
something about session


ibolui


Hi guys. I came across some articles about sessions by Chris Shiflett.

 

http://shiflett.org/articles/the-truth-about-sessions

http://shiflett.org/articles/session-fixation

http://shiflett.org/articles/session-hijacking

http://shiflett.org/articles/storing-se ... a-database

 

He recommended some techniques for better handling of sessions. In the last article, I understand that storing sessions in a DB is safer in a shared hosting environment.

 

But what I would like to ask is: if storing sessions in a DB is implemented, are the techniques in his other articles still valid? As in, do I still need to write that code in my app?

 

Thanks,

Still very new to PHP :P

https://forums.phpfreaks.com/topic/105696-something-about-session/

If you're concerned about sessions and security, then the best approach is to use sessions as normal, then use mod_rewrite to rewrite the URLs in a .htaccess file.

 

It's true to say that database sessions are the best approach, but picky in ways.

 

In general there's nothing wrong with using sessions for anything general, unless the users can see info that they shouldn't.

To solve all the problems on shared hosting, simply set session.save_path to be a private folder within your account space. This solves sessions ending due to the data files being deleted due to other accounts using a short session.gc_maxlifetime and it prevents access by other accounts to your session data file names (which contains the session id) and the content of the files.

 

The only real reason to store the session data files in a database is if you are doing web server load balancing and you need to share session data files between web servers and you cannot use a shared file location.

But what I would like to ask is: if storing sessions in a DB is implemented, are the techniques in his other articles still valid? As in, do I still need to write that code in my app?

 

If you are not using a https/SSL connection to send the session id back and forth between the server and the browser, then yes, you need to do things like regenerate the session id, test the user agent, and make sure that the IP address does not change at all or change to a different network.

I see, that's helpful! :)

 

One of the articles commented on using a token instead of HTTP headers.

 

<?php $token = md5(uniqid(rand(),TRUE)); $_SESSION['token'] = $token; ?>

 

 

This token should then be propagated with each request, using a different method than used to propagate the session identifier.

 

I do not understand how to propagate the token, and what "using a different method" means. Is it in terms of coding?

If the token is propagated via URL, and for each request the token retrieved from $_GET is verified against $_SESSION['token'], how does it prevent hacking?
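The following is an added example, not code from the thread or from Shiflett's articles, that puts together the private session.save_path, the session id regeneration and user-agent check described in the reply above, and the token from the article, with the token carried in a hidden POST field rather than in the URL or the session cookie. It assumes PHP 7 or later and a hypothetical private directory outside the web root; the file names are placeholders.

```php
<?php
// Added example (not from the thread or the articles): a small session
// bootstrap for a shared host. The save path is a hypothetical directory.
ini_set('session.save_path', __DIR__ . '/../private_sessions');  // assumed path
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
ini_set('session.cookie_httponly', '1');   // keep scripts away from the cookie
session_start();

// First request of a session: issue a fresh id, a fingerprint and a token.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);            // discards any pre-set (fixated) id
    $_SESSION['initiated'] = true;
    $_SESSION['agent']     = md5($_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['token']     = md5(uniqid(rand(), true));   // as in the article
}

// Later requests: the user agent must still match the one seen at login.
if ($_SESSION['agent'] !== md5($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    session_unset();
    session_destroy();
    exit('Session check failed.');
}

// The token travels in a hidden form field, a different channel from the
// session cookie, so whoever obtained only the cookie cannot supply it.
// hash_equals compares in constant time.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['token'] ?? '';
    if (!hash_equals($_SESSION['token'], $sent)) {
        exit('Token mismatch.');
    }
    // ... handle the validated form action here ...
}
?>
<form method="post" action="">
    <input type="hidden" name="token"
           value="<?php echo htmlspecialchars($_SESSION['token']); ?>">
    <input type="submit" value="Do something">
</form>
```

Putting the token in a hidden POST field keeps it out of URLs, referrer headers and server logs, which is where a token passed through $_GET would leak alongside the session id.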

 

 

mod_rewrite will enable you to rewrite all your URLs, so if you've got any session IDs named anything in there, mod_rewrite will hide everything from the person on your site.

 

The link to learn...

http://www.4webhelp.net/tutorials/misc/mod_rewrite.php

 

 
