parkin_m

  1. QUOTE (wildteen88 @ Mar 18 2006, 01:04 PM): When you use session_start a special random string is generated called a sessionid. This is either stored in a cookie on the client's computer (if the computer/browser accepts cookies) or it is sent over the URL (if the cookie couldn't be set). Now when you use session_start it will check whether the client has the same session id stored in the cookie or the URL against the session file (which is automatically generated and stored in the location that is specified in the php.ini on the server) and is given the same name as the value of the sessionid but is prepended with sess_. So if you have a session id of cdum2u7lqifl3s9h6s7s2kcqs3 then a file called sess_cdum2u7lqifl3s9h6s7s2kcqs3 will be automatically created. So if the two match then it'll use the current session, otherwise it'll create a new blank session. This is how session_start works every time you use it.

     Thank you very much, exactly what I was looking for and loads of help!
  2. QUOTE (kenrbnsn @ Mar 18 2006, 02:31 AM): Did you read the section on sessions (http://www.php.net/session) in the PHP manual? Ken

     Yes
  3. QUOTE (ToonMariner @ Mar 18 2006, 12:23 AM): Once a session is created it is associated with that client and that connection to the server - these sessions stay alive till the browser closes.

     What do you mean by "it is associated"? I thought the only association between a client and a server is the IP address. I have been reading a tutorial online: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

     "Users with shell access to the web server can scan valid session id's if the default /tmp directory is used to store the session data."

     If the session IS associated with that connection, then why is it possible for a hacker to browse through valid session IDs? When a session is created, what is generated and where is it all stored? If you could just explain at the most fundamental level possible it would be a great help. Thanks
  4. Hi, I have just got into PHP and I am using it along with MySQL to create a website that will allow the administrator to upload new mp3s with name, title and description. The public will be able to view these entries of the database in a nicely formatted PHP webpage using CSS etc. I have created all the scripts and forms to allow someone to do this uploading and editing of the database, but have now gotten stuck while trying to create a secure(ish) PHP login script so that only a user in the members table (the administrator) can access this.

     I decided the way to do this is to:

     1. Have a log in page
     2. Take the username and password from the user
     3. Check this information against the MySQL database to see if it exists
     4. Create a new session if they match OR report an error if they do not
     5. Retrieve the IP address of the user
     6. Save the session ID and the IP address into the database

     This is where it gets a little confusing. At the start of every new page I can then check to make sure that the user who is on this page has a session ID and that the IP address is the same as the one that is stored in the database... but how? session_start() creates a $_SESSION array every time it is run. Where is this information stored? How does the server know which session is linked to which computer user if there is more than one session currently open?

     By using an IP check I think I will stop any hacker being able to steal a valid session ID and force their way in. Is this correct?

     Any help asap would be great. I did do a forum search but couldn't find anything in relation. Thanks, Mike
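
The per-page check asked about in the last post, as an added example that is not code from the thread or from the linked tutorial. It keeps the IP address in `$_SESSION` (server-side session file) rather than a database table, and the names `APP_SESSION_DIR`, `start_secure_session()`, `login()`, `require_login()` and the `$lookupHash` callback are hypothetical; the cookie-options array needs PHP 7.3 or later.

```php
<?php
// Assumed private directory (mode 0700, owned by the web server user), so other
// shell users cannot list sess_* file names as they could in a shared /tmp.
const APP_SESSION_DIR = '/var/lib/php/myapp_sessions';

function start_secure_session(): void
{
    session_save_path(APP_SESSION_DIR);
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();          // loads sess_<id> into $_SESSION, or starts an empty one
}

// $lookupHash is a hypothetical callback returning the stored password hash for
// a username (for example from the members table), or null if there is no such user.
function login(string $user, string $password, callable $lookupHash): bool
{
    $hash = $lookupHash($user);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);  // fresh id at login; the old session file is deleted
    $_SESSION['user'] = $user;
    $_SESSION['ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// Call at the top of every protected page, after start_secure_session().
function require_login(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['user'], $_SESSION['ip']) || !hash_equals($_SESSION['ip'], $ip)) {
        $_SESSION = [];
        session_destroy();        // drop the server-side session data
        http_response_code(403);
        exit('Please log in again.');
    }
    return $_SESSION['user'];
}
```

The IP comparison is an extra check only: clients behind the same NAT or proxy share an address, and a legitimate user whose address changes mid-session will be logged out.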