Thanks for Email to me so soon!
1. Before I sent you Emails I read the function "session_destroy()" and function
"session_unset()" again
I use session in this sequence:
session_start();
//after user has been authenticated (using database authentication)
$userid = $txtUser; //txtUser is the text input in the log page;
session_register("userid");
//after user log out
session_unset;
session_destroy();
I wonder whether this is a right sequence in using session. Could you give me some
advice?
2. I know the session is stored on the SERVER.
But I am develop a Homepage Administration System for my university. This system
is used to manage the users and store all the users' own homepage. User need to
register
before he/she can store his/her own homepage on the SERVER.
All the users id are listed out for others' visit. So all the users id are known.
I mean the url:"login.php" is known. But if one person know my session variable
and he use "login.php?userid=mintbaggio"(mintbaggio is a user in this system).
Now I use 3 variables in session to store the use's information. Before somebody
enter the user's
own page(Not the user's homepage,but the user's information like name,age,etc) ,
these 3 variables
are examined whether they are all valid. Is this safer?
----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "mintbaggio" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:21 AM
Subject: Re: [PHP] Some questions.
> on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:
>
> > I'm a Chinese university student,I want to ask some questions about session.
> > These days I'm build a website for my university with PHP, But I meet a
> > question when I develop the part of User Management: After I have log out
> > from a user page(I use "session_unset()" and "session_destroy()"),I can
> > return to the page again by click the button "Back"to that pagea and refresh
> > it, the user page can be shown again. This is unsafe.
> > So I want to ask that the function "session_unset" and "session_destroy()"
> > will
> > destroy session immediately or there is a life-time for session. In my memory,
> > I think that there is a life-time for session and the life-time can be
> > configured.
>
> Firstly, make sure you've read the page at php.net/session_destroy and
> php.net/session_unset, because it supplies perfect code for destroying a
> session.
>
> Make sure your code matches either example 1 or 2, depending on your code.
> If you're unsure, test with both.
>
> If you've named your session somewhere, you need to unset and destroy it
> WITH that name, I think (never had to do it).
>
>
>
> > Another question:
> > If the user log page is "main.php",the page for authenticate the user is
> > "login.php"
> > I use session to store the infomation of user such as :
> > session_register($userid);
> > But if the variables in the session are unfortunately be known by somebody
> > else.
> > and he can visit others' information bye the url:"login.php?userid=***",how
> > can solve
> > these problem? use a ugly but difficult session varable?
>
> When you store the the username as a session variable, it's stored on the
> SERVER, not on the client. Hence, there is less chance of the session
> variables being disclosed. Better still, if you NEVER store both the
> password and username in the session, then the "hacker" will not be able to
> do anything without the password.
>
> The only thing stored on the browser or transmitted in clear view when
> running a session is the session id (a long number), NOT the variables
> assigned to the session... that's the whole point.
>
>
> FWIW, if you really want to make things more secure, you should turn off
> register globals, learn about the new super global arrays like $_POST,
> $_SESSION, $_GET, etc etc.
>
> In short, you'd register a new session variable as $_SESSION['var'] =
> "value"; rather than $var="value"; session_register($var);
>
>
> Justin French
