[PHP] Apache 2 w/ PHP database sessions

2004-03-26 Thread Christopher Ditty
I recently upgraded to apache 2.0 from 1.23.x on my server. Previously,
I had sessions working using the database to store session information.
I recently noticed that this is no longer working as it did. The
sessions are still working, however, the session information is not
being transferred via the url. I have verified that everything is set up
correctly.

I have a development server setup with the same settings before I
upgraded apache and it is working fine. The only difference is the
version of Apache.

Does anyone know of a fix for this? Did I set something up wrong? Below
is a copy of the sessions section from my php.ini file.

Thanks
Chris

P.S. The settings and instructions I used were obtained from the Web
Database Applications book from O'Reilly.

[Session]
 ; Handler used to store/retrieve data.
 #session.save_handler = files
 session.save_handler = user
 
 ; Argument passed to save_handler.  In the case of files, this is the path
 ; where data files are stored. Note: Windows users have to change this
 ; variable in order to use PHP's session functions.
 ; As of PHP 4.0.1, you can define the path as:
 ;   session.save_path = N;/path
 ; where N is an integer.  Instead of storing all the session files in
 ; /path, what this will do is use subdirectories N-levels deep, and
 ; store the session data in those directories.  This is useful if you
 ; or your OS have problems with lots of files in one directory, and is
 ; a more efficient layout for servers that handle lots of sessions.
 ; NOTE 1: PHP will not create this directory structure automatically.
 ;   You can use the script in the ext/session dir for that purpose.
 ; NOTE 2: See the section on garbage collection below if you choose to
 ;   use subdirectories for session storage
 #session.save_path = /tmp
 session.save_path = mdas_users
 
 ; Whether to use cookies.
 #session.use_cookies = 1
 session.use_cookies = 0
 
 ; This option enables administrators to make their users invulnerable to
 ; attacks which involve passing session ids in URLs; defaults to 0.
 ; session.use_only_cookies = 1
 
 ; Name of the session (used as cookie name).
 #session.name = PHPSESSID
 session.name = USID
 
 ; Initialize session on request startup.
 session.auto_start = 0
 
 ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
 session.cookie_lifetime = 0
 
 ; The path for which the cookie is valid.
 session.cookie_path = /
 
 ; The domain for which the cookie is valid.
 session.cookie_domain =
 
 ; Handler used to serialize data.  php is the standard serializer of PHP.
 session.serialize_handler = php

 ; Define the probability that the 'garbage collection' process is started
 ; on every session initialization.
 ; The probability is calculated by using gc_probability/gc_divisor,
 ; e.g. 1/100 means there is a 1% chance that the GC process starts
 ; on each request.

 session.gc_probability = 1
 session.gc_divisor  = 100

 ; After this number of seconds, stored data will be seen as 'garbage' and
 ; cleaned up by the garbage collection process.
 session.gc_maxlifetime = 1440
 
 ; NOTE: If you are using the subdirectory option for storing session files
 ; (see session.save_path above), then garbage collection does *not*
 ; happen automatically.  You will need to do your own garbage
 ; collection through a shell script, cron entry, or some other method.
 ; For example, the following script would be the equivalent of
 ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
 ;cd /path/to/sessions; find -cmin +24 | xargs rm

 ; PHP 4.2 and less have an undocumented feature/bug that allows you
 ; to initialize a session variable in the global scope, albeit register_globals
 ; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
 ; You can disable the feature and the warning separately. At this time,
 ; the warning is only displayed, if bug_compat_42 is enabled.

 session.bug_compat_42 = 1
 session.bug_compat_warn = 1

 ; Check HTTP Referer to invalidate externally stored URLs containing ids.
 ; HTTP_REFERER has to contain this substring for the session to be
 ; considered as valid.
 session.referer_check =
 
 ; How many bytes to read from the file.
 session.entropy_length = 0
 
 ; Specified here to create the session id.
 session.entropy_file =
 
 ;session.entropy_length = 16
 
 ;session.entropy_file = /dev/urandom
 
 ; Set to {nocache,private,public,} to determine HTTP caching aspects
 ; or leave this empty to avoid sending anti-caching headers.
 session.cache_limiter = nocache
 
 ; Document expires after n minutes.
 #session.cache_expire = 180
 session.cache_expire = 60
 
 ; trans sid support is disabled by default.
 ; Use of trans sid may risk your users security.
 ; Use this option with caution.
 ; - User may send URL contains active session ID
 ;   to other person via. email/irc/etc.
 ; - URL that contains active session ID 

Re: [PHP] Apache 2 w/ PHP database sessions

2004-03-26 Thread Christopher Ditty
Thanks Chris.  I just compared the trans_sid on the dev box and it is
set to 1.  I'll make that change and report in.  Many thanks.  Owe you
another beer if that was it.  ;)

Chris

>>> Chris Shiflett [EMAIL PROTECTED] 03/26/04 10:41AM >>>
--- Christopher Ditty [EMAIL PROTECTED] wrote:
> I recently upgraded to apache 2.0 from 1.23.x on my server.

1.3.x you mean? :-)

> The sessions are still working, however, the session information is
> not being transferred via the url.

[snip]

> session.use_trans_sid = 0

There's your answer. Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/ 

PHP Security - O'Reilly
 Coming Fall 2004
HTTP Developer's Handbook - Sams
 http://httphandbook.org/ 
PHP Community Site
 http://phpcommunity.org/ 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php 




--
03/26/2004, 11:31:54 AM
This e-mail and any attachments represent the views and opinions of only the sender
and are not necessarily those of Memphis Light, Gas & Water Division, and no such
inference should be made.
==
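
Added example (not part of either message): a PHP check of how the session ID can travel under the settings discussed in this thread, the trade-off that the php.ini comments on use_only_cookies and trans sid describe. The function names and the three ini fragments are constructed for illustration, and the defaults assume the PHP 4.3-era values stated in the posted file.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Read a boolean session.* value from a parsed ini array.
function ini_flag(array $ini, string $key, bool $default): bool
{
    if (!array_key_exists($key, $ini)) {
        return $default;
    }
    $v = strtolower(trim((string) $ini[$key]));
    return in_array($v, ['1', 'on', 'yes', 'true'], true);
}

// Return one finding per way the session ID can (or cannot) reach the server.
function audit_session_transport(array $ini): array
{
    // Defaults as described in the posted php.ini (PHP 4.3 era): assumption.
    $cookies     = ini_flag($ini, 'session.use_cookies', true);
    $onlyCookies = ini_flag($ini, 'session.use_only_cookies', false);
    $transSid    = ini_flag($ini, 'session.use_trans_sid', false);

    if ($onlyCookies) {
        return [$cookies
            ? 'cookie only: IDs arriving in URLs are ignored'
            : 'broken: PHP neither sends a cookie nor accepts an ID from a URL'];
    }
    $findings = [];
    if ($cookies) {
        $findings[] = 'cookie: ID is sent as a cookie';
    }
    if ($transSid) {
        $findings[] = 'url-rewrite: PHP adds the ID to relative links; a link '
            . 'pasted into e-mail or IRC carries the live session';
    } elseif (!$cookies) {
        $findings[] = 'manual: nothing propagates the ID; every link must append SID itself';
    }
    $findings[] = 'url-accept: an ID supplied in a URL is honoured';
    return $findings;
}

// Constructed fragments: the posted config, the change made after the reply,
// and a cookie-only alternative using the option the posted file leaves
// commented out.
$configs = [
    'as posted'   => "session.use_cookies = 0\nsession.use_trans_sid = 0\n",
    'after reply' => "session.use_cookies = 0\nsession.use_trans_sid = 1\n",
    'cookie only' => "session.use_cookies = 1\nsession.use_only_cookies = 1\n",
];
foreach ($configs as $label => $text) {
    $ini = parse_ini_string($text, false, INI_SCANNER_RAW);
    echo $label, ":\n";
    foreach (audit_session_transport($ini) as $finding) {
        echo "  - ", $finding, "\n";
    }
}
```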




[PHP] PHP Fusebox - Circuit within another Circuit

2003-05-29 Thread Christopher Ditty
We are using PHP Fusebox to develop one of our applications where I work.
I have a decent grasp on the whole fusebox concept, but I am having
problems getting my head around how sub-circuits work. Can anyone offer
any advice?  When I go to the main fuseaction, all works fine.  When I
try to go to main.admin, I just get a blank screen.  Even if there is
nothing in the admin directory.

I have copied my switch and circuits file below.

Chris

fbx_Switch.php
switch($Fusebox["fuseaction"]){
    case "main":
    case "Fusebox.defaultFuseaction":
        dsp_page_header($config, $_GET);
        dsp_page_main($config, $_GET);
        dsp_page_footer($config, $_GET);
        break;

    case "admin":
        $XFA["admin"] = "admin.main";
        break;

    default:
        print "I received a fuseaction called <b>'" .
            $Fusebox["fuseaction"] . "'</b> that circuit <b>'" .
            $Fusebox["circuit"]
            . "'</b> does not have a handler for.";
        break;
}

fbx_Circuits.php
$Fusebox["circuits"]["home"] = "home";
$Fusebox["circuits"]["admin"] = "home/admin";
$Fusebox["circuits"]["account"] = "home/account";
$Fusebox["circuits"]["electric"] = "home/electric";
$Fusebox["circuits"]["gas"] = "home/gas";
$Fusebox["circuits"]["registration"] = "home/registration";




[PHP] How to Return 403 Forbidden headers

2003-03-27 Thread Christopher Ditty
I have a customer that wants to return a 403 Forbidden header/page when
certain conditions are met.  I looked through the online manual and all
the examples listed would not work.  

This is what I am using.

header("Location: HTTP/1.0 403");

PHP tried to send the user to a HTTP/1.0 403 webpage.

Any ideas?

CDitty




RE: [PHP] How to Return 403 Forbidden headers

2003-03-27 Thread Christopher Ditty
Thanks, but it returns a blank page.

>>> Matt Schroebel [EMAIL PROTECTED] 03/27/03 09:52AM >>>

> -----Original Message-----
> From: Christopher Ditty [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] How to Return 403 Forbidden headers

header('HTTP/1.0 403 Forbidden');





Re: [PHP] Encrypting/Compiling PHP Scripts

2003-03-12 Thread Christopher Ditty
There is also Source Guardian.  If you need a program that will support
an unencrypted configuration file, ie, user definable variables, this
one will do it.  Ioncube wouldn't last I looked and I can't speak for
Zend.

I have used this, but the end result has not been favorable.  So far, I
am running at about 50% success rate for my users being able to run my
encrypted programs.   I support encrypting my scripts, but with all the
problems I am having with this, I am leaning to it not being worth the
hassle right now.

Just my $0.02.

CDitty



>>> Leif K-Brooks [EMAIL PROTECTED] 03/11/03 11:54PM >>>
http://zend.com/store/products/zend-encoder.php
http://www.ioncube.com/

Davis Tan wrote:

> Hi,
>
> Would like to know whether is there any possibilities to encrypt
> or compile the PHP scripts so that it is not human-readable? Thanks!
  


-- 
The above message is encrypted with double rot13 encoding.  Any
unauthorized attempt to decrypt it will be prosecuted to the full extent
of the law.







[PHP] Testing for installed components....

2003-03-04 Thread Christopher Ditty
I am trying to write a small script that will test and report what PHP
components are available on a given server.  Is there a quick and easy
way to do this?  I know about php info, but I would prefer to have
something that will spit the information out in my format where the user
can easily understand it.

Chris




[PHP] PHP FTP a security risk?????

2003-02-11 Thread Christopher Ditty
Hello all.  I have a customer that purchased one of my scripts and attempted
to install it on their server.  This script, among other things, FTPs a
text file from a central server.  When we tried to run my script, it simply
stops.  No errors, no nothing.  I talked to his host and found out that they
do not allow PHP FTP because it is a security risk.  ?  U, ok?

I spoke with my customer about this and below is what his web host told him.
My understanding of PHP FTP is that my script opens an ftp connection from
the server to another FTP server somewhere else on the internet.  Basically,
PHP FTP does nothing more than a program like SmartFTP or WS-FTP.  Even
the first line in the PHP manual about FTP says "The functions in this
extension implement client access to file servers speaking the File Transfer
Protocol (FTP)"

Someone please tell me that I am correct and that this webhost is wrong.  :)

Chris


I have been speaking with our linux techs, and have gained a more
complete understanding of the feature in PHP that you want to use.  We
actually did have it enabled at one point, and it caused the server to
be compromised.  Essentially, it allows people on a machine to be able
to transfer files from anywhere on the internet.  This begs for people
who want to run warez sites, and the like, to hack the server, and use
it for their own illegal software stores.  The level of permission
required to allow this to run allows people to essentially load, and run
whatever they want.  This is an EXTREME security problem. I understand
that you are moving, and I cannot persuade you differently, but please
take my advice and do some independent research.  The individual that is
advising you about this program is downplaying some real problems. It is
the opinion of our techs, that if you are running this, eventually, you
WILL be hacked.  There are plenty of things that can be done to ftp to a
machine without that functionality running.

   We know that you have a number of sites, and we know that you would
likely refer business.  That being the case, it just doesn't make sense
that we would not do this for you if it were safe, or even a minor
problem.  It is a big problem, not just with us, but with anyone running
it on the internet.  Please ask someone other than the person that is
trying to sell it to you.  That is all we ask.









Re: [PHP] PHP FTP a security risk?????

2003-02-11 Thread Christopher Ditty
Unfortunately, I can only get the file via FTP.  I just want to know
where this other host got its information.

Chris

>>> Reuben D. Budiardja [EMAIL PROTECTED] 02/11/03 01:35PM >>>
On Tuesday 11 February 2003 02:11 pm, Jason Wong wrote:

I agree with that. It's only a (potential) problem if you're running an FTP
server, not client.

The one thing that makes me curious is as to how webhost ban this ftp client.

You said you're only transferring text file. Does the server that you're
transferring the file from offer other methods than FTP? how about HTTP?








Re: [PHP] PHP FTP a security risk?????

2003-02-11 Thread Christopher Ditty
Chris, Did you read the rest of the message?  It sounds like the web host is
saying that someone can access PHP FTP from an outside server and hack into
the server.

I am not trying to start a debate on whether or not people should send
passwords and userids over plain text.  Yes, that is a security risk.  My
concern is that this webhost is telling my customer that PHP FTP itself is a
security risk when it does nothing more than act like ws-ftp.

>>> Chris Wesley [EMAIL PROTECTED] 02/11/03 02:22PM >>>
On Tue, 11 Feb 2003, Chris Wesley wrote:

> On Tue, 11 Feb 2003, Christopher Ditty wrote:
>
> > errors, no nothing.  I talked to his host and found out that they do
> > not allow PHP FTP because it is a security risk.  ?  U, ok?
>
> That said ... FTP is a protocol;  there's nothing stopping you from
> opening a socket and talking FTP back & forth across it (unless your host
> has disabled fsockopen() too).  If you know the protocol, you probably
> know how and why to avoid its security concerns.
>
> Other options:  Move to a less security-minded hosting provider (looks
> like you've already started that), or ask the FTP server admin to provide
> download access to your file via HTTP.

You might find this interesting too -- straight from Example 1 for fopen()
in the PHP manual:  http://www.php.net/manual/en/function.fopen.php

$handle = fopen ("ftp://user:[EMAIL PROTECTED]/somefile.txt", "w");

b.careful ... g.luck,
~Chris







[PHP] Cycle through multiple servers....

2003-01-23 Thread Christopher Ditty
Hello all.  I have a few servers that I need to check during a login process.  If the 
first server fails to connect, then I need to do server #2 and so on.  Below is the 
code that I am using, but I am unable to get it to work like it should.  Can anyone 
offer some advice on how this should be accomplished?

Thanks

CDitty


function sConnect($serverID){
$ds = ldap_connect($serverID);
return $ds;
}

$i = 0;
do{
ldapConnect($config['ldapServer'][$i]);
$i++;
}while(!$ds && ($i < (count($config['ldapServer']) + 1)));
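
Added example (not the poster's code): one way to cycle through a list of LDAP servers during login. In PHP, ldap_connect() does not contact the server, so the bind is what shows whether a server is reachable. The function names, host names, DN and passwords are constructed placeholders, the error numbers assume the OpenLDAP client library, and a constructed stand-in replaces the network calls so the control flow runs offline.

```php
<?php
// Added example, not the poster's code. Names and values are hypothetical.

// Try one server. Returns [connection or null, LDAP error number].
function try_ldap_server(string $uri, string $dn, string $password): array
{
    // ldap_connect() only prepares a handle; it does not contact the server.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return [null, -1];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // The bind is the first network round trip, so this is the real test.
    if (@ldap_bind($ds, $dn, $password)) {
        return [$ds, 0];
    }
    return [null, ldap_errno($ds)];
}

// Walk the server list; return the first bound connection, or null.
function ldap_login_failover(array $servers, string $dn, string $password, ?callable $try = null)
{
    // An empty password turns the bind into an anonymous one, which many
    // servers accept: refuse it before any server is contacted.
    if ($dn === '' || $password === '') {
        return null;
    }
    $try = $try ?? 'try_ldap_server';
    foreach ($servers as $uri) {
        [$ds, $errno] = $try($uri, $dn, $password);
        if ($ds !== null) {
            return $ds;
        }
        // Negative codes are client-side failures (-1 = cannot contact the
        // server): move on. A code of 0 or above (49 = invalid credentials)
        // is an answer from a live server, so stop instead of retrying.
        if ($errno >= 0) {
            return null;
        }
    }
    return null;
}

// Constructed stand-in for try_ldap_server(): the first host is unreachable,
// the second checks the password.
$fake = function (string $uri, string $dn, string $password): array {
    if ($uri === 'ldap://ldap1.example.test') {
        return [null, -1];
    }
    return $password === 'constructed-password' ? ["bound to $uri", 0] : [null, 49];
};
$servers = ['ldap://ldap1.example.test', 'ldap://ldap2.example.test'];
$dn = 'uid=demo,dc=example,dc=test';

var_dump(ldap_login_failover($servers, $dn, 'constructed-password', $fake)); // good password
var_dump(ldap_login_failover($servers, $dn, 'wrong', $fake));                // wrong password
var_dump(ldap_login_failover($servers, $dn, '', $fake));                     // empty password
```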







Re: [PHP] PHP/Oracle Command line Segmentation Fault

2003-01-10 Thread Christopher Ditty
Anyone?

CDitty

>>> Christopher Ditty [EMAIL PROTECTED] 01/09/03 04:04PM >>>
I have successfully installed oracle 8.1.7 w/ php and have it configured
to run from the command line.  When I run a simple script that connects,
and selects records from the database, the last line is a segmentation
fault error.  This does not seem to happen when the same script is run
through the browser.

Can anyone offer any help or advice?  The code is listed below.

CDitty

#!/usr/bin/php
<?
function oci8Connect(){
    $db_conn = ocilogon("usrname","pwd", "dbase");
    if (!$db_conn){
        echo "Help<br>";
        exit ();
    }
    echo "Connected<br>";
    return ($db_conn);
}

$conn = oci8Connect();

$stmt = ociparse($conn,"select * from US_MSTR");
ociexecute($stmt);

$i=0;
$row = array();

while(OCIFetchInto($stmt, $row, OCI_ASSOC)){
    # do stuff with $row...
    echo $row['US_ID'] . " $i<br>";
    $i++;
}

ocifreestatement($stmt);
ocilogoff($conn);
?>






[PHP] Source Guardian

2003-01-10 Thread Christopher Ditty
Does anyone here use Source Guardian?  I am about to purchase it and
thought I'd ask before I do.  Any problems using it?

Thanks

CDitty






[PHP] Reading Registry

2003-01-09 Thread Christopher Ditty
Hello all.  I don't think this is possible, but I wanted to ask to be
sure.  Is it possible to read and write to a web user's registry with
php?  I believe this can be done with CF and ASP, but I was not sure
about PHP.  A search turned up nothing useful.

Thanks

CDitty






[PHP] PHP/Oracle Command line Segmentation Fault

2003-01-09 Thread Christopher Ditty
I have successfully installed oracle 8.1.7 w/ php and have it configured
to run from the command line.  When I run a simple script that connects,
and selects records from the database, the last line is a segmentation
fault error.  This does not seem to happen when the same script is run
through the browser.  

Can anyone offer any help or advice?  The code is listed below.

CDitty

#!/usr/bin/php
<?
function oci8Connect(){
    $db_conn = ocilogon("usrname","pwd", "dbase");
    if (!$db_conn){
        echo "Help<br>";
        exit ();
    }
    echo "Connected<br>";
    return ($db_conn);
}

$conn = oci8Connect();

$stmt = ociparse($conn,"select * from US_MSTR");
ociexecute($stmt);

$i=0;
$row = array();

while(OCIFetchInto($stmt, $row, OCI_ASSOC)){
    # do stuff with $row...
    echo $row['US_ID'] . " $i<br>";
    $i++;
}

ocifreestatement($stmt);
ocilogoff($conn);
?>

