Re: [PHP] sessions...how to use not clear?
From: Andy B [EMAIL PROTECTED]

> From what I understand about sessions you can give a session a
> particular name like doing:
> session_start(SessionName);

You can give it a name, but you don't have to. PHP will use the default
name if you don't and you'll just need to use session_start();

> So in practical means I can do this:
>
>     <?php
>     /*file #1*/
>     session_start($name);
>     $_SESSION[name]=$name;
>     $_SESSION[email]=$email;
>     /*.*/
>     ?>
>
> now my question is this: will i have to declare session_start($name);
> at the top of every file that needs to use that session name?

If you give the session a custom name, then, yes, you'll have to use
that name on every page. $name can be something that's in an include file
or a constant, etc, though. Again, you don't _have_ to give a name,
though. There's no real advantage to using another name, though, as it's
going to be sent to the user in a cookie or the URL, anyhow.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] RE:[PHP] sessions...how to use not clear?
[snip]
If you give the session a custom name, then, yes, you'll have to use
that name on every page. $name can be something that's in an include file
or a constant, etc, though. Again, you don't _have_ to give a name,
though. There's no real advantage to using another name, though, as it's
going to be sent to the user in a cookie or the URL, anyhow.
[end snip]

well this is true but in the event that the server creates a default
name for that particular session (very large random strings). I am
trying to avoid running into the same session being used twice by 2
separate people at the same time.

so the theory is: if i require that the session be named after the
person's login name there is probably 1 out of 2 million chances that it
will mess up the names and get confused (specially if there are only a
few users allowed)...
RE: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B mailto:[EMAIL PROTECTED]
    on Monday, March 22, 2004 3:19 PM said:

> so the theory is: if i require that the session be named after the
> person's login name there is probably 1 out of 2 million chances that
> it will mess up the names and get confused (specially if there are
> only a few users allowed)...

as long as your usernames are unique you should never have a problem.
(assuming everything else works as planned.)

chris.
Re: [PHP] RE:[PHP] sessions...how to use not clear?
What are the chances of two people getting the same session number in a
thousands of day operation? When you down the size of that to a couple
hundred a day... Why do we need to have a session name for that?

Vamp

Chris W. Parker [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

> Andy B mailto:[EMAIL PROTECTED]
>     on Monday, March 22, 2004 3:19 PM said:
>
> > so the theory is: if i require that the session be named after the
> > person's login name there is probably 1 out of 2 million chances
> > that it will mess up the names and get confused (specially if there
> > are only a few users allowed)...
>
> as long as your usernames are unique you should never have a problem.
> (assuming everything else works as planned.)
>
> chris.
[PHP] RE:[PHP] sessions...how to use not clear?
as long as your usernames are unique you should never have a problem.
(assuming everything else works as planned.)

it should... i want to use sessions for a login system and stuff too but
i want it to check to see if the person is logged in before going to the
login section... if the session isnt valid then require a login...

is this code valid??

    <?php
    if(session_start($name)) {
    /*do whatever if person is logged in already*/
    } else {
    /*do whatever if session doesnt exist*/
    }

if that does work then all i need to do is figure out how to do a
session_destroy() to delete it after logged out...

any ideas?
[PHP] RE:[PHP] sessions...how to use not clear?
What are the chances of two people getting the same session number in a
thousands of day operation? When you down the size of that to a couple
hundred a day... Why do we need to have a session name for that?

because eventually i want to take the user name (session
name/variables/user info) and create a preferences section of the
website im doing and that would require a constant session name from
visit to visit
RE: [PHP] RE:[PHP] sessions...how to use not clear?
Elliot J. Balanza mailto:[EMAIL PROTECTED]
    on Monday, March 22, 2004 3:43 PM said:

> What are the chances of two people getting the same session number in
> a thousands of day operation? When you down the size of that to a
> couple hundred a day... Why do we need to have a session name for
> that?

gah. what i was trying to say (although maybe i should have elaborated a
little) is that if within his database his usernames are unique, he
won't have any problems at all.

i don't think the op should be concerned with duplicating session id's
as there are an almost infinite number of them. much more than 2mil.

chris.
RE: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B mailto:[EMAIL PROTECTED]
    on Monday, March 22, 2004 3:43 PM said:

> as long as your usernames are unique you should never have a problem.
> (assuming everything else works as planned.)
>
> it should...

it will. a unique value is a unique value.

> is this code valid??
>
>     <?php
>     if(session_start($name)) {
>     /*do whatever if person is logged in already*/
>     } else {
>     /*do whatever if session doesnt exist*/
>     }
>
> if that does work then all i need to do is figure out how to do a
> session_destroy() to delete it after logged out...
>
> any ideas?

personally i've never named a session (let alone knew that it was
possible) so i don't know if that code is valid as i don't know what, if
anything, session_start returns. that code assumes session_start()
returns a value at all.

i suggest you read the manual. try www.php.net/session_start and it will
tell you what that function returns if anything. you can work from
there.

chris.
RE: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B mailto:[EMAIL PROTECTED]
    on Monday, March 22, 2004 3:49 PM said:

> because eventually i want to take the user name (session
> name/variables/user info) and create a preferences section of the
> website im doing and that would require a constant session name from
> visit to visit

yeah you're right. except that you're missing a key point. you've
already got that unique identifier. it's the username. the username will
stay unique visit to visit, therefore you don't need to go against the
design of the session id. the session id is not meant to keep uniqueness
across multiple visits, only the current visit.

are we/me misunderstanding you?

chris.
[PHP] RE:[PHP] sessions...how to use not clear?
you've already got that unique identifier. it's the username. the
username will stay unique visit to visit, therefore you don't need to go
against the design of the session id. the session id is not meant to
keep uniqueness across multiple visits, only the current visit.

are we/me misunderstanding you?

yes the username is a thing different from anybody else's login but how
will you collect preferences and the like in variables and dump them
into a sql table without using a session to define them from everybody
else's??

figure this:

1. if you just used a login page and sql table to verify the existence
of a username/pwd and once logged in you had this code:

    <?php
    $color=green;
    $show_time=0; /*dont show the time on the page*/

now somebody else logs in:

    $color=yellow;
    $show_time=1;

(both users are logged in at the same time)??
theory is the variables will conflict with each other...

2. using sessions:

    <?php
    session_name($user);
    session_start();
    $_SESSION[color]=green;
    $_SESSION[show_time]=0;

now they cant get messed up because:

    <?php
    session_name($user); /*user2 now logged in*/

will be totally different from user1.
Re: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B wrote:

> as long as your usernames are unique you should never have a problem.
> (assuming everything else works as planned.)
>
> it should... i want to use sessions for a login system and stuff too
> but i want it to check to see if the person is logged in before going
> to the login section... if the session isnt valid then require a
> login...
>
> is this code valid??
>
>     <?php
>     if(session_start($name)) {
>     /*do whatever if person is logged in already*/
>     } else {
>     /*do whatever if session doesnt exist*/
>     }
>
> if that does work then all i need to do is figure out how to do a
> session_destroy() to delete it after logged out...

You shouldn't rely on whether a valid session exists to determine if
user is logged in. You should depend upon a certain variable within the
session.

session_start(), with or without $name, is going to be TRUE because it
just starts a session. If a session did not exist, it'll start one.

When a user logs in correctly, start a session and set a
$_SESSION['loggedin'] = TRUE, variable. Then on any page you want
protected, simply check for the variable

    if(isset($_SESSION['loggedin']))
    {
        //person is logged in
    }
    else
    {
        //person is not logged in
    }

When the person wants to log out, simply unset() or set to FALSE the
$_SESSION['loggedin'] variable. Now you force them to log in again. Even
if they keep the same session name, it doesn't matter b/c that variable
is not set.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B wrote:

> Why do we need to have a session name for that?
>
> because eventually i want to take the user name (session
> name/variables/user info) and create a preferences section of the
> website im doing and that would require a constant session name from
> visit to visit

Ummm... that's why you set a $_SESSION['username'] value. You really
don't need to worry about the name or id of the session (other than
resetting it upon login to prevent Session Fixation Attacks).

Sessions are for the current visit, page to page, not to remember things
across multiple visits. Cookies are used for that (but be aware of
security issues there, also, depending on how you implement them).

--
---John Holmes...
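Added example (not code from the thread or from any poster): the login check described in the two replies above, with a flag in $_SESSION tested on protected pages and a fresh session ID issued at login against session fixation. The function names and the constructed $USERS table are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the
// constructed $USERS table are assumptions for illustration.
$USERS = ['andy' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1'); // ID never accepted from the URL
        ini_set('session.use_strict_mode', '1');  // reject IDs PHP did not issue
        session_start();                          // default session name is fine
    }
}

function login(array $users, string $user, string $password): bool {
    start_session();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Fresh ID at the privilege change, old session data deleted (true):
    // an ID fixed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $user; // identity lives in the data, not the name
    return true;
}

function is_logged_in(): bool {
    start_session();
    // Strict comparison, so a flag set to FALSE at logout does not pass
    // the way it would with isset().
    return ($_SESSION['loggedin'] ?? false) === true;
}

function logout(): void {
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

if (PHP_SAPI === 'cli') { // constructed walk-through, printed at the end
    $seen = [is_logged_in(), login($USERS, 'andy', 'wrong'),
             login($USERS, 'andy', 'correct horse'), is_logged_in()];
    logout();
    $seen[] = is_logged_in();
    var_dump($seen);
}
```

In a web application each protected page would call is_logged_in() before producing any output, since the session functions need to send headers.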
Re: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B wrote:

> [snip]
> If you give the session a custom name, then, yes, you'll have to use
> that name on every page. $name can be something that's in an include
> file or a constant, etc, though. Again, you don't _have_ to give a
> name, though. There's no real advantage to using another name, though,
> as it's going to be sent to the user in a cookie or the URL, anyhow.
> [end snip]
>
> well this is true but in the event that the server creates a default
> name for that particular session (very large random strings). I am
> trying to avoid running into the same session being used twice by 2
> separate people at the same time.

I think you're confusing session_name and session_id. session_name is
(generally) the same for everyone and is the name PHP uses in the cookie
or URL to store the session_id. The session_id is a 128 bit, 32
character code that uniquely (sp?) identifies your individual session.
You do not have to worry about two users getting the same session_id
unless you just have a tremendous amount of traffic or have extended the
session life.

> so the theory is: if i require that the session be named after the
> person's login name there is probably 1 out of 2 million chances that
> it will mess up the names and get confused (specially if there are
> only a few users allowed)...

I think I get what you're saying here. In the very remote chance that
two people get the same session_id, you're saying that at least they'll
have different session_names, so there won't be any contention? I don't
think so, though, as the default session handler for PHP bases the name
of the file to hold the session data on the session_id. It doesn't use
the session_name for anything other than knowing what cookie or URL
variable to retrieve the session_id from.

--
---John Holmes...
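Added example (not code from the thread): a small script showing the distinction drawn in the reply above, that session data is selected by session_id alone and the session_name plays no part in storage. It assumes the default "files" save handler with a plain directory as save path; the names 'andy' and 'bob' and the session ID are constructed sample values.

```php
<?php
// Added example, not code from the thread. The names and the session ID
// are constructed sample values; the default "files" handler is assumed.
const SAMPLE_ID = 'constructedsampleid0123456789abc';

// Open the session selected by $id under the given session name,
// optionally store a colour, and return what the session holds.
function color_in_session(string $name, string $id, ?string $set = null): ?string {
    session_name($name); // only picks the cookie / URL parameter name
    session_id($id);     // the value that selects the stored data
    session_start();
    if ($set !== null) {
        $_SESSION['color'] = $set;
    }
    $color = $_SESSION['color'] ?? null;
    session_write_close();
    return $color;
}

// File used by the "files" handler: sess_<session_id>, no name in it.
// Assumes session.save_path is empty or a plain directory.
function session_file(string $id): string {
    $dir = session_save_path() ?: sys_get_temp_dir();
    return rtrim($dir, '/') . '/sess_' . $id;
}

$written    = color_in_session('andy', SAMPLE_ID, 'green');
$readBack   = color_in_session('bob', SAMPLE_ID); // other name, same ID
$fileExists = file_exists(session_file(SAMPLE_ID));

// Remove the sample session again.
session_id(SAMPLE_ID);
session_start();
session_destroy();

// The value written under the name 'andy' is read back under 'bob'.
var_dump($written, $readBack, $fileExists);
```

Run from the command line, the value written under one session name comes back under the other, which is why naming the session after the user adds no separation between users.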
Re: [PHP] RE:[PHP] sessions...how to use not clear?
Andy B wrote:

> you've already got that unique identifier. it's the username. the
> username will stay unique visit to visit, therefore you don't need to
> go against the design of the session id. the session id is not meant
> to keep uniqueness across multiple visits, only the current visit.
>
> are we/me misunderstanding you?

Please quote your messages or put a divider between the original content
(above) and what you write (below).

> yes the username is a thing different from anybody else's login but
> how will you collect preferences and the like in variables and dump
> them into a sql table without using a session to define them from
> everybody else's??
>
> figure this:
>
> 1. if you just used a login page and sql table to verify the existence
> of a username/pwd and once logged in you had this code:
>
>     <?php
>     $color=green;
>     $show_time=0; /*dont show the time on the page*/
>
> now somebody else logs in:
>
>     $color=yellow;
>     $show_time=1;
>
> (both users are logged in at the same time)??
> theory is the variables will conflict with each other...

You're confused here. $color loaded from a database in one script is not
going to change when another script is run and $color is loaded for
another user. The variable is unique to the request.

> 2. using sessions:
>
>     <?php
>     session_name($user);
>     session_start();
>     $_SESSION[color]=green;
>     $_SESSION[show_time]=0;
>
> now they cant get messed up because:
>
>     <?php
>     session_name($user); /*user2 now logged in*/
>
> will be totally different from user1.

This is true and how you want to do it, but using $user inside of
session_name() is unnecessary. They'll be different because each user has
a different session_id by design and that's what's used to identify one
user's $_SESSION['color'] from another user's $_SESSION['color'].

--
---John Holmes...
Re: [PHP] RE:[PHP] sessions...how to use not clear?
On 22 Mar 2004 Andy B wrote:

> so the theory is: if i require that the session be named after the
> person's login name there is probably 1 out of 2 million chances that
> it will mess up the names and get confused (specially if there are
> only a few users allowed)...

If the login name is unique and you don't allow multiple simultaneous
logins then the chance of a mixup is exactly zero.

If you are talking about session IDs, I believe they are 128 bits which
translates to a chance of duplication of 1 in
340,282,366,920,938,463,463,374,607,431,768,211,456 [the result from
bcpow(2, 128, 0)]. Should be good enough :-).

--
Tom