net/session_set_save_handler

Most recent updates were made last week and everything has been working fine
until this afternoon.  Session data is somehow being lost.  It seems random.

As the other guy said, load balancing seems likely.  It might also be 
that php.ini settings for garbage collection and session/cookie 
lifetimes have changed.  Garbage collection can seem random.
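
An added example (not code from the posters or from the PHP manual) of the logging session handler suggested in this thread: it wraps the default handler and records open, empty reads, destroy and garbage collection. It assumes PHP 8.0+ and the default `files` handler; the class name `LoggingSessionHandler`, the helper `install_session_logging()` and the log path are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Class name, log path and log
// format are constructed. Assumes PHP 8.0+ and the default "files" handler.

final class LoggingSessionHandler extends SessionHandler
{
    public function __construct(private string $logFile) {}

    private function note(string $event, string $detail = ''): void
    {
        // Host and pid show which machine/worker served the request, which is
        // what exposes a load balancer sending one visitor to several backends.
        $line = sprintf("%s host=%s pid=%d %s %s\n",
            date('c'), gethostname(), getmypid(), $event, $detail);
        file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
    }

    private static function tag(string $id): string
    {
        // The session id is a credential: log a short digest, never the id.
        return substr(hash('sha256', $id), 0, 12);
    }

    public function open(string $path, string $name): bool
    {
        // save_path may be empty or "N;/dir"; resolve the real directory.
        $parts = explode(';', $path);
        $dir = end($parts);
        if ($dir === '') {
            $dir = sys_get_temp_dir();
        }
        $free = @disk_free_space($dir);
        $this->note('open', sprintf('dir=%s free_bytes=%s', $dir,
            $free === false ? 'unknown' : (string) (int) $free));
        return parent::open($path, $name);
    }

    public function read(string $id): string|false
    {
        $data = parent::read($id);
        if ($data === '' || $data === false) {
            // Empty data for an id the browser sent means the stored session
            // was not found here: expired, collected, or written elsewhere.
            $sent = isset($_COOKIE[session_name()]) ? 'cookie-sent' : 'new-visitor';
            $this->note('read-empty', 'sid=' . self::tag($id) . ' ' . $sent);
        }
        return $data;
    }

    public function destroy(string $id): bool
    {
        $this->note('destroy', 'sid=' . self::tag($id));
        return parent::destroy($id);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = parent::gc($max_lifetime);
        $this->note('gc', sprintf('max_lifetime=%d removed=%s', $max_lifetime,
            $removed === false ? 'error' : (string) $removed));
        return $removed;
    }
}

function install_session_logging(string $logFile): void
{
    // Has to run on every page before session_start().
    session_set_save_handler(new LoggingSessionHandler($logFile), true);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Command-line demo: one request's worth of session activity, then the log.
    $log = sys_get_temp_dir() . '/session-debug.log';   // constructed path
    install_session_logging($log);
    $_SESSION['probe'] = 1;
    session_write_close();
    echo file_get_contents($log);
}
```

A `read-empty ... cookie-sent` line whose `host=` differs from the one that served the previous request points at load balancing; a burst of them after a `gc` line, or alongside a low `free_bytes`, points at collection or a full save path.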



Re: [PHP] Sessions Question

2003-10-15 Thread James Kaufman
On Tue, Oct 14, 2003 at 05:23:54PM -0800, Chris Hubbard wrote:
 to use php sessions:
 you will need some place where you set up/create the sessions.  typically
 this is the login page.  let's assume you'll use the login page.  The logic
 for the login page goes something like this:
 1.  present a form for logging in (usually username/password)
 2.  on post, clean the posted data (remove html, special characters, etc)
 3.  check the cleaned username/password against the data in the database
 4.  if the username/password is valid, create your session and assign
 variables to it like this:
   session_start();  //create the session
   $id = session_id();  // create a unique session id
   session_register("id");  // register id as a session variable
   session_register("name");  // register name as a session variable
   session_register("email");  // register email as a session variable
   $_SESSION["id"] = $id;  // assign the unique session id to session array
   $_SESSION["name"] = $data["name"];  // assign the username to session array
   $_SESSION["email"] = $data["email"];  // assign additional values (after
   // registering them) to session array
 
 Hope this is helpful.
 
 Chris
 

There is no need to register variables as a session variable if
register_globals is off. The manual states:

If you want your script to work regardless of register_globals, you need to
instead use the $_SESSION array as $_SESSION entries are automatically
registered. If your script uses session_register(), it will not work in
environments where the PHP directive register_globals is disabled.

So the three 'session_register' statements above should be removed.

-- 
Jim Kaufman mailto:[EMAIL PROTECTED]
Linux Evangelist        cell: 612-481-9778
public key 0x6D802619   fax:  952-937-9832
http://www.linuxforbusiness.net
---
Any smoothly functioning technology will have the appearance of magic.
-- Arthur C. Clarke




RE: [PHP] Sessions Question

2003-10-15 Thread Ford, Mike [LSS]
On 15 October 2003 01:31, Mike Brum contributed these pearls of wisdom:

> One quick note - if you're starting a session then you can't
> use the header() function afterwards. You'll get the lovely
> "headers already sent" error.

Actually, so long as you do both *before* outputting any actual page content, it 
shouldn't matter which order you do them in.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




RE: [PHP] Sessions Question

2003-10-15 Thread Ford, Mike [LSS]
On 15 October 2003 05:25, Jake McHenry contributed these pearls of wisdom:

> Yes, submit, inout, username and password all come from the
> index.php form submission, but username changes throughout the
> different pages, that was one of my problems. I'm not sure
> what I did wrong before, but once I set a variable using
> $_SESSION, I couldn't change it unless I close the browser and
> start over.
>
> Just to make sure, register_globals should be set to off for
> best security reasons, correct? I guess that should have been
> my first question. And will sessions still work if it's turned
> off? Right now it's turned on for all my stuff to work.

Yes, and Yes.  But, from the code you've posted, it looks like you're still trying to 
use global variables, which just plain won't work with register_globals=Off.  Just to 
be clear, if submit, inout, username and password come from a form, then you can't 
just refer to $submit, $inout etc., which your code appears to do (at least, I can't 
find any initializations of them).  You must use $_POST['submit'] etc. if your form 
method='post', or $_GET['submit'] etc. if your form action='get'.  And *all* your 
session variable handling should likewise be done with $_SESSION[], without using 
session_register(), session_unregister().

I know I may be telling you stuff you're probably already aware of, but I just want to 
be clear that we're all starting from the same baseline.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
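
The change described above (reading submitted fields from $_POST instead of from bare globals), as an added example that is not part of the original message. The field names are the ones named in the thread and the allowed inout values are the ones in the posted index file; the read_form() helper, the username pattern and the sample request are assumptions made for the illustration. It assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

/**
 * Read only the fields a script expects from a request array.
 * Anything not listed in $spec is ignored, so a request parameter can never
 * create or overwrite a variable the script did not ask for.
 * Returns [values, errors].
 */
function read_form(array $source, array $spec): array
{
    $values = [];
    $errors = [];
    foreach ($spec as $field => $isValid) {
        $raw = $source[$field] ?? null;
        // Missing, empty, or array-valued input (field[]=x) is rejected here.
        if (!is_string($raw) || $raw === '') {
            $errors[$field] = 'missing';
            continue;
        }
        if (!$isValid($raw)) {
            $errors[$field] = 'invalid';
            continue;
        }
        $values[$field] = $raw;
    }
    return [$values, $errors];
}

// Hypothetical rules: inout takes the three values used in the posted index file.
$spec = [
    'inout'    => fn(string $v): bool => in_array($v, ['in', 'out', 'timeoff'], true),
    'username' => fn(string $v): bool => preg_match('/^[A-Za-z0-9_]{1,32}$/', $v) === 1,
    'password' => fn(string $v): bool => strlen($v) <= 256,
];

// Constructed request standing in for $_POST; 'debug' is a field the form never defined.
$post = ['inout' => 'in', 'username' => 'jake', 'password' => 's3cret', 'debug' => '1'];

[$form, $errors] = read_form($post, $spec);
var_dump($form);    // inout, username and password only; 'debug' is dropped
var_dump($errors);  // empty array for this request
```

In a real page the first argument would be $_POST, and the script would stop with an error message when $errors is not empty.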




RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Mike Brum mailto:[EMAIL PROTECTED]
on Tuesday, October 14, 2003 5:31 PM said:

> One quick note - if you're starting a session then you can't use the
> header() function afterwards. You'll get the lovely "headers already
> sent" error.
>
> Be sure to use an alternate method of redirection if you're starting a
> session before your redirect logic takes place.

That's not true.

Your session_start() is not what's causing the headers already sent
error. The problem is that you have already sent data to the client
somewhere. You've done some echo's or print's somewhere before the
header() and that's what's causing it to fail.

Alternatively you can use ob_start() to buffer the output of your script
until after the very last command in your script. Since header() comes
somewhere before the script is done executing you will still be able to
use it.



Chris.


--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Jake McHenry mailto:[EMAIL PROTECTED]
on Tuesday, October 14, 2003 7:00 PM said:

> Mainly what my problem is, is that when I turn Register_Globals = Off,
> then my scripts stop working. I can't even get past the page I showed
> you, the login page. No errors, it's just like I didn't enter any
> data.

Doesn't that just mean that instead of retrieving form variables by
their name you need to grab them from $_POST or $_GET?

Here is an example of what you should be doing to retrieve the values
sent from a form:

<form method="post" action="nextpage.php">
 <input type="text" name="name"/>
 <input type="submit" value="Submit"/>
</form>

nextpage.php:

<?php

$name = $_POST['name'];

?>



HTH,
Chris.




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry

Do I need to add the start_session() function to my config.php and
time.php? Do I need to change any variables in those files?

Thanks,


Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry

Also, say on a separate page, how do I call the variables stored in
$_SESSION? Like this? $name = $_SESSION[name];

Thanks,

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry
Chris W. Parker wrote:
> Jake McHenry mailto:[EMAIL PROTECTED]
> on Wednesday, October 15, 2003 12:39 PM said:
>
>> Also, say on a separate page, how do I call the variables stored in
>> $_SESSION? Like this? $name = $_SESSION[name];
>
> Yes. But whenever you plan to access $_SESSION you must
> always use 'session_start();' first. In my scripts it's
> always the very first line on each page that I use session's
> (which happens to be just about every page).
>
> Chris.

Ok, I got my index and userpage working... Geez.. This is going to be
a lg process! What I did for right now is just add a new
section to the top of my files, $var = $_SESSION[var];

Once I get a complete list, I can just copy and paste that to all my
files, correct? What happens if I try to call a variable in $_SESSION
that hasn't been created yet? This might not let me copy and
paste

Thank you to everyone who has replied to this thread...!

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Jake McHenry mailto:[EMAIL PROTECTED]
on Wednesday, October 15, 2003 12:55 PM said:

> Once I get a complete list, I can just copy and paste that to all my
> files, correct?

Yes you can just copy and paste the code.

> What happens if I try to call a variable in $_SESSION
> that hasn't been created yet? This might not let me copy and
> paste

Nothing will happen except that you'll have an empty string (I think).

Give it a shot and find out.


<?php

session_start();

$myval = $_SESSION['myval'];

?>


Put that into a new page and see what happens.



Chris.


--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Jake,
it would be helpful if we could see your code.

That said...

first you need to identify what information you need to track in the
sessions, and whether you're going to use php sessions (the $_SESSIONS
array) or build your own mysql based session tracker.

to use php sessions:
you will need some place where you set up/create the sessions.  typically
this is the login page.  let's assume you'll use the login page.  The logic
for the login page goes something like this:
1.  present a form for logging in (usually username/password)
2.  on post, clean the posted data (remove html, special characters, etc)
3.  check the cleaned username/password against the data in the database
4.  if the username/password is valid, create your session and assign
variables to it like this:
	session_start();  //create the session
	$id = session_id();  // create a unique session id
	session_register("id");  // register id as a session variable
	session_register("name");  // register name as a session variable
	session_register("email");  // register email as a session variable
	$_SESSION["id"] = $id;  // assign the unique session id to session array
	$_SESSION["name"] = $data["name"];  // assign the username to session array
	$_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array

5.  now either redirect to your main application page, or create another
page with links to that main application page.  In either case every page
where you want to use sessions has to start with:
session_start();

for example:
<?php
session_start();
// the rest of your code.

6.  I recommend that you add a check to your pages to make sure that the
session is still the right one and it's intact, something like this:
if (!$_SESSION["id"])  // if no session id, return to the login page
{
	header ("Refresh: 0; url=login.php");  //or
	// header ("location:http://www.mydomain.com/login.php");
}else{
	// the body of your code goes here.
}

7.  so with all that the pages you want to access session in should have a
structure similar to:
<?php
session_start();
if (!$_SESSION["id"])
{
	header ("Refresh: 0; url=login.php");
}else{
	// do all kinds of nifty time card things here
}
?>


Hope this is helpful.

Chris

-Original Message-
From: Jake McHenry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions Question


Hi everyone,

I've been trying to set up sessions, but have been having problems. I
created an online time clock for my company using php and a mysql
database. It's everything that my boss wanted. The only problem is, he
told me today that he is planning on selling it to our partners. The
actual software and database will reside on my server, but I will give
them their own database.

I started designing it about 2 years ago, and the machine that I was
working on at the time had register_globals=on, so I built my
scripting around that. I didn't know much about php at the time, but
have learned an immense amount since then.

Since people are now going to be accessing the time clock from
outside my company, I need to turn register_globals off, and turn
sessions on. My problem is that all my variables are declared locally
in the individual files, and are being passed by forms to $PHP_SELF,
and all of the variables and their values can be seen in the address
bar.

This never concerned me while being inside my firewall, since it was
only my employees and I. I knew what was going on.

I've read a lot of documents on the net concerning sessions, but still
can't get it to work right. Whenever I try to go to another page, or
submit a time, it either doesn't work at all, or it works, but the
value that's in the variable is stuck there, and I can't change it
without closing the browser and starting over.

Can someone point me in the right direction here?

Thanks,
Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-14 Thread Chris W. Parker
Jake McHenry mailto:[EMAIL PROTECTED]
on Tuesday, October 14, 2003 5:00 PM said:

[snip]

> Can someone point me in the right direction here?

I'd love to help you but you did not provide enough information.


What exactly are you trying to do and what is it failing? Try showing us
the code in question.

Are you receiving any errors messages?

Are you making sure to start the session with 'session_start();' on each
page the session needs to be accessed?



HTH,
Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-14 Thread Mike Brum
One quick note - if you're starting a session then you can't use the
header() function afterwards. You'll get the lovely "headers already sent"
error.

Be sure to use an alternate method of redirection if you're starting a
session before your redirect logic takes place.

-M




RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Sorry, I sent that last email directly to someone... Here it is again.

Here is my index file, it's the smallest of the set. This would be a
huge post if I would submit one of those. Config.php has config
options, time.php is basically getting the system time and then
manipulating it, instead of in each file.

I tried what you mentioned, almost exactly, missing the register id,
but I was using the $_SESSION for all my variables, and that's where I
ran into not being able to change them unless I would close the
browser and start over. And yes, I was using session_start() at the
beginning of all my files.

If the person puts in username: admin, then it basically dumps the
entire database onto the screen, with some manipulation of course,
otherwise, it only shows the individual employees data.

I also know I have to change the way people log in, I need to hash the
password and compare the two instead of all plain text.

Thanks,
Jake


<?

include("config.php");
include("time.php");

if (($SuBmIt) && ($inout) && ($username) && ($password))
{
  $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE '$username'");
  $row = mysql_fetch_array($result);

  $id = $row[0];
  $funame = $row[1];
  $fpasswd = $row[2];
  $fullname = $row[3];

//  $ip = GetHostByName($REMOTE_ADDR);

  if (getenv("HTTP_X_FORWARDED_FOR"))
  {
    $ip = getenv("HTTP_X_FORWARDED_FOR");
  }
  else
  {
    $ip = getenv("REMOTE_ADDR");
  }

  mysql_query("UPDATE `users` SET `lastip`='$ip' WHERE `uname` LIKE '$username' LIMIT 1");

  if ($password == $fpasswd)
  {
    $error = 0;
    $result = mysql_query("SELECT * FROM $username");
    while ($row = mysql_fetch_array($result))
    {
      $cotime = $row["cotime"];

      if ($cotime == "00:00:00")
      {
        $error = $error + 1;
      }
    }

    if ($inout == "in")
    {
      if ($error == 0)
      {
        $sql = "INSERT INTO $username (ymd,citime,ciampm) VALUES ('".addslashes("$Year-$MonthNumber-$DayNumber")."','".addslashes("$LogInOutTime")."','".addslashes("$LogInOutAmPm")."')";
        $result = mysql_query($sql);

        if ($result == 1)
        {
          Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
        }
        else
        {
          echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Database Error: Not Logged In, please try again</font></p>";
        }
      }
      else
      {
        echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: You are already clocked in!</font></p>";
      }
    }
    else if ($inout == "out")
    {
      if ($error != 0)
      {
        $sql = "UPDATE $username SET `cotime`='$LogInOutTime', `coampm`='$LogInOutAmPm' WHERE `ymd` LIKE '$Year-$MonthNumber-$DayNumber' AND `cotime` LIKE '00:00:00' LIMIT 1";
        $result = mysql_query($sql);

        if ($result == 1)
        {
          Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
        }
        else
        {
          echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Database Error: Not Logged Out, please try again</font></p>";
        }
      }
      else
      {
        echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: You are not clocked in!</font></p>";
      }
    }
    else if ($inout == "timeoff")
    {
      Header("Location: timeoff.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
    }
    else
    {
      Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
    }
  }
  else
  {
    echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: invalid password!</font></p>";
  }
}

echo <<<EndHTML

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com


RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Mike,
I don't get the headers already sent error.  here's the code I'm using:

if ($_POST)
{
	$result = cleanData($_POST);
	$sql = "SELECT `id`,`username`,`password`,`email` FROM `users` WHERE (`username` = '". $result["username"] ."') AND (`password` = '". md5($result["password"]) ."')";
	if ($conn->query($sql))
	{
		// if name and password match
		while (!$conn->movenext())
		{
			$data["id"] = $conn->value("id");
			$data["name"] = $conn->value("username");
			$data["email"] = $conn->value("email");
		}
		// Now create the session
		session_start();
		$id = session_id();
		session_register("id");
		session_register("name");
		session_register("email");
		session_register("sections");
		$_SESSION["id"] = $id;
		$_SESSION["name"] = $data["name"];
		$_SESSION["email"] = $data["email"];
		header("Location: http://ubb.atlantic-records.com/gallery/admin/index.php");
	}else{
		// if name and password don't match
		header ("Refresh: 0; url=login.php");
	}
}


RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Mainly what my problem is, is that when I turn Register_Globals = Off,
then my scripts stop working. I can't even get past the page I showed
you, the login page. No errors, it's just like I didn't enter any
data.

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com

 -Original Message-
 From: Chris Hubbard [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 14, 2003 9:24 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [PHP] Sessions Question
 
 
 Jake,
 it would be helpful if we could see your code.
 
 That said...
 
 first you need to identify what information you need to track 
 in the sessions, and whether you're going to use php sessions 
 (the $_SESSIONS
 array) or build your own mysql based session tracker.
 
 to use php sessions:
 you will need some place where you set up/create the 
 sessions.  typically this is the login page.  let's assume 
 you'll use the login page.  The logic for the login page goes 
 something like this: 1.  present a form for logging in 
 (usually username/password) 2.  on post, clean the posted 
 data (remove html, special characters, etc) 3.  check the 
 cleaned username/password against the data in the database 4. 
  if the username/password is valid, create your session and 
 assign variables to it like this:
   session_start();  //create the session
   $id = session_id();  // create a unique session id
   session_register(id);  // register id as a session variable
   session_register(name);  // register name as a 
 session variable
   session_register(email);  // register email as a 
 session variable
   $_SESSION[id] = $id;  // assign the unique session id 
 to session array
   $_SESSION[name] = $data[name];  // assign the 
 username to session array
   $_SESSION[email] = $data[email];  // assign 
 additional values (after regisering them) to session array
 
 5.  now either redirect to your main application page, or 
 create another page with links to that main applicaiton page. 
  In either case every page where you want to use sessions has 
 to start with: session_start();
 
 for example:
 ?php
 session_start();
 the rest of your code.
 
 6.  I recommend that you add a check to your pages to make 
 sure that the session is still the right one and it's intact, 
 something like this: if (!$_SESSION[id])  // if no session 
 id, return to the login page {
   header (Refresh: 0; url=login.php);  //or
   // header (location:http://www.mydomain.com/login.php;);
 }else{
   // the body of your code goes here.
 }
 
 7.  so with all that the pages you want to access session in 
 should have a structure similar to: ?php session_start(); if 
 (!$_SESSION[id]) {
   header (Refresh: 0; url=login.php);
 }else{
   // do all kinds of nifty time card things here
 }
 ?
 
 
 Hope this is helpful.
 
 Chris
 
 -Original Message-
 From: Jake McHenry [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 14, 2003 4:00 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP] Sessions Question
 
 
 Hi everyone,
 
 I've been trying to set up sessions, but have been having 
 problems. I created an online time clock for my company using 
 php and a mysql database. It's everything that my boss 
 wanted. The only problem is, he told me today that he is 
 planning on selling it to our partners. The actual software 
 and database will reside on my server, but I will give them 
 their own database.
 
 I started designing it about 2 years ago, and the machine 
 that I was working on at the time had register_globals=on, so 
 I built my scripting around that. I didn't know much about 
 php at the time, but have learned an immense amount since then.
 
 Since people are now going to be accessing the time clock 
 from outside my company, I need to turn register_globals off, 
 and turn sessions on. My problem is that all my variables are 
 declared locally in the individual files, and are being 
 passed by forms to $PHP_SELF, and all of the variables and 
 their values can be seen in the address bar.
 
 This never concerned me while being inside my firewall, since 
 it was only my employees and I. I knew what was going on.
 
 I've read a lot of documents on the net concerning sessions, 
 but still can't get it to work right. Whenever I try to go to 
 another page, or submit a time, it either doesn't work at 
 all, or it works, but the value that's in the variable is 
 stuck there, and I can't change it without closing the 
 browser and starting over.
 
 Can someone point me in the right direction here?
 
 Thanks,
 Jake McHenry
 Nittany Travel MIS Coordinator
 http://www.nittanytravel.com
 



RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Jake,
given that I can't see what is in config.php time.php, I'll focus on your
index.php.  I assume that the issues I point out will be applicable to
config and time also.

this:
<?
should be:
<?php

include("config.php");
include("time.php");

assuming that $SuBmIt and inout and username and password all come from your
log in form it should read something like:
START
$error = array();  // collect validation errors here
if ($_POST["SuBmIT"])
{
    // make sure posted variables are clean and are the kind you expect
    if ($_POST["inout"] != "")
    {
        // add other validation here
    }else{
        $error[] = "inout not set";
    }
    if ($_POST["username"] != "")
    {
        // add other validation here
    }else{
        $error[] = "username not entered";
    }
    if ($_POST["password"] != "")
    {
        // add other validation here
    }else{
        $error[] = "password not entered";
    }
    if (count($error) == 0)
    {
        $sql = "SELECT * FROM `users` WHERE `uname` LIKE '%". $_POST["username"] ."%'";
        // insert code to strip out < and > signs and ;
        // like this:
        $sql = str_replace("<","",$sql);
        $sql = str_replace(">","",$sql);
        $sql = str_replace(";","",$sql);
        // when we know that $sql is clean do the query
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
/END
The preceding should do roughly the same as your following code.  Note the
sql query should not use LIKE (which you're using) and you should use both
the username and the password, so something like this would be better
$sql = "SELECT * FROM `users` WHERE (`uname` = '". $_POST["username"] ."')
AND (`password` = '". md5($_POST["password"]) ."')";
You are encrypting your password, correct?

START
if (($SuBmIt) && ($inout) && ($username) && ($password))
{
  $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE
'$username'");
  $row = mysql_fetch_array($result);
/END

This should get you firmly on the road.  NOTE: I have not run the above
code, so it might work, and it might not.  Either way it's on you to sort out.

Hope this is helpful,
chris
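
The login check sketched in the message above, written with a bound parameter and a salted password hash in place of concatenated $_POST values and an md5() digest. This is an added example, not code from the thread; it assumes PDO with the MySQL driver, a `users` table whose `uname` column is unique, a hypothetical `pass_hash` column holding password_hash() output, and placeholder connection values and page names.

```php
<?php
// Added example, not from the thread. Assumptions: PDO (pdo_mysql), a `users`
// table with a unique `uname` column, a hypothetical `pass_hash` column that
// stores password_hash() output, and placeholder credentials and page names.
declare(strict_types=1);

/**
 * Look the user up by exact name and verify the password.
 * Returns the user's row on success, null on any failure.
 */
function check_login(PDO $db, string $username, string $password): ?array
{
    // Exact match with a bound parameter: no LIKE and no string concatenation,
    // so nothing typed into the form can change the shape of the query.
    $stmt = $db->prepare('SELECT `uname`, `pass_hash` FROM `users` WHERE `uname` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-derives the hash with the stored salt and cost and
    // compares in constant time; the database never sees the password.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return $row;
}

/**
 * Validate the posted fields, authenticate, and populate the session.
 * Expects session_start() to have been called. Returns a list of errors,
 * empty on success.
 */
function handle_login(PDO $db, array $post): array
{
    $errors = [];
    foreach (['inout', 'username', 'password'] as $field) {
        // Reject missing fields and array-valued input such as username[]=x.
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            $errors[] = "$field not entered";
        }
    }
    if ($errors) {
        return $errors;
    }

    $user = check_login($db, $post['username'], $post['password']);
    if ($user === null) {
        // One message for both "unknown user" and "wrong password".
        return ['login failed'];
    }

    // Issue a fresh session id at the moment of login so an id that was
    // planted or observed before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['name'] = $user['uname'];
    return [];
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $db = new PDO(
        'mysql:host=localhost;dbname=timesheet;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]
    );
    $errors = handle_login($db, $_POST);
    // login.php and main.php are placeholder page names.
    header('Location: ' . ($errors ? 'login.php' : 'main.php'));
    exit;
}
```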




RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
As I said in one of my posts, I'm not encrypting my passwords as of
yet, because it was all internal, all employees use their own
computers. My company is very relaxed. But since my boss wants to
start selling a time clock database to our partners, I have to fix
everything. I started this when I was just learning php, and have been
changing things as I go.

I'll mess around with what you gave me so far, as I've been doing.
Last week I had sessions in place and from what I read on phpbuilder,
everything was right. But as soon as I turn register_globals=off, then
nothing works.

All of the variables in the index.php and all other script files are
passed from either forms or in the url.

I'm doing pretty much a complete overhaul of my app, I know this is
going to take some time, but it needs to be done.

Thanks,
Jake


Config.php:
<?

$companyname = "Nittany Travel";
$adminpass = "x";
$dbhost = "localhost";
$dbuser = "nittany";
$dbpass = "xxx";
$dbname = "timesheet";

$updated = "Sept 25, 2003";
$version = "v4.8";
$avginterval = 365;

mysql_connect($dbhost,$dbuser,$dbpass) OR die("Can't connect to database");
mysql_select_db($dbname) or die("Unable to select database");

$fontface = "Verdana,Arial,Helvetica";
$fontsize = 2;
$creditfontface = "Verdana,Arial,Helvetica";
$creditfontsize = 1;
$examplesize = 1;
$bgcolor = "#99";
$linkcolor = "#FF";
$vlinkcolor = "#FF";
$tablebgcolor = "#AAA999";
$titlebarbgcolor = "#555999";
$titlebarfontcolor = "#FF";
$bodybarfontcolor = "#00";
$availabletimeoffbgcolor = "#AAA777";
$availabletimeofffontcolor = "#00";
$week1bgcolor = "#CCC777";
$week2bgcolor = "#CCC777";
$twoweekbgcolor = "#FFF777";
$inputfieldbgcolor = "#BBB999";
$inputfontface = "Verdana,Arial,Helvetica";
$inputfontsize = "10pt";
$inputfontcolor = "#FF";
$style = "background:$inputfieldbgcolor; font-family:$inputfontface; font-size:$inputfontsize; color:$inputfontcolor; border:none;";
$maincredit = "<table border=\"1\" cellpadding=\"3\" cellspacing=\"0\"
bordercolor=\"$bgcolor\" bordercolorlight=\"$inputfieldbgcolor\"
bordercolordark=\"$bgcolor\" style=\"right:5px; bottom:5px;
position:absolute;\">\n  <tr>\n<td><font face=\"$creditfontface\"
size=\"$creditfontsize\"><a href=\"admin.php\">JMTimeSheet $version
&copy; 2002-2003 JMM</a> - <a
href=\"mailto:[EMAIL PROTECTED]\">mchenry@nittanytravel.com</a> - Last revision: $updated</font></td>\n
</tr>\n</table>";
$topcredit = "<!-- The following source code is owned and copyrighted
by Jake McHenry, 2002-2003 $updated -->";
$credit = "<!-- JMTimeSheet
$version Copyright 2002-2003 JMM - [EMAIL PROTECTED] $updated
-->";

?>


Time.php
<?

$CurDate = getdate();

$LogInOutHour = $CurDate['hours'];
$LogInOutMinute = $CurDate['minutes'];
$LogInOutAmPm = "AM";
$LogInOutSecond = $CurDate['seconds'];

// convert the 24-hour value to a 12-hour display value
$LogInOutHourShow = $LogInOutHour;
if ($LogInOutHour > 12)
{
  $LogInOutHourShow = $LogInOutHour - 12;
}

if ($LogInOutHour == 0)
{
  $LogInOutHourShow = $LogInOutHour + 12;
}

if ($LogInOutHour >= 12)
{
  $LogInOutAmPm = "PM";
}

// zero-pad minutes and seconds
if ($LogInOutMinute < 10)
{
  $Temp = $LogInOutMinute;
  $LogInOutMinute = "0";
  $LogInOutMinute .= $Temp;
}

if ($LogInOutSecond < 10)
{
  $Temp = $LogInOutSecond;
  $LogInOutSecond = "0";
  $LogInOutSecond .= $Temp;
}

$YearToShow = $CurDate['year'];
$MonthToShow = $CurDate['mon'];
$DayToShow = $CurDate['mday'];
// getdate() returns an array; element 0 is the Unix timestamp date() expects
$NumberOfDays = date("t",$CurDate[0]);
$DayOfWeek = $CurDate['weekday'];

// zero-pad month and day numbers
$MonthNumber = $MonthToShow;
if ($MonthToShow < 10)
{
  $MonthNumber = "0";
  $MonthNumber .= $MonthToShow;
}

$DayNumber = $DayToShow;
if ($DayToShow < 10)
{
  $DayNumber = "0";
  $DayNumber .= $DayToShow;
}

$MonthNames =
array(1=>'January','February','March','April','May','June','July','August','September','October','November','December');
$MonthID =
array(1=>'01','02','03','04','05','06','07','08','09','10','11','12');
$Years =
array($YearToShow-5,$YearToShow-4,$YearToShow-3,$YearToShow-2,$YearToShow-1,$YearToShow,$YearToShow+1,$YearToShow+2,$YearToShow+3,$YearToShow+4,$YearToShow+5);

?>

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com


RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Yes, submit, inout, username and password all come from the index.php
form submission, but username changes throughout the different pages,
that was one of my problems. I'm not sure what I did wrong before, but
once I set a variable using $_SESSION, I couldn't change it unless I
close the browser and start over.

Just to make sure, register_globals should be set to off for best
security reasons, correct? I guess that should have been my first
question. And will sessions still work if it's turned off? Right now
it's turned on for all my stuff to work.

Thanks,

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




Re: [PHP] Sessions Question

2003-06-27 Thread Bob Irwin
Oops.

Forgot to remove the Re: - it was a new thread - I just replied to an old
message to get the php list email address then managed to stuff the subject
up.

Thanks for the help though!

Best Regards
Bob Irwin
*** Email [EMAIL PROTECTED] for speedy email response ***



RE: [PHP] Sessions Question

2003-06-27 Thread Ford, Mike [LSS]
 -Original Message-
 From: Bob Irwin [mailto:[EMAIL PROTECTED]
 Sent: 27 June 2003 08:01
 
 Oops.
 
 Forgot to remove the Re: - it was a new thread - I just replied to an old
 message to get the php list email address

That's exactly what you shouldn't do.  Most newsreaders, and some email
clients, are capable of tracking the thread no matter what you change the
subject to -- by replying to an existing thread with a new topic, people
using those clients see your new message in the middle of the old topic
thread.

If you're posting a new topic, do it with a completely new message.  (Why
not use your client's address book or nickname facility to give yourself an
easily-remembered alias for this list?)

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




Re: [PHP] Sessions Question

2003-06-26 Thread - Edwin -

Bob Irwin [EMAIL PROTECTED] wrote:

 Aside from the fact that bad code can obviously make sessions hackable, what
 does everyone think about the security of sessions?
 
 I rely on them fairly heavily for low-mid range security on some of my
 scripts, but if I was to do something that involved more sensitive info, are
 sessions bullet proof?  Can someone forge them somehow?

I think you'll find related info if you try Google or the archives for

  hijack sessions

And, talking about hijacking, you just hijacked this thread which is not good.

  http://marc.theaimsgroup.com/?l=php-general&m=105337989306112&w=2

- E -



Re: [PHP] Sessions question

2003-03-22 Thread Beauford.2002
Why? You wouldn't even know it happened - nor would the site. This is just a
security precaution.

- Original Message -
From: Jason Wong [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 22, 2003 2:25 AM
Subject: Re: [PHP] Sessions question


 On Saturday 22 March 2003 08:09, Beauford.2002 wrote:
  I don't quite understand this. If a user is on my site and then decides to
  go into his favourites and go to yahoo.com - this won't work. I think you
  are assuming the user is going to click on something I have set up - I want
  this to be invisible - however this user decides to leave my site. It
  appears though from the answers I have received - that this is not
  possible

 You're right it is not possible and quite rightly so. I wouldn't want a site
 to know when I have 'left' their site.

 --
 Jason Wong - Gremlins Associates - www.gremlins.biz
 Open Source Software Systems Integrators
 * Web Design & Hosting * Internet & Intranet Applications Development *
 --
 Search the list archives before you post
 http://marc.theaimsgroup.com/?l=php-general
 --
 /*
 Lee's Law:
 Mother said there would be days like this,
 but she never said that there'd be so many!
 */





Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
What about cookies - someone said if you put no time limit on a cookie it
dies when you leave the site - I'm not sure about this, but any help is
appreciated.


- Original Message -
From: Justin French [EMAIL PROTECTED]
To: Beauford.2002 [EMAIL PROTECTED]; PHP General
[EMAIL PROTECTED]
Sent: Friday, March 21, 2003 2:46 AM
Subject: Re: [PHP] Sessions question


 on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

  I have read some posts to this list on sessions and have read as much as I
  can find on them, but one problem still exists which I can't figure out. How
  do I kill the session when the user leaves my site. So if  a user is on
  www.mine.com and logs in successfully, then goes to www.hers.com - the user
  should have to log in again once coming back to www.mine.com, but at present
  the user is still logged in - and all variables are still set.

 How can PHP possibly tell when the user closes a window, or manually enters
 a new URL into the browser?

 It can't because PHP is only server side.

 Set the appropriate session max lifetime and garbage clean out probability,
 and sessions should die within a reasonable time of not being used (see
 php.ini for more info).

 Or, present the user with a logout link, to be sure the session is killed
 instantly.

 You can also do some *extra* insurance by creating a javascript pop-up
 triggered on a window close event which forces a log out, but this will only
 help in some cases, and more to the point, client-side scripting cannot be
 relied upon.

 If you want to kill sessions as people click on external links within your
 site, you can do so by creating a middle-man script between your page and
 the external site:

 Instead of
 <a href='http://newsite.com'>click</a> you would do this:

 <a href='out.php?url=<?=urlencode('http://newsite.com')?>'>click</a>

 out.php would be responsible for killing the session before doing a header()
 redirect to the target url.


 But, end of the day, all these are work-arounds.  Offer a logout link on
 every page of your site.  If the user chooses not to logout, then they are
 consciously making this decision -- they may want to come back shortly, or
 they may not care about the security implications -- either way, it's their
 call.


 Justin




Re: [PHP] Sessions question

2003-03-21 Thread Justin French
I think it's defined as when the browser is closed, not when the browser
is no longer in your domain -- but you'd have to ask an expert or read the
specs to be sure.

Justin


on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

 What about cookies - someone said if you put no time limit on a cookie it
 dies when you leave the site - I'm not sure about this, but any help is
 appreciated.
 
 



RE: [PHP] Sessions question

2003-03-21 Thread Ford, Mike [LSS]
 -Original Message-
 From: Justin French [mailto:[EMAIL PROTECTED]
 Sent: 21 March 2003 15:59
 
 on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
 
  What about cookies - someone said if you put no time limit on a cookie it
  dies when you leave the site - I'm not sure about this, but any help is
  appreciated.
 
 I think it's defined as when the browser is closed, not when the browser
 is no longer in your domain

That is correct.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




RE: [PHP] Sessions question

2003-03-21 Thread Darren Young

It's a session cookie, the browser clears it when it's closed. IIRC
you set the time to 0 to turn the cookie into a session one. Not sure
how it'll work with sessions though.




Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
So is there any way to do this - perl, javascript, voodoo?





Re: [PHP] Sessions question

2003-03-21 Thread Kevin Stone
This is one of those rare things in programming that can only be done one
way.  Absolutely the only way to kill the session when a user leaves your
site is to go through a script and then redirect after the session has been
destroyed.  For this to work every outgoing link on your website will have
to point to a script.  Then you'll pass the redirect url or url id (that
refers to a url in your database) through the link and redirect after
session_destroy() has killed the session.

The link can look like this:
<a href="exit.php?url=http://www.thiersite.com">www.theirsite.com</a>

The script will look something like this:
<? // exit.php
session_start();
session_destroy();
// the link above passes url in the query string, so it arrives in $_GET
header("Location: ".$_GET['url']);
?>

Keep in mind if you want to do this then the user will not be able to use
his/her back button in order to return to your website unless you define an
additional redirect in a conditional that states if the session is not
active then go here.

Voodoo.  *LOL*

- Kevin
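
One way to build the exit script described above using the URL-id variant, so the script only ever redirects to destinations the site itself has stored and also expires the session cookie. This is an added example, not code from the thread; the `id` parameter name, the constructed id-to-URL table (standing in for the database lookup) and the index.php fallback are assumptions.

```php
<?php
// exit.php - added example, not from the thread.
// Assumptions: outgoing links look like exit.php?id=2; the constructed table
// below stands in for the database of URL ids; index.php is a placeholder.
declare(strict_types=1);

const OUTGOING_URLS = [
    1 => 'http://www.theirsite.com/',
    2 => 'http://www.php.net/',
];

/**
 * Map the requested id to a stored URL. A URL supplied by the caller never
 * reaches header(), so the script cannot be used to bounce visitors to an
 * arbitrary address.
 */
function resolve_target(array $query): string
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, OUTGOING_URLS)) {
        return 'index.php'; // unknown or malformed id: stay on the site
    }
    return OUTGOING_URLS[$id];
}

/**
 * End the session completely: the data held in this request, the browser's
 * session cookie, and the server-side session storage.
 */
function end_session(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    end_session();
    header('Location: ' . resolve_target($_GET));
    exit; // nothing after the redirect header should run
}
```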





Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
I don't quite understand this. If a user is on my site and then decides to
go into his favourites and go to yahoo.com - this won't work. I think you
are assuming the user is going to click on something I have set up - I want
this to be invisible - however this user decides to leave my site. It
appears though from the answers I have received - that this is not
possible

B.

- Original Message -
From: Kevin Stone [EMAIL PROTECTED]
To: PHP General [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 4:21 PM
Subject: Re: [PHP] Sessions question


 This is one of those rare things in programming that can only be done one
 way.  Absolutely the only way to kill the session when a user leaves your
 site is to go through a script and then redirect after the session has been
 destroyed.  For this to work every outgoing link on your website will have
 to point to a script.  Then you'll pass the redirect url or url id (that
 refers to a url in your database) through the link and redirect after
 session_destroy() has killed the session.

 The link can look like this:
 <a href="exit.php?url=http://www.theirsite.com">www.theirsite.com</a>

 The script will look something like this:
 <?php // exit.php
 session_start();
 session_destroy();
 // The link passes url in the query string, so it is read from $_GET.
 header("Location: " . $_GET['url']);
 ?>

 Keep in mind if you want to do this then the user will not be able to use
 his/her back button in order to return to your website unless you define
an
 additional redirect in a conditional that states if the session is not
 active then go here.

 Voodoo.  *LOL*

 - Kevin


 - Original Message -
 From: Beauford.2002 [EMAIL PROTECTED]
 To: Ford, Mike [LSS] [EMAIL PROTECTED]; 'Justin French'
 [EMAIL PROTECTED]; PHP General [EMAIL PROTECTED]
 Sent: Friday, March 21, 2003 12:56 PM
 Subject: Re: [PHP] Sessions question


  So is there any way to do this - perl, javascript, voodoo?
 
 
  - Original Message -
  From: Ford, Mike [LSS] [EMAIL PROTECTED]
  To: 'Justin French' [EMAIL PROTECTED]; Beauford.2002
  [EMAIL PROTECTED]; PHP General [EMAIL PROTECTED]
  Sent: Friday, March 21, 2003 11:04 AM
  Subject: RE: [PHP] Sessions question
 
 
-Original Message-
From: Justin French [mailto:[EMAIL PROTECTED]
Sent: 21 March 2003 15:59
   
on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
   
 What about cookies - someone said if you put no time limit
on a cookie it
 dies when you leave the site - I'm not sure about this, but
any help is
 appreciated.
   
I think it's defined as when the browser is closed, not
when the browser
is no longer in your domain
  
   That is correct.
  
   Cheers!
  
   Mike
  
   -
   Mike Ford,  Electronic Information Services Adviser,
   Learning Support Services, Learning  Information Services,
   JG125, James Graham Building, Leeds Metropolitan University,
   Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
   Email: [EMAIL PROTECTED]
   Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
  



Re: [PHP] Sessions question

2003-03-21 Thread Jason Wong
On Saturday 22 March 2003 08:09, Beauford.2002 wrote:
 I don't quite understand this. If a user is on my site and then decides to
 go into his favourites and go to yahoo.com - this won't work. I think you
 are assuming the user is going to click on something I have set up - I want
 this to be invisible - however this user decides to leave my site. It
 appears though from the answers I have received - that this is not
 possible

You're right it is not possible and quite rightly so. I wouldn't want a site 
to know when I have 'left' their site.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Lee's Law:
Mother said there would be days like this,
but she never said that there'd be so many!
*/





Re: [PHP] Sessions question

2003-03-20 Thread Jason Wong
On Friday 21 March 2003 13:57, Beauford.2002 wrote:

 I have read some posts to this list on sessions and have read as much as I
 can find on them, but one problem still exists which I can't figure out.
 How do I kill the session when the user leaves my site. 

There is simply no way to tell when a user 'leaves' your site. PHP 
automatically cleans up sessions that have been idle for some time (see 
php.ini).

 So if  a user is on
 www.mine.com and logs in successfully, then goes to www.hers.com - the user
 should have to log in again once coming back to www.mine.com, but at
 present the user is still logged in - and all variables are still set.

The only way to be sure someone has logged out is to present them with a 
logout link which when clicked will clear the session.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
I would much rather have men ask why I have no statue, than why I have one.
-- Marcus Procius Cato
*/





Re: [PHP] Sessions question

2003-03-20 Thread Beauford.2002
What about HTTP_REFERER - is there some way I could incorporate it so if
the user didn't come from xxx (a page on my site)  then kill the session and
redirect him to the login page...


- Original Message -
From: Jason Wong [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 1:34 AM
Subject: Re: [PHP] Sessions question


 On Friday 21 March 2003 13:57, Beauford.2002 wrote:

  I have read some posts to this list on sessions and have read as much as
I
  can find on them, but one problem still exists which I can't figure out.
  How do I kill the session when the user leaves my site.

 There is simply no way to tell when a user 'leaves' your site. PHP
 automatically cleans up sessions that have been idle for some time (see
 php.ini).

  So if  a user is on
  www.mine.com and logs in successfully, then goes to www.hers.com - the
user
  should have to log in again once coming back to www.mine.com, but at
  present the user is still logged in - and all variables are still set.

 The only way to be sure someone has logged out is to present them with a
 logout link which when clicked will clear the session.

 --
 Jason Wong - Gremlins Associates - www.gremlins.biz
 Open Source Software Systems Integrators
 * Web Design & Hosting * Internet & Intranet Applications Development *
 --
 Search the list archives before you post
 http://marc.theaimsgroup.com/?l=php-general
 --
 /*
 I would much rather have men ask why I have no statue, than why I have
one.
 -- Marcus Procius Cato
 */





Re: [PHP] Sessions question

2003-03-20 Thread Justin French
on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

 I have read some posts to this list on sessions and have read as much as I
 can find on them, but one problem still exists which I can't figure out. How
 do I kill the session when the user leaves my site. So if  a user is on
 www.mine.com and logs in successfully, then goes to www.hers.com - the user
 should have to log in again once coming back to www.mine.com, but at present
 the user is still logged in - and all variables are still set.

How can PHP possibly tell when the user closes a window, or manually enters
a new URL into the browser?

It can't because PHP is only server side.

Set the appropriate session max lifetime and garbage clean out probability,
and sessions should die within a reasonable time of not being used (see
php.ini for more info).

Or, present the user with a logout link, to be sure the session is killed
instantly.

You can also do some *extra* insurance by creating a javascript pop-up
triggered on a window close event which forces a log out, but this will only
help in some cases, and more to the point, client-side scripting cannot be
relied upon.

If you want to kill sessions as people click on external links within your
site, you can do so by creating a middle-man script between your page and
the external site:

Instead of 
<a href='http://newsite.com'>click</a> you would do this:

<a href='out.php?url=<?=urlencode('http://newsite.com')?>'>click</a>

out.php would be responsible for killing the session before doing a header()
redirect to the target url.


But, end of the day, all these are work-arounds.  Offer a logout link on
every page of your site.  If the user chooses not to logout, then they are
consciously making this decision -- they may want to come back shortly, or
they may not care about the security implications -- either way, it's their
call.


Justin
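
The middle-man script described above, written out as an added example (not code from the thread). Since the target arrives in the query string, it redirects only to hosts on a fixed list and otherwise to the home page; the host list and the fallback URL are assumptions.

```php
<?php
// out.php: added example, not code from the thread.
// Assumption: the site keeps a fixed list of the external hosts it links to.
const ALLOWED_EXIT_HOSTS = ['newsite.com', 'www.theirsite.com']; // sample values
const FALLBACK_URL = '/';

/**
 * Return $url unchanged when it is an absolute http(s) URL whose host is on
 * the allow-list; return null for anything else.
 */
function resolve_exit_target(string $url, array $allowedHosts): ?string
{
    // Control characters and spaces have no place in a Location header value.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-relative or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo makes the real host differ from what a reader sees
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : null;
}

/** Destroy the session on the server and expire its cookie in the browser. */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    end_session();
    $raw = $_GET['url'] ?? '';
    $target = is_string($raw) ? resolve_exit_target($raw, ALLOWED_EXIT_HOSTS) : null;
    header('Location: ' . ($target ?? FALLBACK_URL));
    exit;
}

// Command-line self-check on constructed inputs.
$samples = [
    'http://newsite.com/page?id=1',
    'https://WWW.THEIRSITE.COM/',
    'http://unlisted.example/',
    '//newsite.com/',
    'javascript:alert(1)',
    "http://newsite.com/\r\nX-Test: 1",
    'http://newsite.com@unlisted.example/',
];
foreach ($samples as $s) {
    $result = resolve_exit_target($s, ALLOWED_EXIT_HOSTS) ?? 'REJECTED';
    printf("%-45s => %s\n", json_encode($s), $result);
}
```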





Re: SPAM: Re: [PHP] Sessions question

2003-03-20 Thread Justin French
on 21/03/03 6:20 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

 What about HTTP_REFERER - is there some way I could incorporate it so if
 the user didn't come from xxx (a page on my site)  then kill the session and
 redirect him to the login page...

The referrer can maybe *help* (not sure how though!), but can't be relied
upon, because it's not always set by the client (browser usually).

Justin





RE: [PHP] Sessions question (-enable-trans-sid)

2002-06-06 Thread Jeff Field

Thanks to all for their help on this.  As a follow-up, and after a bunch of
playing around with this yesterday, here's what I've come to learn.  Perhaps
it will be helpful to others:

With enable-trans-sid compiled into PHP and the following directives in
php.ini:

session.use_cookies = 0    (PHP uses cookies for sessions - off)
session.use_trans_sid = 1  (PHP uses enable-trans-sid for sessions - on)

PHP will automatically append the SID to the end of relative links 100% of
the time and will not use cookies no matter whether the user has cookies
enabled for their browser or not.

In the following case (and I presume the more normal way of doing things):

session.use_cookies = 1    (PHP uses cookies for sessions - on)
session.use_trans_sid = 1  (PHP uses enable-trans-sid for sessions - on)

PHP will behave the same way for those users that do *not* have cookies
enabled for their browser as in the first example, i.e. append links 100% of
the time.  However, for those users that have cookies enabled for their
browser, PHP will append the SID to the links only on the first hit to a
page.  Then, when a user requests the next page, the auto-rewriting of the
URI's stops and cookies are used from that point forward.

Actually, that all makes sense, as the first time a user requests a page,
there's no way for PHP to know if the browser will accept cookies or not.
But, on the second request, the browser will send the cookie back to PHP
(along with the appended URI), and PHP from that point on knows that the
browser accepts cookies and PHP will then drop the rewriting of the URI's.

I hope I've got this all correct.  The one observation I'd make in regards
to using cookies vs. URI's to maintain the session is this (and please
someone correct me if I'm wrong):

If a user does *not* have cookies enabled for their browser, you can lose
the session if the user hits an html page at your site (because PHP will not
be involved and will not rewrite the URI's for the .html page).  Not good.

If a user *does* have cookies enabled, they can hit non-PHP pages all they
want and when they get back to a PHP page, the session is still intact.

So, it would seem, while the SID being appended to all URI's should work for
all users, non-PHP pages will break the session (not good).  And, as for the
cookie method, not all users have cookies enabled for their browser (also,
not good).  Therefore, IMO, neither the cookie method or appending the URI
method will work as you'd like 100% of the time.

I suppose one thing you could do so that non-PHP pages won't break the
session for those users that don't have cookies enabled would be to just run
every page in your site through PHP.  That way, the URI's for every page
will be appended with the SID, and maybe that's the way to go.

Anyway, I hope I've got this all right and I hope it helps someone.

Jeff


 -Original Message-
 From: Jeff Field [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 05, 2002 11:56 AM
 To: [EMAIL PROTECTED]
 Subject: [PHP] Sessions question (-enable-trans-sid)


 Hi,

 I'm confused about one thing regarding sessions and haven't been able to
 find the definitive answer anywhere.  Hopefully, I can here.

 There are two ways to enable sessions:

 1) Session ID is passed through cookies
 2) Session ID is passed through the URL, either done manually or by
 automatic URL rewriting

 All the books, tutorials, etc. basically say that cookies are the
 way to go
 but when users don't have cookies enabled, you have to use the
 URL method.
 Since I have an e-commerce site that is available to the world,
 I'm assuming
 *some* are not going to have cookies enabled.  Duh!

 So, from what I've read, you can implement the URL method of sessions by
 either manually attaching the session ID to the URLs, or, by compiling PHP
 with enable-trans-sid, which will add the session ID to the URL's
 automatically.  The answer that I haven't been able to find is this:

 Is this a one or the other proposition?  IOW, if I implement sessions with
 cookies, then I can't use the URL method?  Or, if I implement the
 URL method
 (with enable-trans-sid), I can't use the cookie method?  Or, do
 they work in
 combination.  IOW, does PHP automatically know that if a user has cookies
 enabled, PHP will use the cookie method and, when cookies are
 *not* enabled,
 PHP automatically implements the URL method?

 Thanks for the help!

 Jeff






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Martin Clifford

I'm sure this is not a definitive answer, but I would assume that since you would be 
passing the information through both the URI and Cookies, it will work regardless of 
cookies enabled or disabled.  On the other hand, if you are passing the session id 
through the URI in the first place, you don't have to worry about cookies being on at 
all.  Just some idle speculation, I've never tried to use both at the same time.

Martin

 Jeff Field [EMAIL PROTECTED] 06/05/02 12:56PM 
Hi,

I'm confused about one thing regarding sessions and haven't been able to
find the definitive answer anywhere.  Hopefully, I can here.

There are two ways to enable sessions:

1) Session ID is passed through cookies
2) Session ID is passed through the URL, either done manually or by
automatic URL rewriting

All the books, tutorials, etc. basically say that cookies are the way to go
but when users don't have cookies enabled, you have to use the URL method.
Since I have an e-commerce site that is available to the world, I'm assuming
*some* are not going to have cookies enabled.  Duh!

So, from what I've read, you can implement the URL method of sessions by
either manually attaching the session ID to the URLs, or, by compiling PHP
with enable-trans-sid, which will add the session ID to the URL's
automatically.  The answer that I haven't been able to find is this:

Is this a one or the other proposition?  IOW, if I implement sessions with
cookies, then I can't use the URL method?  Or, if I implement the URL method
(with enable-trans-sid), I can't use the cookie method?  Or, do they work in
combination.  IOW, does PHP automatically know that if a user has cookies
enabled, PHP will use the cookie method and, when cookies are *not* enabled,
PHP automatically implements the URL method?

Thanks for the help!

Jeff






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread 1LT John W. Holmes

If you compile it with --enable-trans-sid, then PHP will use cookies when
they are available and if they are not, it'll append the SID to links and
forms. Basically, it's automatic.

---John Holmes...

- Original Message -
From: Jeff Field [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 05, 2002 12:56 PM
Subject: [PHP] Sessions question (-enable-trans-sid)


 Hi,

 I'm confused about one thing regarding sessions and haven't been able to
 find the definitive answer anywhere.  Hopefully, I can here.

 There are two ways to enable sessions:

 1) Session ID is passed through cookies
 2) Session ID is passed through the URL, either done manually or by
 automatic URL rewriting

 All the books, tutorials, etc. basically say that cookies are the way to
go
 but when users don't have cookies enabled, you have to use the URL
method.
 Since I have an e-commerce site that is available to the world, I'm
assuming
 *some* are not going to have cookies enabled.  Duh!

 So, from what I've read, you can implement the URL method of sessions by
 either manually attaching the session ID to the URLs, or, by compiling PHP
 with enable-trans-sid, which will add the session ID to the URL's
 automatically.  The answer that I haven't been able to find is this:

 Is this a one or the other proposition?  IOW, if I implement sessions with
 cookies, then I can't use the URL method?  Or, if I implement the URL
method
 (with enable-trans-sid), I can't use the cookie method?  Or, do they work
in
 combination.  IOW, does PHP automatically know that if a user has cookies
 enabled, PHP will use the cookie method and, when cookies are *not*
enabled,
 PHP automatically implements the URL method?

 Thanks for the help!

 Jeff






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Nick Wilson


* and then 1LT John W. Holmes declared
 If you compile it with --enable-trans-sid, then PHP will use cookies when
 they are available and if they are not, it'll append the SID to links and
 forms. Basically, it's automatic.

Hmmm I've had a problem with this: I have --enable-trans-sid but I
see url appends on my browser when I *know* cookies are working. 

Any reason for that? 
-- 
Nick Wilson //  www.explodingnet.com







Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Dan Hardiker

 Hmmm I've had a problem with this: I have --enable-trans-sid but I
 see url appends on my browser when I *know* cookies are working.


Personally I can't say this is a bad thing... not all browsers enable
cookies and they can be messy and insecure at times (eg: cross domain
issues). Placing in the URL may make it look a bit messier (the URL that
is) but it's much more compatible.

Just my 2 cents.


-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software  Systems Engineer
First Creative Ltd







Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread 1LT John W. Holmes

I guess PHP just can't tell that cookies are enabled. I'm sure the method
isn't foolproof. Your sessions get through either way, so what's the big
deal?

---John Holmes...
- Original Message -
From: Dan Hardiker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 05, 2002 4:50 PM
Subject: Re: [PHP] Sessions question (-enable-trans-sid)


  Hmmm I've had a problem with this: I have --enable-trans-sid but I
  see url appends on my browser when I *know* cookies are working.


 Personally I can't say this is a bad thing... not all browsers enable
 cookies and they can be messy and insecure at times (eg: cross domain
 issues). Placing in the URL may make it look a bit messier (the URL that
 is) but it's much more compatible.

 Just my 2 cents.


 --
 Dan Hardiker [[EMAIL PROTECTED]]
 ADAM Software  Systems Engineer
 First Creative Ltd







Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Nick Wilson


* and then 1LT John W. Holmes declared
 I guess PHP just can't tell that cookies are enabled. I'm sure the method
 isn't foolproof. Your sessions get through either way, so what's the big
 deal?

Mainly in SEO stuff. If an SE like google as a good example picks up the
PHPSESSID=slkfjdsjfsdlkf and then comes back and gets a different id
next time you can lose page rank for duplicate content.

Big deal indeed I'd say.

-- 
Nick Wilson //  www.explodingnet.com







Re: [PHP] Sessions Question

2001-07-28 Thread Rasmus Lerdorf

 session_register($refresh);
 session_register($seconds);
 session_register($title);

You probably want to remove the $ signs in the above.

-Rasmus


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] Sessions question.

2001-05-16 Thread Rasmus Lerdorf

 Is there a way to get the name of each variable in a session?

Just walk through $HTTP_SESSION_VARS

-Rasmus






Re: [PHP] Sessions question

2001-02-27 Thread Richard Lynch

You probably need to "unset" the cookie PHP is using to store the session ID
when you destroy the session.

Change your cookie handling in your browser to the "warn me before every
cookie" and play around a bit maybe.

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
- Original Message -
From: Evelio Martinez [EMAIL PROTECTED]
Newsgroups: php.general
Sent: Monday, February 26, 2001 11:58 AM
Subject: [PHP] Sessions question



 How can I have a new session id without closing the browser?

 session.inc contains basically the postgresql session functions (user
 handler) in  http://www.php.net/manual/en/ref.session.php
 I have changed pg_pconnect for pg_connect and I have added
 pg_destroy_session.

 1. There is a login/password page
 2. Afterwards all pages that access the DB have the following include
 file:

 <?php
 include('sesion.inc');

 // flag that indicates that validation was successful
 if (!isset($g_login)) {

   echo "<script language='javascript'>
   <!--
   var lugar = window.location.href;
   if ( lugar != \"http://www.my_web.com/login.php\" ) {
      window.location.assign('http://www.my_web.com/login.php');
   }
   //-->
   </script>";
 }

 if (isset($g_hora)) {

   $timeout = 3600 ;
   $lapso = time() - $g_hora;
   if ( $lapso >= $timeout )  {

     session_destroy();    // delete session from database
     session_unset();      // supposed to delete session variables from memory
     $sesion = md5(uniqid("prueba"));
     session_id($sesion);  // new session

     echo "<script language='javascript'>
     <!--
     var lugar = window.location.href;
     var lugars;

     window.alert('La sesión ha expirado');
     var lugar = window.location.href;
     if ( lugar != \"http://www.my_web.com/login.php\" ) {
        window.location.assign('http://www.my_web.com/login.php');
     }
     //-->
     </script>";
   }
 }
 ?>


 3. How am I supposed to create a new session identifier?
 session_unset is supposed to "free" (delete?) all session variables
 currently registered, isn't it?
 After timeout, it goes to login page but I still have the old
 session id instead of the new one.

 What am I missing?

 TIA

 --
 Evelio Martnez





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
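
A server-side version of the timeout in the quoted post, as an added example (not code from the thread): when the idle limit is reached it empties the session and calls session_regenerate_id(true), so the browser receives a new session ID without being closed. The `last_seen` key and the login path are assumptions; the login flag check from the post stays a separate step.

```php
<?php
// Added example, not code from the thread.
// Assumptions: the 'last_seen' session key and the login path below.
const IDLE_TIMEOUT = 3600;          // seconds, same value as $timeout in the post
const LOGIN_URL    = '/login.php';

/** Pure decision: has the session been idle for at least $timeout seconds? */
function is_expired(?int $lastSeen, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    return $lastSeen !== null && ($now - $lastSeen) >= $timeout;
}

/**
 * Start the session and enforce the idle timeout.
 * Returns true when the request may continue, false when the visitor has
 * been given a fresh, empty session and must log in again.
 */
function start_checked_session(int $now): bool
{
    // These must be set before session_start().
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_start();

    $last = isset($_SESSION['last_seen']) ? (int) $_SESSION['last_seen'] : null;
    if (is_expired($last, $now)) {
        $_SESSION = [];               // forget the old login state
        session_regenerate_id(true);  // new ID; true deletes the old session record
        return false;
    }
    $_SESSION['last_seen'] = $now;    // sliding window: each request renews it
    return true;
}

if (PHP_SAPI !== 'cli') {
    if (!start_checked_session(time())) {
        // Server-side redirect: works even when JavaScript is disabled.
        header('Location: ' . LOGIN_URL);
        exit;
    }
} else {
    // Command-line self-check on constructed timestamps.
    foreach ([[null, 5000], [1000, 4599], [1000, 4600]] as [$last, $now]) {
        printf(
            "last=%s now=%d expired=%s\n",
            var_export($last, true),
            $now,
            var_export(is_expired($last, $now), true)
        );
    }
}
```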