    #16
  1. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Yes, I gave you two links to do exactly that.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  2. #17
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    Yes, we know. Then you have to do one of the things I said:

    1) Increase the session timeout of the cookie and the garbage collection (using session_set_cookie_params and session.gc_maxlifetime)

    2) Roll your own auto-login solution. This is not recommended as you do not understand the security implications, though it was discussed at length in this thread.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #18
  5. Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    I don't see how you could accidentally kill the session like E-Oreo says. This would require you to explicitly change the lifetime in any of your scripts -- why would you do that?
    You wouldn't do it on purpose, but there are quite a few ways you could accidentally do it:

    1) PHP is frequently configured to use different configurations for different execution environments; different web servers, different execution interfaces (fcgi, cgi), different user accounts (particularly on shared hosts) etc. If you end up executing a PHP script on the server via any environment that you haven't changed from defaults, it will use the default garbage collection value and potentially wipe out your sessions.

    2) You may install a third party script which changes the value for its own purposes, probably without you even realizing it.

    3) Upgrading PHP or installing a second version of PHP, particularly via a package manager, has the potential to change your configuration file back to defaults.

    However, you can mitigate the risk here by changing session.save_path at run-time in your script.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  6. #19
  7. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    Also remember that many installs of PHP store the sessions inside the operating system's temporary file store. /tmp gets cleared out by the OS, as well as getting cleared by PHP. There's no guarantee a file will last longer than a couple hours in /tmp, completely unrelated to PHP at all.
  8. #20
  9. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2013
    Location
    Australia
    Posts
    4
    Rep Power
    0
    Making sessions will not let them register again. Once they register, they only use their login and pass to come back to your website and make posts.
  10. #21
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2012
    Posts
    204
    Rep Power
    3
    Hi guys!

    Thanks again for all the help. I have now had contact with our server provider, and I can't have access to the php.ini file. How can I make the length longer when I don't have access to the .ini?

    Thanks!
  12. #22
  13. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    With the functions we've already mentioned more than once.
  14. #23
  15. Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    As long as your host does not have sessions set to auto start, you can use set_ini to change most of the session configuration values. You need to call set_ini before session start though.
  16. #24
  17. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    You don't even need set_ini, the session cookie has its own control functions which I already linked to. set_ini would work as well, but is unnecessary given the existing function which does exactly what you're looking for.
  18. #25
  19. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4123
    Maybe I'm reading this whole thread wrong...but to me it seems there's an underlying misunderstanding about the persistence of user data.

    One assumes that you are storing the registration data - eg in a database.

    Rather than the user carrying round a flag (in a cookie) that says "hey, I registered here last week", you know when they registered by looking in your database. By constraining a field to be unique (eg by email address or username) you intrinsically prevent a future registration with those details.

    One also assumes that you may log in to this system - at any time after registration; and for this the default php session is adequate - it uses a cookie to identify the user to the app, which can then match up to a locally stored object which can then reference a database. Use cookies to remember usernames if you wish, but beware the EU cookie monster laws.
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
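The database-side guard described in the post above, as an added example that is not part of the thread: a UNIQUE constraint rejects a second registration atomically, which a SELECT-then-INSERT check cannot do under concurrent requests. The table layout and the function names make_db and register are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example (not from the thread). In-memory SQLite keeps it stand-alone;
// table and function names are hypothetical, sample values are constructed.
declare(strict_types=1);

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The UNIQUE constraint is the actual guard against a second registration.
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

// Returns true when the account was created, false when the address is taken.
function register(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    try {
        // Normalise first so "A@x.org" and "a@x.org" collide on the constraint.
        $stmt->execute([
            strtolower(trim($email)),
            password_hash($password, PASSWORD_DEFAULT),
        ]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE class 23 means integrity constraint violation (duplicate key).
        if (substr((string) $e->getCode(), 0, 2) === '23') {
            return false;
        }
        throw $e; // anything else is a real error and must not be swallowed
    }
}

$pdo = make_db();
var_dump(register($pdo, 'alice@example.org', 'constructed-sample-password'));
var_dump(register($pdo, 'Alice@example.org', 'another-sample-password'));
```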
  20. #26
  21. Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    As far as I know, set_ini is the only way to change the garbage collection lifetime at runtime. If you don't change it, sessions may be deleted after 30 minutes.
  22. #27
  23. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    Easily, that's true. I recommend switching the session store location and the session lifetime using ini_set, then set the cookie to relatively permanent (~1 year or more) either through ini_set or through the built-in function.

    Rolling his own session handling class would also work for this, since that garbage collection function allows for minute control.
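The setup recommended in the post above (private session store, longer garbage-collection lifetime, persistent cookie), as an added example that is not part of the thread; PHP's runtime configuration call is ini_set. The 30-day lifetime, the directory path and the function names start_long_lived_session and on_login_success are assumptions, and the cookie flags, strict mode and ID regeneration go beyond what the posts mention.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 7.3+, an HTTPS site,
// and a writable directory outside the web root at the hypothetical path below.
declare(strict_types=1);

const SESSION_LIFETIME = 60 * 60 * 24 * 30;            // 30 days, constructed value
const SESSION_DIR      = __DIR__ . '/../var/sessions'; // hypothetical path

function start_long_lived_session(): void
{
    // If the host auto-starts sessions, the settings below come too late.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already started (session.auto_start?)');
    }

    // Private store: /tmp cleaners and other applications' garbage collection,
    // running with a shorter lifetime, never touch these files.
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('Cannot create session directory');
    }
    session_save_path(SESSION_DIR);

    // Server side: keep session data at least as long as the cookie lives.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    // Client side: persistent cookie, hidden from scripts, sent over HTTPS only.
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// A long-lived session ID is a long-lived credential: issue a fresh one
// whenever the privilege level changes, for example right after login.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_long_lived_session();
```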
  24. #28
  25. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4123
    Rolling your own session handling logic (inc ignoring session set save handler) is a good learning exercise for how session logic works