Re: [PHP] SESSIONS QUESTION

2008-07-18 Thread tedd

At 9:59 AM -0700 7/18/08, R.C. wrote:

> What's the sequence here.  I was able to get the password going, protect the
> main.php page, sent the email etc. but can't get that password to remain on
> the main.php when the user tries to get back to that page.
>
> Really appreciate some input and coding.  I am totally stumped!
>
> Thanks much
> REF


REF:

Try this:

http://www.webbytedd.com/b1/simple-session

The code is there.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] SESSIONS QUESTION

2008-07-18 Thread R.C.
Hi group,

I'm still having trouble with sessions on a page and need help.  I've been
working with all sorts of configurations on this one but it doesn't seem to
be working properly.

Here's the scenario:  I have a login.html page that has two fields for user
input i.e. a password (that is given to them) and an email address.  Once
they input the right password, it opens up a main.php page, that contains a
few links to items.  They click on a link, check out the item, hit the back
button to return to the main.php page ... and now they have to log back in
with a password which is not what I want.

I need this main.php page to be available during a browser session so the
user can click on the other items on that page, view them, hit the back
button, view more and then maybe exit the browser.. I do not want them to
have to log in with password every time they hit the back button to go back
to the main.php page to select another item.

What's the sequence here.  I was able to get the password going, protect the
main.php page, sent the email etc. but can't get that password to remain on
the main.php when the user tries to get back to that page.

Really appreciate some input and coding.  I am totally stumped!

Thanks much
REF






RE: [PHP] Sessions question

2004-10-22 Thread Reinhart Viane
Owkee here goes:

* Removing the foreach loop only supplied me with not being able to log
in.
  But again I dunnot think this is the problem.
  The variables are stored correctly.
  At certain times the user_id sessions were just swapped...

* Now I've seen that 

session_register('email');
$_SESSION['email'] = $email;

  Did not supply any output when listing my session variables with

echo "\n";
print_r($_SESSION);
echo "\n";

  When I removed this line (and I am testing 2 hours already now) I have
not encountered any problems so far.
  Could this be logical?
  Could a session variable with no value at all cause the earlier
mentioned problems?

* Also when a file was uploaded and its parameters were input in the
database I used this code to do it:

//get the id of the current logged in user
$submit_user_id=$_SESSION['user_id'];
//set the file url
$url= ("documents/".$file_name);
$sql4 = "insert into documents (document_name,
document_description, document_submit_date,
document_submitter_user_id, document_folder_id, document_url,
document_ext, document_author) values ('$_POST[documentname]',
'$_POST[documentdescription]', '$inputdate', '$submit_user_id',
'$_POST[folderid]', '$url', '$ext', '$_POST[documentauthor]' )";

  Which I now changed into:

//get the id of the current logged in user
//$submit_user_id=$_SESSION['user_id'];
//set the file url
$url= ("documents/".$file_name);
$sql4 = "insert into documents (document_name,
document_description, document_submit_date,
document_submitter_user_id, document_folder_id, document_url,
document_ext, document_author) values ('$_POST[documentname]',
'$_POST[documentdescription]', '$inputdate', $_SESSION['user_id'],
'$_POST[folderid]', '$url', '$ext', '$_POST[documentauthor]' )";

  Maybe for some bizarre reason sometimes the value of the last
$submit_user_id was given to $_SESSION[user_id].
  As you can see I'm getting very suspicious about everything hehe.



* Secondly I now use this: 

$sql = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $user_id;
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
//session_register('email');
//$_SESSION['email'] = $email;
session_register('user_level');
$_SESSION['user_level'] = $user_level;
}

  should it be better when I use this??

$sql = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){

// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $row->user_id;
session_register('first_name');
$_SESSION['first_name'] = $row->first_name;
session_register('last_name');
$_SESSION['last_name'] = $row->last_name;
//session_register('email');
//$_SESSION['email'] = $email;
session_register('user_level');
$_SESSION['user_level'] = $row->user_level;
}

* last question.
  Very soon I will need a good and secure usersystem preferably with no
cookies. So I think sessions are the way to go.
  Maybe you can supply me with some good tutorials or scripts which can
help me create a well closed usersystem.
  After these encounters with security problems, I'm not really sure no
more what to use or to do. 

Thx again for all the efforts you are doing to help me out.
It's highly appreciated (if I would be a girl I would give you a kiss).

Greetings,
Reinhart Viane




RE: [PHP] Sessions question

2004-10-21 Thread Reinhart Viane
I do not think this causes the problem.
It's just redundant.

Thx anyway

-Original Message-
From: Curt Zirzow [mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 22:11
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


* Thus wrote Reinhart Viane:
> PHP Code
> // Register some session variables!
> session_register('userid');
> $_SESSION['userid'] = $userid;

Do not use session_register with $_SESSION.

http://php.net/session-register

Curt
-- 
Quoth the Raven, "Nevermore."




RE: [PHP] php sessions question

2004-10-21 Thread Reinhart Viane

>> I normally do as you have suggested here - but why do you suggest that
>> this method is better?
>
> One reason is for security. You cannot ever rule out the possibility of
> a user injecting someone else's data into the session to get access to
> information that he should not have. Of course he can fake the userid
> too. That's why each time you retrieve the userid from the session you
> should check if that id has been logged in. I do this (so do many
> others) by keeping a two-column table with session id and userid in it.
>
> --
> Raditha Dissanayake.

Do you have an example or do you know of any tutorials where this
method is used?
Thx
Reinhart




Re: [PHP] php sessions question

2004-10-21 Thread raditha dissanayake
Pete wrote:

>> You should only save the userId in the session, everything else should
>> be retrieved from your database using that id.
>
> I normally do as you have suggested here - but why do you suggest that
> this method is better?

One reason is for security. You cannot ever rule out the possibility of
a user injecting someone else's data into the session to get access to
information that he should not have. Of course he can fake the userid
too. That's why each time you retrieve the userid from the session you
should check if that id has been logged in. I do this (so do many
others) by keeping a two-column table with session id and userid in it.


--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.
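
The approach described in the message above (keep only the user id in the session, and on every request check it against a two-column table of session id and user id), as an added example that is not code from this thread. It assumes PHP 8 with PDO and an in-memory SQLite database, a hypothetical `users` / `active_sessions` schema, passwords stored with `password_hash()`, and constructed sample rows; in a web request `$sid` would be `session_id()` taken after `session_regenerate_id(true)`, and `$session` would be `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Constructed schema and sample rows (assumptions, not from the thread).
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT,
        first_name TEXT, user_level INTEGER, activated INTEGER)');
    // The two-column table: which session id is logged in as which user.
    $db->exec('CREATE TABLE active_sessions (
        session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?, 1)');
    $ins->execute([5, 'xxx', password_hash('correct horse', PASSWORD_DEFAULT), 'XXX', 1]);
    $ins->execute([1, 'yyy', password_hash('battery staple', PASSWORD_DEFAULT), 'YYY', 2]);
    return $db;
}

// Check credentials with a bound parameter and a password hash, then record
// session id -> user id. Returns the user id, or null when the login fails.
function login(PDO $db, string $sid, string $username, string $password): ?int
{
    $q = $db->prepare('SELECT user_id, password_hash FROM users
                       WHERE username = ? AND activated = 1');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $db->prepare('REPLACE INTO active_sessions (session_id, user_id) VALUES (?, ?)')
       ->execute([$sid, (int) $row['user_id']]);
    return (int) $row['user_id'];
}

// Per-request check: the session carries only user_id; name and level are
// read from the database, and only if this session id logged in as that user.
function current_user(PDO $db, string $sid, array $session): ?array
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $q = $db->prepare('SELECT u.user_id, u.first_name, u.user_level
                       FROM active_sessions s
                       JOIN users u ON u.user_id = s.user_id
                       WHERE s.session_id = ? AND s.user_id = ? AND u.activated = 1');
    $q->execute([$sid, (int) $session['user_id']]);
    $user = $q->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

// Logging out removes the mapping, so the old session id stops resolving.
function logout(PDO $db, string $sid): void
{
    $db->prepare('DELETE FROM active_sessions WHERE session_id = ?')->execute([$sid]);
}

// Demonstration with a constructed session id and a plain array as the session.
$db      = make_db();
$sid     = bin2hex(random_bytes(16));
$session = [];

$uid = login($db, $sid, 'xxx', 'correct horse');
if ($uid !== null) {
    $session['user_id'] = $uid;          // the only value kept in the session
}
var_dump(current_user($db, $sid, $session));   // row for user 5, read from the DB

$session['user_id'] = 1;                        // session value no longer matches the table
var_dump(current_user($db, $sid, $session));   // rejected

$session['user_id'] = 5;
logout($db, $sid);
var_dump(current_user($db, $sid, $session));   // rejected after logout
```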


Re: [PHP] php sessions question

2004-10-21 Thread Pete
In message <[EMAIL PROTECTED]>, raditha dissanayake
<[EMAIL PROTECTED]> writes
>Reinhart Viane wrote:
>
>>in a page checkuser i do this after the user is logged in:
>>  PHP Code
>>  // Register some session variables!
>>  session_register('userid');
>>  $_SESSION['userid'] = $userid;
>>  session_register('first_name');
>>  $_SESSION['first_name'] = $first_name;
>>  session_register('last_name');
>>  $_SESSION['last_name'] = $last_name;
>>  session_register('email_address');
>>  $_SESSION['email_address'] = $email_address;
>>  session_register('user_level');
>>  $_SESSION['user_level'] = $user_level;
>>  
>>
>You should only save the userId in the session, everything else should 
>be retrieved from your database using that id.

I normally do as you have suggested here - but why do you suggest that
this method is better?

-- 
Pete Clark




Re: [PHP] Sessions question

2004-10-21 Thread Curt Zirzow
* Thus wrote Reinhart Viane:
> PHP Code
> // Register some session variables!
> session_register('userid');
> $_SESSION['userid'] = $userid;

Do not use session_register with $_SESSION.

http://php.net/session-register

Curt
-- 
Quoth the Raven, "Nevermore."




Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 10:14:47 -0400, Mike Smith <[EMAIL PROTECTED]> wrote:
> How about changing

How about learning to trim your posts?  Thanks.  :)


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] Sessions question

2004-10-21 Thread raditha dissanayake
hi,
Please don't send multiple posts, I just replied to your previous 
message thinking that it had not been answered, a little further down I 
come across this. It's very confusing to everyone.

thanks
--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.


Re: [PHP] Sessions question

2004-10-21 Thread Mike Smith
On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> Hey Mike,
> 
> After some intensive testing it seemed that $user_id did not solve the
> issue
> 
> I hereby give the script to get the $user_id:
> 
> // check if the user info validates the db
> ($username and $password are the POST values of username and password
> given in on a form)
> $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
> password='$password' AND activated='1'");
> $login_check = mysql_num_rows($sql);
> 
> if($login_check > 0){
> while($row = mysql_fetch_array($sql)){
> foreach( $row AS $key => $val ){
> $$key = stripslashes( $val );
> }
> // Register some session variables!
> session_register('user_id');
> $_SESSION['user_id'] = $user_id;
> session_register('first_name');
> $_SESSION['first_name'] = $first_name;
> session_register('last_name');
> $_SESSION['last_name'] = $last_name;
> session_register('email_address');
> $_SESSION['email_address'] = $email_address;
> session_register('user_level');
> $_SESSION['user_level'] = $user_level;
> 
> mysql_query("UPDATE users SET last_login=now() WHERE
> user_id='$user_id'");
> 
> header("Location: main.php");
> 
> }
> 
> Now this is my conclusion till now:
> 
> All other session items are correctly displayed, except the
> $_SESSION['user_id']
> I'm trying to find the way when this happens since it does not seem to
> happen in a strict order
> The method mentioned b4:
> '>Now let's say user 1 logs in, his session is registered (with userid
> > from database is 5 and first_name is XXX) Then another user logs in,
> > again his session is registered (with userid from database is 1 and 
> > first_name is YYY)'
> 
> is not always faulty.
> I've checked everything I know and the last thing I've done is putted:
> 
> session_start();
> 
> On the first line instead of after this:
>  require('xx.inc.php');
> connect_db();
> 
> Until now all seems to be ok, but I'm not certain at all it is ok.
> There can be hundreds of methods how several users log in, upload, log
> out etc. so I can not test them all... :(
> 
> It seems that sometimes the $_SESSION['user_id'] of the several users
> get mixed and this may not happen.
> 
> I don't know if this is a known bug or if there are cases which can
> cause this...
> If im not certain if this can be solved I will have to use another
> method to keep the logged in users info (but what one? Don't want to use
> cookies)
> 
> Thx in advance for any help.
> 
> Greetings,
> 
> Reinhart 
> 
> 
> 
> -Original Message-
> From: Mike Smith [mailto:[EMAIL PROTECTED]
> Sent: donderdag 21 oktober 2004 13:28
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions question
> 
> On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> > Hey all, i'm new to this list so forgive me if  i make any huge
> > mistakes. I'm in a beginning stage of learning php and i hope you guys
> 
> > can help me out with this question:
> >
> > in a file named checkuser i do this when a users logs in:
> > PHP Code
> > // Register some session variables!
> > session_register('userid');
> > $_SESSION['userid'] = $userid;
> > session_register('first_name');
> > $_SESSION['first_name'] = $first_name;
> > session_register('last_name');
> > $_SESSION['last_name'] = $last_name;
> > session_register('email_address');
> > $_SESSION['email_address'] = $email_address;
> > session_register('user_level');
> > $_SESSION['user_level'] = $user_level;
> >
> > Now let's say user 1 logs in, his session is registered (with userid
> > from database is 5 and first_name is XXX) Then another user logs in,
> > again his session is registered (with userid from database is 1 and
> > first_name is YYY)
> >
> > Now user 1 leaves the pages (closes the browser) and user 2 uploads a
> > documen

Re: [PHP] php sessions question

2004-10-21 Thread raditha dissanayake
Reinhart Viane wrote:

> in a page checkuser i do this after the user is logged in:
>  PHP Code
>  // Register some session variables!
>  session_register('userid');
>  $_SESSION['userid'] = $userid;
>  session_register('first_name');
>  $_SESSION['first_name'] = $first_name;
>  session_register('last_name');
>  $_SESSION['last_name'] = $last_name;
>  session_register('email_address');
>  $_SESSION['email_address'] = $email_address;
>  session_register('user_level');
>  $_SESSION['user_level'] = $user_level;

You should only save the userId in the session, everything else should
be retrieved from your database using that id.

> Now let's say user 1 logs in, his session is registered (with userid from
> database is 5 and first_name is XXX)
> Then another user logs in, again his session is registered (with userid from
> database is 1 and first_name is YYY)

Are both users in the same computer? Then there may be a question about
the old cookie being sent back to the server (if its expiration time
has not been exceeded). If the users are not using the same computer the
chances are you have a bug in your code.

> Now user 1 leaves the pages (closes the browser) and user 2 uploads a
> document (with my own script).
>
> When the document is successfully uploaded i display this:
>  PHP Code
>  echo ($_SESSION['first_name']).", the document has been succesfully
> added";
>  echo ($_SESSION['userid']);
>
> This results in the following output:
> YYY, the document has been succesfully added
> 5
> Meaning the $_SESSION['first_name'] is correct, but the $_SESSION['userid']
> is the one of the user who logged out...
>
> Now when using user_id in all places it seems to work correctly...
> Is userid something that is defined by the server when making sessions?

no.

> If not, i don't have any clue what is going wrong...
> Can someone help me on this? So i know what is wrong?
>
> Thx in advance
> Pout
 


--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.


Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 16:06:37 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> I don't know if this can be caused by the fact register_globals seem to
> be 'on' on the server (btw PHP Version 4.2.3)

You can override that setting if the web server is running apache and
AllowOverrides is set for your directory.  You can make an .htaccess
file with this in it:

php_flag register_globals Off


-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




RE: [PHP] Sessions question

2004-10-21 Thread Reinhart Viane
Thanks Greg,

I'll try this, but I do not think this will solve the issue since at
first hand the session variables are correctly made.

The problem arises (I think) whenever two or more users are logged in
and one closes the pages (so his session is killed I suppose).
Sometimes after that, the other users seem to get other values for the
user_id session variable.
Strange thing is the other session (like first_name or last_name)
variables of the user stay correct. Only the user_id session variable is
changed.

I don't know if this can be caused by the fact register_globals seem to
be 'on' on the server (btw PHP Version 4.2.3)

Thx for the advice, I hope I can sort it out soon

Greetz
Reinhart




-Original Message-
From: Greg Donald [mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 15:47
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> Hey Mike,
> 
> After some intensive testing it seemed that $user_id did not solve the

> issue
> 
> I hereby give the script to get the $user_id:
> 
> // check if the user info validates the db
> ($username and $password are the POST values of username and password 
> given in on a form) $sql = mysql_query("SELECT * FROM users WHERE 
> username='$username' AND password='$password' AND activated='1'");
> $login_check = mysql_num_rows($sql);
> 
> if($login_check > 0){
> while($row = mysql_fetch_array($sql)){
> foreach( $row AS $key => $val ){

Your select * query above is probably pulling more than two fields, so a
$key and $val in the foreach() will only work with two of those fields,
the other fields will be unhandled.  You might want to ditch the
foreach() loop and just use the while() loop by itself since you can
easily access all the fields from your query in the $row array.



-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




Re: [PHP] Sessions question

2004-10-21 Thread Greg Donald
On Thu, 21 Oct 2004 14:43:45 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> Hey Mike,
> 
> After some intensive testing it seemed that $user_id did not solve the
> issue
> 
> I hereby give the script to get the $user_id:
> 
> // check if the user info validates the db
> ($username and $password are the POST values of username and password
> given in on a form)
> $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
> password='$password' AND activated='1'");
> $login_check = mysql_num_rows($sql);
> 
> if($login_check > 0){
> while($row = mysql_fetch_array($sql)){
> foreach( $row AS $key => $val ){

Your select * query above is probably pulling more than two fields, so
a $key and $val in the foreach() will only work with two of those
fields, the other fields will be unhandled.  You might want to ditch
the foreach() loop and just use the while() loop by itself since you
can easily access all the fields from your query in the $row array.



-- 
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/




RE: [PHP] Sessions question

2004-10-21 Thread Reinhart Viane
Hey Mike,

After some intensive testing it seemed that $user_id did not solve the
issue

I hereby give the script to get the $user_id:

// check if the user info validates the db
($username and $password are the POST values of username and password
given in on a form)
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('user_id');
$_SESSION['user_id'] = $user_id;
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('user_level');
$_SESSION['user_level'] = $user_level;

mysql_query("UPDATE users SET last_login=now() WHERE
user_id='$user_id'"); 

header("Location: main.php");  

}

Now this is my conclusion till now:

All other session items are correctly displayed, except the
$_SESSION['user_id']
I'm trying to find the way when this happens since it does not seem to
happen in a strict order
The method mentioned b4:
'>Now let's say user 1 logs in, his session is registered (with userid 
> from database is 5 and first_name is XXX) Then another user logs in, 
> again his session is registered (with userid from database is 1 and 
> first_name is YYY)'

is not always faulty.
I've checked everything I know and the last thing I've done is putted:

session_start();

On the first line instead of after this:
mailto:[EMAIL PROTECTED] 
Sent: donderdag 21 oktober 2004 13:28
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions question


On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> Hey all, i'm new to this list so forgive me if  i make any huge 
> mistakes. I'm in a beginning stage of learning php and i hope you guys

> can help me out with this question:
> 
> in a file named checkuser i do this when a users logs in:
> PHP Code
> // Register some session variables!
> session_register('userid');
> $_SESSION['userid'] = $userid;
> session_register('first_name');
> $_SESSION['first_name'] = $first_name;
> session_register('last_name');
> $_SESSION['last_name'] = $last_name;
> session_register('email_address');
> $_SESSION['email_address'] = $email_address;
> session_register('user_level');
> $_SESSION['user_level'] = $user_level;
> 
> Now let's say user 1 logs in, his session is registered (with userid 
> from database is 5 and first_name is XXX) Then another user logs in, 
> again his session is registered (with userid from database is 1 and 
> first_name is YYY)
> 
> Now user 1 leaves the pages (closes the browser) and user 2 uploads a 
> document (with my own script).
> 
> When the document is successfully uploaded i display this:
> PHP Code
> echo ($_SESSION['first_name']).", the document has been succesfully 
> added"; echo ($_SESSION['userid']);
> 
> This results in the following output:
> YYY, the document has been succesfully added
> 5
> 
> Meaning the $_SESSION['first_name'] is correct, but the 
> $_SESSION['userid'] is the one of the user who logged out...
> 
> Now when using user_id in all places it seems to work correctly...
> 
> Is userid something that is defined by the server when making 
> sessions?
> 
> If not, i don't have any clue what is going wrong...
> Can someone help me on this? So i know what is wrong?
> 
> Thx in advance
> 
> Reinhart Viane
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

Where does the value $userid come from is it the result of a query i.e.
SELECT userid FROM users WHERE username='$_POST['username']' AND
passwd='$_POST['password']'

 or do you have a form (text/hidden) with that value?

You mention userid and user_id maybe a typo, but those would be
different. You can see all session variables (for testing) by adding:

echo "\n";
print_r($_SESSION);
echo "\n";




Re: [PHP] Sessions question

2004-10-21 Thread Mike Smith
On Thu, 21 Oct 2004 11:39:23 +0200, Reinhart Viane <[EMAIL PROTECTED]> wrote:
> Hey all, i'm new to this list so forgive me if  i make any huge
> mistakes.
> I'm in a beginning stage of learning php and i hope you guys can help me
> out with this question:
> 
> in a file named checkuser i do this when a users logs in:
> PHP Code
> // Register some session variables!
> session_register('userid');
> $_SESSION['userid'] = $userid;
> session_register('first_name');
> $_SESSION['first_name'] = $first_name;
> session_register('last_name');
> $_SESSION['last_name'] = $last_name;
> session_register('email_address');
> $_SESSION['email_address'] = $email_address;
> session_register('user_level');
> $_SESSION['user_level'] = $user_level;
> 
> Now let's say user 1 logs in, his session is registered (with userid
> from database is 5 and first_name is XXX)
> Then another user logs in, again his session is registered (with userid
> from database is 1 and first_name is YYY)
> 
> Now user 1 leaves the pages (closes the browser) and user 2 uploads a
> document (with my own script).
> 
> When the document is successfully uploaded i display this:
> PHP Code
> echo ($_SESSION['first_name']).", the document has been succesfully
> added";
> echo ($_SESSION['userid']);
> 
> This results in the following output:
> YYY, the document has been succesfully added
> 5
> 
> Meaning the $_SESSION['first_name'] is correct, but the
> $_SESSION['userid'] is the one of the user who logged out...
> 
> Now when using user_id in all places it seems to work correctly...
> 
> Is userid something that is defined by the server when making sessions?
> 
> If not, i don't have any clue what is going wrong...
> Can someone help me on this? So i know what is wrong?
> 
> Thx in advance
> 
> Reinhart Viane
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

Where does the value $userid come from is it the result of a query
i.e.
SELECT userid FROM users WHERE username='$_POST['username']' AND
passwd='$_POST['password']'

 or do you have a form (text/hidden) with that value?

You mention userid and user_id maybe a typo, but those would be different.
You can see all session variables (for testing) by adding:

echo "\n";
print_r($_SESSION);
echo "\n";




[PHP] Sessions question

2004-10-21 Thread Reinhart Viane
Hey all, i'm new to this list so forgive me if  i make any huge
mistakes.
I'm in a beginning stage of learning php and i hope you guys can help me
out with this question:

in a file named checkuser i do this when a users logs in:
PHP Code
// Register some session variables!
session_register('userid');
$_SESSION['userid'] = $userid;
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('user_level');
$_SESSION['user_level'] = $user_level;



Now let's say user 1 logs in, his session is registered (with userid
from database is 5 and first_name is XXX)
Then another user logs in, again his session is registered (with userid
from database is 1 and first_name is YYY)

Now user 1 leaves the pages (closes the browser) and user 2 uploads a
document (with my own script).

When the document is successfully uploaded i display this:
PHP Code
echo ($_SESSION['first_name']).", the document has been succesfully
added";
echo ($_SESSION['userid']);



This results in the following output:
YYY, the document has been succesfully added
5

Meaning the $_SESSION['first_name'] is correct, but the
$_SESSION['userid'] is the one of the user who logged out...

Now when using user_id in all places it seems to work correctly...

Is userid something that is defined by the server when making sessions?

If not, i don't have any clue what is going wrong...
Can someone help me on this? So i know what is wrong?

Thx in advance

Reinhart Viane




[PHP] php sessions question

2004-10-21 Thread Reinhart Viane
in a page checkuser i do this after the user is logged in:
  PHP Code
  // Register some session variables!
  session_register('userid');
  $_SESSION['userid'] = $userid;
  session_register('first_name');
  $_SESSION['first_name'] = $first_name;
  session_register('last_name');
  $_SESSION['last_name'] = $last_name;
  session_register('email_address');
  $_SESSION['email_address'] = $email_address;
  session_register('user_level');
  $_SESSION['user_level'] = $user_level;



Now let's say user 1 logs in, his session is registered (with userid from 
database is 5 and first_name is XXX)
Then another user logs in, again his session is registered (with userid from 
database is 1 and first_name is YYY)

Now user 1 leaves the pages (closes the browser) and user 2 uploads a 
document (with my own script).

When the document is successfully uploaded i display this:
  PHP Code
  echo ($_SESSION['first_name']).", the document has been succesfully 
added";
  echo ($_SESSION['userid']);



This results in the following output:
YYY, the document has been succesfully added
5

Meaning the $_SESSION['first_name'] is correct, but the $_SESSION['userid'] 
is the one of the user who logged out...

Now when using user_id in all places it seems to work correctly...

Is userid something that is defined by the server when making sessions?

If not, i don't have any clue what is going wrong...
Can someone help me on this? So i know what is wrong?

Thx in advance

Pout




RE: [PHP] Re: PHP Sessions Question

2004-07-08 Thread Warren Vail
I have a suggestion that would allow you to take charge of what is going on
with your sessions.  Install your own session handler routines, storing your
own session data in your own database table.  These functions would need to
be loaded on each page before you execute the session_start() function on
each page.

http://www.php.net/manual/en/function.session-set-save-handler.php

Since the Garbage Cleanup and session read function is now under your
control, you can establish the session expiration that is appropriate for
your application, independent from the PHP default for the site.  Be
careful, however for the parameters that control the life of the cookie in
the browser, they can also cause the session to be lost if not set properly.

http://www.php.net/manual/en/function.session-set-cookie-params.php

This may sometimes seem intermittent, since the cookie will expire from the
time first established in the browser, and if you are only aware of the time
from the last page, and the cookie goes away, the session will appear to
have been destroyed.

good luck,

Warren Vail
[EMAIL PROTECTED]


-Original Message-
From: Jason Barnett [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 08, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Sessions Question


> On garbage collection, it happens sometimes within seconds and sometimes
> within minutes.  It tends to occur in batches with lulls of 20 to 30
> minutes.  So, for example, I can login, navigate through 11 different pages
> to generate the problem, navigate 2 pages to generate the problem, and then
> not see the problem again for another 5 minutes.  Does that fall in line
> with what you're thinking?
>

Actually, no.  Garbage collection would destroy the sessions, so if
they're only "temporarily" disappearing then load balancing seems even
more likely.

I'm going to assume not, but are you using a non-default session
handler?  If for instance you were storing sessions in another database,
or simply on a different machine then connections can fail.  This would
most likely only be set up through the set_session_handler directive I
mentioned before... but you should also check your php.ini values for
session.save_handler and session.save_path




Re: [PHP] Re: PHP Sessions Question

2004-07-08 Thread Curt Zirzow
* Thus wrote My Self:
> 
> or using the default handler, and the /tmp dir is full.

where /tmp being the local value for your session.save_path ini
setting.

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] Re: PHP Sessions Question

2004-07-08 Thread Curt Zirzow
* Thus wrote Jason Barnett:
> >On garbage collection, it happens sometimes within seconds and sometimes
> >within minutes.  It tends to occur in batches with lulls of 20 to 30
> >minutes.  So, for example, I can login, navigate through 11 different pages
> >to generate the problem, navigate 2 pages to generate the problem, and then
> >not see the problem again for another 5 minutes.  Does that fall in line
> >with what you're thinking?
> >
> 
> Actually, no.  Garbage collection would destroy the sessions, so if 
> they're only "temporarily" disappearing then load balancing seems even 
> more likely.
> 
> I'm going to assume not, but are you using a non-default session 
> handler?  If for instance you were storing sessions in another database, 

or using the default handler, and the /tmp dir is full.

Garbage Collection cleans up things so it works for a while until 
it fills up again, then breaks again (possibly saving a session or
two with the minimal disk) till GC decides to kick in again.


df -ih /tmp/

Check Avail and ifree.


Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] Re: PHP Sessions Question

2004-07-08 Thread Jason Barnett
> On garbage collection, it happens sometimes within seconds and sometimes
> within minutes.  It tends to occur in batches with lulls of 20 to 30
> minutes.  So, for example, I can login, navigate through 11 different pages
> to generate the problem, navigate 2 pages to generate the problem, and then
> not see the problem again for another 5 minutes.  Does that fall in line
> with what you're thinking?

Actually, no.  Garbage collection would destroy the sessions, so if 
they're only "temporarily" disappearing then load balancing seems even 
more likely.

I'm going to assume not, but are you using a non-default session 
handler?  If for instance you were storing sessions in another database, 
or simply on a different machine then connections can fail.  This would 
most likely only be set up through the set_session_handler directive I 
mentioned before... but you should also check your php.ini values for 
session.save_handler and session.save_path



RE: [PHP] Re: PHP Sessions Question

2004-07-08 Thread Ed Lazor
Thanks Jason, I'll keep the information handy for creating my own session
handler in case other options I'm exploring right now don't work.

On garbage collection, it happens sometimes within seconds and sometimes
within minutes.  It tends to occur in batches with lulls of 20 to 30
minutes.  So, for example, I can login, navigate through 11 different pages
to generate the problem, navigate 2 pages to generate the problem, and then
not see the problem again for another 5 minutes.  Does that fall in line
with what you're thinking?

-Ed
 


> -Original Message-
> To try logging this, you probably need to make your own session handler.
>   Most importantly you would want to write to the log during the open
> and destroy functions.
> http://www.php.net/session_set_save_handler
> 
> >
> > Most recent updates were made last week and everything has been working
> fine
> > until this afternoon.  Session data is somehow being lost.  It seems
> random.
> 
> As the other guy said, load balancing seems likely.  It might also be
> that php.ini settings for garbage collection and session/cookie
> lifetimes have changed.  Garbage collection can seem random.




[PHP] Re: PHP Sessions Question

2004-07-08 Thread Jason Barnett
Ed Lazor wrote:
> What kind of problems could be happening server-side that would result in
> PHP sessions randomly disappearing?  And, is there a way to log or track
> this information?  Oh, and best of all, any recommendations on solutions?

To try logging this, you probably need to make your own session handler.
Most importantly you would want to write to the log during the open
and destroy functions.
http://www.php.net/session_set_save_handler

> Most recent updates were made last week and everything has been working fine
> until this afternoon.  Session data is somehow being lost.  It seems random.

As the other guy said, load balancing seems likely.  It might also be
that php.ini settings for garbage collection and session/cookie
lifetimes have changed.  Garbage collection can seem random.
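
The session handler suggested in this thread, as an added example that is not part of the original posts: a database-backed handler that logs open, destroy, garbage-collection and read-miss events together with the serving hostname, so lost sessions can be correlated with GC runs or with one node behind a load balancer. It assumes PHP 8 with PDO SQLite; the class name, table layout and file paths are made up for the example.

```php
<?php
// Added example: class name, table layout and paths are assumptions.

final class LoggingDbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private string $logFile;

    public function __construct(PDO $db, string $logFile)
    {
        $this->db = $db;
        $this->logFile = $logFile;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                data TEXT NOT NULL,
                last_access INTEGER NOT NULL
            )'
        );
    }

    private function log(string $event, string $id = ''): void
    {
        // The raw session ID is a credential, so only a hash prefix is logged.
        $sid = $id === '' ? '-' : substr(hash('sha256', $id), 0, 12);
        $line = sprintf("%s host=%s sid=%s %s\n", date('c'), gethostname(), $sid, $event);
        file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
    }

    public function open(string $path, string $name): bool
    {
        $this->log('open');
        return true;
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        if ($data === false) {
            // Expected once for a brand-new visitor; for a logged-in user it
            // means this node or this table no longer has the session.
            $this->log('read-miss', $id);
            return '';
        }
        return (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, last_access) VALUES (?, ?, ?)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $this->log('destroy', $id);
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Expiry is measured from the last write, under the application's control.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < ?');
        $stmt->execute([time() - $max_lifetime]);
        $this->log('gc removed=' . $stmt->rowCount());
        return $stmt->rowCount();
    }
}

// The handler must be installed on every page before session_start().
$tmp = sys_get_temp_dir();
$handler = new LoggingDbSessionHandler(
    new PDO("sqlite:$tmp/sessions-example.sqlite"),
    "$tmp/session-events.log"
);
session_set_save_handler($handler, true);

// Lifetime 0 keeps the cookie until the browser closes, so server-side gc()
// is the only thing that expires a session while the browser stays open.
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
session_write_close();
```

A `read-miss` line for a user who was just logged in, with no `destroy` or `gc` line before it for the same `sid`, points away from garbage collection and toward storage that is not shared between hosts.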



Re: [PHP] PHP Sessions Question

2004-07-08 Thread Tim Traver
It could be a case that your provider is load balancing across several 
machines. If they are, and they aren't storing the session data in a 
central location, then that might account for the issue.

That would explain the intermittent failure. The user might be making 
keepalive requests to the same box and being ok, and then get bounced once 
it hits a machine that doesn't have the session data...

You might ask them about it...
Tim.

At 09:43 PM 7/8/2004, Ed Lazor wrote:
What kind of problems could be happening server-side that would result in
PHP sessions randomly disappearing?  And, is there a way to log or track
this information?  Oh, and best of all, any recommendations on solutions?

I have a PHP / MySQL application that's been running at a host provider for
almost a year now.  PHP sessions are used to track logged in users, For
example, $_SESSION["UserID"].  If the UserID isn't stored as a session
variable, the user must not be logged in, so prompt them with a login
screen.

Most recent updates were made last week and everything has been working fine
until this afternoon.  Session data is somehow being lost.  It seems random.
A person will be logged in and navigating through the site when they
suddenly get a login screen.  They'll log back in and continue navigating
for a little while when it will happen again - sometimes within seconds and
othertimes within minutes.  Sometimes it won't even happen for 30 minutes
and then it suddenly begins to occur again.

Thanks in advance for any ideas or recommendations that I can forward to my
hosting provider on how to fix the problem.

-Ed



SimpleNet's Back !
http://www.simplenet.com


[PHP] PHP Sessions Question

2004-07-08 Thread Ed Lazor
What kind of problems could be happening server-side that would result in
PHP sessions randomly disappearing?  And, is there a way to log or track
this information?  Oh, and best of all, any recommendations on solutions?

I have a PHP / MySQL application that's been running at a host provider for
almost a year now.  PHP sessions are used to track logged in users, for
example, $_SESSION["UserID"].  If the UserID isn't stored as a session
variable, the user must not be logged in, so prompt them with a login
screen.

Most recent updates were made last week and everything has been working fine
until this afternoon.  Session data is somehow being lost.  It seems random.
A person will be logged in and navigating through the site when they
suddenly get a login screen.  They'll log back in and continue navigating
for a little while when it will happen again - sometimes within seconds and
other times within minutes.  Sometimes it won't even happen for 30 minutes
and then it suddenly begins to occur again.

Thanks in advance for any ideas or recommendations that I can forward to my
hosting provider on how to fix the problem.

-Ed



RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Jake McHenry 
on Wednesday, October 15, 2003 12:55 PM said:

> Once I get a complete list, I can just copy and paste that to all my
> files, correct?

Yes you can just copy and paste the code.

> What happens if I try to call a variable in $_SESSION
> that hasn't been created yet? This might not let me copy and
> paste

Nothing will happen except that you'll have an empty string (I think).

Give it a shot and find out.





Put that into a new page and see what happens.



Chris.


--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry
Chris W. Parker wrote:
> Jake McHenry 
> on Wednesday, October 15, 2003 12:39 PM said:
> 
>> Also, say on a separate page, how do I call the variables stored in
>> $_SESSION? Like this? $name = $_SESSION["name"];
> 
> Yes. But whenever you plan to access $_SESSION you must
> always use 'session_start();' first. In my scripts it's
> always the very first line on each page that I use session's
> (which happens to be just about every page).
> 
> 
> 
> Chris.

Ok, I got my index and userpage working... Geez.. This is going to be
a lg process! What I did for right now is just add a new
section to the top of my files, $var = $_SESSION["var"];

Once I get a complete list, I can just copy and paste that to all my
files, correct? What happens if I try to call a variable in $_SESSION
that hasn't been created yet? This might not let me copy and
paste

Thank you to everyone who has replied to this thread...!

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry
> -Original Message-
> From: Chris W. Parker [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2003 12:01 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake McHenry <mailto:[EMAIL PROTECTED]>
> on Tuesday, October 14, 2003 7:00 PM said:
> 
> > Mainly what my problem is, is that when I turn
> Register_Globals = Off,
> > then my scripts stop working. I can't even get past the
> page I showed
> > you, the login page. No errors, it's just like I didn't enter any
> > data.
> 
> Doesn't that just mean that instead of retrieving form
> variables by their name you need to grab them from $_POST or $_GET?
> 
> Here is an example of what you should be doing to retrieve
> the values sent from a form:
> 
> 
>  
>  
> 
> 
> nextpage.php:
> 
>  
>   $name = $_POST['name'];
> 
> ?>
> 
> 
> 
> HTH,
> Chris.
> 

Also, say on a separate page, how do I call the variables stored in
$_SESSION? Like this? $name = $_SESSION["name"];

Thanks,

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Jake McHenry
> -Original Message-
> From: Chris W. Parker [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2003 12:01 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake McHenry <mailto:[EMAIL PROTECTED]>
> on Tuesday, October 14, 2003 7:00 PM said:
> 
> > Mainly what my problem is, is that when I turn
> Register_Globals = Off,
> > then my scripts stop working. I can't even get past the
> page I showed
> > you, the login page. No errors, it's just like I didn't enter any
> > data.
> 
> Doesn't that just mean that instead of retrieving form
> variables by their name you need to grab them from $_POST or $_GET?
> 
> Here is an example of what you should be doing to retrieve
> the values sent from a form:
> 
> 
>  
>  
> 
> 
> nextpage.php:
> 
>  
>   $name = $_POST['name'];
> 
> ?>
> 
> 
> 
> HTH,
> Chris.
> 

Do I need to add the start_session() function to my config.php and
time.php? Do I need to change any variables in those files?

Thanks,


Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Jake McHenry 
on Tuesday, October 14, 2003 7:00 PM said:

> Mainly what my problem is, is that when I turn Register_Globals = Off,
> then my scripts stop working. I can't even get past the page I showed
> you, the login page. No errors, it's just like I didn't enter any
> data.

Doesn't that just mean that instead of retrieving form variables by
their name you need to grab them from $_POST or $_GET?

Here is an example of what you should be doing to retrieve the values
sent from a form:


 
 


nextpage.php:





HTH,
Chris.




RE: [PHP] Sessions Question

2003-10-15 Thread Chris W. Parker
Mike Brum 
on Tuesday, October 14, 2003 5:31 PM said:

> One quick note - if you're starting a session then you can't use the
> header() function afterwards. You'll get the lovely "headers already
> sent" error.
> 
> Be sure to use an alternate method of redirection if you're starting a
> session before your redirect logic takes place.

That's not true.

Your session_start() is not what's causing the "headers already sent"
error. The problem is that you have already sent data to the client
somewhere. You've done some echo's or print's somewhere before the
header() and that's what's causing it to fail.

Alternatively you can use ob_start() to buffer the output of your script
until after the very last command in your script. Since header() comes
somewhere before the script is done executing you will still be able to
use it.



Chris.


--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-15 Thread Ford, Mike [LSS]
On 15 October 2003 05:25, Jake McHenry contributed these pearls of wisdom:

> Yes, submit, inout, username and password all come from the
> index.php form submission, but username changes throughout the
> different pages, that was one of my problems. I'm not sure
> what I did wrong before, but once I set a variable using
> $_SESSION, I couldn't change it unless I close the browser and
> start over. 
> 
> Just to make sure, register_globals should be set to off for
> best security reasons, correct? I guess that should have been
> my first question. And will sessions still work if it's turned
> off? Right now it's turned on for all my stuff to work.

Yes, and Yes.  But, from the code you've posted, it looks like you're still trying to 
use global variables, which just plain won't work with register_globals=Off.  Just to 
be clear, if submit, inout, username and password come from a form, then you can't 
just refer to $submit, $inout etc., which your code appears to do (at least, I can't 
find any initializations of them).  You must use $_POST['submit'] etc. if your form 
method='post', or $_GET['submit'] etc. if your form action='get'.  And *all* your 
session variable handling should likewise be done with $_SESSION[], without using 
session_register(), session_unregister().

I know I may be telling you stuff you're probably already aware of, but I just want to 
be clear that we're all starting from the same baseline.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




RE: [PHP] Sessions Question

2003-10-15 Thread Ford, Mike [LSS]
On 15 October 2003 01:31, Mike Brum contributed these pearls of wisdom:

> One quick note - if you're starting a session then you can't
> use the header() function afterwards. You'll get the lovely
> "headers already sent" error.

Actually, so long as you do both *before* outputting any actual page content, it 
shouldn't matter which order you do them in.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211




Re: [PHP] Sessions Question

2003-10-15 Thread James Kaufman
On Tue, Oct 14, 2003 at 05:23:54PM -0800, Chris Hubbard wrote:
> to use php sessions:
> you will need some place where you set up/create the sessions.  typically
> this is the login page.  let's assume you'll use the login page.  The logic
> for the login page goes something like this:
> 1.  present a form for logging in (usually username/password)
> 2.  on post, clean the posted data (remove html, special characters, etc)
> 3.  check the cleaned username/password against the data in the database
> 4.  if the username/password is valid, create your session and assign
> variables to it like this:
>   session_start();  //create the session
>   $id = session_id();  // create a unique session id
>   session_register("id");  // register id as a session variable
>   session_register("name");  // register name as a session variable
>   session_register("email");  // register email as a session variable
>   $_SESSION["id"] = $id;  // assign the unique session id to session array
>   $_SESSION["name"] = $data["name"];  // assign the username to session array
>   $_SESSION["email"] = $data["email"];  // assign additional values (after
> regisering them) to session array
> 
> Hope this is helpful.
> 
> Chris
> 

There is no need to register variables as a session variable if
register_globals is off. The manual states:

If you want your script to work regardless of register_globals, you need to
instead use the $_SESSION array as $_SESSION entries are automatically
registered. If your script uses session_register(), it will not work in
environments where the PHP directive register_globals is disabled.

So the three 'session_register' statements above should be removed.

-- 
Jim Kaufman             mailto:[EMAIL PROTECTED]
Linux Evangelist        cell: 612-481-9778
public key 0x6D802619   fax:  952-937-9832
http://www.linuxforbusiness.net
---
Any smoothly functioning technology will have the appearance of magic.
-- Arthur C. Clarke




RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Yes, submit, inout, username and password all come from the index.php
form submission, but username changes throughout the different pages,
that was one of my problems. I'm not sure what I did wrong before, but
once I set a variable using $_SESSION, I couldn't change it unless I
close the browser and start over.

Just to make sure, register_globals should be set to off for best
security reasons, correct? I guess that should have been my first
question. And will sessions still work if it's turned off? Right now
it's turned on for all my stuff to work.

Thanks,

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com

> -Original Message-
> From: Chris Hubbard [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 11:37 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake,
> given that I can't see what is in config.php time.php, I'll
> focus on your index.php.  I assume that the issues I point 
> out will be applicable to config and time also.
> 
> this:
>  should be:
>  
> include("config.php");
> include("time.php");
> 
> assuming that $SuBmIt and inout and username and password all
> come from your log in form it should read something like: 
>  if ($_POST["SuBmIT"]) {
>   // make sure posted variables are clean and are the 
> kind you expect
>   if ($_POST["inout"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "inout not set";
>   }
>   if ($_POST["username"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "username not entered";
>   }
>   if ($_POST["password"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "password not entered";
>   }
>   if (count($error) == 0)
>   {
>   $sql = "SELECT * FROM `users` WHERE `uname` 
> LIKE '%". $_POST["username"] ."%'";
>   // insert code to strip out < and > signs and ;
>   // like this:
>   $sql = str_replace("<","",$sql);
>   $sql = str_replace(">","",$sql);
>   $sql = str_replace(";","",$sql);
>   // when we know that $sql is clean do the query
>   $result = mysql_query($sql);
>   $row = mysql_fetch_array($result);
> 
> The preceding should do roughly the same as your following 
> code.  Note the sql query should not use LIKE (which you're 
> using) and you should use both the username and the password, 
> so something like this would be better $sql = "SELECT * FROM 
> `users` WHERE (`uname` = '". $_POST["username"] ."') AND 
> (`password` = '". md5($_POST["password"]) ."')"; You are 
> encrypting your password correct?
> 
> 
> if (($SuBmIt) && ($inout) && ($username) && ($password))
> {
>   $result = mysql_query("SELECT * FROM `users` WHERE `uname`
> LIKE '$username'");
>   $row = mysql_fetch_array($result);
> 
> 
> This should get you firmly on the road.  NOTE: I have not run
> the above code, so might work, and it might not.  Either way 
> it's on you to sort out.
> 
> Hope this is helpful,
> chris
> 




RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
As I said in one of my posts, I'm not encrypting my passwords as of
yet, because it was all internal, all employees use their own
computers. My company is very relaxed. But since my boss wants to
start selling a time clock database to our partners, I have to fix
everything. I started this when I was just learning php, and have been
changing things as I go.

I'll mess around with what you gave me so far, as I've been doing.
Last week I had sessions in place and from what I read on phpbuilder,
everything was right. But as soon as I turn register_globals=off, then
nothing works.

All of the variables in the index.php and all other script files are
passed from either forms or in the url.

I'm doing pretty much a complete overhaul of my app, I know this is
going to take some time, but it needs to be done.

Thanks,
Jake


Config.php:
\n  \nJMTimeSheet $version
© 2002-2003 JMM - mailto:[EMAIL PROTECTED]">mchenry@
nittanytravel.com - Last revision: $updated\n
\n";
$topcredit = ""; $credit = "";

?>


Time.php
 12)
{
  $LogInOutHourShow = $LogInOutHour - 12;
}

if ($LogInOutHour == 0)
{
  $LogInOutHourShow = $LogInOutHour + 12;
}

if ($LogInOutHour >= 12)
{
  $LogInOutAmPm = "PM";
}

if ($LogInOutMinute < 10)
{
  $Temp = $LogInOutMinute;
  $LogInOutMinute = 0;
  $LogInOutMinute .= $Temp;
}

if ($LogInOutSecond < 10)
{
  $Temp = $LogInOutSecond;
  $LogInOutSecond = 0;
  $LogInOutSecond .= $Temp;
}

$YearToShow = $CurDate['year'];
$MonthToShow = $CurDate['mon'];
$DayToShow = $CurDate['mday'];
$NumberOfDays = date(t,$CurDate);
$DayOfWeek = $CurDate['weekday'];

$MonthNumber = $MonthToShow;
if ($MonthToShow < 10)
{
  $MonthNumber = 0;
  $MonthNumber .= $MonthToShow;
}

$DayNumber = $DayToShow;
if ($DayToShow < 10)
{
  $DayNumber = 0;
  $DayNumber .= $DayToShow;
}

$MonthNames =
array(1=>'January','February','March','April','May','June','July','August','September','October','November','December');
$MonthID =
array(1=>'01','02','03','04','05','06','07','08','09','10','11','12');
$Years =
array($YearToShow-5,$YearToShow-4,$YearToShow-3,$YearToShow-2,$YearToShow-1,$YearToShow,$YearToShow+1,$YearToShow+2,$YearToShow+3,$YearToShow+4,$YearToShow+5);

?>

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com

> -Original Message-
> From: Chris Hubbard [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 11:37 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake,
> given that I can't see what is in config.php time.php, I'll
> focus on your index.php.  I assume that the issues I point 
> out will be applicable to config and time also.
> 
> this:
>  should be:
>  
> include("config.php");
> include("time.php");
> 
> assuming that $SuBmIt and inout and username and password all
> come from your log in form it should read something like: 
>  if ($_POST["SuBmIT"]) {
>   // make sure posted variables are clean and are the 
> kind you expect
>   if ($_POST["inout"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "inout not set";
>   }
>   if ($_POST["username"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "username not entered";
>   }
>   if ($_POST["password"] != "")
>   {
>   // add other validation here
>   }else{
>   $error[] = "password not entered";
>   }
>   if (count($error) == 0)
>   {
>   $sql = "SELECT * FROM `users` WHERE `uname` 
> LIKE '%". $_POST["username"] ."%'";
>   // insert code to strip out < and > signs and ;
>   // like this:
>   $sql = str_replace("<","",$sql);
>   $sql = str_replace(">","",$sql);
>   $sql = str_replace(";","",$sql);
>   // when we know that $sql is clean do the query
>   $result = mysql_query($sql);
>   $row = mysql_fetch_array($result);
> 
> The preceding should do roughly the same as your following 
> code.  Note the sql query should not use LIKE (which you're 
> using) and you should use both the username and the password, 
> so something like

RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Jake,
given that I can't see what is in config.php time.php, I'll focus on your
index.php.  I assume that the issues I point out will be applicable to
config and time also.

this:

$error = array();  // collect validation failures; must exist before count()
if ($_POST["SuBmIT"])
{
    // make sure posted variables are clean and are the kind you expect
    if ($_POST["inout"] != "")
    {
        // add other validation here
    }else{
        $error[] = "inout not set";
    }
    if ($_POST["username"] != "")
    {
        // add other validation here
    }else{
        $error[] = "username not entered";
    }
    if ($_POST["password"] != "")
    {
        // add other validation here
    }else{
        $error[] = "password not entered";
    }
    if (count($error) == 0)
    {
        $sql = "SELECT * FROM `users` WHERE `uname` LIKE '%". $_POST["username"] ."%'";
        // insert code to strip out < and > signs and ;
        // like this:
        $sql = str_replace("<","",$sql);
        $sql = str_replace(">","",$sql);
        $sql = str_replace(";","",$sql);
        // when we know that $sql is clean do the query
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);

The preceding should do roughly the same as your following code.  Note the
sql query should not use LIKE (which you're using) and you should use both
the username and the password, so something like this would be better
$sql = "SELECT * FROM `users` WHERE (`uname` = '". $_POST["username"] ."')
AND (`password` = '". md5($_POST["password"]) ."')";
You are encrypting your password correct?


if (($SuBmIt) && ($inout) && ($username) && ($password))
{
  $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE
'$username'");
  $row = mysql_fetch_array($result);


This should get you firmly on the road.  NOTE: I have not run the above
code, so might work, and it might not.  Either way it's on you to sort out.

Hope this is helpful,
chris
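
A hardened form of the login check discussed in this message, as an added example that is not part of the original post: the username is bound as a query parameter instead of being concatenated and filtered with str_replace(), the password is checked with password_hash()/password_verify() rather than md5(), and the session ID is regenerated on login. It assumes PHP 8 with PDO SQLite; the function names, table layout and sample account are constructed for the example.

```php
<?php
// Added example: schema, function names and the sample account are constructed.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec(
        'CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            uname TEXT UNIQUE NOT NULL,
            pw_hash TEXT NOT NULL,
            email TEXT NOT NULL
        )'
    );
    // The sample username contains a quote on purpose: bound parameters
    // store and match it as plain data, with no stripping or escaping.
    $ins = $db->prepare('INSERT INTO users (uname, pw_hash, email) VALUES (?, ?, ?)');
    $ins->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT), 'oneil@example.test']);
    return $db;
}

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Exact match on the username; the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, uname, pw_hash, email FROM users WHERE uname = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is compared in PHP against a salted, slow hash,
    // not inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    unset($row['pw_hash']);
    return $row;
}

function login(PDO $db, array $post): bool
{
    // Read form fields from the request array only and reject non-string values.
    $username = isset($post['username']) && is_string($post['username']) ? trim($post['username']) : '';
    $password = isset($post['password']) && is_string($post['password']) ? $post['password'] : '';
    if ($username === '' || $password === '') {
        return false;
    }

    $user = authenticate($db, $username, $password);
    if ($user === null) {
        return false;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID once the user is authenticated.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $user['id'];
    $_SESSION['name'] = $user['uname'];
    $_SESSION['email'] = $user['email'];
    return true;
}

function current_user_id(): ?int
{
    // Page guard helper: null means "send the visitor to the login page".
    return isset($_SESSION['userid']) && is_int($_SESSION['userid']) ? $_SESSION['userid'] : null;
}

// Collect the results before printing, because session_start() has to run
// before any output is sent.
$db = make_demo_db();
$results = [
    'wrong password'   => login($db, ['username' => "o'neil", 'password' => 'wrong']),
    'unknown user'     => login($db, ['username' => 'nobody', 'password' => 'correct horse']),
    'non-string field' => login($db, ['username' => ['x'], 'password' => 'y']),
    'valid login'      => login($db, ['username' => "o'neil", 'password' => 'correct horse']),
];
var_dump($results, current_user_id());
```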




RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Mainly what my problem is, is that when I turn Register_Globals = Off,
then my scripts stop working. I can't even get past the page I showed
you, the login page. No errors, it's just like I didn't enter any
data.

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com

> -Original Message-
> From: Chris Hubbard [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 14, 2003 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake,
> it would be helpful if we could see your code.
> 
> That said...
> 
> first you need to identify what information you need to track 
> in the sessions, and whether you're going to use php sessions 
> (the $_SESSIONS
> array) or build your own mysql based session tracker.
> 
> to use php sessions:
> you will need some place where you set up/create the sessions.
> typically this is the login page.  let's assume you'll use the
> login page.  The logic for the login page goes something like this:
> 1.  present a form for logging in (usually username/password)
> 2.  on post, clean the posted data (remove html, special characters, etc)
> 3.  check the cleaned username/password against the data in the database
> 4.  if the username/password is valid, create your session and assign
> variables to it like this:
>   session_start();  //create the session
>   $id = session_id();  // create a unique session id
>   session_register("id");  // register id as a session variable
>   session_register("name");  // register name as a session variable
>   session_register("email");  // register email as a session variable
>   $_SESSION["id"] = $id;  // assign the unique session id to session array
>   $_SESSION["name"] = $data["name"];  // assign the username to session array
>   $_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array
>
> 5.  now either redirect to your main application page, or create
> another page with links to that main application page.  In either
> case every page where you want to use sessions has to start with:
> session_start();
>
> for example:
> <?php
> session_start();
> // the rest of your code.
>
> 6.  I recommend that you add a check to your pages to make sure that
> the session is still the right one and it's intact, something like this:
> if (!$_SESSION["id"])  // if no session id, return to the login page
> {
>   header ("Refresh: 0; url=login.php");  //or
>   // header ("location:http://www.mydomain.com/login.php");
> }else{
>   // the body of your code goes here.
> }
>
> 7.  so with all that the pages you want to access session in
> should have a structure similar to:
> <?php
> session_start();
> if (!$_SESSION["id"]) {
>   header ("Refresh: 0; url=login.php");
> }else{
>   // do all kinds of nifty time card things here
> }
> ?>
> 
> 
> Hope this is helpful.
> 
> Chris
> 
> -Original Message-
> From: Jake McHenry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions Question
> 
> 
> Hi everyone,
> 
> I've been trying to set up sessions, but have been having 
> problems. I created an online time clock for my company using 
> php and a mysql database. It's everything that my boss 
> wanted. The only problem is, he told me today that he is 
> planning on selling it to our partners. The actual software 
> and database will reside on my server, but I will give them 
> their own database.
> 
> I started designing it about 2 years ago, and the machine 
> that I was working on at the time had register_globals=on, so 
> I built my scripting around that. I didn't know much about 
> php at the time, but have learned an immense amount since then.
> 
> Since people are now going to be accessing the time clock 
> from outside my company, I need to turn register_globals off, 
> and turn sessions on. My problem is that all my variables are 
> declared locally in the individual files, and are being 
> passed by forms to $PHP_SELF, and all of the variables and 
> their values can be seen in the address bar.
> 
> This never concerned me while being inside my firewall, since 
> it was only my employees and I. I knew what was going on.
> 
> I've read a lot of documents on the net concerning sessions, 
> but still can't get it to work right. Whenever I try to go to 
> another page, or submit a time, it either doesn't work at 
> all, or it works, 

RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Mike,
I don't get the "headers already sent" error.  here's the code I'm using:

if ($_POST)
{
	$result = cleanData($_POST);
	$sql = "SELECT `id`,`username`,`password`,`email` FROM `users` WHERE "
		. "(`username` = '". $result["username"] ."') AND "
		. "(`password` = '". md5($result["password"]) ."')";
	if ($conn->query($sql))
	{
		// if name and password match
		while (!$conn->movenext())
		{
			$data["id"] = $conn->value("id");
			$data["name"] = $conn->value("username");
			$data["email"] = $conn->value("email");
		}
		// Now create the session
		session_start();
		$id = session_id();
		session_register("id");
		session_register("name");
		session_register("email");
		session_register("sections");
		$_SESSION["id"] = $id;
		$_SESSION["name"] = $data["name"];
		$_SESSION["email"] = $data["email"];
		header("Location: http://ubb.atlantic-records.com/gallery/admin/index.php");
	}else{
		// if name and password don't match
		header ("Refresh: 0; url=login.php");
	}
}

-Original Message-
From: Mike Brum [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:31 PM
To: 'Chris Hubbard'; [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Question


One quick note - if you're starting a session then you can't use the
header() function afterwards. You'll get the lovely "headers already sent"
error.

Be sure to use an alternate method of redirection if you're starting a
session before your redirect logic takes place.

-M

-Original Message-
From: Chris Hubbard [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 9:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Question


Jake,
it would be helpful if we could see your code.

That said...

first you need to identify what information you need to track in the
sessions, and whether you're going to use php sessions (the $_SESSIONS
array) or build your own mysql based session tracker.

to use php sessions:
you will need some place where you set up/create the sessions.  typically
this is the login page.  let's assume you'll use the login page.  The logic
for the login page goes something like this:
1.  present a form for logging in (usually username/password)
2.  on post, clean the posted data (remove html, special characters, etc)
3.  check the cleaned username/password against the data in the database
4.  if the username/password is valid, create your session and assign
variables to it like this:
session_start();  //create the session
$id = session_id();  // create a unique session id
session_register("id");  // register id as a session variable
session_register("name");  // register name as a session variable
session_register("email");  // register email as a session variable
$_SESSION["id"] = $id;  // assign the unique session id to session array
$_SESSION["name"] = $data["name"];  // assign the username to session array
$_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array

5.  now either redirect to your main application page, or create another
page with links to that main application page.  In either case every page
where you want to use sessions has to start with: session_start();

for example:
<?php
session_start();
// the rest of your code.

6.  I recommend that you add a check to your pages to make sure that the
session is still the right one and it's intact, something like this:
if (!$_SESSION["id"])  // if no session id, return to the login page
{
	header ("Refresh: 0; url=login.php");  //or
	// header ("location:http://www.mydomain.com/login.php");
}else{
	// the body of your code goes here.
}

7.  so with all that the pages you want to access session in should have a
structure similar to:
<?php
session_start();
if (!$_SESSION["id"]) {
	header ("Refresh: 0; url=login.php");
}else{
	// do all kinds of nifty time card things here
}
?>


Hope this is helpful.

Chris

-Original Message-
From: Jake McHenry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions Question


Hi everyone,

I've been trying to set up sessions, but have been having problems. I
created an online time clock for my company using php and a mysql database.
It's everything that my boss wanted. The only problem is, he told me today
that he is planning on selling it to our partners. The actual software and
database will reside on my server, but I will give them their own database.

I started designing it about 2 years ago, and the machine that I was working
on at the time had register_globals=on, so I built my scripting around that.
I didn't know much about php at the time, but hav

RE: [PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Sorry, I sent that last email directly to someone... Here it is again.

Here is my index file, it's the smallest of the set. This would be a
huge post if I would submit one of those. Config.php has config
options, time.php is basically getting the system time and then
manipulating it, instead of in each file.

I tried what you mentioned, almost exactly, missing the register id,
but I was using the $_SESSION for all my variables, and that's where I
ran into not being able to change them unless I would close the
browser and start over. And yes, I was using session_start() at the
beginning of all my files.

If the person puts in username: admin, then it basically dumps the
entire database onto the screen, with some manipulation of course,
otherwise, it only shows the individual employees data.

I also know I have to change the way people log in, I need to hash the
password and compare the two instead of all plain text.

Thanks,
Jake


Database Error: Not Logged In, please try
again";
}
  }
  else
  {
echo "Error: You are already clocked in!";
  }
}
else if ($inout == "out")
{
  if ($error != 0)
  {
$sql = "UPDATE $username SET `cotime`='$LogInOutTime',
`coampm`='$LogInOutAmPm' WHERE `ymd` LIKE
'$Year-$MonthNumber-$DayNumber' AND `cotime` LIKE '00:00:00' LIMIT 1";
$result = mysql_query($sql);

if ($result == 1)
{
  Header("Location:
userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
}
else
{
  echo "Database Error: Not Logged Out, please try
again";
}
  }
  else
  {
echo "Error: You are not clocked in!";
  }
}
else if ($inout == "timeoff")
{
Header("Location:
timeoff.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
}
else
{
Header("Location:
userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
}
  }
  else
  {
echo "Error: invalid password!";
  }
}

echo <<http://www.nittanytravel.com

> -Original Message-
> From: Chris Hubbard [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
> 
> 
> Jake,
> it would be helpful if we could see your code.
> 
> That said...
> 
> first you need to identify what information you need to track
> in the sessions, and whether you're going to use php sessions 
> (the $_SESSIONS
> array) or build your own mysql based session tracker.
> 
> to use php sessions:
> you will need some place where you set up/create the sessions.
> typically this is the login page.  let's assume you'll use the
> login page.  The logic for the login page goes something like this:
> 1.  present a form for logging in (usually username/password)
> 2.  on post, clean the posted data (remove html, special characters, etc)
> 3.  check the cleaned username/password against the data in the database
> 4.  if the username/password is valid, create your session and assign
> variables to it like this:
>   session_start();  //create the session
>   $id = session_id();  // create a unique session id
>   session_register("id");  // register id as a session variable
>   session_register("name");  // register name as a session variable
>   session_register("email");  // register email as a session variable
>   $_SESSION["id"] = $id;  // assign the unique session id to session array
>   $_SESSION["name"] = $data["name"];  // assign the username to session array
>   $_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array
>
> 5.  now either redirect to your main application page, or create
> another page with links to that main application page.  In either
> case every page where you want to use sessions has to start with:
> session_start();
>
> for example:
> <?php
> session_start();
> // the rest of your code.
>
> 6.  I recommend that you add a check to your pages to make sure that
> the session is still the right one and it's intact, something like this:
> if (!$_SESSION["id"])  // if no session id, return to the login page
> {
>   header ("Refresh: 0; url=login.php");  //or
>   // header ("location:http://www.mydomain.com/login.php");
> }else{
>   // the body of your code goes here.
> }
>
> 7.  so with all that the pages you want to access session in
> should have a structure simila

RE: [PHP] Sessions Question

2003-10-14 Thread Mike Brum
One quick note - if you're starting a session then you can't use the
header() function afterwards. You'll get the lovely "headers already sent"
error.

Be sure to use an alternate method of redirection if you're starting a
session before your redirect logic takes place.

-M

-Original Message-
From: Chris Hubbard [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2003 9:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Question


Jake,
it would be helpful if we could see your code.

That said...

first you need to identify what information you need to track in the
sessions, and whether you're going to use php sessions (the $_SESSIONS
array) or build your own mysql based session tracker.

to use php sessions:
you will need some place where you set up/create the sessions.  typically
this is the login page.  let's assume you'll use the login page.  The logic
for the login page goes something like this:
1.  present a form for logging in (usually username/password)
2.  on post, clean the posted data (remove html, special characters, etc)
3.  check the cleaned username/password against the data in the database
4.  if the username/password is valid, create your session and assign
variables to it like this:
session_start();  //create the session
$id = session_id();  // create a unique session id
session_register("id");  // register id as a session variable
session_register("name");  // register name as a session variable
session_register("email");  // register email as a session variable
$_SESSION["id"] = $id;  // assign the unique session id to session array
$_SESSION["name"] = $data["name"];  // assign the username to session array
$_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array

5.  now either redirect to your main application page, or create another
page with links to that main application page.  In either case every page
where you want to use sessions has to start with: session_start();

for example:
<?php
session_start();
// the rest of your code.

6.  I recommend that you add a check to your pages to make sure that the
session is still the right one and it's intact, something like this:
if (!$_SESSION["id"])  // if no session id, return to the login page
{
	header ("Refresh: 0; url=login.php");  //or
	// header ("location:http://www.mydomain.com/login.php");
}else{
	// the body of your code goes here.
}

7.  so with all that the pages you want to access session in should have a
structure similar to:
<?php
session_start();
if (!$_SESSION["id"]) {
	header ("Refresh: 0; url=login.php");
}else{
	// do all kinds of nifty time card things here
}
?>


Hope this is helpful.

Chris

-Original Message-
From: Jake McHenry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions Question


Hi everyone,

I've been trying to set up sessions, but have been having problems. I
created an online time clock for my company using php and a mysql database.
It's everything that my boss wanted. The only problem is, he told me today
that he is planning on selling it to our partners. The actual software and
database will reside on my server, but I will give them their own database.

I started designing it about 2 years ago, and the machine that I was working
on at the time had register_globals=on, so I built my scripting around that.
I didn't know much about php at the time, but have learned an immense amount
since then.

Since people are now going to be accessing the time clock from outside my
company, I need to turn register_globals off, and turn sessions on. My
problem is that all my variables are declared locally in the individual
files, and are being passed by forms to $PHP_SELF, and all of the variables
and their values can be seen in the address bar.

This never concerned me while being inside my firewall, since it was only my
employees and I. I knew what was going on.

I've read a lot of documents on the net concerning sessions, but still can't
get it to work right. Whenever I try to go to another page, or submit a
time, it either doesn't work at all, or it works, but the value that's in
the variable is stuck there, and I can't change it without closing the
browser and starting over.

Can someone point me in the right direction here?

Thanks,
Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-10-14 Thread Chris W. Parker
Jake McHenry 
on Tuesday, October 14, 2003 5:00 PM said:

[snip]

> Can someone point me in the right direction here?

I'd love to help you but you did not provide enough information.


What exactly are you trying to do and what is it failing? Try showing us
the code in question.

Are you receiving any error messages?

Are you making sure to start the session with 'session_start();' on each
page the session needs to be accessed?



HTH,
Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




RE: [PHP] Sessions Question

2003-10-14 Thread Chris Hubbard
Jake,
it would be helpful if we could see your code.

That said...

first you need to identify what information you need to track in the
sessions, and whether you're going to use php sessions (the $_SESSIONS
array) or build your own mysql based session tracker.

to use php sessions:
you will need some place where you set up/create the sessions.  typically
this is the login page.  let's assume you'll use the login page.  The logic
for the login page goes something like this:
1.  present a form for logging in (usually username/password)
2.  on post, clean the posted data (remove html, special characters, etc)
3.  check the cleaned username/password against the data in the database
4.  if the username/password is valid, create your session and assign
variables to it like this:
session_start();  //create the session
$id = session_id();  // create a unique session id
session_register("id");  // register id as a session variable
session_register("name");  // register name as a session variable
session_register("email");  // register email as a session variable
$_SESSION["id"] = $id;  // assign the unique session id to session array
$_SESSION["name"] = $data["name"];  // assign the username to session array
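$_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array

5.  now either redirect to your main application page, or create another
page with links to that main application page.  In either case every page
where you want to use sessions has to start with:
session_start();

for example:
<?php
session_start();
// the rest of your code.

6.  I recommend that you add a check to your pages to make sure that the
session is still the right one and it's intact, something like this:
if (!$_SESSION["id"])  // if no session id, return to the login page
{
	header ("Refresh: 0; url=login.php");  //or
	// header ("location:http://www.mydomain.com/login.php");
}else{
	// the body of your code goes here.
}

7.  so with all that the pages you want to access session in should have a
structure similar to:
<?php
session_start();
if (!$_SESSION["id"]) {
	header ("Refresh: 0; url=login.php");
}else{
	// do all kinds of nifty time card things here
}
?>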



Hope this is helpful.

Chris

-Original Message-
From: Jake McHenry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions Question


Hi everyone,

I've been trying to set up sessions, but have been having problems. I
created an online time clock for my company using php and a mysql
database. It's everything that my boss wanted. The only problem is, he
told me today that he is planning on selling it to our partners. The
actual software and database will reside on my server, but I will give
them their own database.

I started designing it about 2 years ago, and the machine that I was
working on at the time had register_globals=on, so I built my
scripting around that. I didn't know much about php at the time, but
have learned an immense amount since then.

Since people are now going to be accessing the time clock from
outside my company, I need to turn register_globals off, and turn
sessions on. My problem is that all my variables are declared locally
in the individual files, and are being passed by forms to $PHP_SELF,
and all of the variables and their values can be seen in the address
bar.

This never concerned me while being inside my firewall, since it was
only my employees and I. I knew what was going on.

I've read a lot of documents on the net concerning sessions, but still
can't get it to work right. Whenever I try to go to another page, or
submit a time, it either doesn't work at all, or it works, but the
value that's in the variable is stuck there, and I can't change it
without closing the browser and starting over.

Can someone point me in the right direction here?

Thanks,
Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
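
The login flow from steps 1 to 7 of the message above, as an added example that is not code from the thread. It assumes PHP 7.1 or later with pdo_sqlite; the `users` table, the sample account and the page names are constructed. It swaps the string-built query and md5() for a bound parameter with password_hash()/password_verify(), and issues a fresh session id at login.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table holding one account.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        email TEXT NOT NULL,
        password_hash TEXT NOT NULL)');
    $ins = $db->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    $ins->execute(['jake', 'jake@example.test',
        password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Steps 2-3: the username travels as a bound parameter, so quotes in it
// never become part of the SQL text; the password is checked against a
// salted hash rather than compared inside the query.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, email, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // never carry the hash into the session
    return $row;
}

// Step 4: create the session. Regenerating the id at login means an id
// that was known before authentication is useless afterwards.
function start_login_session(array $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['name']    = $user['username'];
    $_SESSION['email']   = $user['email'];
}

// Steps 6-7: call first thing on every protected page. exit stops the
// rest of the page from running after the redirect header is queued.
function require_login(string $loginPage = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// Login handler: returns the page to redirect to. In login.php:
//   header('Location: ' . handle_login($db, $_POST)); exit;
function handle_login(PDO $db, array $post): string
{
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    $user = (is_string($u) && is_string($p)) ? authenticate($db, $u, $p) : null;
    if ($user === null) {
        return 'login.php';
    }
    start_login_session($user);
    return 'main.php';
}

// Command-line demo of the credential check on constructed inputs.
if (PHP_SAPI === 'cli') {
    $db = make_demo_db();
    $cases = [
        ['jake', 'correct horse battery'],   // valid account
        ['jake', 'wrong password'],          // bad password
        ["jake' OR '1'='1", 'anything'],     // quote characters stay data
    ];
    foreach ($cases as [$u, $p]) {
        $ok = authenticate($db, $u, $p) !== null;
        printf("%-20s %s\n", $u, $ok ? 'accepted' : 'rejected');
    }
}
```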



[PHP] Sessions Question

2003-10-14 Thread Jake McHenry
Hi everyone,

I've been trying to set up sessions, but have been having problems. I
created an online time clock for my company using php and a mysql
database. It's everything that my boss wanted. The only problem is, he
told me today that he is planning on selling it to our partners. The
actual software and database will reside on my server, but I will give
them their own database.

I started designing it about 2 years ago, and the machine that I was
working on at the time had register_globals=on, so I built my
scripting around that. I didn't know much about php at the time, but
have learned an immense amount since then.

Since people are now going to be accessing the time clock from
outside my company, I need to turn register_globals off, and turn
sessions on. My problem is that all my variables are declared locally
in the individual files, and are being passed by forms to $PHP_SELF,
and all of the variables and their values can be seen in the address
bar.

This never concerned me while being inside my firewall, since it was
only my employees and I. I knew what was going on.

I've read a lot of documents on the net concerning sessions, but still
can't get it to work right. Whenever I try to go to another page, or
submit a time, it either doesn't work at all, or it works, but the
value that's in the variable is stuck there, and I can't change it
without closing the browser and starting over.

Can someone point me in the right direction here?

Thanks,
Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com




RE: [PHP] Sessions Question

2003-06-27 Thread Ford, Mike [LSS]
> -Original Message-
> From: Bob Irwin [mailto:[EMAIL PROTECTED]
> Sent: 27 June 2003 08:01
> 
> Oops.
> 
> Forgot to remove the Re: - it was a new thread - I just 
> replied to an old
> message to get the php list email address

That's exactly what you shouldn't do.  Most newsreaders, and some email
clients, are capable of tracking the thread no matter what you change the
subject to -- by replying to an existing thread with a new topic, people
using those clients see your new message in the middle of the old topic
thread.

If you're posting a new topic, do it with a completely new message.  (Why
not use your client's address book or nickname facility to give yourself an
easily-remembered alias for this list?)

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




Re: [PHP] Sessions Question

2003-06-27 Thread Bob Irwin
Oops.

Forgot to remove the Re: - it was a new thread - I just replied to an old
message to get the php list email address then managed to stuff the subject
up.

Thanks for the help though!

Best Regards
Bob Irwin
*** Email [EMAIL PROTECTED] for speedy email response ***
- Original Message - 
From: "- Edwin -" <[EMAIL PROTECTED]>
To: "Bob Irwin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 27, 2003 2:39 PM
Subject: Re: [PHP] Sessions Question


>
> "Bob Irwin" <[EMAIL PROTECTED]> wrote:
>
> > Aside from the fact that bad code can obviously make sessions hackable, what
> > does everyone think about the security of sessions?
> >
> > I rely on them fairly heavily for low-mid range security on some of my
> > scripts, but if I was to do something that involved more sensitive info, are
> > sessions bullet proof?  Can someone forge them somehow?
>
> I think you'll find related info if you try Google or the archives for
>
>   "hijack sessions"
>
> And, talking about "hijacking", you just hijacked this thread which is not good.
>
>   http://marc.theaimsgroup.com/?l=php-general&m=105337989306112&w=2
>
> - E -



Re: [PHP] Sessions Question

2003-06-26 Thread - Edwin -

"Bob Irwin" <[EMAIL PROTECTED]> wrote:

> Aside from the fact that bad code can obviously make sessions hackable, what
> does everyone think about the security of sessions?
> 
> I rely on them fairly heavily for low-mid range security on some of my
> scripts, but if I was to do something that involved more sensitive info, are
> sessions bullet proof?  Can someone forge them somehow?

I think you'll find related info if you try Google or the archives for

  "hijack sessions"

And, talking about "hijacking", you just hijacked this thread which is not good.

  http://marc.theaimsgroup.com/?l=php-general&m=105337989306112&w=2

- E -



[PHP] Sessions Question

2003-06-26 Thread Bob Irwin
Aside from the fact that bad code can obviously make sessions hackable, what
does everyone think about the security of sessions?

I rely on them fairly heavily for low-mid range security on some of my
scripts, but if I was to do something that involved more sensitive info, are
sessions bullet proof?  Can someone forge them somehow?

Bob





Re: [PHP] Sessions question

2003-03-22 Thread Beauford.2002
Why? You wouldn't even know it happened - nor would the site. This is just a
security precaution.

- Original Message -
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 22, 2003 2:25 AM
Subject: Re: [PHP] Sessions question


> On Saturday 22 March 2003 08:09, Beauford.2002 wrote:
> > I don't quite understand this. If a user is on my site and then decides to
> > go into his favourites and go to yahoo.com - this won't work. I think you
> > are assuming the user is going to click on something I have set up - I want
> > this to be invisible - however this user decides to leave my site. It
> > appears though from the answers I have received - that this is not
> > possible
>
> You're right it is not possible and quite rightly so. I wouldn't want a site
> to know when I have 'left' their site.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> --
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-general
> --
> /*
> Lee's Law:
> Mother said there would be days like this,
> but she never said that there'd be so many!
> */
>
>



Re: [PHP] Sessions question

2003-03-21 Thread Jason Wong
On Saturday 22 March 2003 08:09, Beauford.2002 wrote:
> I don't quite understand this. If a user is on my site and then decides to
> go into his favourites and go to yahoo.com - this won't work. I think you
> are assuming the user is going to click on something I have set up - I want
> this to be invisible - however this user decides to leave my site. It
> appears though from the answers I have received - that this is not
> possible

You're right it is not possible and quite rightly so. I wouldn't want a site 
to know when I have 'left' their site.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
Lee's Law:
Mother said there would be days like this,
but she never said that there'd be so many!
*/





Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
I don't quite understand this. If a user is on my site and then decides to
go into his favourites and go to yahoo.com - this won't work. I think you
are assuming the user is going to click on something I have set up - I want
this to be invisible - however this user decides to leave my site. It
appears though from the answers I have received - that this is not
possible

B.

- Original Message -
From: "Kevin Stone" <[EMAIL PROTECTED]>
To: "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 4:21 PM
Subject: Re: [PHP] Sessions question


> This is one of those rare things in programming that can only be done one
> way.  Absolutely the only way to kill the session when a user leaves your
> site is to go through a script and then redirect after the session has been
> destroyed.  For this to work every outgoing link on your website will have
> to point to a script.  Then you'll pass the redirect url or url id (that
> refers to a url in your database) through the link and redirect after
> session_destroy() has killed the session.
>
> The link can look like this:
> http://www.thiersite.com";>www.theirsite.com
>
> The script will look something like this:
> <?php
> session_start();
> session_destroy();
> header("Location: ".$_POST['url']);
> ?>
>
> Keep in mind if you want to do this then the user will not be able to use
> his/her back button in order to return to your website unless you define an
> additional redirect in a conditional that states "if the session is not
> active then go here".
>
> Voodoo.  *LOL*
>
> - Kevin
>
>
> - Original Message -
> From: "Beauford.2002" <[EMAIL PROTECTED]>
> To: "Ford, Mike [LSS]" <[EMAIL PROTECTED]>; "'Justin French'"
> <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
> Sent: Friday, March 21, 2003 12:56 PM
> Subject: Re: [PHP] Sessions question
>
>
> > So is there anyway to do this - perl, javascript, voodoo?
> >
> >
> > - Original Message -
> > From: "Ford, Mike [LSS]" <[EMAIL PROTECTED]>
> > To: "'Justin French'" <[EMAIL PROTECTED]>; "Beauford.2002"
> > <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
> > Sent: Friday, March 21, 2003 11:04 AM
> > Subject: RE: [PHP] Sessions question
> >
> >
> > > > -Original Message-
> > > > From: Justin French [mailto:[EMAIL PROTECTED]
> > > > Sent: 21 March 2003 15:59
> > > >
> > > > on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
> > > >
> > > > > What about cookies - someone said if you put no time limit
> > > > on a cookie it
> > > > > dies when you leave the site - I'm not sure about this, but
> > > > any help is
> > > > > appreciated.
> > > >
> > > > I think it's defined as "when the browser is closed", not
> > > > "when the browser
> > > > is no longer in your domain"
> > >
> > > That is correct.
> > >
> > > Cheers!
> > >
> > > Mike
> > >
> > > -
> > > Mike Ford,  Electronic Information Services Adviser,
> > > Learning Support Services, Learning & Information Services,
> > > JG125, James Graham Building, Leeds Metropolitan University,
> > > Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> > > Email: [EMAIL PROTECTED]
> > > Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> > >
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






Re: [PHP] Sessions question

2003-03-21 Thread Kevin Stone
This is one of those rare things in programming that can only be done one
way.  Absolutely the only way to kill the session when a user leaves your
site is to go through a script and then redirect after the session has been
destroyed.  For this to work every outgoing link on your website will have
to point to a script.  Then you'll pass the redirect url or url id (that
refers to a url in your database) through the link and redirect after
session_destroy() has killed the session.

The link can look like this:
http://www.thiersite.com";>www.theirsite.com

The script will look something like this:


Keep in mind if you want to do this then the user will not be able to use
his/her back button in order to return to your website unless you define an
additional redirect in a conditional that states "if the session is not
active then go here".

Voodoo.  *LOL*

- Kevin


- Original Message -
From: "Beauford.2002" <[EMAIL PROTECTED]>
To: "Ford, Mike [LSS]" <[EMAIL PROTECTED]>; "'Justin French'"
<[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 12:56 PM
Subject: Re: [PHP] Sessions question


> So is there anyway to do this - perl, javascript, voodo?
>
>
> - Original Message -
> From: "Ford, Mike [LSS]" <[EMAIL PROTECTED]>
> To: "'Justin French'" <[EMAIL PROTECTED]>; "Beauford.2002"
> <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
> Sent: Friday, March 21, 2003 11:04 AM
> Subject: RE: [PHP] Sessions question
>
>
> > > -Original Message-
> > > From: Justin French [mailto:[EMAIL PROTECTED]
> > > Sent: 21 March 2003 15:59
> > >
> > > on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
> > >
> > > > What about cookies - someone said if you put no time limit
> > > on a cookie it
> > > > dies when you leave the site - I'm not sure about this, but
> > > any help is
> > > > appreciated.
> > >
> > > I think it's defined as "when the browser is closed", not
> > > "when the browser
> > > is no longer in your domain"
> >
> > That is correct.
> >
> > Cheers!
> >
> > Mike
> >
> > -
> > Mike Ford,  Electronic Information Services Adviser,
> > Learning Support Services, Learning & Information Services,
> > JG125, James Graham Building, Leeds Metropolitan University,
> > Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> > Email: [EMAIL PROTECTED]
> > Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
So is there any way to do this - perl, javascript, voodoo?


- Original Message -
From: "Ford, Mike [LSS]" <[EMAIL PROTECTED]>
To: "'Justin French'" <[EMAIL PROTECTED]>; "Beauford.2002"
<[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 11:04 AM
Subject: RE: [PHP] Sessions question


> > -Original Message-
> > From: Justin French [mailto:[EMAIL PROTECTED]
> > Sent: 21 March 2003 15:59
> >
> > on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
> >
> > > What about cookies - someone said if you put no time limit
> > on a cookie it
> > > dies when you leave the site - I'm not sure about this, but
> > any help is
> > > appreciated.
> >
> > I think it's defined as "when the browser is closed", not
> > "when the browser
> > is no longer in your domain"
>
> That is correct.
>
> Cheers!
>
> Mike
>
> -
> Mike Ford,  Electronic Information Services Adviser,
> Learning Support Services, Learning & Information Services,
> JG125, James Graham Building, Leeds Metropolitan University,
> Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






RE: [PHP] Sessions question

2003-03-21 Thread Darren Young

It's a "session" cookie, the browser clears it when it's closed. IIRC
you set the time to 0 to turn the cookie into a session one. Not sure
how it'll work with sessions though.

> -Original Message-
> From: Justin French [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 21, 2003 9:59 AM
> To: Beauford.2002; PHP General
> Subject: Re: [PHP] Sessions question
> 
> 
> I think it's defined as "when the browser is closed", not 
> "when the browser is no longer in your domain" -- but you'd 
> have to ask an expert or read the specs to be sure.
> 
> Justin
> 
> 
> on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
> 
> > What about cookies - someone said if you put no time limit 
> on a cookie 
> > it dies when you leave the site - I'm not sure about this, but any 
> > help is appreciated.
> > 
> > 
> > - Original Message -
> > From: "Justin French" <[EMAIL PROTECTED]>
> > To: "Beauford.2002" <[EMAIL PROTECTED]>; "PHP General" 
> > <[EMAIL PROTECTED]>
> > Sent: Friday, March 21, 2003 2:46 AM
> > Subject: Re: [PHP] Sessions question
> > 
> > 
> >> on 21/03/03 4:57 PM, Beauford.2002 
> ([EMAIL PROTECTED]) wrote:
> >> 
> >>> I have read some posts to this list on sessions and have read as 
> >>> much as
> > I
> >>> can find on them, but one problem still exists which I 
> can't figure 
> >>> out.
> > How
> >>> do I kill the session when the user leaves my site. So if 
>  a user is 
> >>> on www.mine.com and logs in successfully, then goes to 
> www.hers.com 
> >>> - the
> > user
> >>> should have to log in again once coming back to 
> www.mine.com, but at
> > present
> >>> the user is still logged in - and all variables are still set.
> >> 
> >> How can PHP possibly tell when the user closes a window, 
> or manually
> > enters
> >> a new URL into the browser?
> >> 
> >> It can't because PHP is only server side.
> >> 
> >> Set the appropriate session max lifetime and garbage clean out
> > probability,
> >> and sessions should die within a reasonable time of not being used 
> >> (see php.ini for more info).
> >> 
> >> Or, present the user with a logout link, to be sure the session is 
> >> killed instantly.
> >> 
> >> You can also do some *extra* insurance by creating a javascript 
> >> pop-up triggered on a window close event which forces a 
> log out, but 
> >> this will
> > only
> >> help in some cases, and more to the point, client-side scripting 
> >> cannot be relied upon.
> >> 
> >> If you want to kill sessions as people click on external 
> links within 
> >> your site, you can do so by creating a middle-man script 
> between your 
> >> page and the external site:
> >> 
> >> Instead of
> >> click you would do this:
> >> 
> >>  href='out.php?url=http://newsite.com')?>'>click
> >> 
> >> out.php would be responsible for killing the session before doing a
> > header()
> >> redirect to the target url.
> >> 
> >> 
> >> But, end of the day, all these are work-arounds.  Offer a 
> logout link 
> >> on every page of your site.  If the user chooses not to 
> logout, then 
> >> they are consciously making this decision -- they may want to come 
> >> back shortly, or they may not care about the security 
> implications -- 
> >> either way, it's
> > their
> >> call.
> >> 
> >> 
> >> Justin
> >> 
> >> 
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >> 
> >> 
> > 
> > 
> > ---
> > [This E-mail scanned for viruses]
> > 
> > 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 





RE: [PHP] Sessions question

2003-03-21 Thread Ford, Mike [LSS]
> -Original Message-
> From: Justin French [mailto:[EMAIL PROTECTED]
> Sent: 21 March 2003 15:59
> 
> on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
> 
> > What about cookies - someone said if you put no time limit 
> on a cookie it
> > dies when you leave the site - I'm not sure about this, but 
> any help is
> > appreciated.
> 
> I think it's defined as "when the browser is closed", not 
> "when the browser
> is no longer in your domain" 

That is correct.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




Re: [PHP] Sessions question

2003-03-21 Thread Justin French
I think it's defined as "when the browser is closed", not "when the browser
is no longer in your domain" -- but you'd have to ask an expert or read the
specs to be sure.

Justin


on 22/03/03 2:27 AM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

> What about cookies - someone said if you put no time limit on a cookie it
> dies when you leave the site - I'm not sure about this, but any help is
> appreciated.
> 
> 
> - Original Message -
> From: "Justin French" <[EMAIL PROTECTED]>
> To: "Beauford.2002" <[EMAIL PROTECTED]>; "PHP General"
> <[EMAIL PROTECTED]>
> Sent: Friday, March 21, 2003 2:46 AM
> Subject: Re: [PHP] Sessions question
> 
> 
>> on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
>> 
>>> I have read some posts to this list on sessions and have read as much as
> I
>>> can find on them, but one problem still exists which I can't figure out.
> How
>>> do I kill the session when the user leaves my site. So if  a user is on
>>> www.mine.com and logs in successfully, then goes to www.hers.com - the
> user
>>> should have to log in again once coming back to www.mine.com, but at
> present
>>> the user is still logged in - and all variables are still set.
>> 
>> How can PHP possibly tell when the user closes a window, or manually
> enters
>> a new URL into the browser?
>> 
>> It can't because PHP is only server side.
>> 
>> Set the appropriate session max lifetime and garbage clean out
> probability,
>> and sessions should die within a reasonable time of not being used (see
>> php.ini for more info).
>> 
>> Or, present the user with a logout link, to be sure the session is killed
>> instantly.
>> 
>> You can also do some *extra* insurance by creating a javascript pop-up
>> triggered on a window close event which forces a log out, but this will
> only
>> help in some cases, and more to the point, client-side scripting cannot be
>> relied upon.
>> 
>> If you want to kill sessions as people click on external links within your
>> site, you can do so by creating a middle-man script between your page and
>> the external site:
>> 
>> Instead of
>> click you would do this:
>> 
>> http://newsite.com')?>'>click
>> 
>> out.php would be responsible for killing the session before doing a
> header()
>> redirect to the target url.
>> 
>> 
>> But, end of the day, all these are work-arounds.  Offer a logout link on
>> every page of your site.  If the user chooses not to logout, then they are
>> consciously making this decision -- they may want to come back shortly, or
>> they may not care about the security implications -- either way, it's
> their
>> call.
>> 
>> 
>> Justin
>> 
>> 
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>> 
>> 
> 
> 
> ---
> [This E-mail scanned for viruses]
> 
> 





Re: [PHP] Sessions question

2003-03-21 Thread Beauford.2002
What about cookies - someone said if you put no time limit on a cookie it
dies when you leave the site - I'm not sure about this, but any help is
appreciated.


- Original Message -
From: "Justin French" <[EMAIL PROTECTED]>
To: "Beauford.2002" <[EMAIL PROTECTED]>; "PHP General"
<[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 2:46 AM
Subject: Re: [PHP] Sessions question


> on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:
>
> > I have read some posts to this list on sessions and have read as much as I
> > can find on them, but one problem still exists which I can't figure out. How
> > do I kill the session when the user leaves my site. So if  a user is on
> > www.mine.com and logs in successfully, then goes to www.hers.com - the user
> > should have to log in again once coming back to www.mine.com, but at present
> > the user is still logged in - and all variables are still set.
>
> How can PHP possibly tell when the user closes a window, or manually enters
> a new URL into the browser?
>
> It can't because PHP is only server side.
>
> Set the appropriate session max lifetime and garbage clean out probability,
> and sessions should die within a reasonable time of not being used (see
> php.ini for more info).
>
> Or, present the user with a logout link, to be sure the session is killed
> instantly.
>
> You can also do some *extra* insurance by creating a javascript pop-up
> triggered on a window close event which forces a log out, but this will only
> help in some cases, and more to the point, client-side scripting cannot be
> relied upon.
>
> If you want to kill sessions as people click on external links within your
> site, you can do so by creating a middle-man script between your page and
> the external site:
>
> Instead of
> click you would do this:
>
> http://newsite.com')?>'>click
>
> out.php would be responsible for killing the session before doing a header()
> redirect to the target url.
>
>
> But, end of the day, all these are work-arounds.  Offer a logout link on
> every page of your site.  If the user chooses not to logout, then they are
> consciously making this decision -- they may want to come back shortly, or
> they may not care about the security implications -- either way, it's their
> call.
>
>
> Justin
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






Re: SPAM: Re: [PHP] Sessions question

2003-03-20 Thread Justin French
on 21/03/03 6:20 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

> What about HTTP_REFERER - is there someway I could incorporate it to so if
> the user didn't come from xxx (a page on my site)  then kill the session and
> redirect him to the login page...

The referrer can maybe *help* (not sure how though!), but can't be relied
upon, because it's not always set by the client (browser usually).

Justin





Re: [PHP] Sessions question

2003-03-20 Thread Justin French
on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

> I have read some posts to this list on sessions and have read as much as I
> can find on them, but one problem still exists which I can't figure out. How
> do I kill the session when the user leaves my site. So if  a user is on
> www.mine.com and logs in successfully, then goes to www.hers.com - the user
> should have to log in again once coming back to www.mine.com, but at present
> the user is still logged in - and all variables are still set.

How can PHP possibly tell when the user closes a window, or manually enters
a new URL into the browser?

It can't because PHP is only server side.

Set the appropriate session max lifetime and garbage clean out probability,
and sessions should die within a reasonable time of not being used (see
php.ini for more info).

Or, present the user with a logout link, to be sure the session is killed
instantly.

You can also do some *extra* insurance by creating a javascript pop-up
triggered on a window close event which forces a log out, but this will only
help in some cases, and more to the point, client-side scripting cannot be
relied upon.

If you want to kill sessions as people click on external links within your
site, you can do so by creating a middle-man script between your page and
the external site:

Instead of 
click you would do this:

http://newsite.com')?>'>click

out.php would be responsible for killing the session before doing a header()
redirect to the target url.


But, end of the day, all these are work-arounds.  Offer a logout link on
every page of your site.  If the user chooses not to logout, then they are
consciously making this decision -- they may want to come back shortly, or
they may not care about the security implications -- either way, it's their
call.


Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
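
The middle-man script described above (and in Kevin Stone's reply earlier on this page), as an added example that is not code from the thread: it tears the session down completely and only redirects to hosts on a list the site controls, so the `url` parameter cannot send visitors to an arbitrary address. The `ALLOWED_HOSTS` list, the `/` fallback and the function names are assumptions made for this example.

```php
<?php
// out.php - added example: end the session, then redirect to an allow-listed host only.
// Links on the site would point at out.php?url=<rawurlencode()'d target>.
declare(strict_types=1);

// Assumption: the external hosts this site links to are known in advance.
const ALLOWED_HOSTS = ['www.theirsite.com', 'newsite.com'];

/**
 * Return $url when it is an absolute http(s) URL on an allow-listed host,
 * otherwise return the local fallback path.
 */
function safe_redirect_target(string $url, array $allowedHosts, string $fallback = '/'): string
{
    // Whitespace, control characters and backslashes have no place in a redirect
    // target; rejecting them also keeps extra header lines out of the response.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // relative, scheme-less or unparsable
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;   // userinfo can disguise the real host
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $url;
}

/** Remove the session data, the browser's session cookie and the server-side record. */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                           // data held in memory for this request
    if (ini_get('session.use_cookies')) {     // expire the cookie in the browser as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                        // delete the stored session
}

if (PHP_SAPI !== 'cli') {
    end_session();
    $raw = $_GET['url'] ?? '';
    $target = safe_redirect_target(is_string($raw) ? $raw : '', ALLOWED_HOSTS);
    header('Location: ' . $target, true, 302);
    exit;
}

// Run from the command line, the file prints the decision for constructed samples.
$samples = [
    'http://www.theirsite.com/page',
    'https://newsite.com/',
    'http://unlisted.example/',
    '//newsite.com/',
    'ftp://newsite.com/file',
];
foreach ($samples as $sample) {
    printf("%-32s => %s\n", $sample, safe_redirect_target($sample, ALLOWED_HOSTS));
}
```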



Re: [PHP] Sessions question

2003-03-20 Thread Beauford.2002
What about HTTP_REFERER - is there some way I could incorporate it so that if
the user didn't come from xxx (a page on my site)  then kill the session and
redirect him to the login page...


- Original Message -
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 21, 2003 1:34 AM
Subject: Re: [PHP] Sessions question


> On Friday 21 March 2003 13:57, Beauford.2002 wrote:
>
> > I have read some posts to this list on sessions and have read as much as I
> > can find on them, but one problem still exists which I can't figure out.
> > How do I kill the session when the user leaves my site.
>
> There is simply no way to tell when a user 'leaves' your site. PHP
> automatically cleans up sessions that have been idle for some time (see
> php.ini).
>
> > So if  a user is on
> > www.mine.com and logs in successfully, then goes to www.hers.com - the user
> > should have to log in again once coming back to www.mine.com, but at
> > present the user is still logged in - and all variables are still set.
>
> The only way to be sure someone has logged out is to present them with a
> logout link which when clicked will clear the session.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> --
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-general
> --
> /*
> I would much rather have men ask why I have no statue, than why I have one.
> -- Marcus Procius Cato
> */
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>






Re: [PHP] Sessions question

2003-03-20 Thread Jason Wong
On Friday 21 March 2003 13:57, Beauford.2002 wrote:

> I have read some posts to this list on sessions and have read as much as I
> can find on them, but one problem still exists which I can't figure out.
> How do I kill the session when the user leaves my site. 

There is simply no way to tell when a user 'leaves' your site. PHP 
automatically cleans up sessions that have been idle for some time (see 
php.ini).

> So if  a user is on
> www.mine.com and logs in successfully, then goes to www.hers.com - the user
> should have to log in again once coming back to www.mine.com, but at
> present the user is still logged in - and all variables are still set.

The only way to be sure someone has logged out is to present them with a 
logout link which when clicked will clear the session.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
I would much rather have men ask why I have no statue, than why I have one.
-- Marcus Procius Cato
*/


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
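
The idle clean-up mentioned in this thread depends on PHP's garbage collector, which runs only on a fraction of requests, so an idle session can outlive `session.gc_maxlifetime`. The sketch below is an added example, not code from the thread: it enforces the idle limit on every request and uses a cookie lifetime of 0 so the cookie goes when the browser closes. The 15-minute limit, the `last_seen` and `user` keys and `/login.php` are assumptions, and the options array for `session_start()` needs PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Assumed policy value for this example: 15 minutes of inactivity.
const IDLE_LIMIT_SECONDS = 900;

/** True when the session carries a last-activity stamp older than the limit. */
function session_is_stale(array $session, int $now, int $limit): bool
{
    return isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) > $limit;
}

/**
 * Start the session and enforce the idle limit on this request.
 * Returns false when the previous session had expired and was discarded,
 * so the caller can send the user back to the login page.
 */
function start_guarded_session(int $limit = IDLE_LIMIT_SECONDS): bool
{
    session_start([
        'cookie_lifetime' => 0,       // "session" cookie: dropped when the browser closes
        'cookie_httponly' => true,    // not readable from page scripts
        'gc_maxlifetime'  => $limit,  // lets the garbage collector remove idle data
    ]);

    $now = time();
    if (session_is_stale($_SESSION, $now, $limit)) {
        $_SESSION = [];               // forget the login and every stored variable
        session_regenerate_id(true);  // new ID; the old server-side record is deleted
        $_SESSION['last_seen'] = $now;
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed timestamps that exercise the check without a browser.
    $now = 1000000;
    $cases = [
        'seen 60 s ago'    => ['last_seen' => $now - 60],
        'seen 901 s ago'   => ['last_seen' => $now - 901],
        'brand-new session' => [],
    ];
    foreach ($cases as $label => $session) {
        $stale = session_is_stale($session, $now, IDLE_LIMIT_SECONDS);
        printf("%-18s stale=%s\n", $label, $stale ? 'yes' : 'no');
    }
} elseif (!start_guarded_session() || empty($_SESSION['user'])) {
    // Assumption: the login code stores the account in $_SESSION['user'].
    header('Location: /login.php', true, 302);
    exit;
}
```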



[PHP] Sessions question

2003-03-20 Thread Beauford.2002
I have read some posts to this list on sessions and have read as much as I
can find on them, but one problem still exists which I can't figure out. How
do I kill the session when the user leaves my site? So if a user is on
www.mine.com and logs in successfully, then goes to www.hers.com - the user
should have to log in again once coming back to www.mine.com, but at present
the user is still logged in - and all variables are still set.

Any help is appreciated.

TIA






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-06 Thread Justin French

on 06/06/02 10:20 PM, Jeff Field ([EMAIL PROTECTED]) wrote:

> So, it would seem, while the SID being appended to all URI's should work for
> all users, non-PHP pages will break the session (not good).  And, as for the
> cookie method, not all users have cookies enabled for their browser (also,
> not good).  Therefore, IMO, neither the cookie method or appending the URI
> method will work as you'd like 100% of the time.

Correct, if you want to maintain the session across a whole site, AND don't
want to rely on cookies, then all your pages must be parsed through PHP and
have the session ID appended to the URLs...

This can be done by giving all files a .php extension, or by forcing .html
files through Apache (httpd.conf file needs to be modified).

Justin French






RE: [PHP] Sessions question (-enable-trans-sid)

2002-06-06 Thread Jeff Field

Thanks to all for their help on this.  As a follow-up, and after a bunch of
playing around with this yesterday, here's what I've come to learn.  Perhaps
it will be helpful to others:

With enable-trans-sid compiled into PHP and the following directives in
php.ini:

session.use_cookies = 0    (PHP uses cookies for sessions - off)
session.use_trans_sid = 1  (PHP uses enable-trans-sid for sessions - on)

PHP will automatically append the SID to the end of relative links 100% of
the time and will not use cookies no matter whether the user has cookies
enabled for their browser or not.

In the following case (and I presume the more normal way of doing things):

session.use_cookies = 1    (PHP uses cookies for sessions - on)
session.use_trans_sid = 1  (PHP uses enable-trans-sid for sessions - on)

PHP will behave the same way for those users that do *not* have cookies
enabled for their browser as in the first example, i.e. append links 100% of
the time.  However, for those users that have cookies enabled for their
browser, PHP will append the SID to the links only on the first hit to a
page.  Then, when a user requests the next page, the auto-rewriting of the
URI's stops and cookies are used from that point forward.

Actually, that all makes sense, as the first time a user requests a page,
there's no way for PHP to know if the browser will accept cookies or not.
But, on the second request, the browser will send the cookie back to PHP
(along with the appended URI), and PHP from that point on knows that the
browser accepts cookies and PHP will then drop the rewriting of the URI's.

I hope I've got this all correct.  The one observation I'd make in regards
to using cookies vs. URI's to maintain the session is this (and please
someone correct me if I'm wrong):

If a user does *not* have cookies enabled for their browser, you can lose
the session if the user hits an html page at your site (because PHP will not
be involved and will not rewrite the URI's for the .html page).  Not good.

If a user *does* have cookies enabled, they can hit non-PHP pages all they
want and when they get back to a PHP page, the session is still intact.

So, it would seem, while the SID being appended to all URI's should work for
all users, non-PHP pages will break the session (not good).  And, as for the
cookie method, not all users have cookies enabled for their browser (also,
not good).  Therefore, IMO, neither the cookie method nor appending the URI
method will work as you'd like 100% of the time.

I suppose one thing you could do so that non-PHP pages won't break the
session for those users that don't have cookies enabled would be to just run
every page in your site through PHP.  That way, the URI's for every page
will be appended with the SID, and maybe that's the way to go.

Anyway, I hope I've got this all right and I hope it helps someone.

Jeff


> -Original Message-
> From: Jeff Field [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 05, 2002 11:56 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions question (-enable-trans-sid)
>
>
> Hi,
>
> I'm confused about one thing regarding sessions and haven't been able to
> find the definitive answer anywhere.  Hopefully, I can here.
>
> There are two ways to enable sessions:
>
> 1) Session ID is passed through cookies
> 2) Session ID is passed through the URL, either done manually or by
> automatic URL rewriting
>
> All the books, tutorials, etc. basically say that cookies are the
> way to go
> but "when users don't have cookies enabled, you have to use the
> URL method".
> Since I have an e-commerce site that is available to the world,
> I'm assuming
> *some* are not going to have cookies enabled.  Duh!
>
> So, from what I've read, you can implement the URL method of sessions by
> either manually attaching the session ID to the URLs, or, by compiling PHP
> with enable-trans-sid, which will add the session ID to the URL's
> automatically.  The answer that I haven't been able to find is this:
>
> Is this a one or the other proposition?  IOW, if I implement sessions with
> cookies, then I can't use the URL method?  Or, if I implement the
> URL method
> (with enable-trans-sid), I can't use the cookie method?  Or, do
> they work in
> combination.  IOW, does PHP automatically know that if a user has cookies
> enabled, PHP will use the cookie method and, when cookies are
> *not* enabled,
> PHP automatically implements the URL method?
>
> Thanks for the help!
>
> Jeff
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
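
A session ID appended to URLs, as in the first-hit behaviour described above, ends up in bookmarks, server logs, Referer headers and search-engine indexes, and anyone who obtains such a link obtains the session. The following is an added example, not code from the thread: it runs sessions in cookie-only mode and redirects any request that still carries the ID in its query string to the clean address. The function names are assumptions; the options array needs PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Remove the session-ID parameter from a request URI (path plus query).
 * Only the path and query are kept, so the result is always a local address.
 * Returns the URI unchanged when the parameter is absent.
 */
function strip_session_param(string $requestUri, string $name): string
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['query'])) {
        return $requestUri;
    }
    parse_str($parts['query'], $query);
    if (!array_key_exists($name, $query)) {
        return $requestUri;
    }
    unset($query[$name]);
    $clean = $parts['path'] ?? '/';
    if ($query !== []) {
        $clean .= '?' . http_build_query($query);
    }
    return $clean;
}

/** Start a session whose ID travels in the cookie and nowhere else. */
function start_cookie_only_session(): void
{
    session_start([
        'use_cookies'      => 1,
        'use_only_cookies' => 1,  // an ID supplied in the URL is ignored
        'use_trans_sid'    => 0,  // no automatic rewriting of links and forms
        'use_strict_mode'  => 1,  // IDs the server did not issue are rejected
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed request URIs; PHPSESSID is PHP's default session name.
    $samples = [
        '/cart.php?item=3&PHPSESSID=slkfjdsjfsdlkf',
        '/index.php?PHPSESSID=slkfjdsjfsdlkf',
        '/about.html',
    ];
    foreach ($samples as $uri) {
        printf("%-44s => %s\n", $uri, strip_session_param($uri, 'PHPSESSID'));
    }
} else {
    $uri   = $_SERVER['REQUEST_URI'] ?? '/';
    $clean = strip_session_param($uri, session_name());
    if ($clean !== $uri) {
        // Permanent redirect, so crawlers replace the address they stored.
        header('Location: ' . $clean, true, 301);
        exit;
    }
    start_cookie_only_session();
}
```

Visitors who refuse cookies get a fresh session on every request under this configuration, which is the trade-off the thread weighs.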




Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Nick Wilson



* and then 1LT John W. Holmes declared
> I guess PHP just can't tell that cookies are enabled. I'm sure the method
> isn't foolproof. Your sessions get through either way, so what's the big
> deal?

Mainly in SEO stuff. If an SE like Google as a good example picks up the
PHPSESSID=slkfjdsjfsdlkf and then comes back and gets a different id
next time you can lose page rank for duplicate content.

Big deal indeed I'd say.

- -- 
Nick Wilson //  www.explodingnet.com








Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread 1LT John W. Holmes

I guess PHP just can't tell that cookies are enabled. I'm sure the method
isn't foolproof. Your sessions get through either way, so what's the big
deal?

---John Holmes...
- Original Message -
From: "Dan Hardiker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 4:50 PM
Subject: Re: [PHP] Sessions question (-enable-trans-sid)


> > Hmmm I've had a problem with this: I have --enable-trans-sid but I
> > see url appends on my browser when I *know* cookies are working.
>
>
> Personally I can't say this is a bad thing... not all browsers enable
> cookies and they can be messy and insecure at times (eg: cross domain
> issues). Placing in the URL may make it look a bit messier (the URL that
> is) but it's much more compatible.
>
> Just my 2 cents.
>
>
> --
> Dan Hardiker [[EMAIL PROTECTED]]
> ADAM Software & Systems Engineer
> First Creative Ltd
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Dan Hardiker

> Hmmm I've had a problem with this: I have --enable-trans-sid but I
> see url appends on my browser when I *know* cookies are working.


Personally I can't say this is a bad thing... not all browsers enable
cookies and they can be messy and insecure at times (eg: cross domain
issues). Placing in the URL may make it look a bit messier (the URL that
is) but it's much more compatible.

Just my 2 cents.


-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd







Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Nick Wilson



* and then 1LT John W. Holmes declared
> If you compile it with --enable-trans-sid, then PHP will use cookies when
> they are available and if they are not, it'll append the SID to links and
> forms. Basically, it's automatic.

Hmmm I've had a problem with this: I have --enable-trans-sid but I
see url appends on my browser when I *know* cookies are working. 

Any reason for that? 
- -- 
Nick Wilson //  www.explodingnet.com








Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread 1LT John W. Holmes

If you compile it with --enable-trans-sid, then PHP will use cookies when
they are available and if they are not, it'll append the SID to links and
forms. Basically, it's automatic.

---John Holmes...

- Original Message -
From: "Jeff Field" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 12:56 PM
Subject: [PHP] Sessions question (-enable-trans-sid)


> Hi,
>
> I'm confused about one thing regarding sessions and haven't been able to
> find the definitive answer anywhere.  Hopefully, I can here.
>
> There are two ways to enable sessions:
>
> 1) Session ID is passed through cookies
> 2) Session ID is passed through the URL, either done manually or by
> automatic URL rewriting
>
> All the books, tutorials, etc. basically say that cookies are the way to
go
> but "when users don't have cookies enabled, you have to use the URL
method".
> Since I have an e-commerce site that is available to the world, I'm
assuming
> *some* are not going to have cookies enabled.  Duh!
>
> So, from what I've read, you can implement the URL method of sessions by
> either manually attaching the session ID to the URLs, or, by compiling PHP
> with enable-trans-sid, which will add the session ID to the URL's
> automatically.  The answer that I haven't been able to find is this:
>
> Is this a one or the other proposition?  IOW, if I implement sessions with
> cookies, then I can't use the URL method?  Or, if I implement the URL method
> (with enable-trans-sid), I can't use the cookie method?  Or, do they work in
> combination.  IOW, does PHP automatically know that if a user has cookies
> enabled, PHP will use the cookie method and, when cookies are *not* enabled,
> PHP automatically implements the URL method?
>
> Thanks for the help!
>
> Jeff
>
>
>
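
The per-request decision described in the reply above, as an added example that is not code from this thread: it reports which transport carried the session ID, and shows why the first response still carries the ID in links even when cookies work (PHP cannot know the cookie was accepted until the browser sends it back). The helper name and `next.php` are hypothetical, and the `ini_set()` values assume a PHP version that still supports `session.use_trans_sid`.

```php
<?php
// Added illustration, not from the thread. Assumes a PHP version that still
// supports URL-based session IDs; these settings must precede session_start().
ini_set('session.use_cookies', '1');      // send the ID as a cookie
ini_set('session.use_only_cookies', '0'); // also accept an ID from the URL
ini_set('session.use_trans_sid', '1');    // rewrite relative links when needed

/**
 * Hypothetical helper: which transport carried the session ID on this request?
 */
function session_id_transport(string $name, array $cookies, array $query): string
{
    if (isset($cookies[$name])) {
        return 'cookie'; // browser returned the cookie: links are left alone
    }
    if (isset($query[$name])) {
        return 'url';    // no cookie came back: the ID travels in each link
    }
    return 'none';       // first hit: PHP sets the cookie AND rewrites links
}

session_start();
$transport = session_id_transport(session_name(), $_COOKIE, $_GET);

// SID is "name=id" when the ID did not arrive in a cookie, otherwise ''.
$rewriting = (SID !== '') ? 'yes' : 'no';

echo "<p>Session ID arrived via: {$transport}</p>\n";
echo "<p>Links being rewritten on this response: {$rewriting}</p>\n";
// A relative link: trans-sid appends the ID here only while $rewriting is 'yes'.
echo "<p><a href=\"next.php\">next page</a></p>\n";

// Cookie-only variant, which keeps the ID out of URLs, logs and Referer headers:
// ini_set('session.use_only_cookies', '1');
// ini_set('session.use_trans_sid', '0');
```

Loading the page twice in a cookie-enabled browser shows `none` with rewriting on, then `cookie` with rewriting off.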






Re: [PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Martin Clifford

I'm sure this is not a definitive answer, but I would assume that since you would be 
passing the information through both the URI and Cookies, it will work regardless of 
cookies enabled or disabled.  On the other hand, if you are passing the session id 
through the URI in the first place, you don't have to worry about cookies being on at 
all.  Just some idle speculation, I've never tried to use both at the same time.

Martin

>>> "Jeff Field" <[EMAIL PROTECTED]> 06/05/02 12:56PM >>>
Hi,

I'm confused about one thing regarding sessions and haven't been able to
find the definitive answer anywhere.  Hopefully, I can here.

There are two ways to enable sessions:

1) Session ID is passed through cookies
2) Session ID is passed through the URL, either done manually or by
automatic URL rewriting

All the books, tutorials, etc. basically say that cookies are the way to go
but "when users don't have cookies enabled, you have to use the URL method".
Since I have an e-commerce site that is available to the world, I'm assuming
*some* are not going to have cookies enabled.  Duh!

So, from what I've read, you can implement the URL method of sessions by
either manually attaching the session ID to the URLs, or, by compiling PHP
with enable-trans-sid, which will add the session ID to the URL's
automatically.  The answer that I haven't been able to find is this:

Is this a one or the other proposition?  IOW, if I implement sessions with
cookies, then I can't use the URL method?  Or, if I implement the URL method
(with enable-trans-sid), I can't use the cookie method?  Or, do they work in
combination.  IOW, does PHP automatically know that if a user has cookies
enabled, PHP will use the cookie method and, when cookies are *not* enabled,
PHP automatically implements the URL method?

Thanks for the help!

Jeff






[PHP] Sessions question (-enable-trans-sid)

2002-06-05 Thread Jeff Field

Hi,

I'm confused about one thing regarding sessions and haven't been able to
find the definitive answer anywhere.  Hopefully, I can here.

There are two ways to enable sessions:

1) Session ID is passed through cookies
2) Session ID is passed through the URL, either done manually or by
automatic URL rewriting

All the books, tutorials, etc. basically say that cookies are the way to go
but "when users don't have cookies enabled, you have to use the URL method".
Since I have an e-commerce site that is available to the world, I'm assuming
*some* are not going to have cookies enabled.  Duh!

So, from what I've read, you can implement the URL method of sessions by
either manually attaching the session ID to the URLs, or, by compiling PHP
with enable-trans-sid, which will add the session ID to the URL's
automatically.  The answer that I haven't been able to find is this:

Is this a one or the other proposition?  IOW, if I implement sessions with
cookies, then I can't use the URL method?  Or, if I implement the URL method
(with enable-trans-sid), I can't use the cookie method?  Or, do they work in
combination.  IOW, does PHP automatically know that if a user has cookies
enabled, PHP will use the cookie method and, when cookies are *not* enabled,
PHP automatically implements the URL method?

Thanks for the help!

Jeff






Re: [PHP] Sessions Question

2001-07-28 Thread Rasmus Lerdorf

> session_register("$refresh");
> session_register("$seconds");
> session_register("$title");

You probably want to remove the $ signs in the above.

-Rasmus


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] Sessions Question

2001-07-28 Thread Jeff Oien

Hope I can explain this. I want to have scripts that will automatically refresh
a page entered by the user. So a form will have URL to refresh, seconds to
refresh and title of page. I want the page to continually refresh every X seconds.

I think I would need two pages that go back and forth between each other.
Here is what I have for the first script/page after the form. I don't know what
to do after this on the second page in order to pass the variables on to it.

Thanks for any help.
Jeff Oien

-




$title




If you can see this message you are using a browser that is incapable of displaying
frames.

;"
?>






Re: [PHP] Sessions question.

2001-05-16 Thread Rasmus Lerdorf

> Is there a way to get the name of each variable in a session?

Just walk through $HTTP_SESSION_VARS

-Rasmus






[PHP] Sessions question.

2001-05-16 Thread Brandon Orther

Hello,

Is there a way to get the name of each variable in a session?

Thanks
Brandon





Re: [PHP] Sessions question

2001-02-27 Thread Richard Lynch

You probably need to "unset" the cookie PHP is using to store the session ID
when you destroy the session.

Change your cookie handling in your browser to the "warn me before every
cookie" and play around a bit maybe.

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
- Original Message -
From: Evelio Martinez <[EMAIL PROTECTED]>
Newsgroups: php.general
Sent: Monday, February 26, 2001 11:58 AM
Subject: [PHP] Sessions question


>
> How can I have a new session id without closing the browser?
>
> session.inc contains basically the postgresql session functions (user
> handler) in  http://www.php.net/manual/en/ref.session.php
> I have changed pg_pconnect for pg_connect and I have added
> pg_destroy_session.
>
> 1. There is a login/password page
> 2. Afterwards all pages that access the DB have the following include
> file:
>
> <?php
> include('sesion.inc');
>
> if (!isset($g_login)) {  // flag that indicates that validation was successful
>
>   echo "
>   <script>
>   <!--
>   var lugar = window.location.href;
>   if ( lugar != \"http://www.my_web.com/login.php\" ) {
>     window.location.assign('http://www.my_web.com/login.php');
>   }
>   //-->
>   </script>
>   ";
> }
>
> if (isset($g_hora)) {
>
>   $timeout = 3600 ;
>   $lapso = time() - $g_hora;
>   if ( $lapso >= $timeout )  {
>
>     session_destroy();    // delete session from database
>     session_unset();      // supposed to delete session variable from memory
>     $sesion = md5(uniqid("prueba"));
>     session_id($sesion);  // new session
>
>     echo "
>     <script>
>     <!--
>     var lugar = window.location.href;
>     var lugars;
>
>     window.alert('La sesión ha expirado');
>     var lugar = window.location.href;
>     if ( lugar != \"http://www.my_web.com/login.php\" ) {
>       window.location.assign('http://www.my_web.com/login.php');
>     }
>     //-->
>     </script>
>     ";
>   }
> }
> ?>
>
>
> 3. How am I supposed to create a new session identifier?
> session_unset is supposed to "free" (delete?) all session variables
> currently registered, isn't it?
> After timeout, it goes to login page but I still have the old
> session id instead of the new one.
>
> What am I missing?
>
> TIA
>
> --
> Evelio Martínez
>
>
>
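
What the reply above points at, as an added example that is not the poster's code: the browser keeps sending the old session cookie, so the ID has to be replaced server-side before the redirect. The `last_seen` and `login` session keys, `IDLE_LIMIT`, the helper names and the `/login.php` path are assumptions of this example, which is meant to be included by the protected pages and not by the login page itself.

```php
<?php
// Added illustration, not the poster's code. The 'last_seen' and 'login' keys,
// IDLE_LIMIT and the /login.php path are assumptions for this example.
const IDLE_LIMIT = 3600; // seconds, the same value as $timeout in the question

/**
 * Returns true when the session has been idle for IDLE_LIMIT or longer.
 */
function session_is_stale(array $session, int $now): bool
{
    return isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) >= IDLE_LIMIT;
}

/**
 * Throws away the expired session and hands the browser a fresh ID.
 * session_regenerate_id(true) deletes the old stored record through the
 * active save handler and sends a new session cookie, so the old ID the
 * browser was holding is replaced without closing the browser.
 */
function restart_session(): void
{
    $_SESSION = [];              // clear the data for this request
    session_regenerate_id(true); // new ID, old record removed
}

session_start();

if (session_is_stale($_SESSION, time())) {
    restart_session();
    header('Location: /login.php'); // server-side redirect, no JavaScript needed
    exit;
}

if (!isset($_SESSION['login'])) {   // never validated: send to the login page
    header('Location: /login.php');
    exit;
}

$_SESSION['last_seen'] = time();    // record activity for the next request
```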






[PHP] Sessions question

2001-02-26 Thread Evelio Martinez


How can I have a new session id without closing the browser?

session.inc contains basically the postgresql session functions (user
handler) in  http://www.php.net/manual/en/ref.session.php
I have changed pg_pconnect for pg_connect and I have added
pg_destroy_session.

1. There is a login/password page
2. Afterwards all pages that access the DB have the following include
file:


 
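<?php
include('sesion.inc');

if (!isset($g_login)) {  // flag that indicates that validation was successful
  echo "
  <script>
  <!--
  var lugar = window.location.href;
  if ( lugar != \"http://www.my_web.com/login.php\" ) {
    window.location.assign('http://www.my_web.com/login.php');
  }
  //-->
  </script>
  ";
}

if (isset($g_hora)) {
  $timeout = 3600 ;
  $lapso = time() - $g_hora;
  if ( $lapso >= $timeout )  {
    session_destroy();    // delete session from database
    session_unset();      // supposed to delete session variable from memory
    $sesion = md5(uniqid("prueba"));
    session_id($sesion);  // new session

    echo "
    <script>
    <!--
    var lugar = window.location.href;
    var lugars;
    window.alert('La sesión ha expirado');
    var lugar = window.location.href;
    if ( lugar != \"http://www.my_web.com/login.php\" ) {
      window.location.assign('http://www.my_web.com/login.php');
    }
    //-->
    </script>
    ";
  }
}
?>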


3. How am I supposed to create a new session identifier?
session_unset is supposed to "free" (delete?) all session variables
currently registered, isn't it?
After timeout, it goes to login page but I still have the old
session id instead of the new one.

What am I missing?

TIA

--
Evelio Martínez