Re: [PHP] Sessions that last for ever
On Saturday, February 16, 2002, at 03:10 PM, Nigel Gilbert wrote: > But very many commercial sites, including Apple and Amazon to name two, > do exactly this. When you re-enter the site they 'remember' who you > are using a cookie. In my case, I'm building a multi-player strategy > game and while I want the players to go through an initial briefing the > first time they ever join the game, thereafter they should be able to > get straight into the game if they are still using the same PC. But as > I said, the specifics of my use aren't so important - lots of sites > leave permanent cookies around and the results don't seem to be > catastrophic. The data that these sites leave in their cookies is usually trivial -- things like UserID, or UserName, or something like that. This way they know who you are when you bring up the site again, all the actual data is still stored at the site in a database. It's way too easy for cookies to be intercepted or faked to leave sensitive data in them, like credit card numbers or whatever. If you left game stats and what-not (say, weapons or items or something) in cookies, then an HTTP-aware player could probably give themself quad damage or equivalent whenever they wanted. > The question is still: how to do it? Store all their critical info and stats in a database, and use a cookie to store their name or something. Then, when they get to the site, you can either run a password authentication to make sure that they are who their cookie says they are, or skip that and deal with the fact that some people may change their cookie to be the name of their opponent so that they can play as another character. Sounds like a cool site, good luck Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Sessions that last for ever
Actually, sites that "remember" you don't typically keep the same session around. They send a separate cookie that contains just userid information and when you return, they just set the session variables in such a way based off of the userid cookie. If you really want to keep the same session around, just use the function 'session_set_cookie_params()' and set the lifetime to be some huge number, or use the session.cookie_lifetime setting in php.ini. Jaime Bozza -Original Message- From: Nigel Gilbert [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 2:10 PM To: Erik Price Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Sessions that last for ever But very many commercial sites, including Apple and Amazon to name two, do exactly this. When you re-enter the site they 'remember' who you are using a cookie. In my case, I'm building a multi-player strategy game and while I want the players to go through an initial briefing the first time they ever join the game, thereafter they should be able to get straight into the game if they are still using the same PC. But as I said, the specifics of my use aren't so important - lots of sites leave permanent cookies around and the results don't seem to be catastrophic. The question is still: how to do it? Nigel On Saturday, February 16, 2002, at 07:52 PM, Erik Price wrote: > > On Saturday, February 16, 2002, at 07:43 AM, Nigel Gilbert wrote: > >> By default, a session (created with session_register) seems to last >> just as long as the user has their browser open. If a user quits the >> browser, the session is automatically destroyed. >> >> I want a session to last indefinitely (or until my program destroys >> it). There are some hints about how this could be done with cookies >> in the documentation, but not a clear recipe. What sequence of PHP >> statements should I use to achieve this? > > I don't have the answer you're looking for (maybe it's a php.ini > setting), but I suspect that it might be a dangerous idea. The longer > a session ID is hanging about, the easier it is for a cracker to hijack > it and use it for evil intent. > > Remember, every time a page is requested within any given session, > either a cookie variable or a GET variable is being sent along with the > HTTP headers. Keeping a session going for more time than needed means > that the variable representing the session ID is leaving footprints all > over the place. > > > Erik <-- who has become overcautious lately upon learning how HTTP > works > > > > > > Erik Price > Web Developer Temp > Media Lab, H.H. Brown > [EMAIL PROTECTED] > > __ Professor Nigel Gilbert, FREng, AcSS, Pro Vice-Chancellor and Professor of Sociology, University of Surrey, Guildford GU2 7XH, UK. +44 (0)1483 689173 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions that last for ever
On Sunday 17 February 2002 04:10, Nigel Gilbert wrote: > But very many commercial sites, including Apple and Amazon to name two, > do exactly this. When you re-enter the site they 'remember' who you are > using a cookie. In my case, I'm building a multi-player strategy game > and while I want the players to go through an initial briefing the first > time they ever join the game, thereafter they should be able to get > straight into the game if they are still using the same PC. But as I > said, the specifics of my use aren't so important - lots of sites leave > permanent cookies around and the results don't seem to be catastrophic. > > The question is still: how to do it? Try changing the value of "session.cookie_lifetime" in php.ini. -- Jason Wong -> Gremlins Associates -> www.gremlins.com.hk /* Have a taco. -- P.S. Beagle */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions that last for ever
> But very many commercial sites, including Apple and Amazon to name two, > do exactly this. When you re-enter the site they 'remember' who you are > using a cookie. In my case, I'm building a multi-player strategy game > and while I want the players to go through an initial briefing the first > time they ever join the game, thereafter they should be able to get > straight into the game if they are still using the same PC. But as I > said, the specifics of my use aren't so important - lots of sites leave > permanent cookies around and the results don't seem to be catastrophic. > > The question is still: how to do it? If each user has a unique user id, then make a table called seen_briefing: create table seen_briefing ( id int(11) unsigned not null default '0', primary key (id) ) Make an entry once a user has seen whatever they need to. Then, on their next login, do a join against the seen_briefing table, check for an entry... -- Greg Donald -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions that last for ever
But very many commercial sites, including Apple and Amazon to name two, do exactly this. When you re-enter the site they 'remember' who you are using a cookie. In my case, I'm building a multi-player strategy game and while I want the players to go through an initial briefing the first time they ever join the game, thereafter they should be able to get straight into the game if they are still using the same PC. But as I said, the specifics of my use aren't so important - lots of sites leave permanent cookies around and the results don't seem to be catastrophic. The question is still: how to do it? Nigel On Saturday, February 16, 2002, at 07:52 PM, Erik Price wrote: > > On Saturday, February 16, 2002, at 07:43 AM, Nigel Gilbert wrote: > >> By default, a session (created with session_register) seems to last >> just as long as the user has their browser open. If a user quits the >> browser, the session is automatically destroyed. >> >> I want a session to last indefinitely (or until my program destroys >> it). There are some hints about how this could be done with cookies >> in the documentation, but not a clear recipe. What sequence of PHP >> statements should I use to achieve this? > > I don't have the answer you're looking for (maybe it's a php.ini > setting), but I suspect that it might be a dangerous idea. The longer > a session ID is hanging about, the easier it is for a cracker to hijack > it and use it for evil intent. > > Remember, every time a page is requested within any given session, > either a cookie variable or a GET variable is being sent along with the > HTTP headers. Keeping a session going for more time than needed means > that the variable representing the session ID is leaving footprints all > over the place. > > > Erik <-- who has become overcautious lately upon learning how HTTP works > > > > > > Erik Price > Web Developer Temp > Media Lab, H.H. Brown > [EMAIL PROTECTED] > > __ Professor Nigel Gilbert, FREng, AcSS, Pro Vice-Chancellor and Professor of Sociology, University of Surrey, Guildford GU2 7XH, UK. +44 (0)1483 689173 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Sessions that last for ever
On Saturday, February 16, 2002, at 07:43 AM, Nigel Gilbert wrote: > By default, a session (created with session_register) seems to last > just as long as the user has their browser open. If a user quits the > browser, the session is automatically destroyed. > > I want a session to last indefinitely (or until my program destroys > it). There are some hints about how this could be done with cookies in > the documentation, but not a clear recipe. What sequence of PHP > statements should I use to achieve this? I don't have the answer you're looking for (maybe it's a php.ini setting), but I suspect that it might be a dangerous idea. The longer a session ID is hanging about, the easier it is for a cracker to hijack it and use it for evil intent. Remember, every time a page is requested within any given session, either a cookie variable or a GET variable is being sent along with the HTTP headers. Keeping a session going for more time than needed means that the variable representing the session ID is leaving footprints all over the place. Erik <-- who has become overcautious lately upon learning how HTTP works Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Sessions that last for ever
By default, a session (created with session_register) seems to last just as long as the user has their browser open. If a user quits the browser, the session is automatically destroyed. I want a session to last indefinitely (or until my program destroys it). There are some hints about how this could be done with cookies in the documentation, but not a clear recipe. What sequence of PHP statements should I use to achieve this? Thanks for any help, Nigel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php