At 09:25 22.11.2002, Jean-Christian Imbeault said:
--------------------[snip]--------------------
>> What I usually do (I also have session cookies switched off) is to send the
>> user a session cookie when he logs in. This way I can use cookieless
>> sessions, but when it comes to sensitive areas I can be sure that
>> bookmarking or giving away the SID wouldn't automatically transfer the
>> login session...
>
>I don't get what you mean here. Can you explain a bit more? Sounds like
>what I need but I don't understand. You say you have cookies switched
>off but send the user a cookie ... a contradiction.
My php.ini has session.use_cookies set to 0, so no (automatic) session
cookies get transmitted. This, however, doesn't stop me from programmatically
sending a cookie to the client...
So that's what I do, basically: I might be using a session for a lot of
stuff that's not related to user login; but when a user logs in this happens:
a) Create a unique cookie name and remember it:
$cookie_name = md5(date('YmdHis'));
$_SESSION['cookie_name'] = $cookie_name;
b) Create a random value for the cookie:
$cookie_token = rand();
$_SESSION['cookie_token'] = $cookie_token;
c) Transmit this cookie to the client (lifetime=session):
setcookie($cookie_name, $cookie_token);
From now on, the login-check tests for the random session cookie to match
the token:
if (isset($_SESSION['cookie_name'], $_COOKIE[$_SESSION['cookie_name']])
    && $_COOKIE[$_SESSION['cookie_name']] == $_SESSION['cookie_token']) {
    // valid cookie found, so generate a new value
    $_SESSION['cookie_token'] = rand();
    setcookie($_SESSION['cookie_name'], $_SESSION['cookie_token']);
}
else {
    // no cookie set, or token doesn't match - take the appropriate action
}
This helps me to allow multiple sessions at the same client computer, since
every session has its own unique cookie. Giving away a link containing a
SID wouldn't harm security since you cannot pass or bookmark session cookies.
>> I always recommend NOT using session.auto_start. It effectively disables
>> making objects session-persistent
>
>I didn't know that but it doesn't matter as I don't do OO in PHP. Being
>also a Java programmer I can't wrap my brain around how PHP does pseudo-OO.
It's not pseudo-OO - it's some kind of "back-to-the-roots" OO :) You _do_
have (single) inheritance, you _do_ have class abstraction, you _do_ have
polymorphism (although you need to go a lot by hand), but you _don't_ have
protected and private storage.
You can always put an object into session storage, like this:
class A {
    function A() {}
}
session_start();
// restore the object from the session if it is there, otherwise create it
if (!isset($_SESSION['a']) || !is_object($_SESSION['a'])) {
    $_SESSION['a'] = new A();
}
$a =& $_SESSION['a'];
This will give you the same object of class A anytime you access the page
with the same session. Note however that the session handler needs the
class definition to be able to reconstruct the saved object - only the
class name, and the instance data, gets stored in session data.
--
>O Ernest E. Vogelsinger
(\) ICQ #13394035
^ http://www.vogelsinger.at/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
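The per-login session cookie scheme from the mail above, as an added example that is not the poster's code: written for PHP 7.3+ with a CSPRNG token, constant-time comparison and HttpOnly/Secure flags; the function names and the `lc_` cookie prefix are this example's own choices.

```php
<?php
// Added example, not code from the original mail: per-login session cookie
// bound to the PHP session, with random name/token and per-request rotation.
// Assumes PHP 7.3+ (array-style setcookie options) and HTTPS.

function send_login_cookie(string $name, string $token): void
{
    // expires 0 = session cookie; it never appears in a bookmarkable URL
    setcookie($name, $token, ['expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
}

// Call once, right after the user has authenticated.
function issue_login_cookie(): void
{
    // Unpredictable cookie name, so several logins on one client do not collide.
    $name  = 'lc_' . bin2hex(random_bytes(16));
    $token = bin2hex(random_bytes(16));
    $_SESSION['cookie_name']  = $name;
    $_SESSION['cookie_token'] = $token;
    send_login_cookie($name, $token);
}

// Call on every request to a sensitive area. Returns true only if the client
// presents the cookie bound to this session; rotates the token on success.
function check_login_cookie(array $cookies): bool
{
    if (!isset($_SESSION['cookie_name'], $_SESSION['cookie_token'])) {
        return false;                      // nobody logged in on this session
    }
    $name = $_SESSION['cookie_name'];
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return false;                      // SID reused without the cookie
    }
    if (!hash_equals($_SESSION['cookie_token'], $cookies[$name])) {
        return false;                      // stale or forged token
    }
    // Valid: rotate the token so a captured value is good for one request only.
    $_SESSION['cookie_token'] = bin2hex(random_bytes(16));
    send_login_cookie($name, $_SESSION['cookie_token']);
    return true;
}

session_start();
if (!check_login_cookie($_COOKIE)) {
    http_response_code(401);               // no cookie or mismatch: not logged in
    exit;
}
```

Rotating the token on every request means two overlapping requests from the same client can fail the check; if that matters for your pages, rotate only at login and on privilege changes.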