Q: http://www.dxkj.org/nextstep.php
When you go to that page, it sends you back to the login page, because there is no valid session yet with a certain variable set.
Once you register, go to this page and it displays information (or eventually will).
Is this the right way to do security with a login in PHP?
1) Login
2) Session start
3) Set session variable
4) Check whether the session variable exists on each page; if it doesn't, redirect to login.
Re: Using just a session variable is fine, however, it is possible that someone hijacks another user's sessionid and goes from there.
What I would advise is creating a database entry when someone logs in that records: sessionid, ip address, logintime, endtime, username. Then on each page, check to make sure that the session variable is set, and if it is ok, then update the "endtime" to be the current time + 10 minutes.
This way after 10 minutes of inactivity, the user is automatically forced out of the system with a garbage cleanup, and you can also check to see who's logged in just by dumping the table.
You can also do ip checking on the sessionid also so that if they don't match up, just reject the user.
If any of this doesn't make sense, let me know and I can clarify, I'm a bit tired :>
-Ankur
Re: Originally posted by: guy
There's two ways the session can end:
1. The session times out. This is tweakable in php.ini. My default seems to garbage collect data after 1440 seconds, and expire pages after 180 minutes.
2. The user closes their browser. When they do this, the temporary cookie for that session goes away, and they have to start a new session.
#2 is also kinda touchy, because sometimes the session id is propagated through the url ( ?PHPSESSID=owjfj23fjjf92j3rh2h etc), so it's possible they could bookmark it and come back later. But that's why it expires after so many minutes.
Thanks a lot… is there any way to end a session on command, like session_end() or a meta refresh or something… how do you handle someone logging out?
session_destroy()
http://us4.php.net/manual/en/ref.session.php
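The database-backed check Ankur describes above (sessionid, ip address, logintime, endtime, username; endtime pushed out 10 minutes on each page; ip mismatch rejected) together with the session_destroy() logout from this reply, written out as an added example. This is not code from the thread; it assumes PHP with PDO and SQLite, a table named logins whose column names follow Ankur's post, and a login page at /login.php. Note that the ip check will also reject legitimate users whose address changes mid-session (mobile networks, some proxies), so decide whether that trade-off fits your users.

```php
<?php
// Added example, not from the thread. Assumes PDO + SQLite; table and
// column names follow Ankur's post; /login.php is an assumed path.
session_start();
$db = new PDO('sqlite:' . __DIR__ . '/logins.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS logins (
    sessionid TEXT PRIMARY KEY, ipaddress TEXT, username TEXT,
    logintime INTEGER, endtime INTEGER)');
const IDLE_SECONDS = 600; // 10 minutes of inactivity, as in the post

// Call once the password check has succeeded. Issuing a fresh session id
// here means an id the user held before logging in is worthless afterwards.
function record_login(PDO $db, string $username): void {
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $now = time();
    $stmt = $db->prepare('INSERT OR REPLACE INTO logins VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([session_id(), $_SERVER['REMOTE_ADDR'], $username,
                    $now, $now + IDLE_SECONDS]);
}

// Put at the top of every protected page. Returns the username, or
// ends the session and sends the visitor back to the login page.
function require_login(PDO $db): string {
    $now = time();
    $db->exec('DELETE FROM logins WHERE endtime < ' . (int)$now); // garbage cleanup
    $stmt = $db->prepare('SELECT username, ipaddress FROM logins
                          WHERE sessionid = ? AND endtime >= ?');
    $stmt->execute([session_id(), $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = isset($_SESSION['user']) && $row !== false
        && $row['username'] === $_SESSION['user']
        && $row['ipaddress'] === $_SERVER['REMOTE_ADDR']; // ip check from the post
    if (!$ok) {
        logout($db);
        header('Location: /login.php');
        exit;
    }
    $db->prepare('UPDATE logins SET endtime = ? WHERE sessionid = ?')
       ->execute([$now + IDLE_SECONDS, session_id()]);
    return $row['username'];
}

// Logging out on command: drop the table row, then session_destroy().
function logout(PDO $db): void {
    $db->prepare('DELETE FROM logins WHERE sessionid = ?')->execute([session_id()]);
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

Dumping the logins table shows who is currently logged in, as Ankur notes, because rows are removed on logout and by the cleanup on each page load.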
Re: There's two ways the session can end:
1. The session times out. This is tweakable in php.ini. My default seems to garbage collect data after 1440 seconds, and expire pages after 180 minutes.
2. The user closes their browser. When they do this, the temporary cookie for that session goes away, and they have to start a new session.
#2 is also kinda touchy, because sometimes the session id is propagated through the url ( ?PHPSESSID=owjfj23fjjf92j3rh2h etc), so it's possible they could bookmark it and come back later. But that's why it expires after so many minutes.
Re: Having never messed with PHP session variables, does the session variable ever time out, and if so when? Can you set that?
Re: Seems secure to me. The page only lets you view if the session variable is set, and only the scripts running on the server can set this variable, and there's no way for the user to manipulate that.