Re: [PHP] Session data lost in Firefox
On Fri, Oct 26, 2012 at 8:49 AM, John Boy serv...@greenholdings.co.uk wrote:

> Hi
>
> I have a website where PHP session data is passed page to page then shells out to Paypal for payment then back to my website for completion of transaction and update of mysql file. When using Firefox our session data and POST data from Paypal is lost. This has happened only recently and has worked happily in the past. Works in other browsers too. Anyone heard of same problems?
>
> mywebpage -> session data->mywebpage2->session data->paypal page->POST data + session data->mywebpage3
>
> --
> Johniboy

Just a thought - does this depend on using third party cookies between your site and PayPal? If so, do you have them disabled in Firefox?

Andrew
Re: [PHP] Session data lost in Firefox
Looks like it was a corrupted Paypal cookie lurking about on my test machine. Clearing all Paypal cookies cured the problem. Hours can be spent looking for needles like this in a very complex haystack and it turns out to be the simplest solution that's not even related directly to the programming.

Thanks, Andrew for the prompting!

However if this happened on a punter's computer the same would happen - so is there a way of coding the removal of third party cookies to avoid this problem?

Andrew Ballard aball...@gmail.com wrote in message news:cac1b6rsbydmopeulin0fjmax-vap_uas_1w6e-nr-1shwm+...@mail.gmail.com...

> On Fri, Oct 26, 2012 at 8:49 AM, John Boy serv...@greenholdings.co.uk wrote:
>
> > Hi
> >
> > I have a website where PHP session data is passed page to page then shells out to Paypal for payment then back to my website for completion of transaction and update of mysql file. When using Firefox our session data and POST data from Paypal is lost. This has happened only recently and has worked happily in the past. Works in other browsers too. Anyone heard of same problems?
> >
> > mywebpage -> session data->mywebpage2->session data->paypal page->POST data + session data->mywebpage3
> >
> > --
> > Johniboy
>
> Just a thought - does this depend on using third party cookies between your site and PayPal? If so, do you have them disabled in Firefox?
>
> Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session data lost in Firefox
On Fri, Oct 26, 2012 at 12:12 PM, John Boy serv...@greenholdings.co.uk wrote:

> Looks like it was a corrupted Paypal cookie lurking about on my test machine. Clearing all Paypal cookies cured the problem. Hours can be spent looking for needles like this in a very complex haystack and it turns out to be the simplest solution that's not even related directly to the programming.
>
> Thanks, Andrew for the prompting!
>
> However if this happened on a punter's computer the same would happen - so is there a way of coding the removal of third party cookies to avoid this problem?

As far as I know, if you can set a cookie you can also clear it. I don't like the approach, though. I have 3rd party cookies disabled on purpose.

Andrew
Re: [PHP] session data
On Tue, 2010-06-01 at 21:54 +0100, Colin Finnis wrote:

> I'm having a problem with session data. I have a login setup which holds the user ID and password in the session data once the user has initially logged in. When the user goes to a new page or accesses a pop up window the user's session data is validated against a list of IDs and passwords held on the system rather than forcing them to log in each time. As far as I can work out this is fairly standard stuff for this sort of process.
>
> It works fine in Firefox but is very inconsistent when used in IE 7. On occasions when a new page is accessed the user is forced to login again. The reason for this appears to be that the variables in which the ID and password are stored don't exist. I have a whole load of trace code which gives me various information and session ID is apparently being picked up correctly. The weird thing is that if you reload the page it will then work correctly.
>
> I have tried adding session_write_close as I thought the data was not being written out correctly during the initial login.
>
> This code has been developed in eclipse using an Apache web server and works just fine in this environment. I am trying to deploy it to an IIS server to which I only have limited access and can't debug it in this environment.

Do you have an example of the code you're using, like a bare bones script?

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Session data files
Thanks, Tom - -

On May 8, 2009, at 12:37 PM, Tom Worster wrote:

> On 5/8/09 11:09 AM, phphelp -- kbk phph...@comcast.net wrote:
>
> > Just something I'm curious about:
> >
> > When I run PHP on my development box (W2K), I just get one session file per connection which gets deleted (usually) after the session expires.
> >
> > When I look at the session files on the client server (linux/apache), there seems to be one session file per page click. I needed to clear them a few minutes ago, and there are already 80+ files, and this is just from one user (a tester -- this is in late-late-late beta).
> >
> > Now, there is nothing wrong -- everything is working fine -- I am just curious if Apache does this differently, or if there is a configuration setting that governs this (I haven't found -- but only did a cursory look).
> >
> > Anybody willing to take the time to enlighten me?
>
> have you satisfied yourself that what you're seeing is not just an artifact of how the session garbage collector works?
>
> http://us.php.net/manual/en/session.configuration.php
>
> maybe compare the gc parameters on the two different machines? phpinfo() displays the values.
Re: [PHP] Session data files
On 5/8/09 11:09 AM, phphelp -- kbk phph...@comcast.net wrote:

> Just something I'm curious about:
>
> When I run PHP on my development box (W2K), I just get one session file per connection which gets deleted (usually) after the session expires.
>
> When I look at the session files on the client server (linux/apache), there seems to be one session file per page click. I needed to clear them a few minutes ago, and there are already 80+ files, and this is just from one user (a tester -- this is in late-late-late beta).
>
> Now, there is nothing wrong -- everything is working fine -- I am just curious if Apache does this differently, or if there is a configuration setting that governs this (I haven't found -- but only did a cursory look).
>
> Anybody willing to take the time to enlighten me?

have you satisfied yourself that what you're seeing is not just an artifact of how the session garbage collector works?

http://us.php.net/manual/en/session.configuration.php

maybe compare the gc parameters on the two different machines? phpinfo() displays the values.
Re: [PHP] Session data disappearing?
In edit_schedule.phps:

if (isset($_POST['add_available'])){
  $year = $_POST['year'];
  $year = $year['NULL'];
  $month = $_POST['month'];
  $month = $month['NULL'];
  $day = $_POST['day'];
  $day = $day['NULL'];
  $time = $_POST['time'];
  $time = $time['NULL'];
  ...
}

after this is done.. $year, $month, $day, and $time should all be arrays with a single 'null' (not the keyword null though) item with no value. ie. array(NULL=>);

what ARE you trying to do, you are making the POST vars global:
$day = $_POST['day'];
OK. (why do you even need to do this? whatever, matter of taste i guess..)
But then you over write their values, making them arrays with that single element 'NULL'
$day = $day['NULL'];
Not seeing the logic here...

Overall, and not to mean offence, but your code is kinda sloppy and has syntax and logic errors.

<?=$slot, ($taken ? ' <FONT COLOR=RED>TAKEN</FONT>' : '')?>
SHOULD be erroring up (if you have errors turned on, please say you do for development)
try:
<?php echo $slot; if ($taken) echo '<FONT COLOR=RED>TAKEN</FONT>'; ?>

and btw, the short conditional syntax is:
(condition) ? true : false;
// ie. (note the empty string... you gotta have SOMETHING there [right?i think so]
echo ($taken) ? '<FONT COLOR=RED>TAKEN</FONT>' : '' ;

Colin

On Mon, 28 Mar 2005 20:27:00 -0800 (PST), Richard Lynch [EMAIL PROTECTED] wrote:

> Can anybody 'splain under what conditions $_SESSION values would turn into NULL for no reason I can figure out?
>
> It happens consistently on this one FORM submission, but works fine on others.
>
> PHP 5.0.3
> FreeBSD 5.3-RELEASE
>
> Tried with Cookies and with trans_sid
> No difference.
>
> Tried altering the session.name and no difference.
>
> Naturally, I can't pare it down to a smaller example yet. :-(
>
> I'm calling session_start(), for sure.
>
> I'm dumping out session_id() and it has the same 32-character value as before.
>
> But one page has $_SESSION data, and the next, poof all the string(#)=# values turn into NULL
>
> Actually only two out of three values was disappearing for awhile.
>
> This worked fine under Windows XP on my laptop, so I'm reasonably certain it's not my code at fault, at least not totally.
>
> Working versions:
> PHP 4.3.9
> Windows XP Home Edition
>
> I've searched bugs.php.net, and found nothing that matched up in any obvious way to what I'm experiencing, though maybe I just missed it.
>
> H. Maybe I can blame the CSS somehow. That always seems to screw me up. :-v
>
> Anybody willing to poke at it can email me off list for a username/password and I'll set it up for you to see it in action.
>
> Source code (kinda long, sorry):
> http://acousticdemo.com/edit_schedule.phps
> http://acousticdemo.com/globals.phps
> http://acousticdemo.com/client_id.phps
> http://acousticdemo.com/global.phps (CSS)
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Re: [PHP] Session data disappearing?
Colin Ross wrote:

> In edit_schedule.phps:
>
> if (isset($_POST['add_available'])){
>   $year = $_POST['year'];
>   $year = $year['NULL'];
>   $month = $_POST['month'];
>   $month = $month['NULL'];
>   $day = $_POST['day'];
>   $day = $day['NULL'];
>   $time = $_POST['time'];
>   $time = $time['NULL'];
>   ...
> }
>
> after this is done.. $year, $month, $day, and $time should all be arrays with a single 'null' (not the keyword null though) item with no value. ie. array(NULL=>);
>
> what ARE you trying to do, you are making the POST vars global:
> $day = $_POST['day'];
> OK. (why do you even need to do this? whatever, matter of taste i guess..)
> But then you over write their values, making them arrays with that single element 'NULL'
> $day = $day['NULL'];
> Not seeing the logic here...

didn't spot this yet. will take another look - maybe this is the prob? hmm.

> Overall, and not to mean offence, but your code is kinda sloppy and has syntax and logic errors.

Richards style is just different to yours, me thinks.

> <?=$slot, ($taken ? ' <FONT COLOR=RED>TAKEN</FONT>' : '')?>
> SHOULD be erroring up (if you have errors turned on, please say you do for development)

Richard aint no noob :-) ...the syntax you point out as being bad is completely legal.

> try:
> <?php echo $slot; if ($taken) echo '<FONT COLOR=RED>TAKEN</FONT>'; ?>
>
> and btw, the short conditional syntax is:
> (condition) ? true : false;
> // ie. (note the empty string... you gotta have SOMETHING there [right?i think so]
> echo ($taken) ? '<FONT COLOR=RED>TAKEN</FONT>' : '' ;
>
> Colin
>
> On Mon, 28 Mar 2005 20:27:00 -0800 (PST), Richard Lynch [EMAIL PROTECTED] wrote:
>
> > Can anybody 'splain under what conditions $_SESSION values would turn into NULL for no reason I can figure out?
> >
> > It happens consistently on this one FORM submission, but works fine on others.
> >
> > PHP 5.0.3
> > FreeBSD 5.3-RELEASE
> >
> > Tried with Cookies and with trans_sid
> > No difference.
> >
> > Tried altering the session.name and no difference.
> >
> > Naturally, I can't pare it down to a smaller example yet. :-(
> >
> > I'm calling session_start(), for sure.
> >
> > I'm dumping out session_id() and it has the same 32-character value as before.
> >
> > But one page has $_SESSION data, and the next, poof all the string(#)=# values turn into NULL
> >
> > Actually only two out of three values was disappearing for awhile.
> >
> > This worked fine under Windows XP on my laptop, so I'm reasonably certain it's not my code at fault, at least not totally.
> >
> > Working versions:
> > PHP 4.3.9
> > Windows XP Home Edition
> >
> > I've searched bugs.php.net, and found nothing that matched up in any obvious way to what I'm experiencing, though maybe I just missed it.
> >
> > H. Maybe I can blame the CSS somehow. That always seems to screw me up. :-v
> >
> > Anybody willing to poke at it can email me off list for a username/password and I'll set it up for you to see it in action.
> >
> > Source code (kinda long, sorry):
> > http://acousticdemo.com/edit_schedule.phps
> > http://acousticdemo.com/globals.phps
> > http://acousticdemo.com/client_id.phps
> > http://acousticdemo.com/global.phps (CSS)
> >
> > --
> > Like Music?
> > http://l-i-e.com/artists.htm
Re: [PHP] Session data disappearing?
On Tue, March 29, 2005 3:06 am, Colin Ross said:

> In edit_schedule.phps:
>
> if (isset($_POST['add_available'])){
>   $year = $_POST['year'];
>   $year = $year['NULL'];
>   $month = $_POST['month'];
>   $month = $month['NULL'];
>   $day = $_POST['day'];
>   $day = $day['NULL'];
>   $time = $_POST['time'];
>   $time = $time['NULL'];
>   ...
> }
>
> after this is done.. $year, $month, $day, and $time should all be arrays with a single 'null' (not the keyword null though) item with no value. ie. array(NULL=>);

No.

> what ARE you trying to do, you are making the POST vars global:
> $day = $_POST['day'];
> OK. (why do you even need to do this? whatever, matter of taste i guess..)
> But then you over write their values, making them arrays with that single element 'NULL'
> $day = $day['NULL'];
> Not seeing the logic here...

All of those $_POST elements *ARE* arrays because the HTML has NAME=year[...]

For pre-existing slots, they have a valid slot_id in the array index.

For the one NEW item to be inserted, I used the key [NULL] which in HTTP turns into 'NULL' as an index into the array.

In other words, if there were 3 pre-existing slots, and the user fills in the NEW date to add, and I did:

var_dump($_POST['date']);

I'd get something not unlike:

array('1'=>'2005-04-01', '2'=>'2005-04-04', '3'=>'2005-04-05', 'NULL'=>'2005-04-06');

Thus, $year = $_POST['year']; gets me the whole array, and then $year = $year['NULL'] gets me the NEW year they are asking me to insert.

I dunno why this seemed so confusing, but it makes perfect sense to me. [shrug]

> Overall, and not to mean offence, but your code is kinda sloppy and has syntax and logic errors.
>
> <?=$slot, ($taken ? ' <FONT COLOR=RED>TAKEN</FONT>' : '')?>
> SHOULD be erroring up (if you have errors turned on, please say you do for development)
> try:
> <?php echo $slot; if ($taken) echo '<FONT COLOR=RED>TAKEN</FONT>'; ?>
>
> and btw, the short conditional syntax is:
> (condition) ? true : false;
> // ie. (note the empty string... you gotta have SOMETHING there [right?i think so]
> echo ($taken) ? '<FONT COLOR=RED>TAKEN</FONT>' : '' ;

Yes, <?= is not portable to a site that doesn't have short_tags ON.

No, I don't care, since I'll NEVER move this code to another host/server.

Note that echo takes multiple arguments.

Note that the parens I use are to group the second argument to the echo statement. The second argument being a valid ternary operator statement.

So there are no error messages because it *IS* syntactically (and logically) valid.

The FIRST thing I do on any new server/site is crank up E_ALL for the errors.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] Session data disappearing?
On Tue, March 29, 2005 2:52 am, Colin Ross said:

> a couple points on your code...
> if something makes it to the session scope, $_SESSION[], it should be valid/verified, so why copy them all to a global var?
> i.e. $name = $_SESSION['name'];

I don't want to litter my later code with $_SESSION['name'], basically. [shrug]

I'm still used to the old register_globals being ON so I basically import the variables I want to use from where they should come from, and add scrubbing after the logic is right.

I'll be wiping the database and starting fresh from my SQL script after that, so an SQL injection over the next couple days won't do much.

> why not just type true instead of a var that gets looked up everytime.
> $valid = true;
>
> secondly... any auth scheme using something like if ($_SESSION['valid_user']) is not very strong, and prolly has a big hole somewhere...
> ie.
> // $_REQUEST, i.e anything a user can type in the url
> $username = $_REQUEST['username'];
> $password = $_REQUEST['password'];
> $query = "select client_id, password = password('$password'), name, access from client where username = '$username'";
> // this is beggin for a sql injection attack here (although you may have magic quotes on, which i don't suggest... do your own escaping...)

Magic quotes is on. I'll add more scrubbing later.

> // check your SQL syntax, i'd be surprised if that runs like that... should be:
> $query = "SELECT client_id, password, name, access FROM `client` WHERE `username` = '$username' AND `password` = password($password)";

The SQL is correct, and works just fine.

> <STYLE><?php require 'global.css'?></STYLE>
> -- just use an external style sheet with either an @import or LINK

No, thank you. I don't trust browsers to cache or not cache style sheets correctly, nor do I feel the need for the extra HTTP connection to get the style sheet.

> <?=date('Y')?>
> -- avoid short open tags, and use a semicolon after every statement
> i.e. <?php echo date('Y' ); ?>

Again, I don't care about short open tags not being ON on your server. They're on for mine, and always will be, and this code is not intended to ever be ported anywhere.

The semi-colon is optional -- That is a documented feature.

--
Like Music?
http://l-i-e.com/artists.htm
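Added example (not code from this thread or from edit_schedule.phps): the login lookup quoted above, written so that it does not depend on magic quotes at all. It assumes a `client` table with the columns named in the quoted query, PHP 5.5+ with PDO and its SQLite driver, and `password_hash()`/`password_verify()` in place of MySQL's `password()`; the function names and the sample row are constructed for the demonstration.

```php
<?php
// Added example; not part of the original thread.
// Assumptions: table `client` with the columns named in the quoted query,
// an in-memory SQLite database so the script runs offline, and
// password_hash()/password_verify() instead of MySQL's password().

function make_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE client (
        client_id INTEGER PRIMARY KEY,
        username  TEXT UNIQUE NOT NULL,
        password  TEXT NOT NULL,
        name      TEXT NOT NULL,
        access    TEXT NOT NULL)');
    // Constructed sample row.
    $ins = $db->prepare(
        'INSERT INTO client (username, password, name, access) VALUES (?, ?, ?, ?)'
    );
    $ins->execute(array(
        'demo',
        password_hash('correct horse', PASSWORD_DEFAULT),
        'Demo Client',
        'client',
    ));
    return $db;
}

/**
 * Look the user up with a bound parameter and verify the password in PHP.
 * Returns the client row (without the hash) on success, false otherwise.
 */
function authenticate(PDO $db, $username, $password)
{
    // A request such as username[]=x arrives as an array; reject non-strings.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }

    // The value is sent separately from the SQL text, so quotes in
    // $username cannot change the statement, with or without magic quotes.
    $stmt = $db->prepare(
        'SELECT client_id, password, name, access
           FROM client
          WHERE username = :username'
    );
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one hash comparison so the response
        // time does not reveal whether the username exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    unset($row['password']);  // never carry the hash into the session
    return $row;
}

/**
 * Store only the verified identity in the session, under a fresh ID.
 */
function remember_client(array $client)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // drop any pre-login session ID
    }
    $_SESSION['client_id'] = (int) $client['client_id'];
    $_SESSION['access']    = $client['access'];
}

// Constructed inputs, including a username containing a quote and an
// array where a string is expected.
$db = make_demo_db();
$cases = array(
    'valid login'             => array('demo', 'correct horse'),
    'wrong password'          => array('demo', 'wrong'),
    'quote in username'       => array("demo' --", 'anything'),
    'array instead of string' => array(array('demo'), 'correct horse'),
);
foreach ($cases as $label => $case) {
    $client = authenticate($db, $case[0], $case[1]);
    printf(
        "%-24s %s\n",
        $label,
        $client === false ? 'rejected' : 'accepted as client_id ' . $client['client_id']
    );
}
```

In a web request the two credentials would be read from `$_POST` rather than `$_REQUEST`, and `remember_client()` would be called after `session_start()` once `authenticate()` returns a row.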
Re: [PHP] Session data is lost
From: Harald Kürsten [EMAIL PROTECTED]

> In my script I start a session, register certain variables and redirect to the next page. The session file is written to /tmp, but contains no data !

Does a simple session example from the Manual work? Some actual code would help here, but try using session_write_close() before you redirect.

---John Holmes...
Re: [PHP] Session data is lost
--- CPT John W. Holmes [EMAIL PROTECTED] wrote:

> From: Harald Kürsten [EMAIL PROTECTED]
>
> > In my script I start a session, register certain variables and redirect to the next page. The session file is written to /tmp, but contains no data !
>
> Does a simple session example from the Manual work? Some actual code would help here, but try using session_write_close() before you redirect.

Yes, some code or information of some sort would be helpful, but here is a wild guess:

http://marc.theaimsgroup.com/?l=php-general&m=102929828515647&w=2

Hope that helps.

Chris

=
HTTP Developer's Handbook
http://shiflett.org/books/http-developers-handbook
My Blog
http://shiflett.org/
RE: [PHP] Session data getting lost
* Thus wrote Rich Gray ([EMAIL PROTECTED]):

> > Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...
>
> this makes absolutely no sense. So if I use a function improperly, it should become deprecated?

Er ...I'm not using it improperly I'm just not using it at all. Why? Because it behaves differently in different operating conditions. Sure I could write extra code to detect the operating conditions but what's the point? If globals are off you can't use it as it doesn't work... The manual seems to make it pretty obvious to me that it should be avoided and even mentions the function is deprecated in a code example...

> session_register() is used in cases where you have register_globals on; it is not used when it is off.

So are you happy to use session_register() in your code?
RE: [PHP] Session data getting lost
* Thus wrote Rich Gray ([EMAIL PROTECTED]):

> > So you're telling me that all variables defined in the global scope are automatically added to the $_SESSION array...? Not true I think
>
> no. read the documentation, in full.

you're right - I'm sorry I hadn't read it in full...

> The solution to your problem was resolved from the first reply (by Chris Shiflett), but you rejected it because of it not making sense to you, which seems to be the problem.

Yes, however I was simply asking Chris to explain to me more as it didn't make sense to me (because I hadn't read the manual fully). I mistakenly expected the $_SESSION array to hold copies of assigned data not references to the global namespace variable ... my expectations were based on PHP's current default behaviour of pass by copy rather than by reference.

It seems with globals on it can become a minefield eg below where a script happens to define and use a variable with the same name as an entry in the $_SESSION array...

<?php
// script_a.php - developed by dev A
session_start();
$_SESSION['test'] = 'dev A saves some data';
header('Location: script_b.php');
?>

<?php
// script_b.php - developed by dev B
session_start();
$test = 'I am another variable in the global scope that happens to have the same name as a $_SESSION array entry';
print_r($_SESSION); // dev B has just trashed dev A's saved data...
?>
Re: [PHP] Session data getting lost
Hi,

Rich Gray [EMAIL PROTECTED] wrote:

> Well a function that doesn't work under certain conditions should be deprecated IMO

Interesting comment... However, there are TONS of functions that wouldn't work unless the module/extension were enabled during compilation/runtime.

A couple of examples:

http://www.php.net/xslt
http://www.php.net/mbstring

So, just because *those* functions don't work on certain conditions doesn't mean they should be deprecated. ;) Or, maybe I just missed your point :)

- E -

...[snip]...
RE: [PHP] Session data getting lost
You have to put session_start(); at the VERY TOP of your code. even before all the html tags.

Hope that helps!

Jan

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 16. September 2003 20:17
To: Rich Gray; [EMAIL PROTECTED] Php. Net
Subject: Re: [PHP] Session data getting lost

--- Rich Gray [EMAIL PROTECTED] wrote:
> I'm running v4.2.3 on RedHat v7.0 and am getting some strange behaviour with the $_SESSION superglobal...
> ...
> It works fine on Win2K albeit v4.3.0 of PHP.

Maybe you have register_globals enabled on your Linux server and not on your Windows PC? Compare php.ini files before giving it too much thought.

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
RE: [PHP] Session data getting lost
Chris

Thanks for your answer which I'm sorry to say makes no sense to me given the code example I supplied ... can you explain to me why you think register globals being set to on for the Linux server will cause the $_SESSION superglobal array to lose data? Am I missing something obvious here?

Thx
Rich

> --- Rich Gray [EMAIL PROTECTED] wrote:
> > I'm running v4.2.3 on RedHat v7.0 and am getting some strange behaviour with the $_SESSION superglobal...
> > ...
> > It works fine on Win2K albeit v4.3.0 of PHP.
>
> Maybe you have register_globals enabled on your Linux server and not on your Windows PC? Compare php.ini files before giving it too much thought.
>
> Chris
RE: [PHP] Session data getting lost
Jan

Sorry - no that doesn't help - as you can see from the code snippet I posted the session_start() is at the very top of the code...

Thx anyway.
Rich

> You have to put session_start(); at the VERY TOP of your code. even before all the html tags.
>
> Hope that helps!
>
> Jan
>
> > --- Rich Gray [EMAIL PROTECTED] wrote:
> > > I'm running v4.2.3 on RedHat v7.0 and am getting some strange behaviour with the $_SESSION superglobal...
> > > ...
> > > It works fine on Win2K albeit v4.3.0 of PHP.
> >
> > Maybe you have register_globals enabled on your Linux server and not on your Windows PC? Compare php.ini files before giving it too much thought.
> >
> > Chris
RE: [PHP] Session data getting lost
[snip]
<?php
session_start();
$test = -1;
.
[/snip]

I think you need to register test

http://us3.php.net/session_register

HTH!
RE: [PHP] Session data getting lost
Jay

Thanks, but no I don't think so ... session_register() is deprecated ...

Quote PHP manual:
"Caution: If you want your script to work regardless of register_globals, you need to instead use the $_SESSION array as $_SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where the PHP directive register_globals is disabled."

Cheers
Rich

> [snip]
> <?php
> session_start();
> $test = -1;
> .
> [/snip]
>
> I think you need to register test
>
> http://us3.php.net/session_register
>
> HTH!
RE: [PHP] Session data getting lost
[snip]
Thanks, but no I don't think so ... session_register() is deprecated ...
[/snip]

Not deprecated, just doesn't work when register_globals is off in the .ini

Have you done a print_r($_SESSION) to see if in fact the $test variable is contained?
RE: [PHP] Session data getting lost
Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...

To answer your question ... yep I've used print_r() and after the 1st form submission the entry is set to -1 however at no time do I ever set $_SESSION['test'] to -1 in my code example ...

Rich

> [snip]
> Thanks, but no I don't think so ... session_register() is deprecated ...
> [/snip]
>
> Not deprecated, just doesn't work when register_globals is off in the .ini
>
> Have you done a print_r($_SESSION) to see if in fact the $test variable is contained?
RE: [PHP] Session data getting lost
[snip]
Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...

To answer your question ... yep I've used print_r() and after the 1st form submission the entry is set to -1 however at no time do I ever set $_SESSION['test'] to -1 in my code example ...
[/snip]

Nope, but $test is a GLOBAL variable, and therefore would be set to -1 within $_SESSION as all GLOBALS are, as you pointed out earlier, registered with $_SESSION. If $test is within a function it is a PRIVATE variable, local to the function only, unless declared as a GLOBAL.
RE: [PHP] Session data getting lost
So you're telling me that all variables defined in the global scope are automatically added to the $_SESSION array...? Not true I think

> [snip]
> Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...
>
> To answer your question ... yep I've used print_r() and after the 1st form submission the entry is set to -1 however at no time do I ever set $_SESSION['test'] to -1 in my code example ...
> [/snip]
>
> Nope, but $test is a GLOBAL variable, and therefore would be set to -1 within $_SESSION as all GLOBALS are, as you pointed out earlier, registered with $_SESSION. If $test is within a function it is a PRIVATE variable, local to the function only, unless declared as a GLOBAL.
Re: [PHP] Session data getting lost
* Thus wrote Rich Gray ([EMAIL PROTECTED]):

> Chris
>
> Thanks for your answer which I'm sorry to say makes no sense to me given the code example I supplied ... can you explain to me why you think register globals being set to on for the Linux server will cause the $_SESSION superglobal array to lose data? Am I missing something obvious here?

This makes perfect sense (see below for what makes sense since you top posted.)

This is all explained if you read the session documentation.

http://php.net/session

<snip for the lazy>
If register_globals is enabled, then the global variables and the $_SESSION entries will automatically reference the same values which were registered in the prior session instance.
</snip>

> > --- Rich Gray [EMAIL PROTECTED] wrote:
> > > I'm running v4.2.3 on RedHat v7.0 and am getting some strange behaviour with the $_SESSION superglobal...
> > > ...
> > > It works fine on Win2K albeit v4.3.0 of PHP.
> >
> > Maybe you have register_globals enabled on your Linux server and not on your Windows PC? Compare php.ini files before giving it too much thought.

Curt
--
I used to think I was indecisive, but now I'm not so sure.
RE: [PHP] Session data getting lost
[snip]
So you're telling me that all variables defined in the global scope are automatically added to the $_SESSION array...? Not true I think
[/snip]

You're right of course. I went back to your original code and stripped it back some

<?php
session_start();
$test = -1;
echo $_SESSION['test']."\n";
$test = 999;
$_SESSION['test'] = $test;
echo $_SESSION['test']."\n";
?>

The logic is incorrect, when you reload the page $test gets set to -1 before your echo statement. After your echo statement it gets set to 999. On reload it again gets set to -1 before your echo. The second echo is always right (for what you want). If you comment out $test = -1; both echos come back correctly.

Since you have declared $_SESSION['test'] once and the session is still in effect on the reload the first echo comes back -1 since that is what the declared variable is now worth. Make sense?
Re: [PHP] Session data getting lost
* Thus wrote Rich Gray ([EMAIL PROTECTED]):

> So you're telling me that all variables defined in the global scope are automatically added to the $_SESSION array...? Not true I think

no. read the documentation, in full.

The solution to your problem was resolved from the first reply (by Chris Shiflett), but you rejected it because of it not making sense to you, which seems to be the problem.

> > [snip]
> > Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...
> >
> > To answer your question ... yep I've used print_r() and after the 1st form submission the entry is set to -1 however at no time do I ever set $_SESSION['test'] to -1 in my code example ...
> > [/snip]
> >
> > Nope, but $test is a GLOBAL variable, and therefore would be set to -1 within $_SESSION as all GLOBALS are, as you pointed out earlier, registered with $_SESSION. If $test is within a function it is a PRIVATE variable, local to the function only, unless declared as a GLOBAL.

Curt
--
I used to think I was indecisive, but now I'm not so sure.
Re: [PHP] Session data getting lost
* Thus wrote Rich Gray ([EMAIL PROTECTED]):
> Well a function that doesn't work under certain conditions should be deprecated IMO ... I haven't used it for a long time now...

this makes absolutely no sense. So if I use a function improperly, it should become deprecated? session_register() is used in cases where you have register_globals on; it is not used when it is off.

Curt
--
I used to think I was indecisive, but now I'm not so sure.
Re: [PHP] Session data getting lost
--- Rich Gray [EMAIL PROTECTED] wrote:
> I'm running v4.2.3 on RedHat v7.0 and am getting some strange behaviour with the $_SESSION superglobal...
> ...
> It works fine on Win2K albeit v4.3.0 of PHP.

Maybe you have register_globals enabled on your Linux server and not on your Windows PC? Compare php.ini files before giving it too much thought.

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
RE: [PHP] session data missing
-Original Message-
From: ulf sundin [mailto:[EMAIL PROTECTED]
Sent: 13 July 2003 23:37

> I'm not the admin on the server, so I'll have to manage with the software provided. And that is php 4.0.6.

Ah, right. Me, too, actually, which is why I still have the 4.0.6 manual on my PC!

> I've tried a number of ways to store variables in the session file. This works:
>     session_start();
>     $foo = 'bar';
>     session_register('foo');
> then after session_write_close(); or end of script:
>     echo $HTTP_SESSION_VARS['foo'];
> will output 'bar'.
> just adding variables directly into the HTTP_SESSION_VARS array won't make them stick in the session file.

No, I wouldn't expect them to as the manual explicitly says they won't.

> Use of session_register() seems to be required.

Yes. I'd expect that too -- the 4.0.6 manual is again quite clear that you can only get variables into your session with session_register(). What it's not so clear about is whether

    session_register('foo');
    $HTTP_SESSION_VARS['foo'] = 'bar';

will set the session variable foo to 'bar' under all circumstances -- it implies that it should when register_globals is off, but is very ambiguous about exactly what happens when register_globals is on.

Thanks for the heads-up on this topic -- I'm just about to start writing some code which will make heavy use of sessions, and initially it will have to work for version 4.0.6 (until my site admin decides to upgrade), so I guess I've got some heavy testing in prospect on my test server to work out exactly what all the combinations do -- I need to write stuff that will work regardless of register_globals, and will continue to work unchanged when the eventual upgrade to 4.3.x comes along.

Cheers!

Mike
-
Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
Re: [PHP] session data missing
I'm not the admin on the server, so I'll have to manage with the software provided. And that is php 4.0.6.

I've tried a number of ways to store variables in the session file. This works:

    session_start();
    $foo = 'bar';
    session_register('foo');

then after session_write_close(); or end of script:

    echo $HTTP_SESSION_VARS['foo'];

will output 'bar'.

just adding variables directly into the HTTP_SESSION_VARS array won't make them stick in the session file. Use of session_register() seems to be required.

Ulf

Mike Ford [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> -Original Message-
> From: Kevin Stone [mailto:[EMAIL PROTECTED]
> Sent: 09 July 2003 20:30
>
> > - Original Message -
> > From: ulf sundin [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Wednesday, July 09, 2003 1:00 PM
> > Subject: Re: [PHP] session data missing
> >
> > > ok, so now the variable names are registered and stored in the file. But without values. check this:
> > > --firstpage.php
> > >     session_start();
> > >     session_register('foo');
> > >     $HTTP_SESSION_VARS['foo'] = 'bar';
> > >     echo $HTTP_SESSION_VARS['foo']; //outputs bar;
> > > transport by a href to:
> > > secondpage.php
> > >     session_start();
> > >     echo $HTTP_SESSION_VARS['foo']; //outputs nothing
> > > ---
> > > checking the contents of the file called /tmp/sess_{session_id}:
> > >     !foo|
> > > (snip)
> >
> > Make a choice here..
> > = session_register('foo');
> > = $HTTP_SESSION_VARS['foo'] = 'bar';
> > Use either the session_register() function or the session global array. Not both.
>
> Not true -- $HTTP_SESSION_VARS is *not* like $_SESSION, and its values are *not* auto-registered. In fact, I still have my copy of the 4.0.6 manual around, and it specifically gives this as an example:
>
> Example 1. Registering a variable
>     <?php
>     session_register("count");
>     $HTTP_SESSION_VARS["count"]++;
>     ?>
>
> However, it's a little unclear on whether this should still work regardless of the register_globals setting, as it also gives this as an example:
>
> Example 2. Registering a variable with register_globals enabled
>     <?php
>     session_register("count");
>     $count++;
>     ?>
>
> I guess I'd have to go away and try it to be sure of what behaviour occurs for each setting of register_globals -- but there seems little point given that using $_SESSION has been much the best option for several versions now!
>
> Cheers!
>
> Mike
> -
> Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
RE: [PHP] session data missing
-Original Message-
From: Kevin Stone [mailto:[EMAIL PROTECTED]
Sent: 09 July 2003 20:30

> - Original Message -
> From: ulf sundin [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, July 09, 2003 1:00 PM
> Subject: Re: [PHP] session data missing
>
> > ok, so now the variable names are registered and stored in the file. But without values. check this:
> > --firstpage.php
> >     session_start();
> >     session_register('foo');
> >     $HTTP_SESSION_VARS['foo'] = 'bar';
> >     echo $HTTP_SESSION_VARS['foo']; //outputs bar;
> > transport by a href to:
> > secondpage.php
> >     session_start();
> >     echo $HTTP_SESSION_VARS['foo']; //outputs nothing
> > ---
> > checking the contents of the file called /tmp/sess_{session_id}:
> >     !foo|
> > (snip)
>
> Make a choice here..
> = session_register('foo');
> = $HTTP_SESSION_VARS['foo'] = 'bar';
> Use either the session_register() function or the session global array. Not both.

Not true -- $HTTP_SESSION_VARS is *not* like $_SESSION, and its values are *not* auto-registered. In fact, I still have my copy of the 4.0.6 manual around, and it specifically gives this as an example:

Example 1. Registering a variable
    <?php
    session_register("count");
    $HTTP_SESSION_VARS["count"]++;
    ?>

However, it's a little unclear on whether this should still work regardless of the register_globals setting, as it also gives this as an example:

Example 2. Registering a variable with register_globals enabled
    <?php
    session_register("count");
    $count++;
    ?>

I guess I'd have to go away and try it to be sure of what behaviour occurs for each setting of register_globals -- but there seems little point given that using $_SESSION has been much the best option for several versions now!

Cheers!

Mike
-
Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
RE: [PHP] session data missing
-Original Message-
From: ulf sundin [mailto:[EMAIL PROTECTED]
Sent: 09 July 2003 01:01

> After creating a new session with session_start() and inserting a few values e.g $HTTP_SESSION_VARS['foo'] = 'bar'; a file /tmp/sess_{session_id} is created. The problem is that this file is empty! 0 bytes. no data is stored. I'm using php 4.0.6 on linux with apache 1.3 something.

Just doing session_start() will create the file.

Are you also session_register()-ing your session vars? The $HTTP_SESSION_VARS array isn't like the $_SESSION array introduced in PHP 4.1 -- its values are not automatically registered. You still have to use session_register(), thus:

    session_start();
    session_register('foo');
    $HTTP_SESSION_VARS['foo'] = 'bar';

HTH

Cheers!

Mike
-
Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
RE: [PHP] session data missing
> After creating a new session with session_start() and inserting a few values e.g $HTTP_SESSION_VARS['foo'] = 'bar'; a file /tmp/sess_{session_id} is created. The problem is that this file is empty! 0 bytes. no data is stored. I'm using php 4.0.6 on linux with apache 1.3 something.

Check the register_globals setting in php.ini. If it is set to On, then code like this:

    session_start();
    $foo = 'bar';
    session_register('foo');
    echo $foo;

If register_globals is set to Off, then code as you are already doing:

    session_start();
    $HTTP_SESSION_VARS['foo'] = 'bar';
    echo "{$HTTP_SESSION_VARS['foo']}";

Kirk
Re: [PHP] session data missing
ok, so now the variable names are registered and stored in the file. But without values. check this:

--firstpage.php
    session_start();
    session_register('foo');
    $HTTP_SESSION_VARS['foo'] = 'bar';
    echo $HTTP_SESSION_VARS['foo']; //outputs bar;

transport by a href to:

secondpage.php
    session_start();
    echo $HTTP_SESSION_VARS['foo']; //outputs nothing
---

checking the contents of the file called /tmp/sess_{session_id}:
    !foo|

I guess it should be something like
    !foo=bar|
but, as I said, the values don't seem to stick in the file, just the names of the variables.

I must be doing something wrong.

Regards
Ulf

Mike Ford [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> -Original Message-
> From: ulf sundin [mailto:[EMAIL PROTECTED]
> Sent: 09 July 2003 01:01
>
> > After creating a new session with session_start() and inserting a few values e.g $HTTP_SESSION_VARS['foo'] = 'bar'; a file /tmp/sess_{session_id} is created. The problem is that this file is empty! 0 bytes. no data is stored. I'm using php 4.0.6 on linux with apache 1.3 something.
>
> Just doing session_start() will create the file.
>
> Are you also session_register()-ing your session vars? The $HTTP_SESSION_VARS array isn't like the $_SESSION array introduced in PHP 4.1 -- its values are not automatically registered. You still have to use session_register(), thus:
>
>     session_start();
>     session_register('foo');
>     $HTTP_SESSION_VARS['foo'] = 'bar';
>
> HTH
>
> Cheers!
>
> Mike
> -
> Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom
> Email: [EMAIL PROTECTED]
> Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
Re: [PHP] session data missing
- Original Message -
From: ulf sundin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 1:00 PM
Subject: Re: [PHP] session data missing

> ok, so now the variable names are registered and stored in the file. But without values. check this:
> --firstpage.php
>     session_start();
>     session_register('foo');
>     $HTTP_SESSION_VARS['foo'] = 'bar';
>     echo $HTTP_SESSION_VARS['foo']; //outputs bar;
> transport by a href to:
> secondpage.php
>     session_start();
>     echo $HTTP_SESSION_VARS['foo']; //outputs nothing
> ---
> checking the contents of the file called /tmp/sess_{session_id}:
>     !foo|
> (snip)

Make a choice here..
= session_register('foo');
= $HTTP_SESSION_VARS['foo'] = 'bar';

Use either the session_register() function or the session global array. Not both.

- Kevin
Re: [PHP] session data missing
ok. now I get it.

first set the session-variables like any other:
    $foo = 'bar';
then register them in the sessionfile:
    session_register('foo');

that makes sense. But it's not at all what the manual says. I guess my php version has passed its expiration date.

thanks for the help, anyway. It seems to be working the way I wanted it to.

Regards
Ulf

Kevin Stone [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> - Original Message -
> From: ulf sundin [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, July 09, 2003 1:00 PM
> Subject: Re: [PHP] session data missing
>
> > ok, so now the variable names are registered and stored in the file. But without values. check this:
> > --firstpage.php
> >     session_start();
> >     session_register('foo');
> >     $HTTP_SESSION_VARS['foo'] = 'bar';
> >     echo $HTTP_SESSION_VARS['foo']; //outputs bar;
> > transport by a href to:
> > secondpage.php
> >     session_start();
> >     echo $HTTP_SESSION_VARS['foo']; //outputs nothing
> > ---
> > checking the contents of the file called /tmp/sess_{session_id}:
> >     !foo|
> > (snip)
>
> Make a choice here..
> = session_register('foo');
> = $HTTP_SESSION_VARS['foo'] = 'bar';
>
> Use either the session_register() function or the session global array. Not both.
>
> - Kevin
Re: [PHP] Session Data
If your session id is not stored in a cookie (if url rewriting is on), then the $url page may not be getting your session id, and thus is starting a new, empty one?

Tony Bibbs wrote:
> I'm wrapping up an MVC implementation for PHP. Everything is working splendidly except that redirects seem to be losing session data. Here is the basic logic
>
> 1) on a form, user enters data hits submit
> 2) data validates OK, data is saved and $_SESSION['MVC_message'] is set to 'Save was successful'
> 3) After setting session data in step 2 above, a redirect is issued: header('Location: ' . $url);
> 4) The URL represented by $url within same app doesn't have any data in $_SESSION and I'm positive a session_destroy() isn't being called explicitly.
>
> The idea here is to show a page with context information for the user. Any ideas why this isn't working?
Re: [PHP] session data
Joseph Bannon wrote:
> 1) How long does session data remain on the server?
> 2) Is there a place I can set the expiration?

this is controlled by session.gc_maxlifetime

> 3) Will php automatically delete the old session data or do I have to do it?

previous answer implies yes, automatically

> Thanks,
> Joseph
>
> =
> RisingMusic.com 450,000 registered users. 14,000 registered bands and artists.
Re: [PHP] session data
> this is controlled by session.gc_maxlifetime

Is the number by second, minutes, etc?

Thanks,
J.
Re: [PHP] session data
If I remember my reading correctly...the php manual (or the notes in the ini file) specifies how the garbage collection is done on unix versus windows and under what situations. I remember that there were some situations where the system doesn't clean out the expired sessions!

Hope that helps a little!

Dickon...

- Original Message -
From: Joseph Bannon [EMAIL PROTECTED]
To: Marek Kilimajer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, March 05, 2003 11:17 AM
Subject: Re: [PHP] session data

> > this is controlled by session.gc_maxlifetime
>
> Is the number by second, minutes, etc?
>
> Thanks,
> J.
RE: [PHP] session data
> Is the number by second, minutes, etc?

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.

http://www.php.net/manual/en/ref.session.php

Bryan
Re: [PHP] Session Data Not Saving
On Tuesday 19 March 2002 23:29, you wrote:
> Should I change session.save_path? I have no idea of the ramifications of doing that, therefore I am not touching it unless someone says so.

The error message is quite explicit. As a quick fix and to confirm whether that is the problem: Check what session.save_path is set to and set whatever directory that is to be world read/writeable.

> As for permission denied, I am barely wet around the ears (or something) when it comes to permission setting. I am not sure what to set to allow who to access what.

I'm not sure how W2K (that's what you're using?) runs the webserver. In Linux one would set the directory to be accessible by the user running the webserver.

--
Jason Wong - Gremlins Associates - www.gremlins.com.hk
/* When the going gets tough, the tough get empirical. -- Jon Carroll */
RE: [PHP] session data vs cookie data
-Original Message-
From: Erik Price [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 3:30 PM
To: PHP
Subject: [PHP] session data vs cookie data

> I have read elsewhere that depending on Cookie data for site authentication is false economy, because Cookie data can be spoofed.

True

> I'm designing a login that auto-fills a person's name into a field for authentication (based on their $user_id, which is stored in the cookie), then they enter a password below that name and the fields are checked against data stored in MySQL. Standard authentication system.
>
> But from that point onward, I'd like to use a session variable that establishes the user's legitimacy as having logged in, using the cookie to store the SESSID. Barring the user spoofing the SESSID in the cookie, could someone easily fake legitimacy? I would think not, since the session data ($logged_in = 1 or something similar) is not stored in the cookie but rather on the server. But I just want to confirm.

It is possible to steal a session because a session_id is usually based on a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the session. And check them every page.

kind regards,
Jerry

> I should mention that I have register_globals = off in php.ini (4.1.0 on Linux).
>
> Thanks,
> Erik
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] session data vs cookie data
Jerry Verhoef wrote:
> It is possible to steal a session because a session_id is usually based on a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the session. And check them every page.
>
> kind regards,
> Jerry

Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.

Michael Kimsal
RE: [PHP] session data vs cookie data
When that happens a user has to relogin. No data will be lost.

Jerry

-Original Message-
From: Michael Kimsal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 3:53 PM
To: Jerry Verhoef
Cc: PHP
Subject: Re: [PHP] session data vs cookie data

> Jerry Verhoef wrote:
> > It is possible to steal a session because a session_id is usually based on a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the session. And check them every page.
> >
> > kind regards,
> > Jerry
>
> Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.
>
> Michael Kimsal
Re: [PHP] session data vs cookie data
Maybe you haven't had this experience, but we've regularly seen AOL users get switched between IPs during the same session on our sites. They'd have to start over and relogin every 5-10 minutes sometimes under that method. Do you not get any complaints?

Michael Kimsal

Jerry Verhoef wrote:
> When that happens a user has to relogin. No data will be lost.
>
> Jerry
>
> > Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.
Re: [PHP] session data vs cookie data
> > Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.
>
> When that happens a user has to relogin. No data will be lost.

Relogin? Huh, I'd never visit a site where I have to login on every twice click. For some reason our company shares 5 ip addresses for its employees with NAT. We don't ever know what is our *current* request's ip, it always changes by chance. It could be that I use one ip while I'm visiting a site (it's not likely), but it could be that my 5 requests get to the site sitting on 5 different ips. So I don't recommend using the visitor's ip address for anything.

Arpi
Re: [PHP] session data vs cookie data
HTTP_REFERRER is another good way to check. This allows users to access the page ONLY from a specific set of referring pages. However, if you have a gigantic site this can be cumbersome and can create a rather large array of referring pages, so you may want to put the value through a reg-ex that checks for the hosts on your domain (like www.domain.com, subdomain.domain.com, etc). That locks out all other domains, at least.

Don't use this as your sole method of verification, but you can certainly include it.

Mike Frazer

Jerry Verhoef [EMAIL PROTECTED] wrote in message news:1CDA86C6527BD311B91F0008C784121003D55205@ugbiex1...
> -Original Message-
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 30, 2002 3:30 PM
> To: PHP
> Subject: [PHP] session data vs cookie data
>
> > I have read elsewhere that depending on Cookie data for site authentication is false economy, because Cookie data can be spoofed.
>
> True
>
> > I'm designing a login that auto-fills a person's name into a field for authentication (based on their $user_id, which is stored in the cookie), then they enter a password below that name and the fields are checked against data stored in MySQL. Standard authentication system.
> >
> > But from that point onward, I'd like to use a session variable that establishes the user's legitimacy as having logged in, using the cookie to store the SESSID. Barring the user spoofing the SESSID in the cookie, could someone easily fake legitimacy? I would think not, since the session data ($logged_in = 1 or something similar) is not stored in the cookie but rather on the server. But I just want to confirm.
>
> It is possible to steal a session because a session_id is usually based on a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the session. And check them every page.
>
> kind regards,
> Jerry
>
> > I should mention that I have register_globals = off in php.ini (4.1.0 on Linux).
> >
> > Thanks,
> > Erik
Re: [PHP] session data vs cookie data
On Wed, 30 Jan 2002, Michael Kimsal wrote:
> > a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the
>
> Do you null the user if the IP changes? IPs can change during a user's session, so I wouldn't base the validity of the session solely based on IP.

Also, sometimes there are issues with caches (despite the HTTP_X_FORWARD)...

Regards.
Re: [PHP] session data vs cookie data
On Wednesday, January 30, 2002, at 09:55 AM, Jerry Verhoef (UGBI) wrote:
> When that happens a user has to relogin. No data will be lost.
>
> Jerry

So then, do you include a re-login script at the top of every page (for when the session authentication fails)? Or do you have some advanced remember algorithm for what the user was doing at that point in their session?

Erik

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
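
The per-page check debated in the "session data vs cookie data" thread, as an added PHP example that is not code from any poster: the login flag stays server-side in the session, the session ID is regenerated at login, a User-Agent mismatch forces a re-login, and an IP change is only recorded, since the thread reports proxies and NAT rotating addresses mid-session. The function names (`fingerprint`, `on_login`, `check_request`), the session keys and the sample requests are constructed for illustration.

```php
<?php
// Added example. Function names, session keys and the sample requests
// at the bottom are assumptions, not taken from the thread.

/** Hash of the request attribute the session is bound to (User-Agent only). */
function fingerprint(array $server): string
{
    // The User-Agent is client-supplied, so this is a tripwire against a
    // casually replayed cookie, not a proof of identity.
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

/** Call once, after the password has been verified. */
function on_login(array &$session, array $server, int $userId): void
{
    // A fresh ID at the privilege change stops a pre-set (fixated) ID from
    // becoming an authenticated one. Skipped when no session is active (CLI demo).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['user_id']     = $userId;   // stored on the server, never in the cookie
    $session['fingerprint'] = fingerprint($server);
    $session['last_ip']     = $server['REMOTE_ADDR'] ?? '';
    $session['ip_changes']  = 0;
}

/** Call on every page. Returns 'ok', 'ok-ip-changed' or 'relogin'. */
function check_request(array &$session, array $server): string
{
    if (!isset($session['user_id'], $session['fingerprint'])) {
        return 'relogin';                // never logged in, or already rejected
    }
    if (!hash_equals($session['fingerprint'], fingerprint($server))) {
        $session = [];                   // drop the login flag, keep nothing
        return 'relogin';
    }
    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($ip !== $session['last_ip']) {
        // Soft signal only: count it for logging or rate alerts, keep the user in.
        $session['last_ip'] = $ip;
        $session['ip_changes']++;
        return 'ok-ip-changed';
    }
    return 'ok';
}

// Constructed demo. In a web request pass $_SESSION and $_SERVER instead.
$session = [];
$login = [
    'REMOTE_ADDR'     => '192.0.2.10',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed sample UA)',
];
on_login($session, $login, 42);

$requests = [
    'same client'       => $login,
    'proxy hop'         => ['REMOTE_ADDR' => '192.0.2.77'] + $login,
    'different browser' => ['REMOTE_ADDR' => '192.0.2.77',
                            'HTTP_USER_AGENT' => 'curl/8.0 (constructed)'],
    'after rejection'   => $login,
];
foreach ($requests as $label => $server) {
    printf("%-18s %s\n", $label, check_request($session, $server));
}
```

Run from the command line, the demo shows an address change alone leaving the user logged in, while a changed User-Agent empties the session and every later request is sent back to the login form.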