
Thread: <?php echo SID;?>

  1. #1
    Join Date
    Sep 2003
    Posts
    95

    <?php echo SID;?>

    Hello,

    I have a problem with session.

    When I create a session and try to send it to the next page in the URL using SID, it doesn't work.

    Can anybody help?
    Code:
    [Session]
    ; Handler used to store/retrieve data.
    session.save_handler = files
    
    ; Argument passed to save_handler.  In the case of files, this is the path
    ; where data files are stored. Note: Windows users have to change this 
    ; variable in order to use PHP's session functions.
    session.save_path ="F:\AppServ\php\session"
    
    ; Whether to use cookies.
    session.use_cookies = 0
    
    ; This option enables administrators to make their users invulnerable to 
    ; attacks which involve passing session ids in URLs; defaults to 0.
    ; session.use_only_cookies = 1
    
    ; Name of the session (used as cookie name).
    session.name = PHPSESSID
    
    ; Initialize session on request startup.
    session.auto_start = 1
    
    ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
    session.cookie_lifetime = 0
    
    ; The path for which the cookie is valid.
    session.cookie_path = /
    
    ; The domain for which the cookie is valid.
    session.cookie_domain =
    
    ; Handler used to serialize data.  php is the standard serializer of PHP.
    session.serialize_handler = php
    
    ; Define the probability that the 'garbage collection' process is started
    ; on every session initialization.
    ; The probability is calculated by using gc_probability/gc_divisor,
    ; e.g. 1/100 means there is a 1% chance that the GC process starts
    ; on each request.
    
    session.gc_probability = 1
    session.gc_divisor     = 1000
    
    ; After this number of seconds, stored data will be seen as 'garbage' and
    ; cleaned up by the garbage collection process.
    session.gc_maxlifetime = 1440
    
    ; PHP 4.2 and less have an undocumented feature/bug that allows you to
    ; to initialize a session variable in the global scope, albeit register_globals
    ; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
    ; You can disable the feature and the warning seperately. At this time,
    ; the warning is only displayed, if bug_compat_42 is enabled.
    
    session.bug_compat_42 = 0
    session.bug_compat_warn = 1
    
    ; Check HTTP Referer to invalidate externally stored URLs containing ids.
    ; HTTP_REFERER has to contain this substring for the session to be
    ; considered as valid.
    session.referer_check =
    
    ; How many bytes to read from the file.
    session.entropy_length = 0
    
    ; Specified here to create the session id.
    session.entropy_file =
    
    ;session.entropy_length = 16
    
    ;session.entropy_file = /dev/urandom
    
    ; Set to {nocache,private,public,} to determine HTTP caching aspects.
    ; or leave this empty to avoid sending anti-caching headers.
    session.cache_limiter = nocache
    
    ; Document expires after n minutes.
    session.cache_expire = 180
    
    ; trans sid support is disabled by default.
    ; Use of trans sid may risk your users security.
    ; Use this option with caution.
    ; - User may send URL contains active session ID
    ;   to other person via. email/irc/etc.
    ; - URL that contains active session ID may be stored
    ;   in publically accessible computer. 
    ; - User may access your site with the same session ID
    ;   always using URL stored in browser's history or bookmarks.
    session.use_trans_sid = 0
    
    ; The URL rewriter will look for URLs in a defined set of HTML tags.
    ; form/fieldset are special; if you include them here, the rewriter will
    ; add a hidden <input> field with the info which is otherwise appended
    ; to URLs.  If you want XHTML conformity, remove the form entry.
    ; Note that all valid entries require a "=", even if no value follows.
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
    I have started the session and I have put data into it.
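
Added example, not part of the original post: a small PHP check that reads a `[Session]` block like the one posted above and reports the settings that decide whether the session ID can travel in a URL. The text in `$ini` is a constructed excerpt, and `audit_session_ini()` is a hypothetical helper name.

```php
<?php
// Added example: flag session settings that affect how the session ID is carried.
// $ini is a constructed excerpt modelled on the [Session] block in the post.
$ini = <<<'INI'
[Session]
session.use_cookies = 0
; session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 1
session.use_trans_sid = 0
session.referer_check =
INI;

function audit_session_ini(string $text): array
{
    // The RAW scanner keeps values as the literal strings written in the file.
    $all = parse_ini_string($text, true, INI_SCANNER_RAW);
    $cfg = $all['Session'] ?? [];
    $findings = [];

    if (($cfg['session.use_cookies'] ?? '1') !== '1') {
        $findings[] = 'session.use_cookies is off: the ID can only travel in URLs or form fields';
    }
    // A commented-out directive is absent here, so the build default applies.
    if (($cfg['session.use_only_cookies'] ?? null) !== '1') {
        $findings[] = 'session.use_only_cookies is not set to 1 explicitly: the build default decides whether URL-supplied IDs are accepted';
    }
    if (($cfg['session.use_trans_sid'] ?? '0') === '1') {
        $findings[] = 'session.use_trans_sid is on: links are rewritten to include the ID';
    }
    if (($cfg['session.auto_start'] ?? '0') === '1') {
        $findings[] = 'session.auto_start is on: the session already exists before any session_start() call in a script';
    }
    return $findings;
}

foreach (audit_session_ini($ini) as $line) {
    echo '- ', $line, "\n";
}
```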

  2. #2
    Join Date
    Aug 2005
    Location
    The Garden State
    Posts
    5,634
    Show us your script(s), not your config files.

    You don't need to use SID to send your session across.

    A couple of tips

    1) Always start your sessions on every page.
    2) Start your sessions before you do anything else.

  3. #3
    Join Date
    Dec 2002
    Location
    Seattle, WA
    Posts
    1,843
    example
    PHP Code:
    <?php
    session_start();

    if (!defined('SID'))
    {
        define('SID', session_id());
    }
    // ...
    ?>

  4. #4
    Join Date
    Aug 2005
    Location
    The Garden State
    Posts
    5,634
    Please, show more.

    All of my pages start like this...

    PHP Code:
    <?php
    session_start();
    header("Cache-control: private"); // IE 6 Fix.
    I use this login function:
    PHP Code:
    function process_login($username,$password){
        $crpass = crypt_pass($username,$password);
        // Escape the username before it goes into the query string.
        $results = mysql_query("SELECT password FROM USERS WHERE username='".mysql_real_escape_string($username)."'");
        $respass = mysql_fetch_array($results,MYSQL_NUM);
        //printf("Crpass: ".$crpass." and respass: ".$respass[0].".");
        //commented for error checking...
        if ($crpass == $respass[0]){
            return true;
        }
        else{
            return false;
        }
    }

    Using a hash string variable that I've defined allows for one way encryption and unique keys for each username.

    My login page includes this code, for setting the session variables:
    PHP Code:
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['started'] = date('U');
    $login='Y';
    And finally, to check if a session is valid or not, I do this:
    PHP Code:
    if(!isset($_SESSION['username']) and $login !== 'Y'){
        printf("<script language=\"javascript\">document.location=\"index.php\";</script>");
    }

    If we're not on a login page and the username is null, then refresh the location to the login page (index.php)

    Let me know if this helps you at all or confuses you.

    Notice how I never use SID....

  5. #5
    Join Date
    Sep 2003
    Posts
    95
    You wanted my script. Here it is.

    index.php
    HTML Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>[home intranet] [please login]</title>
    </head>
    
    <body>
    <form action="login.php" method="post" name="login" id="login">
      <input name="username" type="text" id="username">
      <input name="password" type="password" id="password" maxlength="20">
      <input type="submit" name="Submit" id="submit" value="Submit">
    </form>
    </body>
    </html>
    login.php
    PHP Code:
    <?php
    session_start();
    if ($_POST['username'] == "") {
        echo "username must be enterd";
    } else {
        if ($_POST['password'] == "") {
            echo "password must be enterd";
        } else {
            /* require '\inc\db.php'; */ // cant get include to work add info from include
            $conn = mysql_connect("localhost", "daniel", "******");
            mysql_select_db("intranet", $conn);
            // Escape the username before building the query.
            $sql = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($_POST['username'], $conn) . "'";
            $results = mysql_query($sql, $conn);
            $numrows = mysql_numrows($results);
            if ($numrows == 1) {
                while ($newArray = mysql_fetch_array($results)) {
                    $username = $newArray['username'];
                    $password_db = $newArray['password'];
                    $name = $newArray['name'];
                }
                if (md5($_POST['password']) == $password_db) {
                    $_SESSION['username'] = $_POST['username'];
                    echo "valid";
                    ?>
                    <a href="intranet/index.php?<?php echo SID ?>">about:blank</a>    <? } else {
                    echo "invalid user";
                }
            } else {
                echo "user not found or to many users found";
            }
        }
    }
    // this is temporary
    echo SID;
    ?>
    <br>
    <?php
    echo session_id();
    ?>
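
Added example, not code from any poster in this thread: a login check in the shape of the `process_login()` and `login.php` code above, written so the session is carried by a cookie only and gets a fresh ID at login. It assumes PHP 7.3 or later with `pdo_sqlite`; the in-memory table and demo account are constructed, and the stored hash comes from `password_hash()` rather than the posters' `crypt_pass()` or `md5()`.

```php
<?php
// Added example: cookie-only session and a login that issues a fresh ID.
// The users table and the demo account below are constructed for illustration.
ini_set('session.use_only_cookies', '1'); // ignore IDs supplied in the URL
ini_set('session.use_trans_sid', '0');    // do not rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function process_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is sent as data, not as SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // password_verify() checks a salted hash created by password_hash().
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    // New ID at login, so an ID that was known before login stops working.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['started']  = time();
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['daniel', password_hash('example-password', PASSWORD_DEFAULT)]);

$idBefore = session_id();
$rejected = process_login($db, 'daniel', 'wrong-password');
$accepted = process_login($db, 'daniel', 'example-password');

printf(
    "wrong password accepted: %s\nright password accepted: %s\nID changed at login: %s\n",
    var_export($rejected, true),
    var_export($accepted, true),
    var_export(session_id() !== $idBefore, true)
);
```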

  6. #6
    Join Date
    Sep 2003
    Posts
    95
    Quote Originally Posted by chazzy
    please, show more.

    all of my pages start like this...
    PHP Code:
     removed for space
    see above but one post 
    i use this login function:
    PHP Code:
     removed for space
    see above but one post 
    If we're not on a login page and the username is null, then refresh the location to the login page (index.php)
    PHP Code:
     removed for space
    see above but one post 
    Let me know if this helps you at all or confuses you.

    Notice how I never use SID....
    Yep, I am confused. Can you explain it a bit?

    What I want to do, as you can guess, is log users in and log them out automatically when they leave the site, or if they click log out.
    Last edited by spinnyscripter; 10-14-2005 at 05:34 AM.

  7. #7
    Join Date
    Aug 2005
    Location
    The Garden State
    Posts
    5,634
    spinny:

    What you are doing is not much different than what I am doing. I just have everything in functions, and have slightly tighter security.

    You don't need <a href="intranet/index.php?<?php echo SID ?>">about:blank</a>
    What does your index.php look like? Most likely that is where the problem is.

    To check that your sessions are working, try this.

    Add
    $_SESSION['username'] = $username;
    to this page
    so that when they go to index.php you can print out:
    printf("Username: ".$_SESSION['username']."\n");

  8. #8
    Join Date
    Sep 2003
    Posts
    95
    So what you are saying is don't use SID and rely on it being sent from page to page automatically.

  9. #9
    Join Date
    Sep 2003
    Posts
    95
    It's just a project for a home intranet so we can leave messages and phone messages etc. before we forget them. My computer is only accessible from the one downstairs, so we don't really need to rely too much on security.

    But I have the database connection script in a separate folder included for security.

  10. #10
    Join Date
    Aug 2005
    Location
    The Garden State
    Posts
    5,634
    You would need to send the session if you closed it on every page, which makes no sense.

    There is no feasible way that I've seen of passing the session via GET, since in order to pull info from a GET, the session must have been started already, and as per the PHP website, once a session is started you can't rename it. However, as long as it is active, it is there as part of your connection to the server. Destroying a session forces a new one to start. Does that make sense?

    I tried using SID notation originally. Didn't work. You just need to verify that each page begins with <?php session_start(); header("Cache-control: private");

    What I don't get is that you are putting up a link to your login form once they have authenticated. I'm assuming that is just there until the other pages are up?

    That's a little backwards from how I usually work, as I do most of my page development openly, then add some security in.

  11. #11
    Join Date
    Sep 2003
    Posts
    95
    Quote Originally Posted by chazzy
    what I don't get is that you are putting up a link to your login form once they have authenticated. I'm assuming that is just there until the other pages are up?
    PHP Code:
    if (md5($_POST['password']) == $password_db) {
        $_SESSION['username'] = $_POST['username'];
        echo "valid";
        ?>
        <a href="intranet/index.php?<?php echo SID ?>">about:blank</a>    <? } else {
        echo "invalid user";
    }
    } else {
        echo "user not found or to many users found";
    }
    No no no no.

    I am redirecting the user to localhost/intranet/intranet/index.php, not localhost/intranet/index.php.

    The link redirects to a folder inside the site that contains the secured pages.
