digitalecartoons Posted October 29, 2007

"A session ends when the user loses the browser or after leaving the site, the server will terminate the session after a predetermined period of time, commonly 30 minutes duration"

The 'session ends after user leaves the site' part doesn't work with me. In the starting page, setsession.php, the session is first set.

```php
<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<!-- rest of document -->
</html>
```

The PHP script, getsession.php, checks for the existence of this session id:

```php
<?php
session_start();
if (!isset($_SESSION["domino"])) {
    echo "session is unset";
    exit;
} else {
    echo "session is set";
    // rest of PHP script
}
?>
```

When typing getsession.php into the address bar, I get a 'session is unset', which is ok since the session hasn't been set yet. On visiting setsession.php and typing getsession.php again, I get a 'session is set', which is ok too cause the session has been set in setsession.php.

But when I do the following in the exact same order:
- go to setsession.php (session is set)
- go to any other page, e.g. www.startrek.com
- type in getsession.php in the address bar

Then I still get a 'session is set', as if the session id hasn't ended on leaving the website. How is this possible?
pocobueno1388 Posted October 29, 2007

You can set it to expire in your ini file.

```php
<?php ini_set("session.gc_maxlifetime", "3600"); ?>
```
calabiyau Posted October 29, 2007

I've always been led to believe that a session only ends when the browser is closed, not on leaving a site. What is the source for that information? I'm curious if I am wrong about this.
digitalecartoons Posted October 29, 2007 (Author)

You're right, it doesn't end upon changing a website. But I now don't completely understand how to use sessions for securing a form script. This is what I've got now:

```php
<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<!-- rest of page showing flash movie -->
```

This sets the session upon visiting my site. When the form sends its data to mailform.php:

```php
<?php
session_start();
if (!isset($_SESSION["domino"])) {
    // error message 'forbidden access'
    exit;
} else {
    session_destroy();
    unset($_SESSION["domino"]);
    // rest of script: processing the form input
}
?>
```

This checks for the session id. This should verify that the user sent the form through my website. According to tutorials and the use of sessions in mailforms anyway. But I've found a way to bypass this. If I know the mailform is at www.test.com/mailform.php, I wouldn't get access to it by accessing it directly. As it shouldn't. But when I know it's at www.test.com/mailform.php, all I have to do is type www.test.com (or www.test.com/index.php) to have the session set. Then I could do anything I want, visit other sites, whatever. As long as I don't close the browser. And finally, to abuse the mailform.php file, I just have to type in www.test.com/mailform.php and I get access, cause the session is still set. That way I could always make use of the php script even when I'm not supposed to. Am I not using sessions correctly? I thought session ids should prevent such a thing?
calabiyau Posted October 29, 2007

Maybe you could say a little about what this is all about? I'm not really clear on what you're trying to accomplish. Sessions are normally used to either maintain information about a user between pages or to restrict access to certain parts of your website. If you are trying to restrict access to a mail form (just an educated guess), then you need some kind of membership system of usernames and passwords, and if they enter the correct combination, THEN you set the session variable. What are you trying to do?
digitalecartoons Posted October 29, 2007 (Author)

What I'm trying to do is allow my mailform.php script only to be accessed if the user is on my website and submitting its form. What I don't want to allow:
1. typing www.test.com/mailform.php... it should echo an error message
2. using my mailform.php script in another website
3. a user first setting the session id by visiting my site and then doing point 1 or 2

I thought that that's what sessions are all about, but I was able to bypass it by doing point 3.

Here's where I've learned about sessions and protecting my php script: http://apptools.com/phptools/forms/forms7.php
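A flag that every visitor's session receives cannot tell a real form submission from a typed-in URL, which is exactly the bypass described in points 1 to 3 above. The usual fix is a random, single-use token issued together with the form and compared on submission; the helpers below are an added example written for this thread, not code from the posts or from the apptools.com tutorial, and they assume PHP 7 or later and the hypothetical file names formtoken.php, index.php and mailform.php.

```php
<?php
// Added example (not from the thread or the apptools.com tutorial): a
// single-use form token. Assumed layout: these helpers live in formtoken.php,
// included by index.php (renders the form) and mailform.php (processes it).

// Called from the page that renders the form. Creates a fresh random token,
// stores it in the session and returns it for a hidden input field.
function issue_form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));          // 64 hex chars, unguessable
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Called from mailform.php before any mail is sent. Returns true only for a
// POST that carries the token issued to this same session, and then discards
// the token so a second submission with the same value is refused.
function verify_form_token(int $maxAge = 1800): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                             // a typed-in URL is a GET
    }
    $expected = $_SESSION['form_token'] ?? '';
    $issued   = $_SESSION['form_token_time'] ?? 0;
    $given    = $_POST['form_token'] ?? '';
    // Single use: drop it before comparing so a failed attempt also burns it.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    if (time() - $issued > $maxAge) {
        return false;                             // token older than 30 minutes
    }
    return hash_equals($expected, $given);        // constant-time comparison
}

// index.php:    echo '<input type="hidden" name="form_token" value="'
//                  . htmlspecialchars(issue_form_token()) . '">';
// mailform.php: if (!verify_form_token()) { http_response_code(403); exit('Forbidden'); }
```

Because the token exists only in the server-side session and the HTML that session received, a bare GET, a copy of the form on another site, and a later direct visit after the token was consumed all fail the check. It does not by itself limit how often one visitor may legitimately load and submit the form, so rate limiting or a CAPTCHA is still the answer to bulk abuse.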