Thread: Couch Sessions

    #16
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    session-security


    Per default all session files are stored in one directory read-/writeable by the webserver. So if anyone is able to place a script on your server, she or he could read all your session files.
    Isn't it possible to encrypt them with a key only readable by root (or the initial webserver user)?
    #17
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: cookie


    Inherent (but perhaps not explicit) in Sam's post is the fact that browsers either accept or reject "cookies" and in that key sense "session cookies" are the same as generic "cookies."

    The authors suggest a back-up approach to the dieting browser problem:

    ===[begin clip from article]===
    Finally, before we get to PHPLIB, there's one technical issue you should be aware of - all the examples above use cookies to store the session id on the client. But what happens if the client browser is set to reject cookies?

    In such an eventuality, it becomes necessary to pass the session id from one page to another by embedding it in the URL. For example,
    --------------------------------------------------------------------------------
    <a href="http://www.someserver.com/admin/preferences.php3?PHPSESSID=<? echo "$PHPSESSID"; ?>">Edit Your Portfolio!</a>
    --------------------------------------------------------------------------------
    This helps to ensure that session variables are available on subsequent pages.

    ===[END clip from article]===

    #18
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Problems with phplib and php4


    I'm using the phplibs for accessing the login script. The problems that I have are the following:

    PHP3 works fine when using the libs and .htaccess file to point to the prepend and include directory.

    PHP4 (using the same setup and configuration) does not work when trying this. After contacting the admin, we were told that the files are set to a php3 directive and to modify them to php4. Has anyone done this or is there a different config that I need to make to the scripts?

    TIA,

    Pete Robie
    #19
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Session Variables


    To this code

    "
    $my_session_variable = "some value";

    session_register("my_session_variable");


    "


    the result is this...


    Warning
    open(/tmp/sess_710bca421ecd851554ef5fff0a379158, O_RDWR) failed: m (2) in E:\WEB_PR~1\php73.php on line 4


    Warning:
    open(/tmp/sess_710bca421ecd851554ef5fff0a379158, O_RDWR) failed: m (2) in
    Unknown on line 0

    Warning:

    Can someone tell me anything about this?
    #20
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: cookie


    I understand the idea behind passing the session id to another page if cookies are disabled in the browser. But if cookies are disabled, you won't even be able to start your session (session_start()). How can you start a session without sending a cookie to the client browser? If a session ID is not generated by session_start(), then there's no session ID to pass around, as shown here:
    <a href="http://www.someserver.com/admin/preferences.php3?PHPSESSID=<? echo "$PHPSESSID"; ?>">Edit Your Portfolio!</a>
    #21
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Login verification


    Does anyone know of the best/easiest way of verifying if someone has logged in or not. I was thinking about storing a variable in the session after I check the password like $login=true so that I wouldn't have to keep checking the database to see if they are valid. What I am afraid of is that maybe someone could somehow change the value of $login (maybe by creating a dummy page that submits the variable to my page) even though they didn't log in. On the other hand, I would hate to query the database on every page if I don't have to. Am I just being paranoid?
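
    The concern raised in this question, as an added example that is not part of any post in the thread: the login flag is written once into server-side session data and later pages read only `$_SESSION`, so a form that submits `login` cannot set it (on PHP 4 with register_globals on, a bare `$login` could be populated from the request). The user record and function names are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Function names and the user record are constructed.

// Stand-in for the database row that is checked once, at login time.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Verify the password once, then record the outcome in server-side session data.
function log_in(array $users, string $user, string $password): bool
{
    ensure_session();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);      // fresh id after the privilege change
    $_SESSION['login'] = true;
    $_SESSION['user']  = $user;
    return true;
}

// Later pages consult only $_SESSION, never a global or a request parameter.
function is_logged_in(): bool
{
    ensure_session();
    return ($_SESSION['login'] ?? false) === true;
}

// Constructed request from a "dummy page": it can only populate $_GET/$_POST.
$_GET['login']  = '1';
$_POST['login'] = 'true';

$results = [
    'forged request only' => is_logged_in(),
    'wrong password'      => log_in($users, 'alice', 'wrong'),
    'correct password'    => log_in($users, 'alice', 'correct horse'),
    'after login'         => is_logged_in(),
];
var_dump($results);   // printed last so no output precedes the session calls
```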
    #22
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: Login verification


    Yes, I think.
    The session_register() function will bring the username and password along during the session, which is started using session_start(),
    so if you are using a form and checking $username and $password, just use

    // session_register() takes the variable names without the leading $
    session_register('username', 'password');



    #23
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: Session Variables


    Try putting session_start() and session_register() before declaring any variable; maybe it will help.
    #24
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: session-security


    Em,
    maybe you can try the php-wrapper: run PHP using the user id, so the web server can't view them even though the user can insert a script into the server.
    #25
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: Session data removal


    If you want to generate your session id and make it unique, get the unix system time when creating the session id and use it. The Professional PHP Programming book (Wrox Press) uses something like this in Chapter 9 of that book (combining it with a userid presumably derived from a login procedure, and a mysql db with 3 fields in a sessions table, all bundled into a "Sessions" class), i.e. (based on their version):

    Code:
    // creation time of the session
    $current = time();
    // session id is the MD5 of userid + creation time
    $random = $this->userid . $current;
    $this->seshid = md5($random);
    // record id, user and creation time in the sessions table
    $query = mysql_query("insert into sessions values('$this->seshid','$this->userid', $current)");


    As you can see, they use MD5 encryption combining the time of the user session creation with the userid to produce an encrypted sessionid which is only valid for a stated period of time (get the book and read their class code - it's a great book). This seems to be a great solution for someone seeking a simple session system.
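
    An added example, not from the post or the Wrox book: it puts the time-plus-userid id from the snippet above beside an id drawn from the system CSPRNG, stored with a prepared statement and checked against a lifetime. The table layout, function names and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example. Table/column names and all function names are assumptions.

// Pattern from the post: the id is a pure function of two guessable inputs.
function legacy_session_id(string $userid, int $now): string
{
    return md5($userid . $now);
}

// Hardened: 256 bits from the OS CSPRNG, independent of user and clock.
function new_session_id(): string
{
    return bin2hex(random_bytes(32));
}

// Store only a hash of the id, so a leaked sessions table yields no usable ids.
function create_session(PDO $db, string $userid, int $now): string
{
    $id = new_session_id();
    $stmt = $db->prepare('INSERT INTO sessions (id_hash, userid, created) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $id), $userid, $now]);
    return $id;
}

// Returns the userid for a live session, or null if unknown or older than $ttl seconds.
function lookup_session(PDO $db, string $id, int $now, int $ttl): ?string
{
    $stmt = $db->prepare('SELECT userid, created FROM sessions WHERE id_hash = ?');
    $stmt->execute([hash('sha256', $id)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['created'] > $ttl) {
        return null;
    }
    return $row['userid'];
}

// Constructed demo data: in-memory database, fixed timestamp, sample user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, userid TEXT, created INTEGER)');
$now = 1000000000;

// Same inputs give the same legacy id every time; two random ids never coincide.
var_dump(legacy_session_id('alice', $now) === legacy_session_id('alice', $now));
var_dump(new_session_id() === new_session_id());

$id = create_session($db, 'alice', $now);
var_dump(lookup_session($db, $id, $now + 60, 1800));     // within lifetime
var_dump(lookup_session($db, $id, $now + 3600, 1800));   // past lifetime
var_dump(lookup_session($db, legacy_session_id('alice', $now), $now, 1800)); // recomputed id
```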
    #26
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    session_destroy()


    Hi --

    After successfully registering session ids, I am unable to destroy the sessions.

    I am trying to log out, and when doing so, it should destroy all sessions. I placed the "session_destroy();" at the top of the php file and the session still remains.

    Has anyone experienced similar problems?

    Chad
    #27
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: Login verification


    In order to propagate the session variables such as $login and $password in the linked pages, you have to either set session.auto_start=1 in the php.ini file or use session_start() in every page.
    What is the difference between the two ways?
    Does setting the auto_start variable start a session for each *.php whether I want it or not? The second way is definitely inconvenient.

    #28
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    Re: session_destroy()


    Yes Chad, I've experienced the same problem. My solution is this:


    Code:
    session_unset();      // clear the registered session variables
    session_destroy();    // remove the session data on the server
    $p = session_get_cookie_params();
    // an empty value makes PHP tell the browser to drop the session cookie
    setcookie(session_name(), "", 0, $p["path"], $p["domain"]);


    It looks (no, it is) heavy-handed, but it's the only thing that seems to work effectively.

    Have a look here to see a discussion on this: http://www.php.net/manual/function.session-destroy.php

    Like you, I expected that session_destroy() would do all the above, but apparently not. If you find an alternative explanation/solution, let me know! I've just had a thought - it may be that session_destroy is not working as I would expect because I am testing it on my local Windows 98 machines (as opposed to a remote server) and running PHP as a cgi-script (as opposed to an Apache module). More testing to do I suppose...
    #29
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    session_start() error


    in doing the first part of the tutorial, these are the errors i get and the code i use is directly below it. Any thoughts?

    errors:

    Warning: Cannot send session cookie - headers already sent by (output started at /home/serve/..../index.php:10) in /home/serve/..../index.php on line 13

    Warning: Cannot send session cache limiter - headers already sent (output started at /home/serve/..../index.php:10) in /home/serve/..../index.php on line 13

    code:
    <?php

    // initialize a session
    session_start();

    // register a session variable
    session_register('counter');

    ?>

    thanks for any help anyone can give me.

    #30
    guest
    Guest
    Devshed Newbie (0 - 499 posts)

    (session_start() error) fixed post


    in doing the first part of the tutorial, these are the errors i get and the code i use is directly below it. Any thoughts?

    errors:

    Warning: Cannot send session cookie - headers already sent by (output started at /home/serve/..../index.php:10) in /home/serve/..../index.php on line 13

    Warning: Cannot send session cache limiter - headers already sent (output started at /home/serve/..../index.php:10) in /home/serve/..../index.php on line 13

    code:
    Code:
    <?php
    
    // initialize a session
    session_start();
    
    // register a session variable
    session_register('counter');
    
    ?>
    thanks for any help anyone can give me.

