timothyarden

Members
  • Posts

    149
  • Joined

  • Last visited

Contact Methods

  • Website URL
    http://lightningwebsitehosting.com
  • Skype
    timoarden

Profile Information

  • Gender
    Male

timothyarden's Achievements

Member

Member (2/5)

5

Reputation

  1. Okay, thanks for explaining that (and the link) David, it helps a lot. I am already using session_destroy() (I probably should have mentioned that, sorry). I just don't understand why on php.net they say not to unset() the $_SESSION variable? Thanks for that r3wt, I won't use a second session for admins.
  2. Another question: In my logout script I am doing this: unset($_SESSION) But in the PHP manual it says "Caution: Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal." It is currently having no problems and no errors, so I don't understand what it means - could someone explain please? Thank you
  3. Thank you for the posts r3wt and Psycho. r3wt: Could you please expand on why you said: "don't rely on the session for authentication"? Is it for the same reason as further above where Jacques said if the data is updated it will not be updated for that individual user until they log out? Psycho: Point 1 - Okay, I won't check the database on each page load - only for sensitive pages like mentioned earlier. Point 2 - Thank you for explaining why SSL doesn't matter for sessions. If it isn't 100% secure, is there any way I can increase its security / any guidelines I need to follow? Point 3 - Could a hacker potentially copy a person's cookie and use it themselves - having the server see the cookie's identifier and then grant access to the session data which is stored and modified on the server? Thanks for everyone's help so far! EDIT: This is already in my code and executed on every page load:

     function __construct( $SessionName = "developmentwebsite", $Secure = SECURE, $HTTPOnly = TRUE ){ // sec_session_start()
         // Forces sessions to only use cookies, with the Secure and HttpOnly flags set.
         if( ( ini_set( 'session.cookie_secure', 1 ) === FALSE )
          || ( ini_set( 'session.cookie_httponly', 1 ) === FALSE )
          || ( ini_set( 'session.use_only_cookies', 1 ) === FALSE ) ){
             header( "Location: ../Error.php?error=Could not initiate a safe session (ini_set)" );
             exit();
         }
         // Re-apply the current cookie parameters with the Secure / HttpOnly values passed in.
         $CookieParams = session_get_cookie_params();
         session_set_cookie_params( $CookieParams[ "lifetime" ], $CookieParams[ "path" ], $CookieParams[ "domain" ], $Secure, $HTTPOnly );
         if( !isset( $_SESSION ) ){
             session_name( $SessionName );
             session_start();
         }
         session_regenerate_id();
         $_SESSION[ 'Expiration' ] = NULL; // This will be 15 minutes later and have validation in another part of the script
     }
  4. Also, how do sessions use cookies, and aren't they vulnerable through this?
  5. Thank you for your responses Jacques, Psycho and David. For the purposes of this project there will be very little, if any, changes to administrators once the application is launched. Once a user is admin, there should be no need to change admin status as these people are all part of an organisation and we can trust each other. But I had planned to set whether the user was an admin in the session and validate this from the database each page load. So does this mean that sessions are 100% secure and can only be viewed and edited by the server scripts (unless the script displays them in some form)? Also, does the above depend at all on whether you have a secure connection with SSL? And thanks for that David, I'm leaning towards a 15 minute lockout.
  6. Is it safe to use a session to validate whether or not a user is an administrator? (HTTPS is being used, if it makes any difference.) For example:

     $Administrator = // Get true / false from mysql database ;
     $_SESSION[ 'Administrator' ] = $Administrator;
     // And later use this to validate access to sensitive parts of a web application
     CheckAdmin( $_SESSION[ 'Administrator' ] );

     Is this practice safe because the session is stored on the server and the client only has an identifier with which the server recognises that the session belongs to that client? If not, could you explain why, and how I could achieve what I am trying to do / fix any vulnerabilities that using a session to validate administrator access would have. Thanks in advance!
  7. Not super experienced with this, so I won't give you advice on the code because I may confuse you, but I was thinking I should suggest that you use MySQLi within your script instead.
  8. Still reading through the article. So far it has been a massive help. Thank you so much! I will probably still have some questions at the end of it though.
  9. I guess there isn't any real reason for setting it in the script. I understand what it does though; setting the MySQLi connection to, when it sends queries to the database, have a max of 5 minutes before it times out.
  10. I removed the inverted commas around MYSQLI_OPT_CONNECT_TIMEOUT and the warning is gone - is that how it should be? (I got the code off a website.)
  11. $DatabaseConnection -> options( "MYSQLI_OPT_CONNECT_TIMEOUT", 300 ); Does anyone know why this code is getting this warning: Warning: mysqli::options() expects parameter 1 to be long, string given in... (definitely this line) This didn't help me: http://www.php.net/manual/en/mysqli.options.php
  12. Also, from your previous code, will this code extract

      var_dump(self::$stat);  // self refers to the class A
      var_dump($this->inst);  // $this refers to the specific instance of A

      have the same effect as

      var_dump($this::$stat); // self refers to the class A
      var_dump(self->inst);   // $this refers to the specific instance of A

      or have I missed the point?
  13. Thank you for your post Jacques. Could you also explain what you mean by current object? (I understand current class.) // I tried to look up objects but it didn't help http://www.php.net/manual/en/language.types.object.php Could you also explain what a method or attribute of an object is? "The -> operator is used to call a method or access an attribute of an object"; does this mean it can also be used in addition to :: to access static methods or an attribute of a class, or is :: to be used exclusively for static methods and attributes of classes?
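As an added example (not code from timothyarden or from any of the replies), one way to put together the session handling asked about in posts 1-3 above: a cookie-only session start with the 15-minute idle timeout, id regeneration at the moment admin status is granted, and a logout that empties $_SESSION instead of unset()ing it, as the PHP manual's caution asks. Function names and the redirect path are assumptions; it needs PHP 7.3+ for the array-style cookie parameters.

```php
<?php
// Added example, not the poster's code: helper names and the redirect path
// are assumptions. Requires PHP 7.3+ for the array forms used below.

const SESSION_NAME = 'developmentwebsite';   // name used in the poster's __construct()
const IDLE_TIMEOUT = 15 * 60;               // the 15-minute lockout the poster mentions

function secure_session_start(): void
{
    // Cookie-only sessions, Secure + HttpOnly flags, reject unknown ids.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_name(SESSION_NAME);
    session_set_cookie_params(['lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();

    // Idle-timeout check on every request: expired sessions are destroyed.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();
        header('Location: /login.php');   // placeholder path
        exit;
    }
    $_SESSION['last_activity'] = time();
}

function login_session(int $userId, bool $isAdmin): void
{
    // Issue a new id when privileges change and delete the old session file,
    // so an id captured before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}

function logout(): void
{
    // Empty the array instead of unset($_SESSION): unsetting the superglobal
    // is what the manual warns stops later $_SESSION writes from registering.
    $_SESSION = [];
    // Expire the client's cookie with the parameters it was issued with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 42000,
        'path' => $p['path'], 'domain' => $p['domain'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite'] ?? 'Lax']);
    session_destroy();
}
```

Call secure_session_start() at the top of every page, login_session() once the database lookup confirms the user and their admin flag, and logout() from the logout script.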