I am confused about sessions. I have a form that adds a record. In this form the first step is taking customer information, and I put the customer ID in $_SESSION["customer_id"] because when I submit the customer information in the first form, the second form appears, and when I submit that too I get the value of $_SESSION["customer_id"] and add it to the database.
My question is: when multiple users use this system at the same time, is it possible for this session value to get confused? I mean, when two users are active in this system and they are both adding a new record, there will be two $_SESSION["customer_id"] values. Does that confuse the system?
No. There is a separate session created for each user, so don't worry about the session. Please refer to the link below; it's very helpful for understanding how sessions work.
PHP $_SESSION for multiple users at once
Session support in PHP consists of a way to preserve certain data across subsequent accesses.
A session will be unique for each connected user. Two different users' sessions will never be mixed up. The data stored in the session for a particular user will not appear or be accessible to any other user.
I'm developing a site in PHP. When the user session starts I load all his db row in the $_SESSION var. When the user changes a db value I update the $_SESSION var too.
The problem starts when more than one session is active for the same user. Is there a way to update the data for all the sessions of the same user without overloading the database? Or, alternatively, is there a way to force PHP to use the same session file for all the sessions that belong to the same user? Or must I simply query the db every time a session continues?
And another dilemma is: is it worth it? I mean, I do not know how much this mechanism could alleviate the server load, and I do not know if this mechanism is applicable to file-based sessions or I must use another session storing type.
This question is somewhat related to this other question of mine (even if the workaround for this is simply to delete all session files).
It really raises the question of why you would need so much data in $_SESSION. And you should really take the time to decide which data needs to be displayed that often.
In most of the cases you only need session identifier that keeps the user logged in, containing user_id, to take the needed data directly from the database.
Assuming the user can change his avatar, and you haven't got so many places to display this avatar, you don't need to store it in the session, nor to SELECT it at the very same time. For instance, you can have a trigger page which SELECTs the avatar by $_SESSION['user_id'] when he tries to send a personal message to another user. Otherwise, you can put a cache in place (i.e. using memcached) so that the query which selects the user avatars is not made more often than once an hour.
If the user changes an email, it's the same. If somebody else tries to send him a message, you trigger the SELECT query. Otherwise a cache is set.
So, let's say the user has changed his avatar, email, some other trivial info, then accessed your index page. In his session you load only the identifier. In the db the records are present, but they are not selected yet. So you have neither server load, because the session is light, nor database load, because no SELECT queries were sent.
No matter how many times the user tries to set his session (in this case, logs in a second time), you have the data present in the db, and a session with only the identifier. You can identify all his instances, but never use data which is not needed.
1. Well, I (don't, but) could do this with my session handler. I use database-backed sessions with some extra information/columns like username and userid. That way I can determine exactly which session belongs to which user without fiddling around with the serialized data.
http://php.net/manual/de/function.session-set-save-handler.php
2. But in your case it might be simpler to update your user table and then SELECT the user again to put the (new) data into $_SESSION['user']. (You will need some "user data was updated" info to reload the new data for all sessions.)
3. Or you just prevent a user from logging in more than once.
I am a newbie to php.
I just learned that you can create a session variable for a user after his login such as
$_SESSION['id'] = 3; // some value (say 3)
and this session variable is maintained as long as he doesn't log out (i.e. you clear this session variable using session_destroy).
Now, I am confused: if another user logs in, won't this id variable be overwritten, thus logging the previous user out?
If this is true, then what can I do to resolve it?
PHP sessions are tied to a user by a unique (random) ID string, generated the first time you invoke session_start() for a user. That ID is stored in the client browser as a cookie (or possibly via hidden form fields/query parameters).
Even though $_SESSION is used throughout the code, the CONTENTS of that $_SESSION array are tied to a particular user via that ID string. That means if I hit your site, $_SESSION will contain my details. If you hit your site, $_SESSION will contain your details.
There should be no practical way for my details to "leak" in your session, or vice versa. Destroying my session will not destroy yours, because yours is a completely different session, with a different ID.
All sessions are tied to a unique session ID. This is typically set inside the user's cookie.
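The behaviour these answers describe can be reproduced from the PHP command line. This is an added example, not code from any of the posts: it plays two browsers by switching the session ID by hand, and the two ID strings and the handle_request() helper are constructed for the demonstration.

```php
<?php
// Added example (not from the answers). Run from the PHP CLI.
// The two session IDs are constructed stand-ins for two browsers' cookies.
ini_set('session.use_cookies', '0');      // CLI: there is no cookie to send
ini_set('session.use_strict_mode', '0');  // accept the constructed IDs below
ini_set('session.cache_limiter', '');     // no cache headers either
session_save_path(sys_get_temp_dir());    // default file-based storage

// One HTTP request as PHP sees it: the ID selects which stored array becomes
// $_SESSION. $newCustomerId is set on the first form, null on the second.
function handle_request(string $sessionId, ?int $newCustomerId = null): ?int
{
    session_id($sessionId);
    session_start();
    if ($newCustomerId !== null) {
        $_SESSION['customer_id'] = $newCustomerId;
    }
    $seen = $_SESSION['customer_id'] ?? null;
    session_write_close();   // save, and release the lock on the session file
    return $seen;
}

$browserA = 'constructedsessionida0001';
$browserB = 'constructedsessionidb0002';

// Both users submit the first form, interleaved.
handle_request($browserA, 101);
handle_request($browserB, 202);

// Each second form reads back only the value stored under its own ID.
$results = [
    'A' => handle_request($browserA),
    'B' => handle_request($browserB),
];

// Remove the two sample session files.
foreach ([$browserA, $browserB] as $id) {
    session_id($id);
    session_start();
    session_destroy();
}

var_dump($results);
```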
Well, I have a problem and need suggestions.
I am currently uploading a CSV file which contains product data. There can be a lot of products. I am reading the CSV file using a library and then taking all the data into an array. Now I have a situation where I am stuck on how to solve this.
Scenario:
After uploading the CSV, the user has a form where there are 9 specific columns. All the columns from the CSV should come into an array which will be displayed as a dropdown. On the left side the form will contain the specific fields, and on the right side, before each field, there will be a dropdown containing the CSV column names. After selecting, the map button will be clicked and the columns will be selected from the array and saved into the table. Now I don't know how I can hold the data without saving it into the table while the user selects the columns for mapping. What do I do? Shall I put the whole array in hidden fields, or something else? Please suggest.
You could store them in session variables; that way whatever you store there is kept for each user separately, until that user logs out or some part of your code explicitly removes it (say, after you have discarded the data or made it permanent in a database).
Hopefully you are already using sessions; now take a look at session variables at php.net.
Note: I have never used codeigniter, but a quick search shows that it includes a class for managing sessions; look under FlashData, it seems to be the "codeigniter way" of doing it.
Edit:
Codeigniter session variables have a limit of 4KB; that may be enough for you, or maybe not. If it is not, you can always use one of these alternatives:
Use the database to store the data, and store in the session variable some item id and user id to be able to retrieve it.
Use a file; you can generate a random name and store it in the session variable, then store in the file whatever contents you need.
In case you can't handle the end of the sessions, you can have an expiration date stored in the database and a programmed task (are you able to use crons?) to remove the expired items from the temporary table (or file).
Although, beware! I don't know about the security of codeigniter... but there are some risks. You may want to add a hidden "token" field with a random unique value associated with the user in a database table and an expiration date matching the lifetime of the session. You should create a new token each time you send a form, and after you receive it, verify that the token from the submitted form matches a valid token for the user (identified by the session) in the database, and if so, delete the token and proceed to process the rest of the form. If the token doesn't match or is no longer valid, then the session has expired, somebody has been messing with cookies, or you have survived an attack (the case where somebody recreates a post with an old token).
I repeat, I don't know about codeigniter security. But if I were the author of that framework, it would already have tokens implemented... so chances are this security risk is already covered.
You can learn more about Cross-site Request Forgery at OWASP.
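The per-form token described in the answer above can be sketched as follows. This is an added example, not the answerer's code and not CodeIgniter's own mechanism; the form_tokens table and the three function names are hypothetical, in-memory SQLite (pdo_sqlite) stands in for the application's database, and storing only a SHA-256 hash of each token is a choice made here.

```php
<?php
// Added example, not from the answer. Table and function names are
// hypothetical; in-memory SQLite (pdo_sqlite) stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_tokens (
    user_id    INTEGER NOT NULL,
    token_hash TEXT    NOT NULL PRIMARY KEY,
    expires_at INTEGER NOT NULL)');

// When rendering a form: returns the value for the hidden "token" field.
function issue_token(PDO $db, int $userId, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));   // unpredictable, new for every form
    $stmt  = $db->prepare('INSERT INTO form_tokens VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), $now + $ttl]);
    return $token;
}

// When the form comes back: one DELETE both checks and consumes the token,
// so a replayed, expired or foreign token finds no row and is rejected.
function consume_token(PDO $db, int $userId, string $submitted, int $now): bool
{
    $stmt = $db->prepare('DELETE FROM form_tokens
        WHERE user_id = ? AND token_hash = ? AND expires_at > ?');
    $stmt->execute([$userId, hash('sha256', $submitted), $now]);
    return $stmt->rowCount() === 1;
}

// Scheduled cleanup of tokens whose forms were never submitted.
function purge_expired(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM form_tokens WHERE expires_at <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Constructed walk-through; 7 stands for the user ID held in the session and
// 1440 s is PHP's default session.gc_maxlifetime.
$now   = time();
$token = issue_token($db, 7, 1440, $now);
var_dump(consume_token($db, 7, $token, $now));         // first submission
var_dump(consume_token($db, 7, $token, $now));         // same token replayed
$other = issue_token($db, 7, 1440, $now);
var_dump(consume_token($db, 8, $other, $now));         // different session user
var_dump(consume_token($db, 7, $other, $now + 1441));  // after expiry
var_dump(purge_expired($db, $now + 1441));             // rows removed
```

Checking and deleting in a single statement means two simultaneous submissions of the same token cannot both succeed.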
Why don't you store the user data in a session? This way you can pass it from page to page without putting it in the HTML (where it could be easily altered by a user).
Your best options are session or cookie. Cookies are limited in that they can only contain a certain amount of data and you are limited to a certain number of cookies, since cookies are stored on the client's machine. You can use sessions and this will save the information on the server. Codeigniter limits sizes to 4kb. To do this, in PHP you simply add
session_start();
to the top of every page you wish to use your session variables.
You should sanitize your user input. To set your session variables you use the assignment operator (=).
$_SESSION['var'] = filter_input( INPUT_POST, 'field_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
If you are using get you can use INPUT_GET.
If the user is not submitting the form, you could add an event listener via javascript and when form values are filled out you can store them in cookies and use PHP to extract the data from the cookie.
It is always best to sanitize and validate user data on the server.
I wrote a simple web app to let users input data as they walk around in a warehouse looking up products.
The database is a very simple one I created for the sole purpose of gathering some product data. They start the process by entering the location they are at in the warehouse. There are multiple users, and I did not implement a login feature; the application is accessible by anyone on the local network.
I want to keep track of the location IDs that the users input, but I want to be able to distinguish data input by different users.
I need an identifier that will allow me to distinguish one user from another. It can even be different for the same user every time he connects to the DB or uses a different computer.
Is this possible?
You could save the session id I guess, but it's not very identifiable to a specific user.
It would however allow you to identify which actions were done in the same session.
Just remember to start your session first:
session_start();
echo session_id();
Maybe this way: http://php.net/session_id
And don't forget to init session: http://php.net/manual/en/function.session-start.php
I would make use of a unique session ID along with setting a unique User ID in the Session as well so both can be recorded. I do something similar with an application we use.
session_start();
$_SESSION['UserID'] = $userId; // <---- create your variable ($userId is a placeholder for the unique value you assign)
You can read more here:
http://www.php.net/manual/en/book.session.php
Keeping track of sessions will also allow you to monitor active sessions, record active sessions in database, implement some basic timeout functionality if they are not active for a period of time, etc...
I have a project where I would like to create two session cookies in one browser. The first session would be to uniquely identify a person, the second would be to share events within the session between users. I have been using a database for this, but would like the data to disappear when the session dies. There are no logins within the system.
Is there a way to do this, other than creating a cookie system to replicate functionality?
For example, we would have two session cookies:
name=someRandomUUID and session=valueSharedBetweenUsers.
I don't want to share the name session with multiple users, but the session session would be. Thoughts?
If you want to share information between users, using a session is not the best idea as it uses the file system. You would be better off using the database which handles all the issues of locking, concurrency etc.
Although what you ask for is technically possible, I would strongly recommend against it.
EDIT
Assuming I have understood your requirement correctly, here is how I would do it:
Use session only to store session data related to that user. It could include something like:
$_SESSION['name'] = 'test name';
$_SESSION['groupid'] = 2;
A MySQL DB and table with fields groupid, XXXXX (data you want to store), timestamp
Whenever anyone updates information for a particular group id, you update the timestamp.
Then run a simple cronjob to check if any current time - timestamp > 3600 (one hour) and you can consider that as stale and delete those records.
I *think* you can only have one "current" session, but the functionality you are referring to is session_name:
http://www.php.net/manual/en/function.session-name.php
The cookie functionality is very simple. I suggest looking into that instead.
Where is the "valueSharedBetweenUsers" coming from? Is it a constant or database entry?
Either way, it wouldn't make sense to create one session per group. You should instead be giving each user a unique session per user; with your "shared" attribute as a session attribute for each individual.
So start the unique session then just do <?php $_SESSION['session'] = 'mySharedValue'; ?>
Now everyone has a session with a unique sessionID and a common value 'session'.
(Obviously if you need to change this attribute later you'll have to do it separately for each authed individual)
This isn't as far-fetched as people are making it out to be; Facebook and Twitter have at least 10 different sessions being created when a user has logged in.