Also, this may be unrelated, but something I'll throw in just in case as there was much hair pulling on my part.

I recently discovered a problem with using sessions on Apache 1.3.2.23 and the two latest versions of PHP (excluding the most recent version, which was not available at the time). This problem was only with sessions (without sessions, the pages worked fine).

I'd find that when you logged in, the first time you updated the MySQL database, the results were displayed fine on the results page. However, upon making another change (editing a field, deleting an entire entry etc), the results page showed the results of the previous update and continued to do so even though the database had been updated. The only way to see the new results was to log out of the browser completely and log back in. This problem was ONLY with IE; Netscape/Mozilla did not have this problem.

Solution: upgrade to Apache 1.3.26 and the problem hasn't been seen since.

However, we are seeing a few little issues using sessions on PHP that are utterly unexplainable (it will log you out for no reason on pages that previously worked perfectly). We're hoping the newest PHP revision will solve this (haven't got around to installing it).

Best Regards

Bob Irwin
Server Admin & Web Programmer
Planet Netcom

----- Original Message -----
From: "Justin French" <[EMAIL PROTECTED]>
To: "mintbaggio" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 12:21 PM
Subject: Re: [PHP] Some questions.

> on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:
>
> > I'm a Chinese university student, I want to ask some questions about session.
> > These days I'm build a website for my university with PHP, But I meet a
> > question when I develop the part of User Management: After I have log out
> > from a user page (I use "session_unset()" and "session_destroy()"), I can
> > return to the page again by click the button "Back" to that page and refresh
> > it, the user page can be shown again. This is unsafe.
> > So I want to ask that the function "session_unset" and "session_destroy()"
> > will destroy session immediately or there is a life-time for session. In my
> > memory, I think that there is a life-time for session and the life-time can
> > be configured.
>
> Firstly, make sure you've read the page at php.net/session_destroy and
> php.net/session_unset, because it supplies perfect code for destroying a
> session.
>
> Make sure your code matches either example 1 or 2, depending on your code.
> If you're unsure, test with both.
>
> If you've named your session somewhere, you need to unset and destroy it
> WITH that name, I think (never had to do it).
>
> > Another question:
> > If the user log page is "main.php", the page for authenticate the user is
> > "login.php"
> > I use session to store the information of user such as:
> > session_register($userid);
> > But if the variables in the session are unfortunately be known by somebody
> > else, and he can visit others' information by the url: "login.php?userid=***",
> > how can solve these problem? use a ugly but difficult session variable?
>
> When you store the username as a session variable, it's stored on the
> SERVER, not on the client. Hence, there is less chance of the session
> variables being disclosed. Better still, if you NEVER store both the
> password and username in the session, then the "hacker" will not be able to
> do anything without the password.
>
> The only thing stored on the browser or transmitted in clear view when
> running a session is the session id (a long number), NOT the variables
> assigned to the session... that's the whole point.
>
> FWIW, if you really want to make things more secure, you should turn off
> register globals, learn about the new super global arrays like $_POST,
> $_SESSION, $_GET, etc etc.
>
> In short, you'd register a new session variable as $_SESSION['var'] =
> "value"; rather than $var="value"; session_register($var);
>
> Justin French

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
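
An added example, not part of any message in this thread: one way to combine the points raised above (full session teardown on logout, reading the user id only from `$_SESSION`, and stopping the Back button from redisplaying a protected page). It is written for current PHP rather than the 2002 versions discussed; the function names `require_login()` and `logout()` are hypothetical, and it assumes the Back-button behaviour comes from the browser showing a cached copy and that the login code stored the id in `$_SESSION['userid']`.

```php
<?php
// Added example (assumptions: register_globals is off or absent, and the
// login code sets $_SESSION['userid'] after checking the password).

// Call at the top of every protected page (e.g. main.php), before any output.
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to keep a copy, so Back after logout re-requests
    // the page and reaches the check below instead of a cached copy.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    // Identity comes only from the server-side session, never from
    // $_GET/$_POST, so login.php?userid=*** cannot supply it.
    if (empty($_SESSION['userid'])) {
        header('Location: login.php');
        exit;
    }
    return (string) $_SESSION['userid'];
}

// Call from the logout page.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop all session variables
    if (ini_get('session.use_cookies')) { // expire the session-id cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side data
}
```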