RE: [PHP] Sessions Timing Out Too Often

2003-02-18 Thread John W. Holmes
> I'm finding that my sessions seem to be timing out fairly quickly. For
> example, in a little forum I wrote with PHP, people are telling me that if
> they type a long message and click Submit, they are taken to the Login page
> because their session obviously timed out, and they lose their posts in the
> forum. I do have a "remember me" feature that uses a cookie, but, not all
> visitors are using it, and they are the ones experiencing this problem.
> 
> Is there a way to extend session time, and is that the best way to reduce
> this problem from happening to most members?

You can change the session.gc_maxlifetime in php.ini to a larger value.
That is the number of seconds after which inactive session files will be
seen as garbage. 

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Sessions Timing Out Too Often

2003-02-18 Thread Justin French
Did you look in the manual first?  Didn't think so.

php.net/session
first search result is http://www.php.net/manual/en/ref.session.php

There are two PHP.ini settings you should look at:

"session.gc_probability specifies the probability that the gc (garbage
collection) routine is started on each request in percent. Defaults to 1.

session.gc_maxlifetime specifies the number of seconds after which data will
be seen as 'garbage' and cleaned up."


if you can't change the settings yourself in php.ini (or ask the host to),
then i'm 99% sure they can be over-ridden on a per-directory basis using a
.htaccess file (apache assumption here).

Something like (guess):


php_value session.gc_maxlifetime 1440



Of course, all this was available by:

a) searching the manual
b) searching the archives, where this gets asked weekly


:)


Justin French



on 19/02/03 12:59 PM, Monty ([EMAIL PROTECTED]) wrote:

> I'm finding that my sessions seem to be timing out fairly quickly. For
> example, in a little forum I wrote with PHP, people are telling me that if
> they type a long message and click Submit, they are taken to the Login page
> because their session obviously timed out, and they lose their posts in the
> forum. I do have a "remember me" feature that uses a cookie, but, not all
> visitors are using it, and they are the ones experiencing this problem.
> 
> Is there a way to extend session time, and is that the best way to reduce
> this problem from happening to most members?
> 
> Thanks!
> 
> Monty
> 






RE: [PHP] sessions terminating randomly please help

2003-03-10 Thread Dennis Cole
Make sure that the url is always the same. For example if a user is at a
page http://mysite.com/phpscript.php and you link to
http://www.mysite.com/phpscript.php (notice the www) the session might not
follow because the url is different.

-Original Message-
From: freaky deaky [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 3:26 PM
To: [EMAIL PROTECTED]
Subject: [PHP] sessions terminating randomly please help
Importance: Low


hi

i am experiencing a major problem with sessions expiring randomly in some of
my apps. i will log in and start clicking around and then i will eventually
arrive at a page that tells me that i'm not logged in anymore. this happens
apparently randomly. i have seen it on ie6, ie for mac, netscape 4.7 for pc,
and mozilla

the apps are hosted on

freebsd 4.7-release p2
apache 1.3.27
php version 4.2.3
compiled with --enable-trans-sid

i can't go into production if there's the possibility that users will be
randomly logged off. i went through all of my code over the weekend, and i
don't think i can attribute this to a miscoding:

when a user logs in, i create a session with

session_start();
$valid_user=$_POST['username'];
session_register("valid_user");

i have the following code at the top of each page to check to see if the
session is valid:

session_start();
$valid_user=$_SESSION['valid_user'];
global $valid_user;
if (session_is_registered("valid_user")
{...function to spit out an error message if the session is not valid...;}

i have a logout page that destroys the session

session_start();
session_destroy();

i also have a javascript timer in the header of every page that redirects to
the logout page if the user has been inactive for 20 minutes.

i have played around with session.gc_probability, setting it to 100, but that
doesn't seem to have fixed the problem.

this is a huge problem.
if anyone can give some advice, i'd really appreciate it.

thanks




Re: [PHP] sessions terminating randomly please help

2003-03-10 Thread Lowell Allen
> From: "freaky deaky" <[EMAIL PROTECTED]>
> 
> i am experiencing a major problem with sessions expiring randomly in some of
> my 
> apps. i will log in and start clicking around and then i will eventually
> arrive at a page that tells me that i'm not logged in anymore. this happens
> apparently randomly. i have seen it on ie6, ie for mac, netscape 4.7 for pc,
> and mozilla 
> 
> the apps are hosted on
> 
> freebsd 4.7-release p2
> apache 1.3.27 
> php version 4.2.3
> compiled with --enable-trans-sid
> 
> i can't go into production if there's the possibility that users will be
> randomly logged off. i went through all of my code over the weekend, and i
> don't think i can attribute this to a miscoding:
> 
> when a user logs in, i create a session with
> 
> session_start(); 
> $valid_user=$_POST['username'];
> session_register("valid_user");
> 
> i have the following code at the top of each page to check to see if the
> session 
> is valid: 
> 
> session_start(); 
> $valid_user=$_SESSION['valid_user'];
> global $valid_user;
> if (session_is_registered("valid_user")
> {...function to spit out an error message if the session is not valid...;}
> 
> i have a logout page that destroys the session
> 
> session_start(); 
> session_destroy();
> 
> i also have a javascript timer in the header of every page that redirects to
> the 
> logout page if the user has been inactive for 20 minutes.
> 
> i have played around with session.gc_probability, setting it to 100, but that
> doesn't seem to have fixed the problem.
> 
> this is a huge problem.
> if anyone can give some advice, i'd really appreciate it.

Is your session.save_path set to /tmp? It's my understanding that you should
specify a directory for saving session data -- or use a database -- that
/tmp is subject to garbage collection, and specifying a directory prevents
that. I made this change to a site recently. In tests prior to the change
the session would last up to about 2.5 hours with no activity. After
specifying a directory with session_save_path() right before
session_start(), the session was still OK after almost 4 hours of
inactivity. (Not much of a controlled test, I admit.)

That said, here's a disturbing fact that turned up last week -- a designer
working on the same site was continually being logged off unexpectedly.
After many tests he identified that the problem was Microsoft IE/Entourage.
Every time he checks email he's no longer recognized as logged in (Mac OSX
IE). He got Microsoft tech support to duplicate the behavior and confirm
it's a problem with IE -- doesn't happen with Mozilla.

So, it's important to verify the problem with more than one system, but it
sounds like you have since you mention both IE6 and IE Mac!

--
Lowell Allen





RE: [PHP] sessions terminating randomly please help

2003-03-10 Thread John W. Holmes
> Is your session.save_path set to /tmp? It's my understanding that you should
> specify a directory for saving session data -- or use a database -- that
> /tmp is subject to garbage collection, and specifying a directory prevents
> that. I made this change to a site recently. In tests prior to the change
> the session would last up to about 2.5 hours with no activity. After
> specifying a directory with session_save_path() right before
> session_start(), the session was still OK after almost 4 hours of
> inactivity. (Not much of a controlled test, I admit.)

Note that your session files will never be cleaned up if you use
session_save_path(), unless you do it yourself. This means that a file
will be created each time someone comes to your site and it won't be
erased. Only the path specified in php.ini will be cleaned up... which
is what you want. 

---John W. Holmes...
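
A do-it-yourself cleanup of the kind John mentions could look like the following. This is an added example, not code from the thread; it assumes PHP 7.1 or later and the default files session handler, and the directory, lifetime and function names are made up for the sketch.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ and the default
// "files" session handler, which names its files sess_<id> and refreshes the
// file's modification time whenever the session is used.
declare(strict_types=1);

/** Create the session directory if needed and restrict it to the owning user. */
function prepare_session_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);
}

/** Delete sess_* files idle for longer than $maxLifetime seconds; return how many went. */
function purge_stale_sessions(string $dir, int $maxLifetime, ?int $now = null): int
{
    $now = $now ?? time();
    $removed = 0;
    foreach (glob(rtrim($dir, '/') . '/sess_*') ?: [] as $file) {
        if (is_link($file) || !is_file($file)) {
            continue; // only plain files; never follow a symlink out of the directory
        }
        $mtime = filemtime($file);
        if ($mtime !== false && $now - $mtime > $maxLifetime && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// In the application (assumed path and lifetime):
//   prepare_session_dir('/var/lib/example-app/sessions');
//   session_save_path('/var/lib/example-app/sessions');
//   session_start();
// and from cron or a maintenance script:
//   purge_stale_sessions('/var/lib/example-app/sessions', 3600);

/** Constructed demonstration: one recently used session file, one idle for two hours. */
function demo(): array
{
    $dir = sys_get_temp_dir() . '/example_sessions_' . getmypid();
    prepare_session_dir($dir);
    touch($dir . '/sess_constructedactive', time() - 60);
    touch($dir . '/sess_constructedidle', time() - 7200);

    $removed = purge_stale_sessions($dir, 3600);
    $left = array_map('basename', glob($dir . '/sess_*') ?: []);

    array_map('unlink', glob($dir . '/sess_*') ?: []); // tidy up the demo files
    rmdir($dir);
    return [$removed, $left];
}

[$removed, $left] = demo();
printf("removed %d, kept: %s\n", $removed, implode(', ', $left));
```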




RE: [PHP] Sessions and iframes (or frames)?

2003-03-30 Thread John W. Holmes
> I built this site using different iframes: one for a login, other for
> a forum, another for a voting poll, etc...
> 
> I was wondering what is the best way to ensure that you could only post a
> topic in the forum, or vote if you had already logged in.
> 
> I'm somewhat familiar with the $_session global variable, but only if the
> code happens in the same page. How can you check, from another frame, that
> user is logged?

That "other frame" would have to refresh and check the $_SESSION just
like any other page. Each frame is its own request, so in order for a
frame to do anything with PHP, it will need to be refreshed or something
requested within the frame.

---John W. Holmes...




Re: [PHP] Sessions and iframes (or frames)?

2003-03-30 Thread Justin French
My advice is to first get REALLY comfortable with sessions in a non-framed
environment... get a grip on logging in, logging out, showing different code
for logged in members, restricting a user from doing something more than
once, etc etc.

THEN try to get it happening in a framed environment.

As discussed by John, you will have to force a refresh for any frame to be
"aware" of a recently logged in user, and you will have to do a lot of
checking when receiving a form or request in each of these frames, to ensure
there is a user logged in, etc.


As per ANY session stuff between pages, you need to propagate the session id
either through the URL to each frame (or hope that trans-sid takes care of
it), or rely on the user having cookies enabled.

To point out the really obvious,  needs to be called
on the top of the script for EACH FRAME.


Justin


on 31/03/03 5:41 AM, Tiago Simões ([EMAIL PROTECTED]) wrote:

> Hello.
> 
> 
> I built this site using different iframes: one for a login, other for
> a forum, another for a voting poll, etc...
> 
> I was wondering what is the best way to ensure that you could only post a
> topic in the forum, or vote if you had already logged in.
> 
> I'm somewhat familiar with the $_session global variable, but only if the
> code happens in the same page. How can you check, from another frame, that
> user is logged?
> 
> Thanks in advance...
> Tiago Simões
> 
> 





Re: [PHP] [sessions] using [sockets]. Very tough!

2003-05-30 Thread Marek Kilimajer
Nicholas F. Singh wrote:

> Hello all you great PHPers,
>
> Who among you can solve this tricky problem?
>
> OK, a little background: my goal is to send local POST requests to some of my php pages from **within** a php program. I have already successfully done simple POST data transfers with sockets using "HTTPClient.class". This is not an issue. This class really just prints out the appropriate headers and receives a server response using sockets -- rather simple.
>
> I am now trying to get php SESSIONS to work with this socketed setup. I already have sessions working for "normal" HTTP requests. You can pass session IDs using cookies or with a POST/GET variable, as you know.
>
> Now, I've set up two files, "tst1.php" and "tst2.php". TST1 sends TST2 some POST data, and attempts to relay the session id to maintain session state:
>
> tst1.php
> --
> include("HTTPClient.class");
> session_save_path("mypathtosessions"); //No, this is not what I actually have in my code, silly
> session_start(); //Executes a new session.
> //Create socket object
> $HTTP = new Net_HTTP_Client("mydomain",80); //No, this is not what I actually have in my code, silly
> ///
> // (1) GET - This example attempts to send the session ID via the GET method. If you execute the code below,
> // it will "lock" up. However, if you change "PHPSESSID" to, say, "blah", the code will not lock up.
> // There's some problem, here!
> $HTTP->Post("/~refcoord/tst2.php?PHPSESSID=".session_id(), // <--
>    array(  "Bob" => "Jones",
>    "ID_we_need_to_pass_to_tst2" => session_id()
>    ));

Sure it will lock up. tst1.php has the session file locked for itself, 
and as you use the same session id, the same session file would be used 
for tst2.php. You can use different session_save_paths for each file. Or 
you can let tst2.php set its own session id and get the cookie.





Re: [PHP] [sessions] using [sockets]. Very tough!

2003-05-30 Thread N. F. Singh
Good point. However, the whole point is that I need to pass that session ID
so that TST2 can access the same session info TST1 is. Know what I mean? I
wonder how I can resolve this...

Thanks for the reply!




Re: [PHP] [sessions] using [sockets]. Very tough!

2003-05-30 Thread Marek Kilimajer
You can do:
session_start();
$session_id = session_id();
session_write_close();
Lock has been released, now you are free to post $session_id to the 
other script



Re: [PHP] [sessions] using [sockets]. Very tough!

2003-05-30 Thread N. F. Singh
Fantastic! I was totally unaware of this function. Thanks very much! If any
of you guys found this helpful, be sure to call session_start() again if
you're using --enable-trans-sid. Otherwise, on your subsequent call to
another page needing a session state, the SID won't be propagated (at least
on my server, Apache).

Thanks again, Marek.

NFS
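
The lock Marek describes, and the effect of session_write_close(), can be observed from a single CLI script. This is an added example, not code from the thread; it assumes the default files session handler on Linux or BSD, and probe_lock() and the sample session value are made up for the sketch.

```php
<?php
// Added example, not code from the thread. Run with the PHP CLI.
// Assumes the default "files" session handler, which keeps an exclusive
// flock() on sess_<id> from session_start() until the session is closed.

ini_set('session.use_cookies', '0');   // CLI: there is no browser to send a cookie to
ini_set('session.cache_limiter', '');  // no cache headers either
session_save_path(sys_get_temp_dir()); // flat directory, so the file name is predictable

/**
 * Stand-in for the second request (tst2.php): try to take the lock on the
 * session file without blocking. Hypothetical helper for this sketch.
 */
function probe_lock(string $file): bool
{
    $fh = fopen($file, 'r+');
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    $got = flock($fh, LOCK_EX | LOCK_NB); // a real request would block here instead
    if ($got) {
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $got;
}

session_start();
$_SESSION['valid_user'] = 'constructed-user'; // constructed sample value
$id   = session_id();
$file = session_save_path() . '/sess_' . $id;

// What tst2.php faces while tst1.php still has the session open.
$lockableWhileOpen = probe_lock($file);

// Marek's fix: write the data and release the lock before calling the other script.
session_write_close();
$lockableAfterClose = probe_lock($file);

// As N. F. Singh notes, reopen the session if this script still needs it.
session_start();
$valueAfterReopen = $_SESSION['valid_user'] ?? null;
session_destroy(); // remove the constructed session file

// Output comes last: PHP will not start a session once output has begun.
echo 'session id:                          ', $id, "\n";
echo 'lock obtainable while session open:  ', var_export($lockableWhileOpen, true), "\n";
echo 'lock obtainable after write_close:   ', var_export($lockableAfterClose, true), "\n";
echo 'value read back after reopening:     ', var_export($valueAfterReopen, true), "\n";
```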



RE: [PHP] sessions and browser back[Scanned]

2003-06-25 Thread Michael Egan
Bibhas,

I'm sure I've read somewhere that this is a deliberate security feature with using 
sessions - i.e. you can't view contents of form fields by using the back button on 
your browser.

Couldn't you use JavaScript to ensure that the data is validated on the client side 
before the form is submitted?  

Regards,

Michael Egan

-Original Message-
From: Bibhas Kumar Samanta [mailto:[EMAIL PROTECTED]
Sent: 25 June 2003 14:26
To: [EMAIL PROTECTED]
Subject: [PHP] sessions and browser back[Scanned]


Hi,

I am trying to create restricted pages for my php/mysql/apache
server with sessions and passing session variables to other pages for 
validation.

Eventually I am doing session_start() at the beginning and
checking whether logged in user is authorised to use this page
by a routine.

Now problem is, if filled in data in the form is incorrect, the forms 
gives an error. But when I press browser BACK button to get the
filled in form , the form seems to get reset with _no_ data.

When I try without session_start() at the beginning  of form , things
seem to behave normally.

Does session_start() reset the form  and I guess browser should
have returned be by filled in page from cache ?

Please help

-Bibhas




Re: [PHP] sessions and browser back[Scanned]

2003-06-25 Thread Bibhas Kumar Samanta
Thanks Michael,

Can you suggest any other method (without using session_start)
by which I can track users and validate for each page.

What I do currently , in the login page register the user using sessions
and in other pages see if user is registered.

I need to restrict each page based on mysql table page access right
against each user.

Thanks,
Bibhas


Michael Egan wrote:
> 
> Bibhas,
> 
> I'm sure I've read somewhere that this is a deliberate security feature with using 
> sessions - i.e. you can't view contents of form fields by using the back button on 
> your browser.
> 
> Couldn't you use JavaScript to ensure that the data is validated on the client side 
> before the form is submitted?
> 
> Regards,
> 
> Michael Egan
> 
> -Original Message-
> From: Bibhas Kumar Samanta [mailto:[EMAIL PROTECTED]
> Sent: 25 June 2003 14:26
> To: [EMAIL PROTECTED]
> Subject: [PHP] sessions and browser back[Scanned]
> 
> Hi,
> 
> I am trying to create restricted pages for my php/mysql/apache
> server with sessions and passing session variables to other pages for
> validation.
> 
> Eventually I am doing session_start() at the beginning and
> checking whether logged in user is authorised to use this page
> by a routine.
> 
> Now problem is, if filled in data in the form is incorrect, the forms
> gives an error. But when I press browser BACK button to get the
> filled in form , the form seems to get reset with _no_ data.
> 
> When I try without session_start() at the beginning  of form , things
> seem to behave normally.
> 
> Does session_start() reset the form  and I guess browser should
> have returned be by filled in page from cache ?
> 
> Please help
> 
> -Bibhas
> 



Re: [PHP] sessions and browser back[Scanned]

2003-06-26 Thread SLanger
As a suggestion can you simply redisplay your form on the error page and 
such avoid having to use the back button? This would also allow you to 
actually display the error at the place the error occurs.
Another thing you might want to try is using a cache header that allows 
the browser to cache the site for a certain time. This way the browser 
might redisplay the page without resetting it. I have not tested this and 
can't promise that this will actually work.

Regards 
Stefan Langer




Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread Chris Shiflett
--- David T-G <[EMAIL PROTECTED]> wrote:
> If I run
> 
>   http://test.locations.org/sessions/extracting.php
> 
> with cookies on, then upon reload $_SESSION[pw] has a value, which is
> expected. If cookies are off, though, it does not, and I do not see the
> SID in the URL even after the click. So I click the other link, wherein
> I specified the SID, and it finally works -- but I thought that PHP was
> supposed to format my URLs the right way for me, and even moreso didn't
> think that I needed the ? because the SID constant is supposed to be
> "smart".

Check your php.ini and see if you can find this:

session.use_trans_sid = 1

You want that to be 1 in order for PHP to do this for you.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread David T-G
Chris, et al -

...and then Chris Shiflett said...
% 
% --- David T-G <[EMAIL PROTECTED]> wrote:
% > 
% > I specified the SID, and it finally works -- but I thought that PHP was
% > supposed to format my URLs the right way for me, and even moreso didn't
% > think that I needed the ? because the SID constant is supposed to be
% > "smart".
% 
% Check your php.ini and see if you can find this:
% 
% session.use_trans_sid = 1

Yep.

  bash-2.05a$ grep trans_sid /usr/local/etc/php.ini 
  session.use_trans_sid = 1
  bash-2.05a$ lynx -dump http://test.locations.org/sessions/extracting.php | grep -i trans_sid
  session.use_trans_sid On  On

(of course I added a phpinfo() call to the script for the test.)


% 
% You want that to be 1 in order for PHP to do this for you.

That I do, but it doesn't seem to matter too much!


% 
% Hope that helps.

Thanks anyway.


% 
% Chris


HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread Chris Shiflett
--- David T-G <[EMAIL PROTECTED]> wrote:
> % Check your php.ini and see if you can find this:
> % 
> % session.use_trans_sid = 1
> 
> Yep.

OK, well PHP should add the session identifier to the URL for every link
on the first page. This is because PHP can't tell until the next request
whether the browser is accepting cookies. You can think of PHP's logic
like this:

1. If the user requests a page with no session identifier at all, start a
new session. On the page sent to the user, rewrite all URLs to include the
session identifier.
2. If the user requests a page with the session identifier in the URL but
without a cookie, assume the user's browser did not accept the cookie.
Rewrite all URLs to include the session identifier.
3. If the user requests a page with the session identifier in the URL and
in a cookie, this is the user's second request, and the user's browser
accepts cookies. No rewriting is necessary.
4. If the user requests a page with the session identifier only in a
cookie, this is at least the user's third visit, and the user's browser
accepts cookies. No rewriting is necessary.

So, based on this, I would recommend testing from scratch. Make sure you
have no cookies. Restart the browser if necessary. Then, visit the first
page (where you first have your session_start() call) and view source. If
PHP is doing the session.use_trans_sid stuff correctly, your URLs should
all be rewritten to include the session identifier. This would be my first
step in trying to debug the situation.

Hope that helps.

Chris
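
Chris's first debugging step, viewing the HTML output to see whether the links were rewritten, can be automated. This is an added example, not code from the thread; the function name and the sample markup are constructed, and PHPSESSID is PHP's default session name.

```php
<?php
// Added example, not code from the thread. Requires the DOM extension.
// PHP's URL rewriter only touches relative URLs, so the rows of interest are
// the relative links: with use_trans_sid active and no cookie sent, each of
// them should carry the session identifier.
declare(strict_types=1);

/**
 * List every <a href> in a rendered page with two flags: whether the URL is
 * relative and whether its query string carries the session identifier.
 * Hypothetical helper for this sketch.
 */
function audit_session_links(string $html, string $sessionName = 'PHPSESSID'): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy real-world HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $rows = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = $a->getAttribute('href');
        if ($href === '' || $href[0] === '#') {
            continue; // nothing to rewrite on empty or fragment-only links
        }
        $parts = parse_url($href);
        if ($parts === false) {
            continue; // unparseable URL
        }
        parse_str($parts['query'] ?? '', $query);
        $rows[] = [
            'href'     => $href,
            'relative' => !isset($parts['scheme']) && !isset($parts['host']),
            'has_sid'  => array_key_exists($sessionName, $query),
        ];
    }
    return $rows;
}

// Constructed sample page: one plain relative link, one with a hand-written
// session id, one absolute link to another site.
$html = <<<'HTML'
<html><body>
<a href="extracting.php">Click here to return.</a>
<a href="extracting.php?PHPSESSID=constructed0123456789abcdef">Click here for a SID.</a>
<a href="http://www.php.net/manual/en/ref.session.php">Manual</a>
</body></html>
HTML;

foreach (audit_session_links($html) as $row) {
    printf(
        "%-9s %-7s %s\n",
        $row['relative'] ? 'relative' : 'absolute',
        $row['has_sid'] ? 'sid' : 'no-sid',
        $row['href']
    );
}
```

Feed it the body of a first, cookie-less request to the page under test. The same listing also shows where session identifiers end up in URLs once cookies are known to work.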




Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread David T-G
Chris, et al --

...and then Chris Shiflett said...
% 
% --- David T-G <[EMAIL PROTECTED]> wrote:
% > % 
% > % session.use_trans_sid = 1
% > 
% > Yep.
% 
% OK, well PHP should add the session identifier to the URL for every link

OK.


% on the first page. This is because PHP can't tell until the next request

That makes sense.


% whether the browser is accepting cookies. You can think of PHP's logic
% like this:
% 
% 1. If the user requests a page with no session identifier at all, start a
% new session. On the page sent to the user, rewrite all URLs to include the
% session identifier.
[snip]

OK.  That's what I thought.


% 
% So, based on this, I would recommend testing from scratch. Make sure you
% have no cookies. Restart the browser if necessary. Then, visit the first

I restart frequently; it's lynx and it's easy :-)


% page (where you first have your session_start() call) and view source. If

Right.  BTW, the same URL with .phps will let you see the PHP source.


% PHP is doing the session.use_trans_sid stuff correctly, your URLs should
% all be rewritten to include the session identifier. This would be my first
% step in trying to debug the situation.

It does not.  I get

  ...
  Click here to r 
  +eturn. 
  Click here for a SID.
  A button: 

and the first link obviously does not have a SID.


% 
% Hope that helps.

Still hangin'.  Anyone else have any ideas?


% 
% Chris


Thanks again & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread Chris Shiflett
--- David T-G <[EMAIL PROTECTED]> wrote:
> BTW, the same URL with .phps will let you see the PHP source.

Well, hopefully only because you have a duplicate file (or a link) by that
name. :-)

Also, I meant view source as in the HTML output, not the PHP.

> % PHP is doing the session.use_trans_sid stuff correctly, your URLs
> % should all be rewritten to include the session identifier. This
> % would be my first step in trying to debug the situation.
> 
> It does not.

Well, then your problem is found. Why this is happening is still a mystery
(to me), but the session.use_trans_sid magic is not happening. If you look
at the output of phpinfo() on this exact same script, is the local value
of session.use_trans_sid still 1?

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread David T-G
Chris, et al --

...and then Chris Shiflett said...
% 
% --- David T-G <[EMAIL PROTECTED]> wrote:
% > BTW, the same URL with .phps will let you see the PHP source.
% 
% Well, hopefully only because you have a duplicate file (or a link) by that
% name. :-)

Yep.  Created just for this exercise :-)


% 
% Also, I meant view source as in the HTML output, not the PHP.

I figured as much, as noted farther down.


% 
% > % should all be rewritten to include the session identifier. This
% > % would be my first step in trying to debug the situation.
% > 
% > It does not.
% 
% Well, then your problem is found. Why this is happening is still a mystery

OK, but I know I have a problem and what I need is a solution :-)


% (to me), but the session.use_trans_sid magic is not happening. If you look
% at the output of phpinfo() on this exact same script, is the local value
% of session.use_trans_sid still 1?

Yep.  See a previous list reply.


% 
% Chris


Thanks & TIA & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread Chris Shiflett
--- David T-G <[EMAIL PROTECTED]> wrote:
> OK, but I know I have a problem and what I need is a solution :-)

Yes, I understand. :-)

> > If you look at the output of phpinfo() on this exact same script,
> > is the local value of session.use_trans_sid still 1?
> 
> Yep. See a previous list reply.

OK, well that is very strange. Can you tell us the output of the following
sample code?



session.use_trans_sid
[]


Link


Maybe this will reveal something.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread David T-G
Chris, et al --

...and then Chris Shiflett said...
% 
% --- David T-G <[EMAIL PROTECTED]> wrote:
% > OK, but I know I have a problem and what I need is a solution :-)
% 
% Yes, I understand. :-)

*grin*


% 
% > > If you look at the output of phpinfo() on this exact same script,
% > > is the local value of session.use_trans_sid still 1?
% > 
% > Yep. See a previous list reply.
% 
% OK, well that is very strange. Can you tell us the output of the following
% sample code?
...
% Maybe this will reveal something.

It sure did -- I see the SID!

Let me go back over my code and see where I've screwed something up.


% 
% Chris


Thanks & HAND & stay tuned

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] sessions, SIDs, and php 4.3

2003-11-13 Thread David T-G
Chris, et al --

...and then David T-G said...
% 
% Let me go back over my code and see where I've screwed something up.

That didn't take too long.

I was using SCRIPT_URI instead of PHP_SELF.  Ah.

I guess PHP_SELF is my friend and none other.  Good enough!

So we have

  - use session_start() as usual
  - use $_SESSION for everything (setting and unsetting)
  - don't bother with session_write_close
  - use PHP_SELF
  - do NOT hand-code SID with PHP_SELF :-)

as the Golden Rules for sessions.  Along with the wonderful world of
validating and filtering input that I'm seeing in other threads, is that
all there is to The One True Way of Session Handling?


% 
% % 
% % Chris


Thanks a *bunch* for your patience & HAND

:-D
-- 
David T-G  * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/  Shpx gur Pbzzhavpngvbaf Qrprapl Npg!





Re: [PHP] Sessions: strange behaviour in 4.3.3 ?

2004-01-16 Thread Chris Shiflett
--- Dino Tsoumakis <[EMAIL PROTECTED]> wrote:
> Warning: session_start(): Cannot send session cache limiter - headers
> already sent (output started at XX/class.session.php:61) in
> XX/class.session.php on line 38

You need to either put session_start() prior to any output (my preference)
or use output buffering by putting ob_start() prior to any output.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/




Re: [PHP] Sessions: strange behaviour in 4.3.3 ?

2004-01-16 Thread Dino Tsoumakis

"Chris Shiflett" <[EMAIL PROTECTED]> wrote
news:[EMAIL PROTECTED]
> --- Dino Tsoumakis <[EMAIL PROTECTED]> wrote:
> > Warning: session_start(): Cannot send session cache limiter - headers
> > already sent (output started at XX/class.session.php:61) in
> > XX/class.session.php on line 38
>
> You need to either put session_start() prior to any output (my preference)
> or use output buffering by putting ob_start() prior to any output.

If you have a close look at the code http://www.serv-int.de/class.session.txt
you will find the session_start() in the constructor of the class prior to
any output.
The thing is, that session_start() calls the user defined session functions
(defined in session_set_save_handler()) and that's what breaks the whole
thing.
This is not a problem of session_start(), I'm pretty sure.
The problem is, the session id is not set in the open function, but it is
set in the read function.




Re: [PHP] Sessions: strange behaviour in 4.3.3 ?

2004-01-16 Thread Chris Shiflett
--- Dino Tsoumakis <[EMAIL PROTECTED]> wrote:
> If you have a close look at the code
> http://www.serv-int.de/class.session.txt you will find the
> session_start() in the constructor of the class prior to any output.

This is apparently not the case, else this error message would not appear.

> The thing is, that session_start() calls the user defined session
> functions (defined in session_set_save_handler()) and that's what
> breaks the whole thing.

Keep in mind that an error message can count as output (if it's not logged
instead).

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
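
One way to act on both points in this message (start the session before any output, and keep error messages out of the output), as an added example that is not code from the thread. The function name `start_session_checked` and the `hits` counter are hypothetical.

```php
<?php
// Added example, not code from the thread.
// A displayed notice or warning is output like any other, and output forces
// the headers out. Send errors to the log instead of the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Returns true when a session is running after the call. Returns false when
// the headers have already been sent; the log entry then names the file and
// line that produced the first output, which is where to look for the cause
// (stray whitespace, an echo, or an error message from a save handler).
function start_session_checked()
{
    if (session_id() !== '') {
        return true;                       // a session is already active
    }
    if (headers_sent($file, $line)) {
        error_log("session_start() skipped: output already started at $file:$line");
        return false;
    }
    return session_start();
}

if (!start_session_checked()) {
    // Hypothetical handling: stop rather than run the page without a session.
    exit(1);
}

// Hypothetical session variable, only to show that the session is usable.
if (!isset($_SESSION['hits'])) {
    $_SESSION['hits'] = 0;
}
$_SESSION['hits']++;
echo 'hits: ', $_SESSION['hits'], "\n";
```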




RE: [PHP] Sessions: I don't get it!!

2004-11-14 Thread nate
Looks like you're making it way more complicated than it needs to be. PHP
will automatically tack on the Session ID tag to your local url's, but only
if it needs to. There is no need to append the SID to url's manually.

Nate

-Original Message-
From: Don [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 14, 2004 9:54 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions: I don't get it!!

I'd like to do something with sessions that should be easy. But I'm new 
to this, and obviously I'm missing something somewhere...

I want to use cookies if the visitor allows, but tack the session info 
(SID) "get style" on the URL of a linked page *only if* the visitor 
blocks cookies. I've tried a lot of variations, but nothing really 
works. I either  get the entire SID value in the URL (even if cookies 
are accepted), or the SID doesn't show up in the URL, which means it 
works only with visitors who accept cookies.

Below is my most recent attempt. simple.php detects whether the visitor 
accepts cookies by forcing a page reload (my thanks to Chris Shiflett), 
then attempts a redirection, based on whether cookies are accepted. 
Doesn't work.

Anyone got any ideas?

TIA.

-

--



Processing Error




";
   echo "This Session ID: " . session_id() . ""; 
   echo "SID: " . SID . ""; ?>
 

 







RE: [PHP] Sessions: I don't get it!!

2004-11-15 Thread Ford, Mike



On 15 November 2004 06:13, [EMAIL PROTECTED] wrote:

> Looks like you're making it way more complicated than it
> needs to be. PHP
> will automatically tack on the Session ID tag to your local
> url's, but only
> if it needs to. There is no need to append the SID to url's manually.

Not to most URLs, no, but if the SID is being passed in the URL you *must*
append it to any header("Location: ...") URL.

Fortunately, this, too, is easy, and the OP was making it way more
complicated than it needs to be! ;)  The constant SID only contains the
session name and id *when it needs to* -- otherwise it's defined as the
empty string.  So you can unconditionally append it to URLs and get the
right result:

   header('Location: simple2.php?'.SID);

The only tidying-up you might want to do, if you're really obsessional about
neatness, is suppress the '?' if SID is empty, so:

   header('Location: simple2.php'.(SID?('?'.SID):''));

I can't see any benefit in applying strip_tags() to SID, unless you're
terminally paranoid -- as it's generated internally by PHP, there shouldn't
be any way it can contain anything that strip_tags() would defend against.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 
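
The redirect rule described in this message, as an added example that is not part of the original post: a helper that appends the session identifier to a `Location:` target only when there is one to append. The function name `url_with_sid` and the sample values are constructed for illustration; in a page the second argument would be the `SID` constant after `session_start()`.

```php
<?php
// Added example, not code from the thread.
// $sid is what PHP's SID constant holds: "name=id" when the identifier has to
// travel in the URL, or the empty string when a cookie already carried it.
function url_with_sid($url, $sid)
{
    // Refuse CR/LF so a caller-supplied target cannot split the header.
    if (preg_match('/[\r\n]/', $url)) {
        trigger_error('Refusing redirect target containing CR/LF', E_USER_WARNING);
        return false;
    }
    if ($sid === '') {
        return $url;                       // cookie-based session: nothing to add
    }
    // Keep any #fragment at the very end of the URL.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    // '?' starts a query string, '&' extends an existing one.
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . $sid . $fragment;
}

// Constructed sample identifier, standing in for the SID constant.
$sample_sid = 'PHPSESSID=0123456789abcdef0123456789abcdef';

echo url_with_sid('simple2.php', ''), "\n";
echo url_with_sid('simple2.php', $sample_sid), "\n";
echo url_with_sid('simple2.php?step=2#top', $sample_sid), "\n";

// In a page, after session_start():
//   $target = url_with_sid('simple2.php', SID);
//   if ($target !== false) { header('Location: ' . $target); exit; }
```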




Re: [PHP] Sessions and Objects using PHP4

2005-01-15 Thread Jochem Maas
David OBrien wrote:
I have RTFM and TTFE and still am having a heck of a time getting my 
objects to play well between pages
The only real examples are in the notes for classes & objects
http://us2.php.net/manual/en/language.oop.php
(are you on php4 or php5 btw?)
Basic usage
indeed, you must include classes for objects stored in a session before 
starting the session. :-)

$songbook = new songbook(); // defined in the class.php
if you are creating this object on every page/call and then assigning it
to the session it will always have a blank/null userid. because
each call overwrites the old object that's stored with a brand new
one. so you need to check the session to see if a songbook
object is already available. so you only ever see the login screen in 
your example.

session_register('songbook');
alternative is using $_SESSION. but if you do you must call 
session_start() first:

session_start();
if (!isset($_SESSION['songbook']) || !is_object($_SESSION['songbook'])
    || !(get_class($_SESSION['songbook']) == 'songbook'))
{
    $_SESSION['songbook'] = new songbook;
}
$songbook->get_stats();
$songbook->populate_manu();
$songbook->populate_series();
if (!isset($songbook->userid) || $songbook->userid == "") {
header("Location: login.php");
}
Now the login.php is basically the same but if the login correctly it 
should set $songbook->userid to the username

require('common.php');
session_start();
include_once("class.php");
$songbook = new songbook();
session_register('songbook');
include("newheader.php");
if ( isset($_POST['submitit'])) {
$link = dbconnector();
$sql = "select * from userinfo where 
lower(username)=lower('".$_POST['user']."') and 
lower(password)=lower('".$_POST['pass']."')";
$result = mysql_query($sql);
if( mysql_num_rows($result) > 0 ) {
$songbook->userid = strtolower($_POST['user']);
header("Location: green.php");
} else {
$errormsg = "Invalid Username or 
Password.\nPlease Try Again.";
}
}

So I guess what I am asking is how DO you make objects work across pages?
-Dave
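
The pattern discussed in this message (define the class before starting the session, and create the object only when the session does not already hold one), as an added example that is not the poster's code. `Songbook` is a stand-in for the class in class.php, the helper names are hypothetical, and the code is written for current PHP, where objects are handles, so changing the returned object changes the one stored in `$_SESSION`.

```php
<?php
// Added example, not code from the thread.
// The class has to be defined (or included) before session_start(); otherwise
// the stored object comes back as __PHP_Incomplete_Class.
class Songbook
{
    public $userid = '';

    public function isLoggedIn()
    {
        return $this->userid !== '';
    }
}

// Return the Songbook kept in the session, creating it only on first use.
// Creating a new object on every request would discard the stored userid.
function songbook_from_session()
{
    if (session_id() === '') {
        session_start();
    }
    if (!isset($_SESSION['songbook']) || !($_SESSION['songbook'] instanceof Songbook)) {
        $_SESSION['songbook'] = new Songbook();
    }
    return $_SESSION['songbook'];
}

// Call only after the credentials have been verified.
function mark_logged_in(Songbook $songbook, $username)
{
    // Issue a fresh session identifier when the privilege level changes.
    session_regenerate_id(true);
    $songbook->userid = strtolower($username);
}

// Guard for protected pages.
function require_login(Songbook $songbook)
{
    if (!$songbook->isLoggedIn()) {
        header('Location: login.php');
        exit;   // without this the rest of the protected page would still run
    }
}

$songbook = songbook_from_session();
if (!$songbook->isLoggedIn()) {
    // Constructed value standing in for a username from a verified login.
    mark_logged_in($songbook, 'Dave');
}
echo 'userid: ', $songbook->userid, "\n";
```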


Re: [PHP] Sessions still do not persist

2004-05-21 Thread Daniel Clark
Try a session_start() at the top of pages, see if that works.
Maybe the auto_start does not work.

>
> I've posted several times mentioning that I am completely unable
> to cause sessions to persist.  Over the intervening time, I have
> replicated this problem to a different machine, with the same
> results.  Here's a recap of the problem.
>
> I am not using cookies.  Sessions are automatically created (and
> changing that makes no difference)  The relevant session variables
> (copied from phpinfo) are:
>Session Support  enabled
>session.auto_start   On<- hence no session_start
>session.name   PHPSESSID
>session.use_cookies  Off   <- no cookies
>session.use_trans_sidOn
>
> Environment is FreeBSD4.8.  phpinfo for apache says:
>Apache/1.3.29 (Unix) mod_perl/1.28 PHP/4.3.4 mod_ssl/2.8.16
> OpenSSL/0.9.6d
>
>
> Here is a cut/paste of the browser screen for the code below:
>
>Stage:0 SessionID: 04ace04b1fe0bc81d2cd678c9bab1619
>_ [Submit]
>Stage:1 SessionID: 04ace04b1fe0bc81d2cd678c9bab1619 Request: Array ( )
>
> So I type "foo" into the box and hit submit.  And the session variable
> is NOT preserved:
>
>Stage:0 SessionID: 55c70989b7279d6a18edfd81b28d67a6
>foo___ [Submit]
>Stage:1 SessionID: 55c70989b7279d6a18edfd81b28d67a6 Request: Array (
> [PHPSESSID] => 04ace04b1fe0bc81d2cd678c9bab1619 [field] => foo )
>
> The session directory IS writable and I see the expected information
> being written there:
>-rw---  1 nobody   wheel  10 May 21 13:35
> sess_04ace04b1fe0bc81d2cd678c9bab1619
>-rw---  1 nobody   wheel  10 May 21 13:38
> sess_55c70989b7279d6a18edfd81b28d67a6
>
> Apache runs as user "nobody" on this server.  Both session files contain:
>stage|i:1;
> but the files never seem to be being read back!
>
> Help!?
>
>
> Here's the entire php code I'm testing with:
>
>  if (!isset($_SESSION['stage'])) {
>$_SESSION['stage'] = 0;
>}
> if (!isset($_POST['field'])) { $_POST['field'] = ""; }
> ?>
> 
> PHP Test page
> 
>echo "Stage:"; echo $_SESSION['stage'];
>   echo " SessionID: "; echo session_id();
>   $_SESSION['stage'] = 1;
> ?>
>
>   
>   
>
>echo "Stage:"; echo $_SESSION['stage']; echo " ";
>   echo " SessionID: "; echo session_id(); echo " ";
>   echo " Request: "; print_r($_REQUEST);
> ?>
>  




Re: [PHP] Sessions still do not persist

2004-05-21 Thread Michael R. Wayne
On Fri, May 21, 2004 at 11:02:49AM -0700, Daniel Clark wrote:
> Try a session_start() at the top of pages, see if that works.
> Maybe the auto_start does not work.

Done:
   session.auto_start = 0
added session_start to script.  No change in behaviour.

/\/\ \/\/




Re: [PHP] Sessions still do not persist

2004-05-21 Thread Curt Zirzow
* Thus wrote Michael R. Wayne ([EMAIL PROTECTED]):
> 
> I've posted several times mentioning that I am completely unable
> to cause sessions to persist.  Over the intervening time, I have
> replicated this problem to a different machine, with the same
> results.  Here's a recap of the problem.
> 
> I am not using cookies.  Sessions are automatically created (and
> changing that makes no difference)  The relevant session variables
> (copied from phpinfo) are:
>Session Support  enabled
>session.auto_start   On<- hence no session_start 
>session.name   PHPSESSID
>session.use_cookies  Off   <- no cookies
>session.use_trans_sidOn

url_rewriter.tags?


> 
> Environment is FreeBSD4.8.  phpinfo for apache says:
>Apache/1.3.29 (Unix) mod_perl/1.28 PHP/4.3.4 mod_ssl/2.8.16 OpenSSL/0.9.6d 
> 
> 
> Here is a cut/paste of the browser screen for the code below:
> 
>Stage:0 SessionID: 04ace04b1fe0bc81d2cd678c9bab1619 
>_ [Submit]
>Stage:1 SessionID: 04ace04b1fe0bc81d2cd678c9bab1619 Request: Array ( ) 
> 
> So I type "foo" into the box and hit submit.  And the session variable
> is NOT preserved:
> 
>Stage:0 SessionID: 55c70989b7279d6a18edfd81b28d67a6 
>foo___ [Submit]
>Stage:1 SessionID: 55c70989b7279d6a18edfd81b28d67a6 Request: Array ( [PHPSESSID] 
> => 04ace04b1fe0bc81d2cd678c9bab1619 [field] => foo ) 

It seems php isn't picking up that session that is in $_REQUEST..
which part of request is that variable in? do this?

  print_r($_GET);
  print_r($_POST);
  print_r($_COOKIE);

Also, is the PHPSESSID being written in the form output somewhere?
View source of form output.

Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."




Re: [PHP] Sessions still do not persist

2004-05-21 Thread Michael R. Wayne
On Fri, May 21, 2004 at 08:41:00PM +, Curt Zirzow wrote:
> * Thus wrote Michael R. Wayne ([EMAIL PROTECTED]):
> > 
> > I've posted several times mentioning that I am completely unable
> > to cause sessions to persist.  Over the intervening time, I have
> > replicated this problem to a different machine, with the same
> > results.  Here's a recap of the problem.
> > 
> > I am not using cookies.  Sessions are automatically created (and
> > changing that makes no difference)  The relevant session variables
> > (copied from phpinfo) are:
> >Session Support  enabled
> >session.auto_start   On  <- hence no session_start 
> >session.name PHPSESSID
> >session.use_cookies  Off <- no cookies
> >session.use_trans_sidOn
> 
> url_rewriter.tags?

url_rewriter.tags  a=href,area=href,frame=src,input=src,form=fakeentry
session.use_trans_sid  Off


> It seems php isn't picking up that session that is in $_REQUEST..
> which part of request is that variable in? do this?
> 
>   print_r($_GET);
>   print_r($_POST);
>   print_r($_COOKIE);

Done - see below


> Also, is the PHPSESSID being written in the form output somewhere?
> View source of form output.

Done all 3 times


=== initial load =
Stage:0 SessionID: 86cc1b0a4dee900f85981e93bcc855b2   
Stage:1 SessionID: 86cc1b0a4dee900f85981e93bcc855b2 Request: Array ( ) 
GET: Array ( ) POST: Array ( [field] => ) COOKIE: Array ( ) 

 
PHP Test page

Stage:0 SessionID: 86cc1b0a4dee900f85981e93bcc855b2   
  
  
   
Stage:1  SessionID: 86cc1b0a4dee900f85981e93bcc855b2  Request: Array
(
)
GET: Array
(
)
 POST: Array
(
[field] => 
)
 COOKIE: Array
(
)
 


= type foo, hit submit. Note differing session IDs =
Stage:0 SessionID: 7c6cd5d1f965de3f134442600f60565a   
Stage:1 SessionID: 7c6cd5d1f965de3f134442600f60565a Request: Array ( [PHPSESSID] => 
86cc1b0a4dee900f85981e93bcc855b2 [field] => foo ) 
GET: Array ( [PHPSESSID] => 86cc1b0a4dee900f85981e93bcc855b2 ) POST: Array ( [field] 
=> foo ) COOKIE: Array ( ) 

 
PHP Test page

Stage:0 SessionID: 7c6cd5d1f965de3f134442600f60565a   
  
  
   
Stage:1  SessionID: 7c6cd5d1f965de3f134442600f60565a  Request: Array
(
[PHPSESSID] => 86cc1b0a4dee900f85981e93bcc855b2
[field] => foo
)
GET: Array
(
[PHPSESSID] => 86cc1b0a4dee900f85981e93bcc855b2
)
 POST: Array
(
[field] => foo
)
 COOKIE: Array
(
)
 

= type bar, hit submit.  Note same session IDs =
Stage:1 SessionID: 7c6cd5d1f965de3f134442600f60565a   
Stage:1 SessionID: 7c6cd5d1f965de3f134442600f60565a Request: Array ( [PHPSESSID] => 
7c6cd5d1f965de3f134442600f60565a [field] => bar ) 
GET: Array ( [PHPSESSID] => 7c6cd5d1f965de3f134442600f60565a ) POST: Array ( [field] 
=> bar ) COOKIE: Array ( ) 

 
PHP Test page

Stage:1 SessionID: 7c6cd5d1f965de3f134442600f60565a   
  
  
   
Stage:1  SessionID: 7c6cd5d1f965de3f134442600f60565a  Request: Array
(
[PHPSESSID] => 7c6cd5d1f965de3f134442600f60565a
[field] => bar
)
GET: Array
(
[PHPSESSID] => 7c6cd5d1f965de3f134442600f60565a
)
 POST: Array
(
[field] => bar
)
 COOKIE: Array
(
)
 


php code:

 
PHP Test page


   
  
  
   
GET: "; print_r($_GET); echo " POST: "; print_r($_POST); echo " COOKIE: "; 
print_r($_COOKIE);

?>
 




Re: [PHP] Sessions simply do not work?

2004-05-24 Thread Peter Risdon
Michael R. Wayne wrote:
In my continuing efforts to actually get sessions to work, I upgraded
to PHP 4.3.6 and apache 1.3.31.  This did not make the slightest
difference.
So, does ANYone have ideas of how to debug this?  Or is PHP simply
broken and no longer able to maintain sessions?  

/\/\ \/\/
 

I've just been debugging some session problems. Successfully, but there 
is something rather brittle in there somewhere and almost zero 
portability between mod_php and PHP CGI with anything but the simplest 
code. Perl develops a rosy glow under such circumstances. It would have 
been quicker for me to set cookies explicitly and manage my own 
sessions. However...

Have you tried a trivially simple sessions script? There's one in the 
manual to increment a counter. Assuming mod_php:

";
echo $_SESSION['count'];
echo "";
?>
If this doesn't work, there's a problem with your computer setup. If it 
does, there's a problem with your code. But then it would give you a 
base from which to build complexity, heading back to your code as is 
now, until something breaks...

PWR.


Re: [PHP] Sessions simply do not work?

2004-05-25 Thread Brent Baisley
I've never had a problem using sessions. Do you have a sample piece of 
simple session code that isn't working? You also need to have cookies 
enabled on your client if you are using the default session management 
technique. Your very first line of code, before you do anything else, 
should be session_start(). Actually, it can be in an "include" file, 
but I recall having problems if I did other stuff first. For instance, 
all my php files, except the login, begin like this:

require('sessionInit.php');

That file checks for an existing session and retrieves session 
variables or redirects to a login screen if no session was found. Also, 
check your php configuration for sessions. You can use phpinfo() to 
check your configuration, there is a section on sessions. You might 
even have session support disabled.

On May 24, 2004, at 5:57 PM, Michael R. Wayne wrote:
In my continuing efforts to actually get sessions to work, I upgraded
to PHP 4.3.6 and apache 1.3.31.  This did not make the slightest
difference.
So, does ANYone have ideas of how to debug this?  Or is PHP simply
broken and no longer able to maintain sessions?
/\/\ \/\/

--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577


Re: [PHP] Sessions simply do not work?

2004-05-25 Thread Michael R. Wayne
On Tue, May 25, 2004 at 07:37:47AM +0100, Peter Risdon wrote:
> Michael R. Wayne wrote:
> 
> >In my continuing efforts to actually get sessions to work, I upgraded
> >to PHP 4.3.6 and apache 1.3.31.  This did not make the slightest
> >difference.
> >
> >So, does ANYone have ideas of how to debug this?  Or is PHP simply
> >broken and no longer able to maintain sessions?  
> 
> I've just been debugging some session problems. Successfully, but there 
> is something rather brittle in there somewhere 

It seems that people have forgotten last week's postings.  To recap:

Session support worked fine in 4.1.2.  It's broken in 4.3.4 and 4.3.6.

The relevant session variables are:
   Session Support  enabled  (as per phpinfo)
   session.auto_start   On or Off (makes no difference)
   session.use_cookies  Off <- not using cookies
   session.name PHPSESSID
   session.use_trans_sidOff (trans_sid worked with forms in 4.1.2)
   session.gc_maxlifetime   1440
Other things people have asked about:
   url_rewriter.tagsa=href,area=href,frame=src,input=src,form=fakeentry

Environment
   FreeBSD 4.8, Apache/1.3.31 (Unix) PHP/4.3.6 mod_ssl/2.8.17 OpenSSL/0.9.7d 

The session directory is writable and the files are getting properly
written to that directory as shown below.

I invoke the script from a browser and see the following:
   Stage:0 SessionID: 509012dd5633cba355c270f3934d1201   
   ___ [Submit]
   Stage:1 SessionID: 509012dd5633cba355c270f3934d1201
   Request: Array ( ) 
   GET: Array ( ) POST: Array ( [field] => ) COOKIE: Array ( ) 

Checking the session directory, I see an appropriately named file:
   -rw---  1 nobody  msen  10 May 25 12:00 sess_509012dd5633cba355c270f3934d1201
containing
   stage|i:1;
The Apache log contains two lines.  The first does not contain the 
browser version and the second one does:
   "GET /g/xxx.php HTTP/1.0"
   "GET /g/xxx.php HTTP/1.0" 200 476 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; 
Windows 98) Opera 7.02  [en]"

So I enter foo in the form and hit Submit.  The browser screen shows
that the script failed to use the session variable, but it remembers
it:
   Stage:0 SessionID: d7002911afdc01a5218e06af2b8f02ad   
   foo [Submit]
   Stage:1 SessionID: d7002911afdc01a5218e06af2b8f02ad
   Request: Array ( [PHPSESSID] => 509012dd5633cba355c270f3934d1201 [field] => foo ) 
   GET: Array ( [PHPSESSID] => 509012dd5633cba355c270f3934d1201 ) POST: Array ( 
[field] => foo ) COOKIE: Array ( ) 
The session directory now contains TWO files:
   -rw---  1 nobody  msen  10 May 25 12:00 sess_509012dd5633cba355c270f3934d1201
   -rw---  1 nobody  msen  10 May 25 12:03 sess_d7002911afdc01a5218e06af2b8f02ad
each containing:
   stage|i:1;
and the Apache log once again has two lines.  The browser has passed back
the original session ID but PHP has ignored it and assigned a new one.
   "POST /g/xxx.php?PHPSESSID=509012dd5633cba355c270f3934d1201 HTTP/1.0" 200 605
   "POST /g/xxx.php?PHPSESSID=509012dd5633cba355c270f3934d1201 HTTP/1.0" 200 605 
"http://SERVER/xxx.php" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.05  
[en]"

Now, I hit Submit once more and PHP does manage to re-use the session!  And it
will continue to do so until the script is re-invoked by another browser:
   Stage:1 SessionID: d7002911afdc01a5218e06af2b8f02ad   
   foo [Submit]
   Stage:1 SessionID: d7002911afdc01a5218e06af2b8f02ad
   Request: Array ( [PHPSESSID] => d7002911afdc01a5218e06af2b8f02ad [field] => foo ) 
   GET: Array ( [PHPSESSID] => d7002911afdc01a5218e06af2b8f02ad ) POST: Array ( 
[field] => foo ) COOKIE: Array ( ) 
the session directory remains unchanged other than access time on the
reused session:
   -rw---  1 nobody  msen  10 May 25 12:00 sess_509012dd5633cba355c270f3934d1201
   -rw---  1 nobody  msen  10 May 25 12:13 sess_d7002911afdc01a5218e06af2b8f02ad
each containing:
   stage|i:1;
The Apache log once again contains two lines:
   "POST /g/xxx.php?PHPSESSID=d7002911afdc01a5218e06af2b8f02ad HTTP/1.0" 200 605
   "POST /g/xxx.php?PHPSESSID=d7002911afdc01a5218e06af2b8f02ad HTTP/1.0" 200 605 
"http://SERVER/xxx.php?PHPSESSID=509012dd5633cba355c270f3934d1201" "Mozilla/4.0 
(compatible; MSIE 5.0; Windows 2000) Opera 6.05  [en]"

And, finally, here is the test script.   Install it as xxx.php if you want to test it:


PHP Test page

   
  
  
   
";
   echo " Request: "; print_r($_REQUEST);
   echo "GET: "; print_r($_GET); echo " POST: "; print_r($_POST); echo " COOKIE: 
"; print_r($_COOKIE);

?>





Re: [PHP] Sessions simply do not work?

2004-05-25 Thread John Nichel
Michael R. Wayne wrote:
It seems that people have forgotten last week's postings.  To recap:
Session support worked fine in 4.1.2.  It's broken in 4.3.4 and 4.3.6
What doesn't work in 4.3.6?  I'm running 4.3.6 w/ Apache 1.3.31 on both 
a Fedora Core 1 and Mac OS X box, and haven't had a problem with 
sessions.  Does this only seem to be a FreeBSD problem?

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] Sessions simply do not work?

2004-05-25 Thread Michael R. Wayne

Sessions do not work properly for me.  Thanks to other people on
this list, we've proven that the test script I am using works fine
for other people.  So, something is wrong with PHP on all of my
systems since the same script fails (see previous posts) on multiple
servers for me.

So, I am now seeking information on how to debug PHP (not my
script but PHP itself) to determine where the failure lies.

Help??

/\/\ \/\/




Re: [PHP] Sessions simply do not work?

2004-05-25 Thread Torsten Roehr
"Michael R. Wayne" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> Sessions do not work properly for me.  Thanks to other people on
> this list, we've proven that the test script I am using works fine
> for other people.  So, something is wrong with PHP on all of my
> systems since the same script fails (see previous posts) on multiple
> servers for me.
>
> So, I am now seeking information on how to debug PHP (not my
> script but PHP itself) to determine where the failure lies.
>
> Help??
>
> /\/\ \/\/

Before you're diving into the PHP core, have you tried using a DB (MySQL) as
the container for your session data? You could easily set up a test script
with PEAR's DB and HTTP_Session. I'm using this configuration and my
provider just upgraded to 4.3.6 - no problems at all.

http://pear.php.net/package/DB
http://pear.php.net/package/HTTP_Session

Regards,

Torsten Roehr




Re: [PHP] sessions or db for shopping cart

2001-01-30 Thread Brian Clark


Hello Matthew, 

(MD == "Matthew Delmarter") [EMAIL PROTECTED] steered:

MD> 1. Using arrays stored in a PHP4 session vs. a database for
MD> storing cart details.

Bad idea, if you're dealing with cookies, as any user can manipulate
the data on the client side and have your server gleefully accept the
cookie. Store cart data in a database, and access it based on a
session ID.

MD> 2. What is the best method of passing session data if cookies
MD> disabled.

In the query string.

-Brian







Re: [PHP] sessions and data missing browser message

2001-02-19 Thread Martin A. Marques

Quoting Evelio Martinez <[EMAIL PROTECTED]>:

> 
> Hi!
> 
> is there any relation between use of sessions (php 4.0.4) and  the
> following browser message ?
> 
> Data Missing
> 
> This document resulted from a POST operation and has expired from the
> cache. If you wish you can repost the form
> data to recreate the document by pressing the reload button.

What does the error file say (error_log in apache)?

> I am having this message since I include session handling in the code.

Change the expire time?

> Is there any way to avoid this?

Martin Marques





Re: [PHP] sessions and data missing browser message

2001-02-20 Thread Evelio Martinez

"Martin A. Marques" wrote:

> Quoting Evelio Martinez <[EMAIL PROTECTED]>:
>
> >
> > Hi!
> >
> > is there any relation between use of sessions (php 4.0.4) and  the
> > following browser message ?
> >
> > Data Missing
> >
> > This document resulted from a POST operation and has expired from the
> > cache. If you wish you can repost the form
> > data to recreate the document by pressing the reload button.
>
> What does the error file say (error_log in apache)?

Nothing at all

>
>
> > I am having this message since I include session handling in the code.

>
> Change the expire time?

Do you mean php.ini session.cache_expire ?  Now it contains 180.
The funny thing is that the pages that provoke it do not have anything
related with expire time, just the first login page.

I have done some test with GET instead of POST and now it seems to work ok.

Any explanation?

>
>
> > Is there any way to avoid this?
>
> Martin Marques

Thanks

--
Evelio Martínez





RE: [PHP] SESSIONS: What does this error mean

2001-05-10 Thread Taylor, Stewart

This error occurs when you start a session that recreates an object
variable but does not know the class definition for it.
You need to make sure you include the class source before you start the
session.

-Stewart

-Original Message-
From: Davor Pleskina [mailto:[EMAIL PROTECTED]]
Sent: 10 May 2001 08:18
To: [EMAIL PROTECTED]
Subject: [PHP] SESSIONS: What does this error mean


Fatal error: The script tried to execute a method or access a property of an
incomplete object. Please ensure that the class definition cl_korisnik_data
of the object you are trying to operate on was loaded _before_ the session
was started in user_info.php on line 72

I declared class like following in the first script file:

class cl_korisnik_data {
    var $kname, $ime, $kid, $prezime, $jmbg, $klevel;
};

session_register("korisnik_data");
$korisnik_data = new cl_korisnik_data;
// Then loaded some data into $korisnik_data, all passed OK

In called script user_info.php i wrote code:

ime);
?>

... and got upper error. Now, what is wrong?

Just to make better question,

do classes also need to be registered within a session?
If so, how?

TIA,
Davor
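
Added example, not part of the original thread: Stewart's explanation reproduced at the command line with plain unserialize(), since stored session objects are rebuilt the same way. The class name UserData, the stored string and the restore() helper are constructed for the demonstration; the allowed_classes option assumes PHP 7.0 or later.

```php
<?php
// Constructed sample: serialized form of an object of class UserData
// (hypothetical name) with one public property, as session data would hold it.
$stored = 'O:8:"UserData":1:{s:3:"ime";s:3:"Ana";}';

// Rebuild a stored object. Returns null when PHP could only produce the
// __PHP_Incomplete_Class placeholder instead of a usable object.
// $allowed is passed to unserialize(): true, false, or a list of class names.
function restore(string $stored, $allowed = true)
{
    $obj = unserialize($stored, ['allowed_classes' => $allowed]);
    return ($obj instanceof __PHP_Incomplete_Class) ? null : $obj;
}

function describe($obj): string
{
    return $obj === null ? 'incomplete object' : get_class($obj) . ' restored';
}

// 1) The class definition has not been loaded when the data is rebuilt:
//    this is the state in which method and property access fails.
echo 'class not loaded yet:     ', describe(restore($stored)), "\n";

// 2) Load the class definition first, then rebuild. Declaring the class
//    inside a block keeps PHP from hoisting it above step 1.
if (!class_exists('UserData', false)) {
    class UserData
    {
        public $ime;
    }
}
$user = restore($stored);
echo 'class loaded first:       ', describe($user), ', ime = ', $user->ime, "\n";

// 3) Restricting which classes stored data may instantiate: a class on the
//    list is rebuilt, and with no classes allowed the placeholder comes back
//    even though the definition is loaded.
echo 'allow-list with UserData: ', describe(restore($stored, ['UserData'])), "\n";
echo 'no classes allowed:       ', describe(restore($stored, false)), "\n";
```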







Re: [PHP] SESSIONS: What does this error mean

2001-05-10 Thread Davor Pleskina

Thanks, Stewart, I will check for that!

"Taylor, Stewart" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> This error occurs when you start a session that recreates an object
> variable but does not know the class definition for it.
> You need to make sure you include the class source before you start the
> session.
>
> -Stewart
>








Re: [PHP] Sessions php and flash5, cookies disabled

2001-12-25 Thread Brian Clark

* Jan Grafström ([EMAIL PROTECTED]) [Dec 25. 2001 10:41]:

> The url string looks like this on php-page (sent from flash5):
> mypage.php3?SID=PHPSESSID=193a33f9b7421c17302d1bd58478b20b?.
> From mypage.php3 I pass sid using ".SID." then on second page the string is
> changed to:
> second.php3?SID=PHPSESSID%3D193a33f9b7421c17302d1bd58478b20b&var3=1.

> "=" has changed to "%3D", and php does not recognize the session.

> part of code on mypage.php3:
> http://myserver.com/second.php3?\"; method=\"get\">
> 

I'm sure you meant for that line to be:



Right? (note the $) Even though I don't think that has anything to do
with your problem.

> Thanks for any help.

Why are you using SID=PHPSESSID= instead of just SID=? If you
absolutely have to leave it the way you have it, you could always
explode('%3D',$SID); to get the correct session ID.

-- 
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
If your life is a hard drive, Christ can be your backup.






Re: [PHP] Sessions php and flash5, cookies disabled

2001-12-25 Thread Jan Grafström

Thanks Brian!
There is no difference using only ".SID." or ".$SID."
and this line :
automatically gives this response string in the URL field of your browser
(IE6):
second.php3?SID=PHPSESSID%3D193a33f9b7421c17302d1bd58478b20b&var3=1

I will try to manipulate the string

Regards,
Jan

"Brian Clark" <[EMAIL PROTECTED]> wrote in message
news:20011225165631.GF8638@ganymede...
* Jan Grafström ([EMAIL PROTECTED]) [Dec 25. 2001 10:41]:

> The url string looks like this on php-page (sent from flash5):
> mypage.php3?SID=PHPSESSID=193a33f9b7421c17302d1bd58478b20b?.
> From mypage.php3 I pass sid using ".SID." then on second page the string is
> changed to:
> second.php3?SID=PHPSESSID%3D193a33f9b7421c17302d1bd58478b20b&var3=1.

> "=" has changed to "%3D", and php does not recognize the session.

> part of code on mypage.php3:
> http://myserver.com/second.php3?\"; method=\"get\">
> 

I'm sure you meant for that line to be:



Right? (note the $) Even though I don't think that has anything to do
with your problem.

> Thanks for any help.

Why are you using SID=PHPSESSID= instead of just SID=? If you
absolutely have to leave it the way you have it, you could always
explode('%3D',$SID); to get the correct session ID.

--
Brian Clark | Avoiding the general public since 1805!
Fingerprint: 07CE FA37 8DF6 A109 8119 076B B5A2 E5FB E4D0 C7C8
If your life is a hard drive, Christ can be your backup.







Re: [PHP] sessions and trans-sid problem/question

2002-11-21 Thread Justin French
on 22/11/02 4:57 PM, Jean-Christian Imbeault ([EMAIL PROTECTED]) wrote:

> I've made a site in PHP and on some pages a user needs to log in first
> before gaining access to the page. (i.e. there is a log in page).
> 
> Once the user has logged in I keep that fact in a session variable so
> that he doesn't need to log in again.
> 
> However I have found out that if:
> 
> 1- the user logs in
> 2- bookmarks the page
> 3- closes the browser
> 4- opens the browser
> 5- goes to the saved bookmark page
> 
> He has access to the page. I.e. the session did not close/terminate when
> he closed his browser ...

I know that for IE Mac users (not sure about NN7) it's not until you QUIT
the application that the session is "terminated"... this is because one
application (IE or NN) may have multiple browser windows attached to it.

I *think* you'll find something similar in Windows... perhaps when ALL open
browser windows are closed and/or the browser app is QUIT, the session will
end?


Adding a logout feature will help people who are worried about security,
because it can kill the cookies on the browser.


Justin


> In Netscape 7 I have checked the stored cookie and it is set to expire
> at the end of the session (which is the default I think), so I don't
> understand why the PHP thinks the session is still opened ...


Justin French

http://Indent.com.au
Web Development & 
Graphic Design







Re: [PHP] sessions and trans-sid problem/question

2002-11-21 Thread Jean-Christian Imbeault
Justin French wrote:


> I know that for IE Mac users (not sure about NN7) it's not until you QUIT
> the application that the session is "terminated"...
>
> I *think* you'll find something similar in Windows... perhaps when ALL open
> browser windows are closed and/or the browser app is QUIT, the session will
> end?

I exited all apps and restarted the browser. Didn't help. I also 
copy-pasted the URL 
(http://192.168.254.14/my_account.html?step=order_list&PHPSESSID=b6f60469a3a67b677cf9c13e34b17072) 
from my Netscape 7 browser into an IE browser and the session was 
still valid ...

Is it because I am putting the SID in the URL? I haven't tested with 
cookies yet as I want to get my site working without cookies first.

> Adding a logout feature will help people who are worried about security,
> because it can kill the cookies on the browser.

I agree! The problem I have now is that a user can bookmark a page with 
the SID in the URL and then come back later and the session is still 
active ... the session should close when the browser is closed.

I have set session.auto_start = 1 so I would think that after closing 
the browser and going to the bookmarked page a new session would be 
started, killing the SID passed in from the URL no?

Thanks!

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-21 Thread Justin French
PHP cannot possibly know when a user closes a window... PHP regularly
"cleans out the garbage" of old abandoned sessions, but you cannot expect
this instantly...

the only way to kill a session is to kill it on the server with
session_destroy(), which will require the user to access a "logout" script,
or some javascript trickery...

If you access that URL tomorrow, I doubt the session will STILL be valid...


You should do some reading up in the manual & php.ini, making sure what
session destroy means, what session.auto_start means, etc.


Justin


on 22/11/02 6:02 PM, Jean-Christian Imbeault ([EMAIL PROTECTED]) wrote:

> Justin French wrote:
>> 
>> I know that for IE Mac users (not sure about NN7) it's not until you QUIT
>> the application that the session is "terminated"...
>> 
>> I *think* you'll find something similar in Windows... perhaps when ALL open
>> browser windows are closed and/or the browser app is QUIT, the session will
>> end?
> 
> I exited all apps and restarted the browser. Didn't help. I also
> copy-pasted the URL
> (http://192.168.254.14/my_account.html?step=order_list&PHPSESSID=b6f60469a3a67b677cf9c13e34b17072)
> from my Netscape 7 browser into an IE browser and the session was
> still valid ...
> 
> Is it because I am putting the SID in the URL? I haven't tested with
> cookies yet as I want to get my site working without cookies first.
> 
>> Adding a logout feature will help people who are worried about security,
>> because it can kill the cookies on the browser.
> 
> I agree! The problem I have now is that a user can bookmark a page with
> the SID in the URL and then come back later and the session is still
> active ... the session should close when the browser is closed.
> 
> I have set session.auto_start = 1 so I would think that after closing
> the browser and going to the bookmarked page a new session would be
> started, killing the SID passed in from the URL no?
> 
> Thanks!
> 
> Jc
> 

Justin French

http://Indent.com.au
Web Development & 
Graphic Design







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 08:02 22.11.2002, Jean-Christian Imbeault said:
[snip]
>Is it because I am putting the SID in the URL? I haven't tested with 
>cookies yet as I want to get my site working without cookies first.

Definitely yes.

The PHP session is (with the default setup) nothing more than a hash that's
used to construct a file name. So the session ID
"0ee410a57762be937d6d277b4ff642c8" will render the filename
"/tmp/sess_0ee410a57762be937d6d277b4ff642c8" which will subsequently be used
by PHP as the session storage.

>> Adding a logout feature will help people who are worried about security,
>> because it can kill the cookies on the browser.
>
>I agree! The problem I have now is that a user can bookmark a page with 
>the SID in the URL and then come back later and the session is still 
>active ... the session should close when the browser is closed.

You cannot really control if the user is logging out or not - I saw a
"solution" once where they had a JavaScript for "onUnload" where they
warned the user that the next time he should log out - I believe the actual
action was to use the onUnload handler to redirect the browser to the
logout screen. However this wouldn't work if the user has JavaScript
switched off.

What I usually do (I also have session cookies switched off) is to send the
user a session cookie when he logs in. This way I can use cookieless
sessions, but when it comes to sensitive areas I can be sure that
bookmarking or giving away the SID wouldn't automatically transfer the
login session...

>I have set session.auto_start = 1 so I would think that after closing 
>the browser and going to the bookmarked paged a new session would be 
>started, killing the SID passed in from the URL no?

I always recommend NOT using session.auto_start. It effectively disables
making objects session-persistent as any class file needed for the objects
must be loaded BEFORE objects get reconstructed.

When the browser requests an URL with a SID you have no control if this
stems from a link or from a bookmark (maybe you could go and analyze
$_SERVER['HTTP_REFERER'], but not all browsers transmit it). What you can do
is to have a timestamp of the last access recorded in your session so you
can always check against your own timeout requirements.

Personally I believe it's a good thing not to enable automatic session
cookies. Relying on a session cookie effectively disables having two
browser windows open with the same application but running in different
contexts, since both would transmit the same session cookie.


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jean-Christian Imbeault
Justin French wrote:


> PHP cannot possibly know when a user closes a window... PHP regularly
> "cleans out the garbage" of old abandoned sessions, but you cannot expect
> this instantly...

True ... but the browser does.

I think I would not have this problem using cookies since the cookie 
would expire after the browser is closed. The reason I am seeing this 
problem is that I am passing the SID in the URL and hence PHP does not 
know that the browser was closed.

> If you access that URL tomorrow, I doubt the session will STILL be valid...

True. I guess I should set the gc to clean up sessions more often than 
it does now. Maybe 30 minutes ...

> You should do some reading up in the manual & php.ini, making sure what
> session destroy means, what session.auto_start means, etc.


I know what they mean. I got very confused until you pointed a very 
obvious thing out. It's passing the SID in the URL that is causing the 
problem and as you pointed out there is no work-around.

I'll just have to live with the fact that by passing the SID in the URL 
the session will be alive until the session gc cleans up.

Thanks,

Jc

PS If I got any of this wrong please let me know.





Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 08:56 22.11.2002, Justin French said:
[snip]
>PHP cannot possibly know when a user closes a window... PHP regularly
>"cleans out the garbage" of old abandoned sessions, but you cannot expect
>this instantly...

This is controlled by the session.gc_probability value in your INI file
which is set to 1 by default. This means that every 100th access to any PHP
script on your server will initiate the session garbage routine which might
kill your outdated session file. Increasing this value will make this
process more often, setting it to 100 will have PHP run the garbage
collector every time a PHP script gets executed (you shouldn't do this -
think in concurrency terms...)


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jean-Christian Imbeault
Ernest E Vogelsinger wrote:


> Definitely yes.

After reading Justin's post I realized that.

> What I usually do (I also have session cookies switched off) is to send the
> user a session cookie when he logs in. This way I can use cookieless
> sessions, but when it comes to sensitive areas I can be sure that
> bookmarking or giving away the SID wouldn't automatically transfer the
> login session...

I don't get what you mean here. Can you explain a bit more? Sounds like 
what I need but I don't understand. You say you have cookies switched 
off but send the user a cookie ... a contradiction.

> I always recommend NOT using session.auto_start. It effectively disables
> making objects session-persistent


I didn't know that but it doesn't matter as I don't do OO in PHP. Being 
also a Java programmer I can't wrap my brain around how PHP does pseudo-OO.

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jean-Christian Imbeault
Ernest E Vogelsinger wrote:


> This is controlled by the session.gc_probability value in your INI file

I know I can probably find this in the documentation somewhere but ... 
how do I set the expire time on a session?

> Increasing this value will make this
> process more often, setting it to 100 will have PHP run the garbage
> collector every time a PHP script gets executed (you shouldn't do this -
> think in concurrency terms...)

Again, why would congruency be affected by the gc? If the session hasn't 
timed-out then the gc won't clean it up. If it has then it's ok to clean 
it up. I obviously am missing something as what you say seems to make 
sense but I can't see it just yet :)

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jason Wong
On Friday 22 November 2002 16:28, Jean-Christian Imbeault wrote:
> Ernest E Vogelsinger wrote:
> > This is controlled by the session.gc_probability value in your INI file
>
> I know I can probably find this in the documentation somewhere but ...
> how do I set the expire time on a session?
>
> > Increasing this value will make this
> > process more often, setting it to 100 will have PHP run the garbage
> > collector every time a PHP script gets executed (you shouldn't do this -
> > think in concurrency terms...)
>
> Again, why would congruency be affected by the gc? If the session hasn't
> timed-out then the gc won't clean it up. If it has then it's ok to clean
> it up. I obviously am missing something as what you say seems to make
> sense but I can't see it just yet :)

If you set it to 100, then _every_ request in which sessions are used, PHP has to 
go through all the session files (by default stored in /tmp) and check 
whether they have expired. If you have a busy server you could have thousands 
of session files. Checking thousands of files at each request is very time 
consuming.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Traffic jam on the Information Superhighway.
*/






Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jean-Christian Imbeault
Jason Wong wrote:


> If you set it to 100, then _every_ request in which sessions are used, PHP has to 
> go through all the session files (by default stored in /tmp) and check 
> whether they have expired. If you have a busy server you could have thousands 
> of session files. Checking thousands of files at each request is very time 
> consuming.

*That* I understand and agree with. What I was more interested in was 
the "concurrency" aspect. Why setting gc to 100 might cause problems 
with concurrency.

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 09:28 22.11.2002, Jean-Christian Imbeault said:
[snip]
>> This is controlled by the session.gc_probability value in your INI file
>
>I know I can probably find this in the documentation somewhere but ... 
>how do I set the expire time on a session?

The session.gc_probability value is an overall value that you cannot escape
as to my knowledge. If you want a finer granularity you need to run this
from within your application. For example, when a user accesses your
script, record the current timestamp in session storage. On the next
access, compare the current timestamp with the recorded one and act
accordingly.

>> Increasing this value will make this
>> process more often, setting it to 100 will have PHP run the garbage
>> collector every time a PHP script gets executed (you shouldn't do this -
>> think in concurrency terms...)
>
>Again, why would congruency be affected by the gc? If the session hasn't 
>timed-out then the gc won't clean it up. If it has then it's ok to clean 
>it up. I obviously am missing something as what you say seems to make 
>sense but I can't see it just yet :)

If it hasn't timed out it won't be touched, that's clear - but _if_ it has
timed out it's not guaranteed that the gc has already removed the session
file. Note that there is no expiry check when the session storage is
accessed by session_start(); only the gc process itself checks if it should
remove the session file.

In another message, Jean-Christian Imbeault said:
[snip]
>*That* I understand and agree with. What I was more interested in was 
>the "concurrency" aspect. Why setting gc to 100 might cause problems 
>with concurrency.

Setting this to 100 means that _any_ script access will start the gc. Which
means that even on a moderately busy server a multitude of gc's will check
the session files, possibly interfering with each other as one gc removes a
file that's being checked by another gc. Might be painless (I haven't
looked at the implementation); but I'd avoid this as far as I could :)


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 09:25 22.11.2002, Jean-Christian Imbeault said:
[snip]
>> What I usually do (I also have session cookies switched off) is to send the
>> user a session cookie when he logs in. This way I can use cookieless
>> sessions, but when it comes to sensitive areas I can be sure that
>> bookmarking or giving away the SID wouldn't automatically transfer the
>> login session...
>
>I don't get what you mean here. Can you explain a bit more? Sounds like 
>what I need but I don't understand. You say you have cookies switched 
>off but send the user a cookie ... a contradiction.

My php.ini has session.use_cookies set to 0, so no (automatic) session
cookies get transmitted. This however doesn't stop me from programmatically
sending a cookie to the client...
So that's what I do, basically: I might be using a session for a lot of
stuff that's not related to user login; but when a user logs in this happens:

a) Create a unique cookie name and remember it:
    $cookie_name = md5(date('YmdHis'));
    $_SESSION['cookie_name'] = $cookie_name;
b) Create a random value for the cookie:
    $cookie_token = rand();
    $_SESSION['cookie_token'] = $cookie_token;
c) Transmit this cookie to the client (lifetime=session):
    setcookie($cookie_name, $cookie_token);

From now on, the login-check tests for the random session cookie to match
the token:
    if ($_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
        // valid cookie found, so generate a new value
        $_SESSION['cookie_token'] = rand();
        setcookie($_SESSION['cookie_name'], $_SESSION['cookie_token']);
    }
    else {
        // no cookie set, or token doesn't match - take the appropriate action
    }

This helps me to allow multiple sessions at the same client computer, since
every session has its own unique cookie. Giving away a link containing a
SID wouldn't harm security since you cannot pass or bookmark session cookies.

>> I always recommend NOT using session.auto_start. It effectively disables
>> making objects session-persistent
>
>I didn't know that but it doesn't matter as I don't do OO in PHP. Being 
>also a Java programmer I can't wrap my brain around how PHP does pseudo-OO.

It's not pseudo-OO - it's some kind of "back-to-the-roots" OO :) You _do_
have (single) inheritance, you _do_ have class abstraction, you _do_ have
polymorphism (although you need to go a lot by hand), but you _don't_ have
protected and private storage.

You can always put an object into session storage, like this:

class A {
    function A() {}
}
session_start();
if (!is_object($a))
    $a = new A();
$_SESSION['a'] =& $a;

This will give you the same object of class A anytime you access the page
with the same session. Note however that the session handler needs the
class definition to be able to reconstruct the saved object - only the
class name, and the instance data, gets stored in session data.




-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/
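
A hardened variant of the login-cookie scheme in the message above, added here as an example and not Ernest's code: the cookie name and token come from random_bytes() instead of md5(date()) and rand(), a missing cookie is handled explicitly, and the comparison uses hash_equals(). The function names, the auth_ prefix and the $send callback (a stand-in for setcookie() so the block also runs from the command line) are assumptions; it needs PHP 7.3 or later for the setcookie() options shown in the comment.

```php
<?php
// At login: issue a cookie whose name and value are both unpredictable and
// remember them in the session.
function bind_login(array &$session, callable $send): void
{
    $session['cookie_name']  = 'auth_' . bin2hex(random_bytes(8));
    $session['cookie_token'] = bin2hex(random_bytes(32));
    $send($session['cookie_name'], $session['cookie_token']);
}

// On every protected request: the cookie must match what the session holds.
// On success the token is rotated, as in the scheme above.
function check_login(array &$session, array $cookies, callable $send): bool
{
    $name  = $session['cookie_name']  ?? null;
    $token = $session['cookie_token'] ?? null;
    $given = is_string($name) ? ($cookies[$name] ?? null) : null;
    if (!is_string($token) || !is_string($given) || !hash_equals($token, $given)) {
        return false; // a SID alone (bookmark, pasted link) is not enough
    }
    $session['cookie_token'] = bin2hex(random_bytes(32));
    $send($name, $session['cookie_token']);
    return true;
}

// In a real page $send would wrap setcookie(), for example:
//   $send = function (string $n, string $v): void {
//       setcookie($n, $v, ['path' => '/', 'secure' => true,
//                          'httponly' => true, 'samesite' => 'Lax']);
//   };
//   session_start();
//   $ok = check_login($_SESSION, $_COOKIE, $send);

// Constructed walk-through with an array standing in for the browser's cookies.
$jar  = [];
$send = function (string $n, string $v) use (&$jar): void {
    $jar[$n] = $v;
};
$session = ['user' => 'jc'];
bind_login($session, $send);

$stale = $jar; // copy of the cookie as it was before any rotation
$cases = [
    'same browser, cookie present'   => function () use (&$session, &$jar, $send) {
        return check_login($session, $jar, $send);
    },
    'other browser, SID in URL only' => function () use (&$session, $send) {
        return check_login($session, [], $send);
    },
    'old token replayed'             => function () use (&$session, $stale, $send) {
        return check_login($session, $stale, $send);
    },
];
foreach ($cases as $label => $run) {
    printf("%-32s %s\n", $label, $run() ? 'accepted' : 'rejected');
}
```

Rotating the token on every request means two requests sent in parallel by the same browser can race, with the slower one presenting a token that has already been replaced.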







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 09:28 22.11.2002, Jean-Christian Imbeault said:
[snip]
>> This is controlled by the session.gc_probability value in your INI file
>
>I know I can probably find this in the documentation somewhere but ... 

Forgot to add this (sorry):
http://www.php.net/manual/en/ref.session.php


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Jason Wong
On Friday 22 November 2002 16:44, Jean-Christian Imbeault wrote:
> Jason Wong wrote:
> > If you set it to 100, then _every_ request in which sessions are used, PHP
> > has to go through all the session files (by default stored in /tmp) and
> > check whether they have expired. If you have a busy server you could have
> > thousands of session files. Checking thousands of files at each request
> > is very time consuming.
>
> *That* I understand and agree with. What I was more interested in was
> the "concurrency" aspect. Why setting gc to 100 might cause problems
> with concurrency.

Well if you have a few requests per second, then each of those requests will 
want to check through your thousands of session files meaning you will have 
tens of thousands of disk accesses?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Never raise your hand to your children -- it leaves your midsection
unprotected.
-- Robert Orben
*/






Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Michael Sims
On Fri, 22 Nov 2002 14:57:23 +0900, you wrote:

[...]
>1- the user logs in
>2- bookmarks the page
>3- closes the browser
>4- opens the browser
>5- goes to the saved bookmark page
>
>He has access to the page. I.e. the session did not close/terminate when 
>he closed his browser ...

I'm not where I can test this right now, but if a session is older
than session.gc_maxlifetime, isn't it invalid anyway?  I.E. if I
bookmark a page on your site and then come back 3 hours later passing
an old SID, shouldn't that session have expired on the server by that
time, in which case the session vars would be empty and you could kick
me back to your login page?

I personally use a custom session handler (MySql based, which I got
from www.phpbuilder.com) and I believe this is how my site behaves,
but I'm not for certain.  I'll try to test it out and see...





Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Ernest E Vogelsinger
At 15:08 22.11.2002, Michael Sims spoke out and said:
[snip]
>I'm not where I can test this right now, but if a session is older
>than session.gc_maxlifetime, isn't it invalid anyway?  I.E. if I
>bookmark a page on your site and then come back 3 hours later passing
>an old SID, shouldn't that session have expired on the server by that
>time, in which case the session vars would be empty and you could kick
>me back to your login page?
[snip] 

I don't think the session handler checks session expiry - only gc does. I
haven't checked the PHP sources yet, but I found out that on my development
server (where we definitely don't have a lot of traffic ;->) session files
can persist over night, and the session is still available in the
morning... only when the gc_probability is hit (i.e. at the 100th access),
the file gets removed. At least with my PHP (4.2.2, RH 7.2).


-- 
   >O Ernest E. Vogelsinger 
   (\) ICQ #13394035 
^ http://www.vogelsinger.at/



Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Chris Shiflett
Jean,

This is a common challenge with a pretty easy solution.

First, in case you are curious why the session can be reestablished,
the bookmarked page likely has the session identifier in the query
string. Thus, it is unnecessary for the browser to send a cookie,
because it is sending the session identifier as a GET variable. This
is what PHP is using to identify the client.

It is a bad idea to depend on the timeout of a cookie or the session
cleanup process to maintain a session timeout mechanism. Instead, you
should keep a timestamp stored as a session variable that you use to
make any time-based decisions for that session. For example:

$_SESSION["last_access"] = time();

To use this value to enforce a timeout, you would make a check
similar to the following to make sure it hasn't been too long since
the last access:

$seconds_idle = time() - $_SESSION["last_access"];

If the number of seconds they have been idle is too long for you,
force them to reenter their password or even completely
reauthenticate to continue. If the idle time is acceptable to you,
reset the session variable to the current time.

Chris

--- Jean-Christian Imbeault <[EMAIL PROTECTED]> wrote:

> I've made a site in PHP and on some pages a user needs to log
> in first before gaining access to the page. (i.e. there is a
> log in page).
> 
> Once the user has logged in I keep that fact in a session
> variable so that he doesn't need to log in again.
> 
> However I have found out that if:
> 
> 1- the user logs in
> 2- bookmarks the page
> 3- closes the browser
> 4- opens the browser
> 5- goes to the saved bookmark page
> 
> He has access to the page. I.e. the session did not
> close/terminate when  he closed his browser ...
> 
> In Netscape 7 I have checked the stored cookie and it is set
> to expire  at the end of the session (which is the default I
> think), so I don't understand why the PHP thinks the session
> is still opened ...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
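
The timestamp check described above, written out as an added example (not code from the original post): a session with no timestamp, or one idle for too long, is treated as expired whether or not garbage collection has removed the session file. MAX_IDLE_SECONDS, the logged_in key, the function names and /login.php are assumptions.

```php
<?php
// Added example, not code from the thread. MAX_IDLE_SECONDS, the
// 'logged_in' key, the function names and /login.php are assumptions.

const MAX_IDLE_SECONDS = 900; // assumed policy: 15 minutes of inactivity

/**
 * Decide whether a session may continue. Takes the session data as a plain
 * array so the rule can be exercised without a web request.
 */
function session_is_fresh(array &$session, int $now, int $maxIdle = MAX_IDLE_SECONDS): bool
{
    // No login marker or no timestamp: do not trust it, whatever SID was sent.
    if (empty($session['logged_in']) || !isset($session['last_access'])) {
        return false;
    }
    $idle = $now - (int) $session['last_access'];
    // Negative idle time means a clock change or corrupted value: expire it.
    if ($idle < 0 || $idle > $maxIdle) {
        return false;
    }
    $session['last_access'] = $now; // still active: restart the idle clock
    return true;
}

/** Call at the top of every protected page. */
function require_fresh_session(): void
{
    session_start();
    if (session_is_fresh($_SESSION, time())) {
        return;
    }
    // Expired: drop the server-side data now instead of waiting for GC, so a
    // bookmarked URL that still carries the old SID finds nothing to reuse.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}

// Command-line demonstration with constructed session arrays.
if (PHP_SAPI === 'cli') {
    $login = 1700000000; // constructed login time (Unix seconds)
    $cases = [
        'active 5 minutes later'       => [['logged_in' => true, 'last_access' => $login], $login + 300],
        'bookmark reopened 3 hours on' => [['logged_in' => true, 'last_access' => $login], $login + 10800],
        'session file without a stamp' => [['logged_in' => true], $login + 60],
        'timestamp in the future'      => [['logged_in' => true, 'last_access' => $login + 999], $login],
    ];
    foreach ($cases as $label => [$session, $now]) {
        $ok = session_is_fresh($session, $now);
        printf("%-30s %s\n", $label, $ok ? 'continue' : 're-authenticate');
    }
}
```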




Re: [PHP] sessions and trans-sid problem/question

2002-11-22 Thread Michael Sims
On Fri, 22 Nov 2002 15:08:31 +0100, you wrote:

>I don't think the session handler checks session expiry - only gc does. I
>haven't checked the PHP sources yet, but I found out that on my development
>server (where we definetely don't have a lot of traffic ;->) session files
>can persist over night, and the session is still available in the
>morning... only when the gc_probability is hit (i.e. at the 100th access),
>the file gets removed. At least with my PHP (4.2.2, RH 7.2).

Then I suppose it's just an added feature of the session handler I am
using.  Maybe the OP should give it a shot, as I use it and I
definitely don't have a problem with expired sessions being
reactivated.  That's not to say that you cannot pass a SID that was
given to you the day before, but all of the data that was associated
with it will be gone using this custom session handler, and it will
effectively be a new session with the same name.  I'm using the MySQL
based session handler which is available here:

http://www.phpbuilder.com/columns/ying2602.php3

FWIW...





Re: [PHP] sessions and trans-sid problem/question

2002-11-23 Thread Jean-Christian Imbeault
Ernest E Vogelsinger wrote:

> if ($_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {


Ok, please forgive my ignorance, but in PHP isn't $_COOKIES the same as 
$_SESSION?. I thought it was if the user had cookies turned off (and 
even if the user had cookies turned on come to think of it) ... If not 
I'm in trouble.

I was always under the impression that $_SESSION vars were passed as 
cookies ...

Hc





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Jean-Christian Imbeault
Michael Sims wrote:

> I'm not where I can test this right now, but if a session is older
> than session.gc_maxlifetime, isn't it invalid anyway?  I.E. if I
> bookmark a page on your site and then come back 3 hours later passing
> an old SID, shouldn't that session have expired on the server by that
> time, in which case the session vars would be empty and you could kick
> me back to your login page?


If my understanding of sessions is correct, no.

session.gc_maxlifetime does set the lifetime of a session, but a session 
will not be cleaned by PHP until session.gc_probability has been hit. 
Again, if my understanding is correct, PHP doesn't automatically check 
to see if a session has expired before accessing it. It pre-supposes 
that any session file lying around is still active. And those session 
files will stay there until session.gc_probability has been hit.

I might be wrong though ...

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Jean-Christian Imbeault
Michael Sims wrote:

> Then I suppose it's just an added feature of the session handler I am
> using.  Maybe the OP should give it a shot, as I use it and I
> definitely don't have a problem with expired sessions


I'll think about writing my own session handler as it can be quite 
useful. However I need to evaluate the amount of extra disk read/writes 
it would add. Using a DB vs the file system does add some overhead ...

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Ernest E Vogelsinger
At 08:47 24.11.2002, Jean-Christian Imbeault said:
[snip]
>Ernest E Vogelsinger wrote:
> >
>> if ($_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
>
>Ok, please forgive my ignorance, but in PHP isn't $_COOKIES the same as 
>$_SESSION?. I thought it was if the user had cookies turned off (and 
>even if the user had cookies turned on come to think of it) ... If not 
>I'm in trouble.
>
>I was always under the impression that $_SESSION vars were passed as 
>cookies ...
[snip] 

No, that's a misunderstanding. Session var's are never passed to and from
the client, only the session _name_ is passed, either via a cookie
(PHPSESSIONID) or via trans-sid href encoding.

Session vars are kept server-side in session storage, which is (by default)
a file located in the directory where session.save_path is pointing to. The
default file name  is sess_. The client only transmits
the session identifier so the server is able to correlate a session to a
particular request.

What I did for this particular application was to extend the system with a
cookie that's programmatically sent, using a random cookie name and a
random cookie content. Thus I am able to distinguish between multiple
logical sessions using the same session identifier, a scenario that could
happen when a URL containing a trans-sid has been bookmarked or transfered,
or when the client had opened a new window within the same session and
continued in "split mode".

Whatever the client passes to PHP as a cookie you can access in the
$_COOKIES array. Whatever PHP has stored in session storage can be accessed
in the $_SESSION array. They are quite different.


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Ernest E Vogelsinger
At 08:56 24.11.2002, Jean-Christian Imbeault said:
[snip]
>session.gc_maxlifetime does set the lifetime of a session, but a session 
>will not be cleaned by PHP until session.gc_probability has been hit. 
>Again, if my understanding is correct, PHP doesn't automatically check 
>to see if a session has expired before accessing it. It pre-supposes 
>that any session file lying around is till active. And those session 
>file will stay there until session.gc_probability has been hit.
>
>I might be wrong though ...
[snip] 

You're quite right :=


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Jean-Christian Imbeault
Ernest E Vogelsinger wrote:

> No, that's a misunderstanding. Session var's are never passed to and from
> the client, only the session _name_ is passed, either via a cookie
> (PHPSESSIONID) or via trans-sid href encoding.


Thanks for clearing that up! I hadn't realized that only the session 
name was passed around. I thought all the session data was too.

This now hands me a dilemma ... I was building my site conservatively, 
i.e. assuming the user would have cookies turned off. And so I am making 
heavy use of session variables. *But* I had thought that if the user had 
cookies enabled then the variables would be saved as cookie information, 
hence saving my server a lot of disk reads and writes. Now you have 
shown me the err of my ways ...

I have to consider rewriting my scripts so that if cookies *are* enabled 
the session information is sent as cookie data. Hum ... I hate 
re-writes 

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Justin French
on 24/11/02 11:10 PM, Jean-Christian Imbeault ([EMAIL PROTECTED]) wrote:

> This now hands me a dilemma ... I was building my site conservatively,
> i.e. assuming the user would have cookies turned off. And so I am making
> heavy use of session variables. *But* I had thought that if the user had
> cookies enabled then the variables would be saved as cookie information,
> hence saving my server a lot of disk reads and writes. Now you have
> shown me the err of my ways ...
> 
> I have to consider rewriting my scripts so that if cookies *are* enabled
> the session information is sent has cookie data. Hum ... I hate
> re-writes 

I'd leave it as is... this ensures that ALL users can use the site, because
the session id can be passed around in either the URL or cookies... and
enabling trans sid means you don't even have to worry about it... PHP will
use cookies if possible, or else append it to the URLs.

What sort of stuff are you storing in the session that you are worried
about with too many writes?



Justin French

http://Indent.com.au
Web Development & 
Graphic Design







Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Jean-Christian Imbeault
Justin French wrote:

> What sort of stuff are you storing in the session that you are worried
> about with too many writes?


Oh, this site is just your regular, run-of-the-mill, amazon.com copy.

For each open session I store up to 20 variables. It's not a lot, but 
each access to a script means a disk read/write so they will eventually 
add up if there are enough users.

Of course this problem goes away if you throw enough money at the 
hardware ...

Jc





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Ernest E Vogelsinger
At 13:10 24.11.2002, Jean-Christian Imbeault said:
[snip]
>This now hands me a dilemma ... I was building my site conservatively, 
>i.e. assuming the user would have cookies turned off. And so I am making 
>heavy use of session variables. *But* I had thought that if the user had 
>cookies enabled then the variables would be saved as cookie information, 
>hence saving my server a lot of disk reads and writes. Now you have 
>shown me the err of my ways ...
>
>I have to consider rewriting my scripts so that if cookies *are* enabled 
>the session information is sent has cookie data. Hum ... I hate 
>re-writes 
[snip] 

Why would you do that? session data is read and decoded once from a LOCAL
file, while transmitting all session data over a REMOTE line would be much
slower. Further it's MORE than insecure to hand possibly sensitive session
data to the client where any bad guy might tamper with it and harm your
application. Lastly cookies are limited to a certain size of data (I
believe it's 1k but I don't know exactly).

Use sessions as intended, it's a very well tested and very fast way to
create a persistent state across multiple subsequent connections.

If you don't like the file approach you can always invent your own session
handling system, be it database-driven (which would be even slower), or
some kind of session-server process that runs locally and gets contacted by
the applications, or even some shared memory... choose your ways, but keep
your data at the server's.


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Ernest E Vogelsinger
At 14:15 24.11.2002, Jean-Christian Imbeault said:
[snip]
>Oh, this site is just your regular, run-of-the-mill, amazon.com copy.
>
>For each open session I store up to 20 variables. It's not a lot, but 
>each access to a script means a disk read/write so they will eventually 
>add up if there are enough users.
>
>Of course this problem goes away if you throw enough money at the 
>hardware ...
[snip] 

Assuming you're running a server operating system (either Linux, or other
X, or even Win2K _server_) disk i/o gets already greatly reduced by the OS.
Any server OS implements its own decent file i/o cache that leverages
repeated disk i/o transparently. I wouldn't bother about that too much.

What you should keep in mind is that the OS needs enough memory to build up
its decent cache. Which would mean that you plug in more memory banks the
more users you have. If you suspect your server is slowing down because of
disk i/o why not run a realtime performance log to see where bottlenecks
are, and to act accordingly then?

My experience shows that file session storage is the very last bottleneck
that ever would occur; the database times add up much quicker than any
session file i/o would ever be able to.


-- 
   >O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/







Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Michael Sims
On Sun, 24 Nov 2002 17:01:21 +0900, you wrote:

>Michael Sims wrote:
>> 
>> Then I suppose it's just an added feature of the session handler I am
>> using.  Maybe the OP should give it a shot, as I use it and I
>> definitely don't have a problem with expired sessions
>
>I'll think about writing my own session handler as it can be quite 
>useful. However I need to evaluate the amount of extra disk read/writes 
>it would add. Using a DB vs the file system does add some overhead ...

Experience has taught me that the additional overhead is negligible,
especially if the database is running locally on the web server...

Having a DB based session handler comes in very handy when you are
troubleshooting a new session-based application.  It's much easier to
run queries against active sessions than to mess around with files,
IMHO.

Good luck...





Re: [PHP] sessions and trans-sid problem/question

2002-11-24 Thread Chris Shiflett
--- Jean-Christian Imbeault <[EMAIL PROTECTED]> wrote:

> This now hands me a dilemma ... I was building my site
> conservatively, i.e. assuming the user would have
> cookies turned off. And so I am making heavy use of
> session variables. *But* I had thought that if the
> user had cookies enabled then the variables would be
> saved as cookie information, hence saving my server a
> lot of disk reads and writes.
>
> Now you have shown me the err of my ways ...
> 
> I have to consider rewriting my scripts so that if
> cookies *are* enabled the session information is sent
> has cookie data.

There are two reasons why you should not consider such a rewrite:

1. performance
2. security

You say you want to pass data as cookies to save your server the
latency of disk access. Think about that for a moment, and you will
see that it makes no sense. This is similar to making a decision to
store all of your data on a remote FTP server rather than your local
disk, thinking that this somehow saves you time. Regardless of how
much bandwidth your network has and how slow your disk is, there is
no way transmitting this data to/from the client across the Internet
is going to be faster than local disk access. Floppy access is
probably not even as slow as what you are considering.

A more important reason to avoid the rewrite you are considering is
security. A cookie is sent by the client. The client can be anyone
using your site. What if the client is trying to circumvent your
site's security in some way? Do you really want to trust everyone who
visits to be honest?

When you set a cookie, you are asking the client to send that cookie
(value unchanged of course) in future requests. There is nothing
aside from honesty that keeps a client from changing the cookie.

Also, cookies are intended as a mechanism for maintaining state. This
means that they are well-suited for helping you identify a client
(the Web browser). Session management requires a little bit more, and
this is where PHP sessions come into play. Cookies are a poor choice
for session management (state management + maintaining client data),
and this is what it seems like you are considering.

Chris





RE: [PHP] Sessions and Query String Variable Handling

2002-04-27 Thread John Holmes

$page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] . "?" .
$_SERVER["QUERY_STRING"];
 
That will recreate the URL that the user clicked on. Save that to a
variable before you check for a session. Once you start a session or
verify that one exists, use header() to send them back to that page. 
 
---John Holmes.
 
-Original Message-
From: Dennis Moore [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, April 27, 2002 2:37 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Sessions and Query String Variable Handling
 
Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
 
Scenario:  I have built a system that uses PHP sessions for user access.
Within the system I send user notifications via email.   Within the
email are links to certain pages with variables.  For example.
 
http://mysite.com/view_page.htm?id=6
 
My system checks to see if the session is valid.  Since the user is
coming from an email.  There is no session.  So the user is prompted for
the user and password.  They enter and click submit.  The authentication
passes the user to right page, but loses the variables in the query
string.  Thus causing errors.
 
Here is the authentication code...
// set session settings from login form
if (!session_is_registered("valid_user") && $session_login=="proc") {
  if ($userid && $password) {
    // if the user has just tried to log in

    $db_conn = mysql_connect("localhost");
    mysql_select_db("$dbname", $db_conn);
    $query = "select * from auth_users "
            ."where auth_username='$userid' "
            ." and auth_password='$password' ";
    $result = mysql_query($query, $db_conn);
    if (mysql_num_rows($result) >0 ) {
      // if they are in the database register the user id
      $valid_user = $userid;
      $valid_group=mysql_result($result,0,"auth_group");
      $valid_perms=mysql_result($result,0,"auth_perms");
      $valid_auth_id=mysql_result($result,0,"auth_id");
      session_register("valid_user");
      session_register("valid_group");
      session_register("valid_perms");
      session_register("valid_auth_id");
    } else {
      $invalid_login= "Invalid login:  Could not log you in...
   ";
    }
  }
}
 
Any Ideas on how to pass the query string variables through the
authentication process?  
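
The login step with the requested page carried through it, as an added example that is not code from this thread: the posted query interpolates $userid and $password directly into the SQL, so this version binds the username as a parameter, and it accepts the return target only when it is a path on the same site. It assumes PDO, password hashes stored in auth_password, a hidden form field named return_to, /login.php and the function names shown.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO (SQLite driver
// for the self-contained demo), auth_password holding password_hash() output,
// a hidden form field named return_to, /login.php, and the function names.

/** Accept only a same-site path such as "/view_page.htm?id=6". */
function safe_return_path(string $candidate, string $default = '/'): string
{
    // Control characters would allow header injection; browsers treat "\" as "/".
    if ($candidate === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $default;
    }
    // Must start with one "/"; "//host/..." is a protocol-relative URL.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/** Look the user up with a bound parameter; return the row or null. */
function check_login(PDO $db, string $userid, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT auth_id, auth_username, auth_password, auth_group, auth_perms
           FROM auth_users WHERE auth_username = ?'
    );
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['auth_password'])) {
        return null;
    }
    unset($row['auth_password']); // never copy the hash into the session
    return $row;
}

/** Process the login form; returns the path the caller should redirect to. */
function handle_login(PDO $db, array $post): string
{
    $return = safe_return_path((string) ($post['return_to'] ?? ''));
    $row = check_login($db, (string) ($post['userid'] ?? ''), (string) ($post['password'] ?? ''));
    if ($row === null) {
        // Keep the validated target so the next attempt can still reach it.
        return '/login.php?return_to=' . rawurlencode($return);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a new SID once the user is known
    }
    $_SESSION['valid_user']    = $row['auth_username'];
    $_SESSION['valid_group']   = $row['auth_group'];
    $_SESSION['valid_perms']   = $row['auth_perms'];
    $_SESSION['valid_auth_id'] = $row['auth_id'];
    return $return; // caller sends: header('Location: ' . $return); exit;
}

// Command-line demonstration with a constructed user and constructed inputs.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_users (auth_id INTEGER PRIMARY KEY,
        auth_username TEXT UNIQUE, auth_password TEXT, auth_group TEXT, auth_perms TEXT)');
    $db->prepare('INSERT INTO auth_users (auth_username, auth_password, auth_group, auth_perms)
        VALUES (?, ?, ?, ?)')
       ->execute(['dkm', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'staff', 'rw']);

    $forms = [
        ['userid' => 'dkm', 'password' => 's3cret-demo', 'return_to' => '/view_page.htm?id=6'],
        ['userid' => 'dkm', 'password' => 's3cret-demo', 'return_to' => 'http://other.example/'],
        ['userid' => 'dkm', 'password' => 's3cret-demo', 'return_to' => '//other.example/x'],
        // A quote in the username is plain data to the bound parameter.
        ['userid' => "d'arcy", 'password' => 'anything', 'return_to' => '/view_page.htm?id=6'],
    ];
    foreach ($forms as $form) {
        printf("%-8s %-24s => %s\n", $form['userid'], $form['return_to'], handle_login($db, $form));
    }
}
```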



RE: [PHP] Sessions and Query String Variable Handling

2002-04-27 Thread John Holmes

You'll have to add an http:// to that string, too.

---John Holmes...

> -Original Message-
> From: John Holmes [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 27, 2002 5:50 PM
> To: 'Dennis Moore'; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions and Query String Variable Handling
> 
> $page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] .
> $_SERVER["QUERY_STRING"];
> 
> That will recreate the URL that the user clicked on. Save that to a
> variable before you check for a session. Once you start a session or
> verify that one exists, use header() to send them back to that page.
> 
> ---John Holmes.
> 
> -Original Message-
> From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 27, 2002 2:37 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions and Query String Variable Handling
> 
> Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
> 
> Scenario:  I have built a system that uses PHP sessions for user access.
> Within the system I send user notifications via email.   Within the
> email are links to certain pages with variables.  For example.
> 
> http://mysite.com/view_page.htm?id=6
> 
> My system checks to see if the session is valid.  Since the user is
> coming from an email.  There is no session.  So the user is prompted for
> the user and password.  They enter and click submit.  The authentication
> passes the user to right page, but losses the variables in the query
> string.  Thus causing errors.
> 
> Here is the authentication code...
>  set session settings from login form
> if (!session_is_registered("valid_user") && $session_login=="proc") {
>  if ($userid && $password) {
> // if the user has just tried to log in
> 
> $db_conn = mysql_connect("localhost");
> mysql_select_db("$dbname", $db_conn);
> $query = "select * from auth_users "
>."where auth_username='$userid' "
>." and auth_password='$password' ";
> $result = mysql_query($query, $db_conn);
> if (mysql_num_rows($result) >0 ) {
>   // if they are in the database register the user id
>   $valid_user = $userid;
>   $valid_group=mysql_result($result,0,"auth_group");
>$valid_perms=mysql_result($result,0,"auth_perms");
>$valid_auth_id=mysql_result($result,0,"auth_id");
>   session_register("valid_user");
>session_register("valid_group");
>session_register("valid_perms");
>session_register("valid_auth_id");
> } else {
>$invalid_login= "Invalid login:  Could not log you in...
>";
>   }
>  }
> }
> 
> Any Ideas on how to pass the query string variables through the
> authentication process?






Re: [PHP] Sessions and Query String Variable Handling

2002-04-27 Thread eric.coleman

You can also use

$page = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

- Original Message - 
From: "John Holmes" <[EMAIL PROTECTED]>
To: "'Dennis Moore'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, April 27, 2002 8:49 PM
Subject: RE: [PHP] Sessions and Query String Variable Handling


> $page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] .
> $_SERVER["QUERY_STRING"];
>  
> That will recreate the URL that the user clicked on. Save that to a
> variable before you check for a session. Once you start a session or
> verify that one exists, use header() to send them back to that page. 
>  
> ---John Holmes.
>  
> -Original Message-
> From: Dennis Moore [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, April 27, 2002 2:37 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions and Query String Variable Handling
>  
> Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
>  
> Scenario:  I have built a system that uses PHP sessions for user access.
> Within the system I send user notifications via email.   Within the
> email are links to certain pages with variables.  For example.
>  
> http://mysite.com/view_page.htm?id=6
>  
> My system checks to see if the session is valid.  Since the user is
> coming from an email.  There is no session.  So the user is prompted for
> the user and password.  They enter and click submit.  The authentication
> passes the user to right page, but losses the variables in the query
> string.  Thus causing errors.
>  
> Here is the authentication code...
>  set session settings from login form
> if (!session_is_registered("valid_user") && $session_login=="proc") {
>  if ($userid && $password) {
> // if the user has just tried to log in
>  
> $db_conn = mysql_connect("localhost");
> mysql_select_db("$dbname", $db_conn);
> $query = "select * from auth_users "
>."where auth_username='$userid' "
>." and auth_password='$password' ";
> $result = mysql_query($query, $db_conn);
> if (mysql_num_rows($result) >0 ) {
>   // if they are in the database register the user id
>   $valid_user = $userid;
>   $valid_group=mysql_result($result,0,"auth_group");
>$valid_perms=mysql_result($result,0,"auth_perms");
>$valid_auth_id=mysql_result($result,0,"auth_id");
>   session_register("valid_user");
>session_register("valid_group");
>session_register("valid_perms");
>session_register("valid_auth_id");
> } else {
>$invalid_login= "Invalid login:  Could not log you in...
>";
>   }
>  }
> }
>  
> Any Ideas on how to pass the query string variables through the
> authentication process?  
> 






Re: [PHP] Sessions and Query String Variable Handling

2002-04-27 Thread Dennis Moore

Thanks,

Is there any way of doing this without using the header() to redirect?  I
have some functions that get executed before the sessions stuff.   I am
trying to avoid using output buffering or re-writing my code.

/dkm




- Original Message -
From: "John Holmes" <[EMAIL PROTECTED]>
To: "'Dennis Moore'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, April 27, 2002 8:49 PM
Subject: RE: [PHP] Sessions and Query String Variable Handling


> $page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] .
> $_SERVER["QUERY_STRING"];
>
> That will recreate the URL that the user clicked on. Save that to a
> variable before you check for a session. Once you start a session or
> verify that one exists, use header() to send them back to that page.
>
> ---John Holmes.
>
> -Original Message-
> From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 27, 2002 2:37 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions and Query String Variable Handling
>
> Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
>
> Scenario:  I have built a system that uses PHP sessions for user access.
> Within the system I send user notifications via email.   Within the
> email are links to certain pages with variables.  For example.
>
> http://mysite.com/view_page.htm?id=6
>
> My system checks to see if the session is valid.  Since the user is
> coming from an email.  There is no session.  So the user is prompted for
> the user and password.  They enter and click submit.  The authentication
> passes the user to right page, but losses the variables in the query
> string.  Thus causing errors.
>
> Here is the authentication code...
>  set session settings from login form
> if (!session_is_registered("valid_user") && $session_login=="proc") {
>  if ($userid && $password) {
> // if the user has just tried to log in
>
> $db_conn = mysql_connect("localhost");
> mysql_select_db("$dbname", $db_conn);
> $query = "select * from auth_users "
>."where auth_username='$userid' "
>." and auth_password='$password' ";
> $result = mysql_query($query, $db_conn);
> if (mysql_num_rows($result) >0 ) {
>   // if they are in the database register the user id
>   $valid_user = $userid;
>   $valid_group=mysql_result($result,0,"auth_group");
>$valid_perms=mysql_result($result,0,"auth_perms");
>$valid_auth_id=mysql_result($result,0,"auth_id");
>   session_register("valid_user");
>session_register("valid_group");
>session_register("valid_perms");
>session_register("valid_auth_id");
> } else {
>$invalid_login= "Invalid login:  Could not log you in...
>";
>   }
>  }
> }
>
> Any Ideas on how to pass the query string variables through the
> authentication process?
>






RE: [PHP] Sessions and Query String Variable Handling

2002-04-27 Thread John Holmes

Not for server side. You can use a META REFRESH on the client side, but
I personally find that ugly. 

This is why I always write my functions so that they don't output
anything. They just assign the output to a variable and return it. That
way, I can call the function anywhere, save the result, and just echo
that variable where ever I need to. 

---John Holmes...

> -Original Message-
> From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, April 27, 2002 5:24 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions and Query String Variable Handling
> 
> Thanks,
> 
> Is there any way of doing this without using the header() to redirect?  I
> have some functions that get executed before the sessions stuff.   I am
> trying to avoid using output buffering or re-writing my code.
> 
> /dkm
> 
> 
> 
> 
> - Original Message -
> From: "John Holmes" <[EMAIL PROTECTED]>
> To: "'Dennis Moore'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Saturday, April 27, 2002 8:49 PM
> Subject: RE: [PHP] Sessions and Query String Variable Handling
> 
> 
> > $page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] .
> > $_SERVER["QUERY_STRING"];
> >
> > That will recreate the URL that the user clicked on. Save that to a
> > variable before you check for a session. Once you start a session or
> > verify that one exists, use header() to send them back to that page.
> >
> > ---John Holmes.
> >
> > -Original Message-
> > From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, April 27, 2002 2:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] Sessions and Query String Variable Handling
> >
> > Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
> >
> > Scenario:  I have built a system that uses PHP sessions for user access.
> > Within the system I send user notifications via email.   Within the
> > email are links to certain pages with variables.  For example.
> >
> > http://mysite.com/view_page.htm?id=6
> >
> > My system checks to see if the session is valid.  Since the user is
> > coming from an email.  There is no session.  So the user is prompted for
> > the user and password.  They enter and click submit.  The authentication
> > passes the user to right page, but losses the variables in the query
> > string.  Thus causing errors.
> >
> > Here is the authentication code...
> >  set session settings from login form
> > if (!session_is_registered("valid_user") && $session_login=="proc") {
> >  if ($userid && $password) {
> > // if the user has just tried to log in
> >
> > $db_conn = mysql_connect("localhost");
> > mysql_select_db("$dbname", $db_conn);
> > $query = "select * from auth_users "
> >."where auth_username='$userid' "
> >." and auth_password='$password' ";
> > $result = mysql_query($query, $db_conn);
> > if (mysql_num_rows($result) >0 ) {
> >   // if they are in the database register the user id
> >   $valid_user = $userid;
> >   $valid_group=mysql_result($result,0,"auth_group");
> >$valid_perms=mysql_result($result,0,"auth_perms");
> >$valid_auth_id=mysql_result($result,0,"auth_id");
> >   session_register("valid_user");
> >session_register("valid_group");
> >session_register("valid_perms");
> >session_register("valid_auth_id");
> > } else {
> >$invalid_login= "Invalid login:  Could not log you in...
> >";
> >   }
> >  }
> > }
> >
> > Any Ideas on how to pass the query string variables through the
> > authentication process?
> >
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php







Re: [PHP] Sessions and Query String Variable Handling

2002-04-28 Thread Dennis Moore

Thanks for your assistance...   I found three small errors that caused me
the problem.

1.  I had an extra line or space in my include file that defines all my
functions after the '?>'
2.  I didn't realize that session_start returns an output.  I assigned a
variable to it.
3.  I needed to pass the REQUEST_URI string in a hidden variable within my
login form.

Voila!!!  Everything worked fine.

I just wasn't seeing it yesterday.   I was just too close to the code...


- Original Message -
From: "John Holmes" <[EMAIL PROTECTED]>
To: "'Dennis Moore'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, April 27, 2002 11:33 PM
Subject: RE: [PHP] Sessions and Query String Variable Handling


> Not for server side. You can use a META REFRESH on the client side, but
> I personally find that ugly.
>
> This is why I always write my functions so that they don't output
> anything. They just assign the output to a variable and return it. That
> way, I can call the function anywhere, save the result, and just echo
> that variable where ever I need to.
>
> ---John Holmes...
>
> > -Original Message-
> > From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, April 27, 2002 5:24 PM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [PHP] Sessions and Query String Variable Handling
> >
> > Thanks,
> >
> > Is there any way of doing this without using the header() to redirect?  I
> > have some functions that get executed before the sessions stuff.   I am
> > trying to avoid using output buffering or re-writing my code.
> >
> > /dkm
> >
> >
> >
> >
> > - Original Message -
> > From: "John Holmes" <[EMAIL PROTECTED]>
> > To: "'Dennis Moore'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Saturday, April 27, 2002 8:49 PM
> > Subject: RE: [PHP] Sessions and Query String Variable Handling
> >
> >
> > > $page = $_SERVER["SERVER_NAME"] . $_SERVER["SCRIPT_NAME"] .
> > > $_SERVER["QUERY_STRING"];
> > >
> > > That will recreate the URL that the user clicked on. Save that to a
> > > variable before you check for a session. Once you start a session or
> > > verify that one exists, use header() to send them back to that page.
> > >
> > > ---John Holmes.
> > >
> > > -Original Message-
> > > From: Dennis Moore [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, April 27, 2002 2:37 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [PHP] Sessions and Query String Variable Handling
> > >
> > > Env:  Apache 1.3.x/php4.0.6/mysql3.23.x
> > >
> > > Scenario:  I have built a system that uses PHP sessions for user access.
> > > Within the system I send user notifications via email.   Within the
> > > email are links to certain pages with variables.  For example.
> > >
> > > http://mysite.com/view_page.htm?id=6
> > >
> > > My system checks to see if the session is valid.  Since the user is
> > > coming from an email.  There is no session.  So the user is prompted for
> > > the user and password.  They enter and click submit.  The authentication
> > > passes the user to right page, but loses the variables in the query
> > > string.  Thus causing errors.
> > >
> > > Here is the authentication code...
> > > // set session settings from login form
> > > if (!session_is_registered("valid_user") && $session_login=="proc") {
> > >   if ($userid && $password) {
> > >     // if the user has just tried to log in
> > >
> > >     $db_conn = mysql_connect("localhost");
> > >     mysql_select_db("$dbname", $db_conn);
> > >     $query = "select * from auth_users "
> > >            ."where auth_username='$userid' "
> > >            ." and auth_password='$password' ";
> > >     $result = mysql_query($query, $db_conn);
> > >     if (mysql_num_rows($result) >0 ) {
> > >       // if they are in the database register the user id
> > >       $valid_user = $userid;
> > >       $valid_group=mysql_result($result,0,"auth_group");
> > >       $valid_perms=mysql_result($result,0,"auth_perms");
> > >       $valid_auth_id=mysql_result($result,0,"auth_id");
> > >       session_register("valid_user");
> > >       session_register("valid_group");
> > >       session_register("valid_perms");
> > >       session_register("valid_auth_id");
> > >     } else {
> > >       $invalid_login= "Invalid login:  Could not log you in...
> > > ";
> > >     }
> > >   }
> > > }
> > >
> > > Any Ideas on how to pass the query string variables through the
> > > authentication process?
> > >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
>
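
Added example, not code from this thread: the hidden-field approach from point 3 above in current PHP (7.4+, pdo_sqlite assumed), with the client-supplied return target validated before it reaches header() and the login lookup done with a bound parameter and password_verify() instead of a string-built query. Function names, /login.php and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with pdo_sqlite.
// Table and column names follow the thread; function names, /login.php and
// the sample row are constructed for illustration.

/** Accept only a same-site path such as "/view_page.htm?id=6". */
function safe_return_path(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '' || $candidate[0] !== '/') {
        return $default;                 // absolute URLs and non-path values
    }
    if (strpos($candidate, '//') === 0) {
        return $default;                 // protocol-relative "//host/..."
    }
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $default;                 // CR/LF, other controls, backslashes
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/** Login form that carries the originally requested URI in a hidden field. */
function login_form(string $requestUri): string
{
    $target = htmlspecialchars(safe_return_path($requestUri), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/login.php">'
         . '<input type="hidden" name="return_to" value="' . $target . '">'
         . '<input name="userid"> <input type="password" name="password">'
         . '<button>Log in</button></form>';
}

/** Look the user up with a bound parameter and verify a stored password hash. */
function authenticate(PDO $db, string $userid, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT auth_id, auth_group, auth_perms, auth_password
           FROM auth_users WHERE auth_username = ?'
    );
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['auth_password'])) {
        return null;
    }
    unset($row['auth_password']);
    return $row;
}

/** Returns the response the login script would send (status and Location). */
function handle_login(PDO $db, array $post): array
{
    // Treat anything that is not a plain string (e.g. return_to[]=x) as empty.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $user = authenticate($db, $field('userid'), $field('password'));
    if ($user === null) {
        return ['status' => 401, 'location' => null];
    }
    // A live script would now call session_regenerate_id(true), store $user in
    // $_SESSION, then header('Location: ' . $location) and exit.
    return ['status' => 302, 'location' => safe_return_path($field('return_to'))];
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_users (auth_id INTEGER PRIMARY KEY,
           auth_username TEXT UNIQUE, auth_password TEXT,
           auth_group TEXT, auth_perms TEXT)');
$db->prepare('INSERT INTO auth_users
              (auth_username, auth_password, auth_group, auth_perms)
              VALUES (?, ?, ?, ?)')
   ->execute(['dennis', password_hash('s3cret-example', PASSWORD_DEFAULT), 'staff', 'rw']);

$ok = ['userid' => 'dennis', 'password' => 's3cret-example'];
$cases = [
    'emailed link'        => $ok + ['return_to' => '/view_page.htm?id=6'],
    'off-site return_to'  => $ok + ['return_to' => 'https://other.example/'],
    'protocol-relative'   => $ok + ['return_to' => '//other.example/x'],
    'array return_to'     => $ok + ['return_to' => ['x']],
    'quote in userid'     => ['userid' => "x' OR '1'='1", 'password' => "x' OR '1'='1",
                              'return_to' => '/view_page.htm?id=6'],
];

echo login_form('/view_page.htm?id=6'), "\n";
foreach ($cases as $label => $post) {
    $r = handle_login($db, $post);
    printf("%-20s status=%d location=%s\n", $label, $r['status'], $r['location'] ?? '-');
}
```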






Re: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

> We have a shopping cart product we're developing in PHP, and I've
> recently come across a dilemma that I need to find a reliable solution
> to.
>
> Many of the people who will be shopping on our sites have cookies
> disabled, which presents a problem when using sessions. Now, I am aware
> of the fact that we could append the SID constant to every URL, but this
> will not work for us. None of our sites are dynamic, and updating them
> is out of the question (We have over 100 sites). As well, someday we
> intend to sell this software, and we don't want to require that people
> make their sites fully dynamic to accommodate it.
>
> So, is there any reliable way to emulate sessions without requiring a
> cookie, or a variable passed in every URL?
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






Re: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Miguel Cruz

On Tue, 14 May 2002, Matthew Walker wrote:
> Many of the people who will be shopping on our sites have cookies
> disabled, which presents a problem when using sessions. Now, I am aware
> of the fact that we could append the SID constant to every URL, but this
> will not work for us. None of our sites are dynamic, and updating them
> is out of the question (We have over 100 sites). As well, someday we
> intend to sell this software, and we don't want to require that people
> make their sites fully dynamic to accommodate it.

I don't entirely understand. If your site is not dynamic, then what do you 
need sessions for?

miguel






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

The sites are not dynamic, but the shopping cart /is/. The problem is,
if people don't have cookies on, when they return to the site to order
more products, they lose the SID that has been appended to the links
inside the cart, and thus lose the contents of their shopping cart.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 

-Original Message-
From: Miguel Cruz [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 5:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

On Tue, 14 May 2002, Matthew Walker wrote:
> Many of the people who will be shopping on our sites have cookies
> disabled, which presents a problem when using sessions. Now, I am aware
> of the fact that we could append the SID constant to every URL, but this
> will not work for us. None of our sites are dynamic, and updating them
> is out of the question (We have over 100 sites). As well, someday we
> intend to sell this software, and we don't want to require that people
> make their sites fully dynamic to accommodate it.

I don't entirely understand. If your site is not dynamic, then what do you
need sessions for?

miguel






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

You're not understanding the problem. This is not an authentication
situation. We are using sessions to track information about what a
customer's OrderID is, and other related information.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 5:42 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Sessions Without Cookies or SID Passing...

Use standard HTTP authentication over SSL - that's the only other way.

On Tue, 14 May 2002, Matthew Walker wrote:

> We have a shopping cart product we're developing in PHP, and I've
> recently come across a dilemma that I need to find a reliable solution
> to.
>
> Many of the people who will be shopping on our sites have cookies
> disabled, which presents a problem when using sessions. Now, I am aware
> of the fact that we could append the SID constant to every URL, but this
> will not work for us. None of our sites are dynamic, and updating them
> is out of the question (We have over 100 sites). As well, someday we
> intend to sell this software, and we don't want to require that people
> make their sites fully dynamic to accommodate it.
>
> So, is there any reliable way to emulate sessions without requiring a
> cookie, or a variable passed in every URL?
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

I am understanding the problem perfectly.  HTTP is stateless.  You want to
maintain state across requests.  This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2.  That only leaves you with HTTP
Authentication.  HTTP Authentication is really just like a cookie that
can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

> You're not understanding the problem. This is not an authentication
> situation. We are using sessions to track information about what a
> customer's OrderID is, and other related information.
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
>
> -Original Message-
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 14, 2002 5:42 PM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
>
> Use standard HTTP authentication over SSL - that's the only other way.
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > We have a shopping cart product we're developing in PHP, and I've
> > recently come across a dilemma that I need to find a reliable solution
> > to.
> >
> > Many of the people who will be shopping on our sites have cookies
> > disabled, which presents a problem when using sessions. Now, I am aware
> > of the fact that we could append the SID constant to every URL, but this
> > will not work for us. None of our sites are dynamic, and updating them
> > is out of the question (We have over 100 sites). As well, someday we
> > intend to sell this software, and we don't want to require that people
> > make their sites fully dynamic to accommodate it.
> >
> > So, is there any reliable way to emulate sessions without requiring a
> > cookie, or a variable passed in every URL?
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Miguel Cruz

On Tue, 14 May 2002, Matthew Walker wrote:
> The sites are not dynamic, but the shopping cart /is/. The problem is,
> if people don't have cookies on, when they return to the site to order
> more products, they lose the SID that has been appended to the links
> inside the cart, and thus lose the contents of their shopping cart.

I think you are running into facts of life here. You can only keep track
of people using a limited set of mechanisms (which Rasmus has listed).

Perhaps with cunning design you could use frames and JavaScript to handle 
this but it's outside the scope of PHP.

miguel






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Martin Towell

You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 10:04 AM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...


I am understanding the problem perfectly.  HTTP is stateless.  You want to
maintain state across requests.  This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2.  That only leaves you with HTTP
Authentication.  HTTP Authentication is really just like a cookie that
can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

> You're not understanding the problem. This is not an authentication
> situation. We are using sessions to track information about what a
> customer's OrderID is, and other related information.
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
>
> -Original Message-
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 14, 2002 5:42 PM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
>
> Use standard HTTP authentication over SSL - that's the only other way.
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > We have a shopping cart product we're developing in PHP, and I've
> > recently come across a dilemma that I need to find a reliable solution
> > to.
> >
> > Many of the people who will be shopping on our sites have cookies
> > disabled, which presents a problem when using sessions. Now, I am aware
> > of the fact that we could append the SID constant to every URL, but this
> > will not work for us. None of our sites are dynamic, and updating them
> > is out of the question (We have over 100 sites). As well, someday we
> > intend to sell this software, and we don't want to require that people
> > make their sites fully dynamic to accommodate it.
> >
> > So, is there any reliable way to emulate sessions without requiring a
> > cookie, or a variable passed in every URL?
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

Could you explain how this could be accomplished, because I'm not
understanding how to do it.

As I understand HTTP Authentication (correct me if I'm wrong), the
user's computer still has to send a 'username/password' pair to perform
the authentication. I can't see how this could be used to maintain
session data.

But maybe my mind is just trapped in a rut. Please enlighten me.

Matthew Walker
Senior Software Engineer
ePliant Marketing
 

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 6:04 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

I am understanding the problem perfectly.  HTTP is stateless.  You want to
maintain state across requests.  This is done in 3 different ways.

1. Cookies
2. URL Mangling
3. HTTP Authentication

You said you did not want to do 1 or 2.  That only leaves you with HTTP
Authentication.  HTTP Authentication is really just like a cookie that
can't be disabled when it comes down to it.

-Rasmus

On Tue, 14 May 2002, Matthew Walker wrote:

> You're not understanding the problem. This is not an authentication
> situation. We are using sessions to track information about what a
> customer's OrderID is, and other related information.
>
> Matthew Walker
> Senior Software Engineer
> ePliant Marketing
>
>
> -Original Message-
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 14, 2002 5:42 PM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
>
> Use standard HTTP authentication over SSL - that's the only other way.
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > We have a shopping cart product we're developing in PHP, and I've
> > recently come across a dilemma that I need to find a reliable solution
> > to.
> >
> > Many of the people who will be shopping on our sites have cookies
> > disabled, which presents a problem when using sessions. Now, I am aware
> > of the fact that we could append the SID constant to every URL, but this
> > will not work for us. None of our sites are dynamic, and updating them
> > is out of the question (We have over 100 sites). As well, someday we
> > intend to sell this software, and we don't want to require that people
> > make their sites fully dynamic to accommodate it.
> >
> > So, is there any reliable way to emulate sessions without requiring a
> > cookie, or a variable passed in every URL?
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
>
>







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

No, it doesn't work at all.  All sorts of people are behind proxies.
Every AOL user, for example.  All these people end up showing up as the
same, or at least one of a pool of a few dozen IPs.  If you use this
method, millions of users will end up sharing the same shopping cart.
That's probably not a good idea.

-Rasmus

On Wed, 15 May 2002, Martin Towell wrote:

> You're missing one method - using the user's IP address
> It's not a guaranteed fool-proof method, but if you don't want to use
> cookies or the URL, then this sorta works.
>
> -Original Message-
> From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 10:04 AM
> To: Matthew Walker
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Without Cookies or SID Passing...
>
>
> I am understanding the problem perfectly.  HTTP is stateless.  You want to
> maintain state across requests.  This is done in 3 different ways.
>
> 1. Cookies
> 2. URL Mangling
> 3. HTTP Authentication
>
> You said you did not want to do 1 or 2.  That only leaves you with HTTP
> Authentication.  HTTP Authentication is really just like a cookie that
> can't be disabled when it comes down to it.
>
> -Rasmus
>
> On Tue, 14 May 2002, Matthew Walker wrote:
>
> > You're not understanding the problem. This is not an authentication
> > situation. We are using sessions to track information about what a
> > customer's OrderID is, and other related information.
> >
> > Matthew Walker
> > Senior Software Engineer
> > ePliant Marketing
> >
> >
> > -----Original Message-
> > From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 14, 2002 5:42 PM
> > To: Matthew Walker
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Sessions Without Cookies or SID Passing...
> >
> > Use standard HTTP authentication over SSL - that's the only other way.
> >
> > On Tue, 14 May 2002, Matthew Walker wrote:
> >
> > > We have a shopping cart product we're developing in PHP, and I've
> > > recently come across a dilemma that I need to find a reliable solution
> > > to.
> > >
> > > Many of the people who will be shopping on our sites have cookies
> > > disabled, which presents a problem when using sessions. Now, I am aware
> > > of the fact that we could append the SID constant to every URL, but this
> > > will not work for us. None of our sites are dynamic, and updating them
> > > is out of the question (We have over 100 sites). As well, someday we
> > > intend to sell this software, and we don't want to require that people
> > > make their sites fully dynamic to accommodate it.
> > >
> > > So, is there any reliable way to emulate sessions without requiring a
> > > cookie, or a variable passed in every URL?
> > >
> > > Matthew Walker
> > > Senior Software Engineer
> > > ePliant Marketing
> > >
> > >
> > >
> > > ---
> > > Outgoing mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
> > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
> >
> >
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Rasmus Lerdorf

> Could you explain how this could be accomplished, because I'm not
> understanding how to do it.
>
> As I understand HTTP Authentication (correct me if I'm wrong), the
> user's computer still has to send a 'username/password' pair to perform
> the authentication. I can't see how this could be used to maintain
> session data.
>
> But maybe my mind is just trapped in a rut. Please enlighten me.

The problem here is not where to store the session data.  That's obvious.
You store the session data on your server.  The real problem is linking
the session data (ie. the contents of a shopping cart) to a specific user
so when that same user is surfing through your site, on every request you
know which cart is his.  And if he goes away and comes back later, you
again can go find his cart and you know what is in it.

Ergo, therefore, if you are able to uniquely identify the user you have
solved your session problem.  HTTP Authentication does this brilliantly.
The only difference between cookies and http auth is that with a cookie
you send the remote user a unique identifier that is then sent back to you
whenever that specific user visits your site.  Because this happens
automatically and people don't like that, some people turn this off.
With HTTP authentication, instead of doing this automatically you have the
user create a profile on your site where part of this will include a
unique identifier and a password.  Each time the user visits your site
this information will be sent exactly like a cookie.  Depending on how
users configure their browsers they may have to log in at the beginning of
a session although these days most browsers have these password managers
that make this login procedure trivial.

-Rasmus
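
Added example, not code from this thread: a server-side cart keyed by the verified HTTP Basic username compared with one keyed by REMOTE_ADDR, run over constructed requests in which two shoppers share one proxy address. PHP 7.4+ is assumed; the user table, function names and addresses are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ (CLI is enough).
// $users, the cart_key_* functions and the sample requests are constructed.

$users = [ // username => password hash, as a profile table would store it
    'alice' => password_hash('alice-example-pw', PASSWORD_DEFAULT),
    'bob'   => password_hash('bob-example-pw', PASSWORD_DEFAULT),
];

/** The IP-based scheme proposed in the thread: one key per client address. */
function cart_key_by_ip(array $server): string
{
    return 'ip:' . ($server['REMOTE_ADDR'] ?? 'unknown');
}

/** Per-user key from Basic credentials, or null when a 401 must be sent. */
function cart_key_by_basic_auth(array $server, array $users): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return null;
    }
    return password_verify($pass, $users[$user]) ? 'user:' . $user : null;
}

/** Headers that make the browser prompt once and then resend credentials. */
function basic_auth_challenge(): array
{
    return ['HTTP/1.1 401 Unauthorized', 'WWW-Authenticate: Basic realm="Shopping cart"'];
}

/** Append an item to the cart stored under $key; false if there is no key. */
function add_to_cart(array &$carts, ?string $key, string $item): bool
{
    if ($key === null) {
        return false;
    }
    $carts[$key][] = $item;
    return true;
}

// Constructed requests: [label, subset of $_SERVER, item added to the cart].
// 192.0.2.10 stands for a shared proxy or NAT address.
$requests = [
    ['alice via proxy', ['REMOTE_ADDR' => '192.0.2.10',
        'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'alice-example-pw'], 'book'],
    ['bob via proxy', ['REMOTE_ADDR' => '192.0.2.10',
        'PHP_AUTH_USER' => 'bob', 'PHP_AUTH_PW' => 'bob-example-pw'], 'lamp'],
    ['alice from home', ['REMOTE_ADDR' => '198.51.100.7',
        'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'alice-example-pw'], 'pen'],
    ['anonymous via proxy', ['REMOTE_ADDR' => '192.0.2.10'], 'mug'],
];

$byIp = [];
$byUser = [];
foreach ($requests as [$label, $server, $item]) {
    add_to_cart($byIp, cart_key_by_ip($server), $item);
    if (!add_to_cart($byUser, cart_key_by_basic_auth($server, $users), $item)) {
        echo "$label: no valid credentials, reply with ",
             implode(' / ', basic_auth_challenge()), "\n";
    }
}

// Keyed by IP, the proxy users share one cart and alice's cart is split in two.
echo "Keyed by IP:   ", json_encode($byIp), "\n";
// Keyed by user, each shopper has one cart regardless of address.
echo "Keyed by user: ", json_encode($byUser), "\n";
```

PHP fills PHP_AUTH_USER and PHP_AUTH_PW from the Authorization header, which the browser resends on every request, hence the "over SSL" in the advice earlier in the thread.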






RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Mark Charette

If it ain't foolproof then only a fool would use it ...

IP addresses are just about the worst way to identify anyone.

-Original Message-
From: Martin Towell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 8:17 PM
To: 'Rasmus Lerdorf'; Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...


You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Vail, Warren

Especially if they come through a gateway, or use internet connection
sharing, you can't tell them apart using IP Addresses.


Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658


-Original Message-
From: Mark Charette [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 5:30 PM
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...


If it ain't foolproof then only a fool would use it ...

IP addresses are just about the worst way to identify anyone.

-Original Message-
From: Martin Towell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 8:17 PM
To: 'Rasmus Lerdorf'; Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...


You're missing one method - using the user's IP address
It's not a guaranteed fool-proof method, but if you don't want to use
cookies or the URL, then this sorta works.







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread Matthew Walker

Blah. That's a really ugly choice, but I suppose we may end up having to
do that.

I'd give my kingdom for always-on cookies. Ah well. I'll look into this
some more once my current project is finished. Thanks for your advice.
(And thanks to everyone else too)

Matthew Walker
Senior Software Engineer
ePliant Marketing
 

-Original Message-
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 6:26 PM
To: Matthew Walker
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Sessions Without Cookies or SID Passing...

> Could you explain how this could be accomplished, because I'm not
> understanding how to do it.
>
> As I understand HTTP Authentication (correct me if I'm wrong), the
> user's computer still has to send a 'username/password' pair to perform
> the authentication. I can't see how this could be used to maintain
> session data.
>
> But maybe my mind is just trapped in a rut. Please enlighten me.

The problem here is not where to store the session data.  That's obvious.
You store the session data on your server.  The real problem is linking
the session data (ie. the contents of a shopping cart) to a specific user
so when that same user is surfing through your site, on every request you
know which cart is his.  And if he goes away and comes back later, you
again can go find his cart and you know what is in it.

Ergo, therefore, if you are able to uniquely identify the user you have
solved your session problem.  HTTP Authentication does this brilliantly.
The only difference between cookies and http auth is that with a cookie
you send the remote user a unique identifier that is then sent back to you
whenever that specific user visits your site.  Because this happens
automatically and people don't like that, some people turn this off.
With HTTP authentication, instead of doing this automatically you have the
user create a profile on your site where part of this will include a
unique identifier and a password.  Each time the user visits your site
this information will be sent exactly like a cookie.  Depending on how
users configure their browsers they may have to log in at the beginning of
a session although these days most browsers have these password managers
that make this login procedure trivial.

-Rasmus







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-14 Thread David Freeman


 > You're missing one method - using the user's IP address
 > It's not a guaranteed fool-proof method, but if you don't 
 > want to use cookies or the URL, then this sorta works.

Unless there's a firewall using NAT or a proxy cache involved.  I know
for a fact that our internal network only ever reports the address of
our firewall.  We run an Internet kiosk of sorts so if two or three
people hit your site from inside our firewall they will all look like
the same person.

We're not alone in doing this sort of thing.

CYA, Dave







RE: [PHP] Sessions Without Cookies or SID Passing...

2002-05-15 Thread Garth Dahlstrom

> maintain state across requests.  This is done in 3 different ways.

> 1. Cookies
> 2. URL Mangling
> 3. HTTP Authentication

#4 Passing a SID/Session info in hidden fields, but it means 
you must push every page move through a submit (which can be 
done with Javascript, image buttons, etc), depending on what you 
are trying to do it might be alright...

-GED







Re: [PHP] Sessions : see also "Tracking file downloads"

2002-06-18 Thread 1LT John W. Holmes

You can do whatever you want, of course.

Sessions just make your code easier and portable and more people will be
able to understand what you're talking about.

Sessions are just a way to pass a variable between pages. You assign a
variable to the session, and you retrieve it on any other page that has a
session. That's it. You can use regular variables or arrays...

---John Holmes...
- Original Message -
From: "PHPCoder" <[EMAIL PROTECTED]>
To: "php-general" <[EMAIL PROTECTED]>
Sent: Tuesday, June 18, 2002 8:12 AM
Subject: [PHP] Sessions : see also "Tracking file downloads"


> HI
> While waiting for responses on my first question, I've done some reading
> on sessions, and came up with the following questions:
> First, I have been coding with PHP for a while without knowing about
> sessions, and have completed a couple of rather large projects without
> using sessions as such, yet, much of what I have read on sessions, I
> have done "manually" already by creating my own unique "id's" and
> passing them on via url to the subsequent pages.
> So, here is my question.
> Are sessions basically just that, made "easier", or are there
> fundamental differences/advantages. I know (now after reading a bit)
> about the use of cookies etc if available when using sessions, and that
> you cannot "overwrite" a session variable by passing it via url, but are
> those the only differences? So, basically, do you really HAVE to use
> sessions, or is it like most other things in life; "there is more than
> one way to skin a cat". Are there set "rules" or guidelines to when one
> would definitely absolutely have to use sessions?
>
> Thanks
> Hope I make sense...
>






Re: [PHP] Sessions, how they exist and die

2002-07-25 Thread Tech Support

Hi Matt,

The user's browser will retain the session cookie as long as it is open
unless "session.cookie_lifetime" is set to something other than zero in the
php.ini or you can also set it in your script like this:

// set session cookie to expire in 30 minutes.
ini_set("session.cookie_lifetime","1800");

If they don't close their browser they can leave and come back to your site
and still have the same session. In I.E. you can even pop a new browser and
the child browser will have the same session cookie as the parent.
Feature or bug??? Who knows.

As far as the files in /tmp are concerned... There are two variables that
control them in the php.ini

1) session.gc_maxlifetime
2) session.gc_probability

if session.gc_maxlifetime is set to 1800 then php will see any files left in
/tmp as garbage after 30 minutes. session.gc_probability is a percentual
probability that any "garbage" will be deleted. Since any files left in /tmp
will be useless to a browser that exceeded our 30 minutes they are not
harmful but will need to be culled eventually to keep it from growing
forever. If session.gc_probability was set 100 then every single time there
was session activity the "garbage" files would be deleted. This could get to
be too much extra overhead on a busy server so you could set it to something
like 1 so that only every 1 out of a hundred times there was session
activity the "garbage" files would be deleted.

NOTE: if session.gc_maxlifetime is set to something less than
session.cookie_lifetime and gc_probability is high (or you just get unlucky
and the number comes up) session data on the server could be deleted and the
user's browser would still have the old session cookie to a session that no
longer exists. This means that the user will not be able to get another
session and can make a mess of an ecommerce deal. I believe all three ini
variables can be set by user via ini_set and I would strongly recommend
taking advantage of that if you are on a shared server and cannot control
what's in php.ini.
http://www.php.net/manual/en/function.ini-set.php

Sorry for the book. But sessions can be difficult to grasp if you're new and I
thought this was important.

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
- Original Message -
From: "Matt Babineau" <[EMAIL PROTECTED]>
To: "'PHP'" <[EMAIL PROTECTED]>
Sent: Thursday, July 25, 2002 9:15 AM
Subject: [PHP] Sessions, how they exist and die


> My question is, if I have a user on my web site, and they leave and come
> back does their session still exist? the file in the /tmp folder exists
> until it is deleted by the OS? If the user comes back will they get
> assigned the same session they had before? I know the questions are
> pretty newbish but I have had experiences in other languages in the past
> where this is the case. The session cookie stayed in the users browser,
> so they kept getting the same session and not a new session if they left
> and came back a day later.
>
> Matt Babineau
> MCWD / CCFD
> -
> e:   [EMAIL PROTECTED]
> p: 603.943.4237
> w:   http://www.criticalcode.com
> PO BOX 601
> Manchester, NH 03105
>
>



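The interplay of the three settings described in the message above, as an added example that is not part of the original post or of PHP itself: it keeps the server-side lifetime at least as long as the accepted idle time and enforces the idle limit in the application, because garbage collection only runs on a fraction of requests. `IDLE_LIMIT`, `start_app_session()`, `session_is_fresh()`, the `last_seen` key and `/login.php` are assumed names.

```php
<?php
// Added example. IDLE_LIMIT, start_app_session(), session_is_fresh(), the
// 'last_seen' key and /login.php are hypothetical names, not from the post.
const IDLE_LIMIT = 1800; // 30 minutes, as in the message above

function start_app_session(): void
{
    // Must run before session_start() and before any output is sent.
    // Keep server-side data at least as long as the idle limit, so the
    // garbage collector never removes a session the application still accepts.
    ini_set('session.gc_maxlifetime', (string) (IDLE_LIMIT + 300));
    // 0 = cookie lives until the browser closes. A non-zero lifetime counts
    // from when the cookie was issued, not from the last request.
    ini_set('session.cookie_lifetime', '0');
    // GC runs on about gc_probability / gc_divisor of requests (1 in 100 here).
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// GC is probabilistic, so an expired file may linger and still be readable.
// Enforce the idle limit explicitly instead of relying on GC to do it.
function session_is_fresh(int $now): bool
{
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && ($now - $last) > IDLE_LIMIT) {
        $_SESSION = [];               // discard the stale data
        session_regenerate_id(true);  // new ID, delete the old session file
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

start_app_session();
if (!session_is_fresh(time())) {
    // Constructed handling: send the user back to the login page.
    header('Location: /login.php');
    exit;
}
```

On a shared host where several sites write to the same session save path, the lowest `session.gc_maxlifetime` among them decides when files are removed, so a separate `session.save_path` is needed for the value set here to hold.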




RE: [PHP] Sessions, Is this behavior by design?

2001-08-21 Thread Johnson, Kirk

> apparently, session_is_registered and isset return null if 
> they evaluate to
> false.  I was expecting boolean true and false return values, 

What you were expecting is correct, boolean true/false. However, it appears
that PHP converts these values to strings during the echo. true converts to
the string 1, while a false string is the empty (null) string.

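<?php
$a = true;
echo "a is $a ";   // prints "a is 1 "
$a = false;
echo "a is $a ";   // prints "a is " (false becomes the empty string)
?>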

Kirk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]



