NotionCommotion

Everything posted by NotionCommotion

  1. I have a bunch of users in a database (id, name, etc). I have a bunch of documents which belong to users (id, filename, users_id, etc), and expect 500 or less per user. The documents will be renamed to the document_id, and X-Sendfile (since they are stored under the document root) will be used to retrieve them, and a header will be used to return them to their original name. Is it recommended to make a separate folder for each user and store each individual user's documents in that folder, or create one folder for all documents? If I go with the one folder approach, I will need some method for keeping the total files per folder below some reasonable limit (1,000?). My thought is to estimate the maximum potential number of folders, and create subfolders under the main document folder. I will likely hash the ID, and use the first character to create the first subfolder, the second character to create a second subfolder in the first subfolder, and continue as long as needed to accommodate the maximum potential documents (if there are 1,000,000 potential folders, then three levels will keep the maximum per folder under 244). Please provide rationale for one approach over the other. Thank you
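The hashed-subfolder scheme described in the post above, as an added example (this is not code from the post or the forum). It assumes a layout of three hex digits from the SHA-256 of the numeric document id, one digit per level, with the numeric id as the leaf filename; the base directory `/srv/docs` and the helper names are hypothetical. Two checks a practitioner would want are included: the resolved path is verified to stay under the base directory, and the original filename is sanitised before it goes into the `Content-Disposition` header, since that header is the only place user-supplied names should ever reach.

```python
import hashlib
import os
from pathlib import Path
from typing import List

# Added example (not from the original post). Assumed layout, one hex digit per
# level: <base>/<h[0]>/<h[1]>/<h[2]>/<document_id>, where h = sha256(str(id)).
BUCKETS_PER_LEVEL = 16


def shard_dirs(doc_id: int, levels: int = 3) -> List[str]:
    """Hashed sub-folder names for a document id.

    Hashing spreads sequential ids evenly; each level is one hex character,
    so each folder holds at most 16 sub-folders.
    """
    if isinstance(doc_id, bool) or not isinstance(doc_id, int) or doc_id < 0:
        raise ValueError("document id must be a non-negative integer")
    digest = hashlib.sha256(str(doc_id).encode("ascii")).hexdigest()
    return list(digest[:levels])


def storage_path(base: str, doc_id: int, levels: int = 3) -> Path:
    """On-disk path for a document, checked to stay under the base directory.

    The leaf name is the numeric id, never the upload's original filename, so
    user input cannot select a path; the original name only ever reaches the
    Content-Disposition header.
    """
    base_path = Path(base).resolve()
    candidate = base_path.joinpath(*shard_dirs(doc_id, levels), str(doc_id))
    if os.path.commonpath([base_path, candidate.resolve()]) != str(base_path):
        raise ValueError("resolved path escapes the storage base")
    return candidate


def expected_files_per_leaf(total_docs: int, levels: int = 3) -> float:
    """Average files per leaf folder for a uniform hash (16 buckets per level)."""
    return total_docs / (BUCKETS_PER_LEVEL ** levels)


def content_disposition(original_name: str) -> str:
    """Header value that restores the original filename on download.

    Quotes, backslashes, path separators and non-printable characters are
    dropped so the name cannot break the header or smuggle a path.
    """
    cleaned = "".join(c for c in original_name
                      if c.isprintable() and c not in '"\\/')
    cleaned = cleaned.strip() or "download"
    return f'attachment; filename="{cleaned}"'
```

With three hex levels there are 4,096 leaf folders, so 1,000,000 documents average about 244 per leaf, which is the figure the post arrives at; a fourth level would bring it to about 15. Because the leaf name is the id rather than the upload name, the per-user-folder question becomes purely one of convenience: access control has to come from the database row (users_id) either way.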
  2. It doesn't take much! Glad to be of help.
  3. You sent content to the browser before calling the header (a big no-no). Happened right between when you call session_start() and include your password.php file.
  4. Thank you all for your replies. Subdomains turned out to be just the ticket (I hope!).
     Step 1: I set up my DNS for mysite.com, *.mysite.com, and *.*.mysite.com to go to the same file.
     Step 2: Apache redirects www (or PHP just strips it off), and deals with ServerAlias.
     Step 3: Do the following:
         $domain=explode('.', $_SERVER['HTTP_HOST']);
         switch($domain) {
             case 1: //Display front site.
             case 2: //If $domain[1] exists in DB, display user site, else display warning page.
             case 3: //If $domain[1] exists in DB AND $domain[2]==admin name (as stored in DB for $domain[1]), display admin site, else display warning site.
             default: //display warning page
         }
     Questions:
     1. Do I have the correct workflow? (see question 4, which might indicate that I need to change it)
     2. Can I rely on $_SERVER['HTTP_HOST']? It is provided by the client (bad), but verified by the webserver (good), so it should be fine, right?
     3. If I use sessions on all three and don't change the name, for the admin site, I will have (3) cookies all named PHPSESSID with the same path but different domains. Will the cookie with the same domain as the admin page always take precedence? Should I rename all three to have unique names?
     4. By the way, this was the original intent of what turned out to be an off-topic title to this thread. Currently, a user cannot add content (and thus JavaScript) to mysite.com and joes_site.mysite.com, so I have no risks, but that might change in the future. As stated in Question 3, the admin site includes its own session cookie as well as session cookies for the main site and user site, and the user site includes its own session cookie as well as session cookies for the main site. Jacques1 recommends using domains joe.user-sites.mysite.com and joe.site-admin.mysite.com (and I suppose I could use main.mysite.com as well for the "corporate" site). I guess this makes sense, but I obviously don't want the user to have to enter "user-sites" in the URL. Just use Apache to rewrite and add it?
     Also, Jacques1 indicated that there is a risk for a "global" cookie for .users.yoursite.com which is also valid for other user sites. How is this mitigated? Thank you all for your help!
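The Host-header dispatch from Step 3 above, written out as an added example in Python rather than PHP (language-neutral logic; this is not code from the post or the forum). On the second question: Apache only compares Host against ServerName/ServerAlias to pick a virtual host, a wildcard alias accepts anything, and with the default UseCanonicalName Off the SERVER_NAME variable is also taken from the request, so the application has to validate the value against its own allowlist before using it for routing or for building URLs. The tenant table, base domain and function names below are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not code from the original post. The tenant table below is
# constructed and stands in for the poster's database lookup.
BASE_DOMAIN = "mysite.com"
TENANTS: Dict[str, str] = {   # site name -> admin name stored for that site
    "joes_site": "joe",
    "acme": "alice",
}
# One hostname label; underscores allowed because the post uses joes_site.
LABEL = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")


def normalize_host(http_host: str) -> Optional[str]:
    """Canonicalise the Host header value or return None if it is not ours.

    Lower-cases, strips an explicit port and a leading "www.", then insists the
    result is the base domain or a subdomain of it. Anything else (evil.com,
    mysite.com.evil.com, an empty value) is rejected here rather than trusted.
    """
    host = http_host.strip().lower()
    host = re.sub(r":\d+$", "", host)
    if host.startswith("www."):
        host = host[4:]
    if host != BASE_DOMAIN and not host.endswith("." + BASE_DOMAIN):
        return None
    return host


def classify(http_host: str) -> Tuple[str, Optional[str]]:
    """Map a Host value to (site type, tenant) following the post's three
    cases: front site, <site>.mysite.com, <admin>.<site>.mysite.com.
    Everything that does not match a known tenant lands on the warning page."""
    host = normalize_host(http_host)
    if host is None:
        return ("warning", None)
    if host == BASE_DOMAIN:
        return ("front", None)
    labels = host[: -len(BASE_DOMAIN) - 1].split(".")
    if not all(LABEL.match(label) for label in labels):
        return ("warning", None)
    if len(labels) == 1:
        site = labels[0]
        return ("user", site) if site in TENANTS else ("warning", None)
    if len(labels) == 2:
        admin, site = labels
        if TENANTS.get(site) == admin:
            return ("admin", site)
    return ("warning", None)
```

The important property is that every branch other than the allowlisted ones falls through to the warning page, including hosts that merely contain the base domain somewhere in the middle.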
  5. Guess so, but they are missing out on some fun!
  6. I am sure you are correct; however, I always say "look at what the server is telling you by using var_dump or print_r (and, without saying, error detection)". I've posted a dozen similar replies, and have not heard once that it was of any help. Shouldn't everyone (especially beginners) be doing this often?
  7. Thanks Kicken. I will check out ServerAlias! I was able to get a subdomain working earlier today, but had to go to my domain name host (1&1), and create a subdomain for my primary domain and point that name to my server. I will contact 1&1, but hopefully there is a better way. Thanks Jacques1. As you could tell, I am very new to subdomains, but very excited about the opportunities that they might provide.
  8. if ($tx['category']!='receive') continue; Notice: Undefined index: category in C:\xampp\htdocs\content\cron\check_deposits.php on line 18 $tx does not have the element 'category'. When you get these errors/notices, back up a bit. Use either var_dump($txs) or my favorite echo('<pre>'.print_r($txs,1).'</pre>');. Is the array what you expected?
  9. Thanks kicken, I wasn't implying that a separate copy of my application will be used for each user, but that something unique would be made available for each user, and the application would configure things as appropriate. Sounds like we are on the same page. I take it that "configuring a wild-card vhost" is an Apache (or similar) configuration, and it will send all requests regardless of the subdomain to the same file, right? So then, I don't need a separate folder for each user? Sounds great! My virtual host is already created with a wildcard name, no? (see below). But this will not magically allow janedoe.mysite.com to work. Can you give me some pointers on where to start?
     NameVirtualHost *:443
     <VirtualHost *:443>
         bla bla bla
     Thank you
  10. I am obviously way over my head. Currently, a user logged on to john.yoursite.com can do very little. They can view information, and do a couple of heavily validated SELECT menu post updates. That's not to say this is a smart approach, as things seem to change and maybe it will not be so safe in the future. The admin user does have the ability to add HTML; however, I am using http://htmlpurifier.org/ to in theory make it safe. I guess I (kind of) understand the part about a good guy visiting a bad guy's site, and getting a cookie. But what if the session array was broken down by site accessed name, and the application only allows access based on the URL? Also, is my http://mydomain.com/index.php?site=folder1&type=admin idea totally fubar?
  11. Understand the recommendation about managing session credentials via code. Easy enough. Does this also provide reasonable protection between front and admin sites? In regards to each user site having its own subdomain, how is this implemented? My wildest dreams suggest 100,000 subdomains. If I don't have 1,000 subdomains, I failed. Do you know if that is how wordpress.com does it? For instance, I have a wonderful site https://notioncommotion.wordpress.com/. Think it is a unique domain? Think they created some folder just for me? Or is wordpress.com's implementation inherently insecure, and I should not attempt to mimic it? Or maybe I shouldn't even be creating separate folders for each site. Instead, I have something like http://mydomain.com/index.php?site=folder1 and http://mydomain.com/index.php?site=folder1&type=admin, and use the webserver to rewrite it. Can it be implemented securely? If so, please provide a general description of the approach. Thank you
  12. Thanks Jacques1, I agree that when things get weird and hacky, it is usually a flawed implementation, and would appreciate some more input. I posted a somewhat related question http://forums.phpfreaks.com/topic/292405-how-to-structure-website-with-accompanied-microsites/ which is not exact, but provides some background. I have a public website where people can look at the application, and sign up if they want. Currently, I have this at http://mydomain.com/index.php. Sessions are only used to support the site creation phase (you've done part, and only need to click a link in your email), and don't deal with user logons. If they sign up, they select a "domain name" (not really a domain name, but it differentiates their site kind of like a WordPress.com or Facebook account does) and they get two websites. Assuming they picked the name "bobs_site", their two sites will be http://mydomain.com/bobs_site/index.php and http://mydomain.com/bobs_site/administrator/index.php. The two sites are completely separate, and an admin user doesn't have access to the frontend using their admin username/password. Normally the user who signed up will only visit the administrator portion, and the user's customers will visit the other portion; however, the user will likely wish to see what the other portion looks like, so may create a frontend logon for himself and log on as well. You provided the following advice: Could you elaborate on this topic, and how it might apply to my scenario? Thank you
  13. If I have three files such as the following, and put session_start() in each, the session cookie will be domain: "mydomain.com" and path "/". As such, the session will be shared between all three files. http://mydomain.com/index.php http://mydomain.com/folder1/index.php http://mydomain.com/folder1/folder2/index.php If I want the cookie to be unique to each file, then it seems I have several options. I could use session_name() to give the cookie a unique name for each file. I could use session_set_cookie_params() to set a unique path for each (/, /folder1, /folder1/folder2), however, the index files in the children directories will also be sent the root directories session cookie, right? Will this cause problems? Should both approaches be implemented? Or is there another approach? Thanks
  14. I have a script called getstarted whose purpose is to create microsites which are located as:
      /var/www/html/microsite1/index.php
      /var/www/html/microsite1/lib/ (symbolic link)
      /var/www/html/microsite1/administrator/index.php
      /var/www/html/microsite2/index.php
      /var/www/html/microsite2/lib/ (symbolic link)
      /var/www/html/microsite2/administrator/index.php
      /var/www/html/microsite3/index.php
      /var/www/html/microsite3/lib/ (symbolic link)
      /var/www/html/microsite3/administrator/index.php
      Each of the index.php files looks like:
      define( '_VSEXEC', 1 ); // Set flag to indicate that this is a parent
      $file=__FILE__;
      $type='back'; //or front
      require('/path/to/mainfile.php');
      Question: Should the microsites be virtual servers or just subfolders? If there are many, it seems like virtual servers are not a good solution, right? Instead of accessing a microsite as http://mydomain.com/microsite1/index.php and http://mydomain.com/microsite1/administrator/index.php, I would like to do so as http://microsite1.mydomain.com/index.php and http://microsite1.mydomain.com/administrator/index.php. How is this best accomplished? The key to the microsites being unique is the name of the folder (microsite1, 2, 3, etc). Note that the user may later change the site's name (i.e. microsite1 to bobs_site) as well as the administrator link (i.e. administrator to bobs_backend) using the administrator PHP application. My mainfile.php which is included in each of the index.php files simply gets the name by using basename(dirname($file)), and then queries the DB using this name to get the microsite specifics. Is there anything inherently wrong with this approach? A separate session cookie is used for the front microsite (http://mydomain.com/microsite1/index.php) and the accompanying administrator microsite (http://mydomain.com/microsite1/administrator/index.php).
      The same session cookie should be used whether accessed as http://mydomain.com/microsite1/index.php or http://microsite1.mydomain.com/index.php, and the same for the two admin entry points (note that www.mydomain.com is rewritten to mydomain.com). I originally started asking this question in post http://forums.phpfreaks.com/topic/292398-help-understanding-cookies-domains-and-paths/, but don't think I was clear with my requirements. Currently, I have the session cookies for both the front and admin site as domain ".mydomain.com" and path "/microsite1/". The accompanying session is something like array('front'=>array('bla','bla'),'admin'=>array('bla','bla')). In hindsight, I think this was a poor decision, as front users and admin users can log off, which should delete their session, and this causes both the front and admin session to be deleted if they are concurrently logged on as both. Recommendations on how best to implement this (no detailed code required, just provide the general approach)? Thank you
      REFERENCE ONLY. My website has five pages which are implemented using files home.html, features.html, pricing.html, and main.php located in my HTML root directory (/var/www/html). home.html, features.html and pricing.html are accessed directly. main.php is accessed as http://mydomain.com/main.php?p=getstarted&c=foo&d=bar for getstarted and similarly for contactus. Instead of using this as the URL, I would like to use http://mydomain.com/getstarted, http://mydomain.com/getstarted/foo, or http://mydomain.com/getstarted/foo/bar. I have successfully implemented this by adding the following to my Apache configuration file /etc/httpd/conf/httpd.conf as shown below (no need to check it out unless you want to). I wish to keep this functionality intact.
      <VirtualHost *:80>
          ServerName mydomain.com
          ServerAlias www.mydomain.com mail.mydomain.com smtp.mydomain.com ftp.mydomain.com
          DocumentRoot /var/www/html
          <IfModule mod_rewrite.c>
              RewriteLog /var/log/httpd/rewrite.log
              RewriteLogLevel 3
          </IfModule>
          <Directory "/var/www/html">
              Allow from all
              Options +Indexes
              <IfModule mod_rewrite.c>
                  RewriteEngine On
                  RewriteBase /
                  ## If the request is for a valid directory, file, or link, don't do anything
                  RewriteCond %{REQUEST_FILENAME} -d [OR]
                  RewriteCond %{REQUEST_FILENAME} -f [OR]
                  RewriteCond %{REQUEST_FILENAME} -l
                  RewriteRule ^ - [L]
                  # remove the trailing slash
                  RewriteRule (.+)/$ $1
                  # If you add this first rule to support views, be sure to remove the QSA flag from the second rule (maybe not required since the first rule has the L flag)
                  # replace my-page/my-controller/data with main.php?p=my-page&c=my-controller&data=data
                  RewriteRule ^(getstarted|contactus)/([^/]+)/([^/]+)/?$ main.php?p=$1&c=$2&d=$3 [L,QSA]
                  # replace my-page/my-controller with main.php?p=my-page&c=my-controller
                  RewriteRule ^(getstarted|contactus)/([^/]+)/?$ main.php?p=$1&c=$2 [L,QSA]
                  # replace my-page with main.php?p=my-page
                  RewriteRule ^(getstarted|contactus)/?$ main.php?p=$1 [L,QSA]
                  # Replaces file if "." is not in the string (i.e. it will not replace file.html, but will replace file)
                  RewriteRule ^([^.]+)$ $1.html [L]
              </IfModule>
          </Directory>
      </VirtualHost>
  15. Sneaky! What would be the purpose of doing so?
  16. Please elaborate on "Cookies are domain restricted, could be a host or subdomain." Nice article! I was expecting such good reading Good examples. Please elaborate on what "Is a trick to add a cookie multiple domains." is doing. Thanks!
  17. Thanks requinix, I haven't read the article yet, but first glance indicates it is better than others I have read. Thank you In hindsight, totally agree about your remark about what the browser sees, and don't know why I asked the question. Thank you Didn't recall the tl;dr; acronym, so promptly looked it up. Okay, I obviously read the wrong definition! Do you mind giving a couple of examples of cookie domains which match the tail end of the hostname, and cookie paths which match the beginning of the path. Thanks!
  18. First of all, does anyone know of some good documentation to better understand cookies? I've gone through the PHP manual, and can find how to use PHP to work with cookies, but not how cookies really work. In particular, it is my understanding that if the domain is .mydomain.com, then for mydomain.com, www.mydomain.com, or whatEver.mydomain.com, cookies could be set for each, and available for each, right? If the path was /, cookies will be sent for mydomain.com, mydomain.com/bla, and mydomain.com/bla/bla. If the path was /bla, cookies will not be sent for mydomain.com, but will be sent for mydomain.com and mydomain.com/bla/bla. Also, what would be the impact if Apache rewrote bla.mydomain.com to mydomain.com/bla? Please feel free to provide any other insight on this topic. Thank you
  19. Forget about the SQL stuff for now. Focus just on sending stuff between the server and client. The client is your web browser. The server is the Apache/IIS/etc server located somewhere. Client says "server, give me some HTML". Server gets the HTML, and sends it to the client. User clicks "submit" on the client, but wait, nothing happens??? Well, your inputs and submit button need a <form> tag around the inputs to tell it where to send the data. Note that the HTML you showed doesn't have this form. Add the form, and then the data goes whizzing to the server. The server receives the data, does some work, and then sends back the appropriate HTML. But don't do your SQL queries yet. Instead, make sure it is receiving the correct data. I like to use echo('<pre>'.print_r($_POST,1).'</pre>');, but others prefer var_dump($_POST);. As ginerjm indicated, enable error display! When you know everything is working, deal with the SQL part, so the correct HTML is sent back. Client receives the HTML, and user is happy
  20. Thanks ChOcu3r. Not sure if it will be necessary, but good to know. Thanks ginerjm, I don't think users have sessions, but clients have sessions. If a user visits http://mysite.com/site1/index.php and http://mysite.com/site1/administrator/index.php, there will be two session cookies set, right? What about http://site1.mysite.com/index.php and http://site1.mysite.com/administrator/index.php? Two more? Then there is http://www.mysite.com/site1/index.php (however, I indicated that I will be rewriting, so maybe these are not an issue). I was getting lost in the number of cookies, and wanted to centrally locate them under just http://mysite.com/site1. But then, if the general user logs off of a given client, the administrator user on that same client is logged off.
  21. I've read, but I'm sure I can use some more reading. HTTP or PHP manual? http://php.net/manual/en/features.cookies.php looks weak. Also, the whole point of my post regarded the cookie which stores the session ID. Could that session be renamed?
  22. Again, cookies are not my strong point, so I might be totally off base. But isn't the name for the session cookie always "PHPSESSID"?
  23. If I destroy the cookie for the general site, will it not destroy the subdirectory cookie?
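Posts 13, 18, 20 and 23 above all come down to the same two rules: which stored cookies a browser attaches to a given request, and what identifies a cookie when you try to delete it. Below is an added example modelling those rules in Python (language-neutral logic; this is not code from any of the posts or from the forum), following RFC 6265: a cookie whose Set-Cookie carried a Domain attribute matches that domain and all its subdomains (a leading dot is ignored), a cookie set without a Domain attribute is host-only and matches the exact host only, a path matches on exact equality or on a "/"-delimited prefix, and the browser sends longer paths first. A cookie is identified by (name, domain, path), so expiring the "/" cookie leaves a "/microsite1" cookie of the same name in place. The jar contents, hostnames and values are constructed.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Added example, not from the original posts: a model of how a browser decides
# which stored cookies to attach to a request (RFC 6265 sections 5.1.3, 5.1.4
# and 5.4). Hosts, paths and cookie values below are constructed.


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # Domain attribute, or the host it was set on
    path: str        # Path attribute
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Domain-match: equal to the cookie domain, or a subdomain of it.
    A leading dot on the attribute (.mydomain.com) is ignored."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match: exact, or cookie path is a prefix ending in "/", or the
    request path continues with "/". So "/bla" matches "/bla/x", not "/blah"."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(url: str, jar: List[Cookie]) -> List[str]:
    """Return the name=value pairs a browser would send for url, in the order
    it would send them: longer paths first, then creation order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            ok_domain = host == c.domain.lower().lstrip(".")
        else:
            ok_domain = domain_matches(host, c.domain)
        if ok_domain and path_matches(path, c.path):
            sent.append(c)
    sent.sort(key=lambda c: -len(c.path))  # stable: ties keep creation order
    return [f"{c.name}={c.value}" for c in sent]


def expire_cookie(jar: List[Cookie], name: str, domain: str, path: str) -> List[Cookie]:
    """Effect of Set-Cookie: name=; Expires=<past>; Domain=domain; Path=path.
    A cookie is identified by (name, domain, path), so only that one goes."""
    return [c for c in jar
            if not (c.name == name
                    and c.domain.lower().lstrip(".") == domain.lower().lstrip(".")
                    and c.path == path)]


def make_jar() -> List[Cookie]:
    """Constructed jar mirroring the posts: three PHPSESSID cookies that differ
    only by path, plus one host-only cookie set without a Domain attribute."""
    return [
        Cookie("PHPSESSID", "front", ".mydomain.com", "/", host_only=False),
        Cookie("PHPSESSID", "site1", ".mydomain.com", "/microsite1", host_only=False),
        Cookie("PHPSESSID", "admin", ".mydomain.com", "/microsite1/administrator", host_only=False),
        Cookie("prefs", "1", "mydomain.com", "/", host_only=True),
    ]
```

Two things the model makes visible: a request to /microsite1/administrator/index.php carries all three PHPSESSID values in one Cookie header, and PHP keeps the first one it sees, so the longest-path cookie is the session that page ends up with; and a request to site1.mydomain.com receives the domain cookies but not the host-only one, which is why the post's "same cookie from both hostnames" requirement needs a Domain attribute on the session cookie. Giving each site its own session_name() avoids relying on that ordering at all.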
  24. Sonofharold, it has nothing to do with SQL, and not even your books table. Look at the following line. Strings need quotes around them. See http://php.net/manual/en/language.types.string.php. Your string is not well formed.
      $strSQL = SELECT * FROM `books` WHERE author = '".$aa."' AND publisher = '".$bb."' AND yearpublished = '".$cc."' AND genre ='".$dd."'" ";
      I would probably do something like the following (provided I didn't want to use PDO):
      $strSQL = "SELECT * FROM books WHERE author = '{$aa}' AND publisher = '{$bb}' AND yearpublished = '{$cc}' AND genre ='{$dd}'";
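The reply above mentions PDO as the alternative to building the query string by hand. As an added example (not code from the post or the forum), here is the same books query both ways, using Python's sqlite3 with an in-memory table standing in for PDO and MySQL: one version pastes the four values into the SQL text exactly as the post's $strSQL does, the other binds them as parameters. The table, rows and the injected genre value are constructed for the demonstration.

```python
import sqlite3
from typing import List

# Added example, not from the original post. SQLite's ? placeholders stand in
# for PDO prepared statements; the table and rows are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (title TEXT, author TEXT, publisher TEXT, "
        "yearpublished TEXT, genre TEXT)"
    )
    conn.executemany(
        "INSERT INTO books VALUES (?, ?, ?, ?, ?)",
        [
            ("Dune", "Herbert", "Chilton", "1965", "scifi"),
            ("Emma", "Austen", "Murray", "1815", "novel"),
            ("Neuromancer", "Gibson", "Ace", "1984", "scifi"),
        ],
    )
    return conn


def search_interpolated(conn, aa, bb, cc, dd) -> List[str]:
    """Same shape as the post's $strSQL: values pasted into the SQL text.
    Works for well-behaved input, but the values become part of the query."""
    sql = (
        f"SELECT title FROM books WHERE author = '{aa}' AND publisher = '{bb}' "
        f"AND yearpublished = '{cc}' AND genre = '{dd}'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, aa, bb, cc, dd) -> List[str]:
    """Same query with bound parameters: the SQL text is fixed and the four
    values travel separately, so they can only ever be compared as data."""
    sql = (
        "SELECT title FROM books WHERE author = ? AND publisher = ? "
        "AND yearpublished = ? AND genre = ?"
    )
    return [row[0] for row in conn.execute(sql, (aa, bb, cc, dd))]


INJECTED_GENRE = "x' OR '1'='1"   # constructed value a form field could carry
```

With the injected genre, the interpolated query's WHERE clause becomes `... AND genre = 'x' OR '1'='1'`, which is true for every row; the parameterized query compares the literal string and matches nothing.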