Ok, I'm new to sessions and have a few questions... Here is my plan. I'm running a news type web site where subscribers have different privileges on what they can view and download. The privileges are stored in a mySQL DB. My plan is to make users login (thereby starting a session with all their permission data). We will also allow the users to save their login and password as a cookie, thereby starting a new session every time they visit the web site. Using sessions to serve as a logged-on status I'm pretty sure I can do authentication for PHP pages. However my worry is when someone types in a URL to get a PDF file. So what I was thinking of doing was writing an apache module that did the following: When a file with .pdf is asked for it looks to see if the user is currently in a session (aka 'logged on'). I'm guessing the module can know this by using the HTTP headers. Figuring we can look to see if it's giving a cookie with the sid or it's part of the URL.

Ok, question 1: If I compile with --enable-trans-sid is the sid included as part of the HTTP header? Also my understanding is if I compiled with this I don't have to put the SID in each URL; if so, and cookies are available on the client side, which will PHP use? Once the module has the sid it can read the cookie-like file related to that SID in the /tmp dir and figure out what the user's privileges are.
Question 2: I was looking at the values in the php.ini file

    [Session]
    session.save_handler = files    ; handler used to store/retrieve data
    session.save_path = /tmp        ; argument passed to save_handler
                                    ; in the case of files, this is the
                                    ; path where data files are stored
    session.use_cookies = 1         ; whether to use cookies
    session.name = PHPSESSID        ; name of the session
                                    ; is used as cookie name
    session.auto_start = 0          ; initialize session on request startup
    session.cookie_lifetime = 0     ; lifetime in seconds of cookie
                                    ; or if 0, until browser is restarted
    session.cookie_path = /         ; the path the cookie is valid for
    session.cookie_domain =         ; the domain the cookie is valid for
    session.serialize_handler = php ; handler used to serialize data
                                    ; php is the standard serializer of PHP
    session.gc_probability = 1      ; percentual probability that the
                                    ; 'garbage collection' process is started
                                    ; on every session initialization
    session.gc_maxlifetime = 1440   ; after this number of seconds, stored
                                    ; data will be seen as 'garbage' and
                                    ; cleaned up by the gc process
    session.referer_check =         ; check HTTP Referer to invalidate
                                    ; externally stored URLs containing ids
    session.entropy_length = 0      ; how many bytes to read from the file
    session.entropy_file =          ; specified here to create the session id
    ; session.entropy_length = 16
    ; session.entropy_file = /dev/urandom
    session.cache_limiter = nocache ; set to {nocache,private,public} to
                                    ; determine HTTP caching aspects
    session.cache_expire = 180      ; document expires after n minutes
    session.use_trans_sid = 1       ; use transient sid support if enabled
                                    ; by compiling with --enable-trans-sid

Now according to this the cookie-like files should be deleted after 1440 seconds, but on my machine they're not. Any reason why? Thanks for your help ahead of time, the few of you out there who might dare to tackle these questions. If anyone out there can point me to some good copy on PHP sessions and how they work under the hood please do so.

thanks
Mike
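The download gate the post describes (pull the session id out of the request, find the matching data file under session.save_path, read the user's privileges, refuse if they are missing) as an added example; it is written in Python to show the logic rather than as the Apache module itself, and it is neither the poster's code nor PHP's own implementation. It assumes the php.ini values quoted above (files handler, php serializer, PHPSESSID, gc_maxlifetime 1440), that the files handler names its data file sess_<id>, and a constructed session variable `privs` holding the user's privilege names. Two points it makes explicit: the id taken from the request is validated before it is used to build a filename, and the file's age is checked against gc_maxlifetime, because the garbage collector only runs when a session initialization happens to trigger it (gc_probability), so an expired file can stay on disk in the meantime and its mere presence proves nothing.

```python
"""Read a PHP 'files' session the way a PDF download gate would.

Added example, not the poster's code and not PHP's implementation.
Assumed settings (from the post): save_handler=files, serialize_handler=php,
session.name=PHPSESSID, gc_maxlifetime=1440. Assumed layout: data file is
sess_<id> under save_path; session variable 'privs' is an array of names
(constructed for this example).
"""
import os
import re
import tempfile
import time
from urllib.parse import parse_qs, urlparse

SESSION_NAME = "PHPSESSID"
GC_MAXLIFETIME = 1440
# Only a plain id may reach the filesystem; '../' and friends are rejected here.
SID_RE = re.compile(r"^[A-Za-z0-9,-]{1,128}$")


def extract_sid(headers, url):
    """Session id from the Cookie header, else from the URL query, else None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_NAME and value:
            return value
    values = parse_qs(urlparse(url).query).get(SESSION_NAME)
    return values[0] if values else None


def _parse(data, pos):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos)."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ibd":                                 # i:42;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = int(raw) if t == "i" else (raw == "1" if t == "b" else float(raw))
        return value, end + 1
    if t == "s":                                   # s:4:"view";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        return data[start:start + length], start + length + 2   # skip '";'
    if t == "a":                                   # a:2:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        return result, pos + 1                     # skip '}'
    raise ValueError("unsupported serialized type %r at offset %d" % (t, pos))


def parse_session(data):
    """Decode the 'php' serialize_handler layout: name|<value>name|<value>..."""
    variables, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        variables[data[pos:bar]], pos = _parse(data, bar + 1)
    return variables


def load_session(sid, save_path, now=None):
    """Session variables for sid, or None if the id is bad or the file is absent, stale or malformed."""
    if sid is None or not SID_RE.match(sid):
        return None
    path = os.path.join(save_path, "sess_" + sid)
    try:
        st = os.stat(path)
    except OSError:
        return None
    # gc runs only at a session start with gc_probability, so a stale file can
    # still exist; enforce gc_maxlifetime here instead of trusting its presence.
    if (now if now is not None else time.time()) - st.st_mtime > GC_MAXLIFETIME:
        return None
    with open(path, "rb") as fh:
        raw = fh.read().decode("latin-1")   # s:N lengths are byte counts; latin-1 keeps 1 char = 1 byte
    try:
        return parse_session(raw)
    except (ValueError, IndexError):
        return None


def is_allowed(session, privilege):
    """True if the session's 'privs' array contains the privilege name."""
    return bool(session) and privilege in session.get("privs", {}).values()


def demo():
    """Constructed walk-through: a fresh session passes, a stale or bogus one does not."""
    save_path = tempfile.mkdtemp()
    path = os.path.join(save_path, "sess_abc123")
    with open(path, "wb") as fh:   # constructed session data, in the files handler's format
        fh.write(b'uid|i:42;privs|a:2:{i:0;s:4:"view";i:1;s:8:"download";}')
    sid = extract_sid({"Cookie": "theme=dark; PHPSESSID=abc123"}, "/reports/q1.pdf")
    fresh = load_session(sid, save_path)
    results = {"sid": sid, "uid": fresh["uid"],
               "download": is_allowed(fresh, "download"), "admin": is_allowed(fresh, "admin")}
    stale = time.time() - 2 * GC_MAXLIFETIME        # older than gc_maxlifetime, file still on disk
    os.utime(path, (stale, stale))
    results["stale"] = load_session(sid, save_path)
    results["traversal"] = load_session("../../etc/passwd", save_path)
    return results


if __name__ == "__main__":
    print(demo())
```

The cookie is consulted before the query string, which is the order that matters once both can carry the id (a saved-login cookie plus trans-sid rewriting). Rejecting a file older than gc_maxlifetime in the gate itself is what turns "the files are still in /tmp" from a security question into a housekeeping one.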