[PHP] Some questions.
Hello, I'm a Chinese university student, and I want to ask some questions about sessions. These days I'm building a website for my university with PHP, but I met a problem when I developed the User Management part: after I have logged out from a user page (I use "session_unset()" and "session_destroy()"), I can return to the page again by clicking the "Back" button to that page and refreshing it, and the user page is shown again. This is unsafe. So I want to ask whether the functions "session_unset()" and "session_destroy()" destroy the session immediately, or whether there is a life-time for the session. In my memory, I think that there is a life-time for the session and that the life-time can be configured.

Another question: if the user page is "main.php" and the page that authenticates the user is "login.php", I use the session to store the user's information, such as: session_register($userid); But if the variables in the session unfortunately become known to somebody else, he can visit others' information via the url "login.php?userid=***". How can I solve this problem? Use an ugly but difficult session variable?

Just two questions. Thanks a lot. Hope to hear back soon! Best wishes
[PHP] Questions
Thanks a lot. The other day I talked with one of my classmates, who said that there is nearly no essential difference between session and url variables; after I read your answer I know that there is. I have tried your way of using sessions, and it does make sense in differentiating between session and url variables. I still can't find whether there is a life-time for sessions. Could you help me? Best Wishes!

- Original Message -
From: "SHEETS,JASON (Non-HP-Boise,ex1)" <[EMAIL PROTECTED]>
To: "'mintbaggio'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 3:27 AM
Subject: RE: [PHP] Some questions.

> Turn off register globals and use the superglobals; if this doesn't make
> sense, refer to the PHP manual available at http://www.php.net/manual.
>
> Basically, as of PHP 4.1 all session variables are accessible by using
> $_SESSION['name'], for example.
>
> Example1.php
>
>     <?php
>     session_start();                    // start the session
>     $_SESSION['name'] = 'Jason Sheets'; // create and register a variable
>     ?>
>
> Example2.php (this file accesses the variable from example1)
>
>     <?php
>     session_start();                                 // start the session
>     print 'Your name is: ' . $_SESSION['name'];      // print line containing the variable
>     ?>
>
> When you have register globals off, or you use the superglobals, post and get
> information will not be propagated to the session array, meaning that even
> if the user sets loggedin=1 in their url, when you check whether
> $_SESSION['loggedin'] == 1 it will be false unless they logged in.
>
> Jason
>
>
> -Original Message-
> From: mintbaggio [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 12, 2002 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Some questions.
>
> Hello
> I'm a Chinese university student, and I want to ask some questions about sessions.
> These days I'm building a website for my university with PHP, but I met a
> problem when I developed the User Management part: after I have logged out
> from a user page (I use "session_unset()" and "session_destroy()"), I can
> return to the page again by clicking the "Back" button to that page and refreshing
> it, and the user page is shown again. This is unsafe.
> So I want to ask whether the functions "session_unset()" and "session_destroy()"
> destroy the session immediately, or whether there is a life-time for the session. In my
> memory, I think that there is a life-time for the session and that the life-time can be
> configured.
>
> Another question:
> If the user page is "main.php" and the page that authenticates the user is
> "login.php", I use the session to store the user's information, such as:
> session_register($userid);
> But if the variables in the session unfortunately become known to somebody
> else, he can visit others' information via the url "login.php?userid=***".
> How can I solve this problem? Use an ugly but difficult session variable?
>
> Just two questions.
> Thanks a lot.
> Hope to hear back soon!
> Best wishes
>
[PHP] Another Questions
Thanks for emailing me so soon!

1. Before I sent you these emails I read about the functions "session_destroy()" and "session_unset()" again. I use sessions in this sequence:

    session_start();
    // after the user has been authenticated (using database authentication)
    $userid = $txtUser;          // txtUser is the text input on the login page
    session_register("userid");
    // after the user logs out
    session_unset();
    session_destroy();

I wonder whether this is the right sequence for using sessions. Could you give me some advice?

2. I know the session is stored on the SERVER. But I am developing a Homepage Administration System for my university. This system is used to manage the users and store all the users' own homepages. A user needs to register before he/she can store his/her own homepage on the SERVER. All the user ids are listed for others to visit, so all the user ids are known. I mean the url "login.php" is known. But what if one person knows my session variable and uses "login.php?userid=mintbaggio" (mintbaggio is a user in this system)? Now I use 3 variables in the session to store the user's information. Before somebody enters the user's own page (not the user's homepage, but the user's information like name, age, etc.), these 3 variables are examined to check whether they are all valid. Is this safer?

- Original Message -
From: "Justin French" <[EMAIL PROTECTED]>
To: "mintbaggio" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:21 AM
Subject: Re: [PHP] Some questions.

> on 13/08/02 3:42 AM, mintbaggio ([EMAIL PROTECTED]) wrote:
>
> > I'm a Chinese university student, and I want to ask some questions about sessions.
> > These days I'm building a website for my university with PHP, but I met a
> > problem when I developed the User Management part: after I have logged out
> > from a user page (I use "session_unset()" and "session_destroy()"), I can
> > return to the page again by clicking the "Back" button to that page and refreshing
> > it, and the user page is shown again. This is unsafe.
> > So I want to ask whether the functions "session_unset()" and "session_destroy()"
> > destroy the session immediately, or whether there is a life-time for the session. In my memory,
> > I think that there is a life-time for the session and that the life-time can be
> > configured.
>
> Firstly, make sure you've read the page at php.net/session_destroy and
> php.net/session_unset, because it supplies perfect code for destroying a
> session.
>
> Make sure your code matches either example 1 or 2, depending on your code.
> If you're unsure, test with both.
>
> If you've named your session somewhere, you need to unset and destroy it
> WITH that name, I think (never had to do it).
>
>
> > Another question:
> > If the user page is "main.php" and the page that authenticates the user is
> > "login.php", I use the session to store the user's information, such as:
> > session_register($userid);
> > But if the variables in the session unfortunately become known to somebody
> > else, he can visit others' information via the url "login.php?userid=***".
> > How can I solve this problem? Use an ugly but difficult session variable?
>
> When you store the username as a session variable, it's stored on the
> SERVER, not on the client. Hence, there is less chance of the session
> variables being disclosed. Better still, if you NEVER store both the
> password and username in the session, then the "hacker" will not be able to
> do anything without the password.
>
> The only thing stored on the browser or transmitted in clear view when
> running a session is the session id (a long number), NOT the variables
> assigned to the session... that's the whole point.
>
>
> FWIW, if you really want to make things more secure, you should turn off
> register globals, and learn about the new super global arrays like $_POST,
> $_SESSION, $_GET, etc etc.
>
> In short, you'd register a new session variable as $_SESSION['var'] =
> "value"; rather than $var="value"; session_register($var);
>
>
> Justin French
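As an added example (not code from Jason, Justin or mintbaggio), here is the login / main / logout flow asked about in this thread and answered in the two replies above, written with $_SESSION in current PHP (8 assumed); authenticate_user() is a stand-in for the database check and every function name is hypothetical.

```php
<?php
// Added example, not code from the thread. Current PHP (8+) assumed; the
// function names are hypothetical and authenticate_user() stands in for the
// database check done in login.php.

// Only the session id reaches the browser; keep it in an HttpOnly cookie and
// never in the URL, so "main.php?userid=..." carries nothing the server trusts.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Stand-in for the database lookup (constructed credentials, hashed).
function authenticate_user(string $user, string $pass): bool {
    $users = ['mintbaggio' => password_hash('constructed-secret', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// login.php: record the user in $_SESSION only (never the password).
function login(string $user, string $pass): bool {
    if (!authenticate_user($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // new id, so a pre-login id cannot be reused
    $_SESSION['userid'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// main.php: identity comes from $_SESSION, $_GET is never consulted, and
// "no-store" stops the browser from showing a cached copy after Back.
function require_login(): string {
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    if (!isset($_SESSION['userid'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['userid'];
}

// logout.php: clear, drop the cookie, then destroy. session_destroy() removes
// the server-side data at once; the "life-time" (session.gc_maxlifetime) only
// governs how long idle sessions survive. What reappears after Back is the
// browser's cached copy of the page, which the headers above prevent.
function logout(): void {
    $_SESSION = [];
    session_unset();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```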
[PHP] A Question about PHP upload file
Is there a size limit for PHP file uploads over HTTP? I heard there is an 8-9 MB limit; is that true? Is there a method to get around it?
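The thread does not answer this, so as an added example (not from any poster): the limit comes from the php.ini directives upload_max_filesize and post_max_size, and the handler below shows how a script detects which limit was hit and stores the file safely; current PHP (8+) is assumed, and upload.php and the form field name "homepage" are hypothetical.

```php
<?php
// Added example, not from the thread. Current PHP (8+) assumed; upload.php
// and the form field name "homepage" are hypothetical.
// The ceiling comes from php.ini (PHP's shipped defaults shown); a form
// cannot raise it, only the server configuration can:
//   upload_max_filesize = 2M   ; per file
//   post_max_size       = 8M   ; whole request body, keep >= upload_max_filesize

// Convert an ini shorthand such as "8M" or "512K" to bytes.
function ini_bytes(string $v): int {
    $n = (int) $v;
    return match (strtolower(substr(trim($v), -1))) {
        'g' => $n * 1024 ** 3,
        'm' => $n * 1024 ** 2,
        'k' => $n * 1024,
        default => $n,
    };
}

// Returns null when the upload is acceptable, otherwise which limit was hit.
// $file is one $_FILES entry; $app_max is the application's own ceiling.
function upload_problem(array $file, int $content_length, int $app_max): ?string {
    // Beyond post_max_size PHP discards the whole body and $_FILES is empty,
    // so the declared request size is the only evidence left.
    if ($content_length > ini_bytes((string) ini_get('post_max_size'))) {
        return 'request exceeds post_max_size';
    }
    return match ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        UPLOAD_ERR_OK        => $file['size'] > $app_max ? 'file exceeds application limit' : null,
        UPLOAD_ERR_INI_SIZE  => 'file exceeds upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE => 'file exceeds MAX_FILE_SIZE sent by the form',
        UPLOAD_ERR_PARTIAL   => 'upload interrupted',
        UPLOAD_ERR_NO_FILE   => 'no file sent',
        default              => 'upload failed (error ' . $file['error'] . ')',
    };
}

// upload.php: store only after the checks pass, under a server-chosen name,
// and only via move_uploaded_file() so a forged tmp_name cannot be copied.
$app_max = 2 * 1024 * 1024;   // keep at or below upload_max_filesize
$problem = upload_problem($_FILES['homepage'] ?? [], (int) ($_SERVER['CONTENT_LENGTH'] ?? 0), $app_max);
if ($problem !== null) {
    http_response_code(413);
    exit($problem);
}
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16));
if (!move_uploaded_file($_FILES['homepage']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
```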