I need to save payment data in DB. So one of the ways is to store the data into session and in saving part do the rest.
I save it like this:
$request->session()->put('paymentData', $request->all());
And then in another controller I call the same session, do some things and then remove the session:
$data = $request->session()->get('paymentData', 'default');
// do some DB storing
// delete session
$request->session()->forget('paymentData');
My question is, if two users are doing payments at same time. Can it happen that they mix these sessions because they will access it under the same name paymentData? Session will be stored in file in storage\session. Or Laravel have some method to distinguish these two Sessions even though they have the same name/key?
Sessions are created per browser session. The Session instance is accessed by a specific session ID. The browser keeps the session ID in a cookie and sends it every time it makes a request, so the server knows which session to use for that request.
What you put within the session can be duplicated no problem - other users cannot see that data (unless they somehow obtain the session ID by a browser attack).
Related
I ned to set a session per every user, so when the user log ou from his account and login again in another account the old session will not be shown but the new that related to his new account will be shown
I am using the normal method in laravel to do it
Session::put('key', 'value');
But the problem as explained is that the session will br shown in all user using this computer
Session ids are supposed to be non-guessable. You're going to have to resolve (attempted) duplicates serverside. If you search through every existing session for a match then your not going to be able to scale this / its going to be very slow. That means you need an access path to the session data based on the username AS WELL AS the session id.
There are lots of solutions to this. I don't think any of them are exposed directly in Laravel.
You need to deal with maintaining the mapping directly in the session management - so you will need a custom session handler. The session handler deals with serialized data - so you need to think about how the username is resolved within the session handler. You could put it in the session and deserialize the data again the handler, or read the value from a global variable. Or you could write a prototytype of the session into a database with the sessionid as the primary key and the username as an indexed lookup before the session close handler is called.
Another approach would be to store the session as the username rather than using the session id. You still need to protect the username though and avoid session fixation, hence you would need to explicity generate the session id using a mechansim where only you can recover the username from it, e.g.
$data=array($username, openssl_random_pseudo_bytes(16));
$sessionid = encrypt(serialize($data), $your_secret_key);
(You still need to write your own session handler for this).
Does it start a current session based on cookies? Got that from the PHP website. How does PHP control the session? If I start a session when a user opens up my login page, what do I even use that session for? Can I use the current session to get info about the logged in user?
The PHP session system lets you store securely data in the $_SESSION global array. A typical example is to store the user's identifier in the session when they type in their password:
if ($user = try_login($login, $password))
$_SESSION['user'] = $user;
Then, you can access that information on all other pages:
if (isset($_SESSION['user']))
// logged in !
echo user_name($_SESSION['user']);
The data is stored on the server, so there is no risk of tampering (on the other hand, mind your disk usage).
Starting the session lets the current request use $_SESSION. If this is the user's first visit, the array will be empty and a new session cookie will be sent for you.
Closing the session merely prevents the current request from using $_SESSION, but the data stays around for the next requests.
Destroying the session throws away all the data, forever. The sessions are destroyed a certain duration after the last visit (usually around 30 minutes).
I assume you want to know what a PHP session means for you, the programmer.
When you do session_start() you are telling PHP that you want to use the session. This is made available to you as an array called $_SESSION. You can use that like any other array with the difference that the stuff you put in there stays there from one page to another (provided you use session_start() at the beginning of each page).
The actual mechanism may vary depending on configuration (php.ini), but a typical installation can use cookies for the session. Let's assume that your webserver is on linux and you're using cookies. You do the following
session_start();
$_SESSION['name']='Bob';
When PHP sees this it creates a text file with a semi-random name (for example sess_a3tfkd5558kf5rlm44i538fj07), sticks the $_SESSION contents in there as plain text and then sends a cookie to the user with the session id, which can be used to find the session file (for example a3tfkd5558kf5rlm44i538fj07).
The next time the user comes back he hands in the session id in his cookie, PHP goes to the relevant file and loads its contents in $_SESSION.
You'll note that the actual information is kept on the server while the user is only given an id. Kinda like handing in your coat in a club and getting a ticket with a number on it.
PHP's session_start starts OR resumes an HTTP session, which is explained fairly well in this article:
http://en.wikipedia.org/wiki/Session_(computer_science)
The concept of an HTTP "session" isn't specific to PHP, it's used in many (all?) server side HTTP frameworks as one way to allow for some state to be stored/associated across different request/responses (since HTTP is stateless). A unique token (which is often, but not always, stored in a cookie) identifies a particular client, and the server can associate the "session."
Here's some more info about sessions and PHP in particular that may help: http://www.php.net/manual/en/book.session.php
Like it says in the Manual
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
If you start a new session at your login page, the session is initially empty. You can store in it whatever you want, for instance, store the user id once the user has logged in. The session data is destroyed when you close the session.
You might want to read all chapters in the Session Extension Manual Pages and also see
what is session and cookies in php and where it stored
You can compare PHP session with the cookie, but session is the much more secure way of storing information. Cookie store data on user's computer, but session store on the server in a temporary file securely.
I have discussed session and how to use it on one of my blog post - How to start a PHP session, store and accessing Session data?
Below is an example code of storing data in PHP session:
<?php
session_start();
$_SESSION["name"] = "John";
?>
Below is the example of retriving the session data:
<?php
session_start();
echo $_SESSION["name"];
?>
The above code will display the name "John".
Source: How to start a PHP session, store and accessing Session data?
I need to store data in a session and make it available for other users.
I thought about to store that data in an Session, generate a random Link, which user 1 can send to user 2. The Session should expire after 3 Month.
The session name is the random code I generate which is simluar to the code I send with POST to receive it on the Secretlink with $_GET.
Is this working in general or am I on the wrong track?
Can I store a Session even when the user 1 left the website or will the session be terminated?
I also need to set the session via jQuery, but I couldn't find anything about expiration time of a session.
I already did it with a cookie, but of course that's not working with user 2.
Sessions are actually files, stored on the server. PHP sets a cookie with the session id, named PHPSESSID. You can also use the PHPSESSID GET parameter, but you would have to change that in the server's PHP settings. Using the GET parameter, you could pass that link to another visitor to let him use the session. You would also have to extend the session expiration time.
However, I wouldn't recommend sharing sessions with GET parameters. It could be a security risk when you are storing personal data in those sessions. I recommend that you write a small script that stores data in a database and that can be accessed (for reading and writing) by requesting an url or any url with a special GET or POST parameter.
One last thing, sessions are never accessible from jQuery directly. You would have to write a small script that requests data on your server via AJAX.
I am a newbie to php.
I just learned that you can create a session variable for a user after his login such as
$_SESSION['id']=****some value(say 3)******;
and this session variable is maintained as long as he doesn't log out(i.e. you clear this session variable using session_destroy).
Now , I have a confusion that if another user logs in then won't this id variable be overwritten thus logging the previous user out?
If this is true ,then what can I do to resolve it?
PHP sessions are tied to a user by a unique (random) ID string, generated the first time you invoke session_start() for a user. That ID is stored in the client browser as a cookie (or possibly via hidden form fields/query parameters).
Even though $_SESSION is used throughout the code, the CONTENTS of that $_SESSION array are tied to a particular user via that ID string. That means if I hit your site, $_SESSION will contain my details. If you hit your site, $_SESSION will contain your details.
There should be no practical way for my details to "leak" in your session, or vice versa. Destroying my session will not destroy yours, because yours is a completely different session, with a different ID.
All sessions are tied to a unique session ID. This is typically set inside the user's cookie.
I've implemented a mysql-based session interface in php.
I just found out that if I log in to my account using browser A (e.g. Chrome), and then I log in to the same account in another browser B (e.g. IE), each browser is assigned 2 separate session ids. How can I make it such that when I log in again using browser B, I retain the active session of the previous browser A?
The issue at hand is that I'm storing certain information in the session and the data not being synchronised between the same users in different browsers and is wrecking havoc. :S
Is there a way to achieve this?
Thanks!
If you're storing the session in the database, add a mechanism whereby the userId is stored as part of your database's session record, creating what I like to call a "semantic session". When the user logs in, check to see if another session already exists; if so, use session_id() to fixate the new session to the old session's ID, which will join them (and should change your new session's ID for all subsequent requests). Be sure to only perform this action during the login step, or you might end up with freaky race conditions of two sessions trying to be each other and "swapping".
Don't store the data in session, store it in the database.
Sessions are normally identified by cookies, which are only visible in one browser. You could probably use Flash to share the session ID between browsers, but I cannot think of a use case. The point of the session is to store data which is bound to a single browsing session, and not to the user in general. You should use a database or some other form of server-side storage for generic user data.