I was just wondering. Lets imagine i have a website with a login-system in PHP. And if the user succesfully logs in to the system the php sets something like: $_SESSION['user']="Loggedin".
And now, if you as a user of the website, could you just create your own PHP-script in your XAMPP folder or whatever and set the session user to loggedin and get access to my site?
Thanks!
No need to worry for this,
If you use Cookie for this then there's issue to be hacked and son on. But in Session, it will store on server side, so whether user can create a file and used or trying to get data from buy using session variable, they can't.
User can't get Session variable from the local server, they must have to access session variable from the same server.
And one more thing, this session is destroys when you close your browser.
A PHP session stores user information on the server for later use.
So if you are making a session on your localhost, with the same name, that doesn't influence the one on the website/server.
Remember that session information is temporary and will be deleted after the user has left the website.
Related
There is a problem that I can not understand when working with Codeigniter Session Library. Same network users use same session (We work with a big company, and they said me this: When anybody logged in to system, then everybody logged in)! Is this possible? How, and what can I do for fix this bug?
I am using Codeigniter Core Session Library and it uses database.
It is more possible to have app logic error that a session one.
Maybe you can reproduce it if you try on your local development server to use 2 ore more different user accounts (from different browsers).
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
When a page is loaded, the session class will check to see if valid
session data exists in the user's session cookie. If sessions data
does not exist (or if it has expired) a new session will be created
and saved in the cookie. If a session does exist, its information will
be updated and the cookie will be updated. With each update, the
session_id will be regenerated.
I don't know where you read that same network users use the same session, but in the CodeIgniter-documentation, I find that the session is stored in a cookie, and network users will not have the problem you discribed.
I want to create a session on a server backend for Joomla PHP and a Javascript quiz module, that are used from an Android application.
Even if the Android application closes unexpectedly, that session should be available again on a subsequent load of the application.
What's the best way someone can suggest for this?
I'd suggest storing the PHP Session cookies on disk if you are going to use $_SESSION in PHP. Otherwise, you should look into cookies that you can manually set the expiry time on and keep them stored on disk in Cache/
That will store the current progress of the application in the session cookie, but without a login (or code from you) there's not that much more i can say.
To access from another browser/device you would need a login to identify the user and provide them with a valid session.
Create a user account in your database for each phone, maybe identified by the phone's udid.
Store the data in your database as the user moves through the quiz
When the user opens the app, check their udid against your database and retrieve any data that is needed for that user
I am beginning to learn php. I have a question regarding sessions.
Right now, I know that session_start() creates a session variable.
What I don't know is, when I access the session I created, do I need to use session_start() again?
If yes...
Why is this? Because I already created a session and I wonder why it wouldn't last the entire browsing session.
because what i understand from it is, that it is going to create a new session.
No:
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://php.net/session_start
Each new page you visit is an entirely new context for PHP. session_start allows you to reestablish a previous context/session/data.
The session_start function tells PHP to enable session tracking. It doesn't wipe out the session created by a previous page. You must call session_start() before you'll have access to any variables in $_SESSION.
Because of the manual session_start()
session_start — Start new or resume existing session
the same way you would connect to database every time you want to use it. it will connect to however you're storing your sessions. The session variables are no wiped out.
Also read more here but this should help to understand how sessions work:
When you are working with an application, you open it, do some changes
and then you close it. This is much like a Session. The computer knows
who you are. It knows when you start the application and when you end.
But on the internet there is one problem: the web server does not know
who you are and what you do because the HTTP address doesn't maintain
state.
A PHP session solves this problem by allowing you to store user
information on the server for later use (i.e. username, shopping
items, etc). However, session information is temporary and will be
deleted after the user has left the website. If you need a permanent
storage you may want to store the data in a database.
Sessions work by creating a unique id (UID) for each visitor and store
variables based on this UID. The UID is either stored in a cookie or
is propagated in the URL.
Session data is stored at the Server side but the reference or id to the session is stored on the client's browser cookie. For the server to know your session id we make a call to session_start() on each page it is required (at the top) so that the first thing done is to get the id from the user and retrieve the session data. It is required on every page whenever you want to access session data.
Here is a video tutorial also. http://blip.tv/step4wd/php-sessions_en-5983086
The answer is yes. You have to do that on every page. If you don't do that you get a undefined index error.
This will work because we include the file
Index.php
<?php
session_start();
//file doesn't have session_start
include "file.php";
?>
No: it is NOT always going to create a new session. It only tells the script that this page wants to start OR maintain an existing session.
A session is nothing more that a STATE AT THE SERVER that you carry from from page to page.
It is NOT accessible from the client (browser).
The only thing the browser must do to keep the session is passing an ID (called default PHPSESSID in PHP).
This ID can be stored in a cookie, GET or POST, as long as you get it transfered to the server with each request you make.
Youve to use session_start(), everywhere you need to work with session like, creating, accessing, destroying.
Unlike cookies, you can't access or work with session unless you initiate the session.
I need to transfer the user session across servers. ie. If user logged in server1 and if the user exists in server2 , then I have to transfer the user session details to server2. For this I used the following technique
From server1, redirect user to http://server2/auth_from_server1.php?sessionid=12345
On server2 (internally, in the PHP code of auth_from_server1.php), do a request to http://server1/secret/check_session_id.php with the sessionid, 12345.
On server1, in the implementation of check_session_id.php, validate the ID and return OK, FAILURE, and session related data you want to pass, such as username, ...
On server2, when the call returns with OK, store the transferred session data, and give the user a cookie and session for this server.
But when the call back function call the auth_from_server1.php the value in session id is null. I tryed to check the sessionid as
if(isset($_SESSION['sessionId']))
echo 'true';
else
echo 'false';
But $_SESSION['sessionId'] is null. In login page I am setting the value for session id as
$_SESSION['sessionId'] = session_id();
Thanks in advance....
Wouldnt it be easier to just store session data in a shared directory?
Alternatively you can store it in a database.
I would suggest writing a custom PHP session handler or using a prebuilt session handler like ShareDance. You can store session information in a MySQL database shared amongst the two machines, a SQLite file, etc.
There are many benefits to using PHP's built in ability to get/set session data by using session_set_save_handler() namely, that all calls to get or set from $_SESSION will work in your application code without any additional modification.
More information can be found here:
http://php.net/manual/en/function.session-set-save-handler.php
A tutorial on writing custom session handlers (old but still relevant) is here:
http://devzone.zend.com/article/141
When server 2 calls server1/secret/check_session_id.php it has to submit the session ID like server1/secret/check_session_id.php?sessionid=12345 and in check_session_id.php you have to call session_id($_GET['sessionid']) before session_start().
Another opportunity could be sharing the filesystem.
Since PHP puts the session in the filesystem, you could share the filesystem (sshfs for example) on both servers.
the setting for changing the destination directory in the php.ini is
session.save_path
This problem can quickly get out hand when you start adding more and more severs to the problem. One of the best solutions that I have found is to store the session on a database and share that database with the servers. Redis typically works great for this. Here is a great guide to get started with redis
I think to store an id of a user in DB is the most appropriate way to do this.It is an error proof way.
Cheers
Can PHP sessions be edited like cookies? Or they're stored on the webhost?
The session key is stored in the client's browser, while the data is stored on the server.
When the user makes a request on the server, their session key is sent across the network and the values associated with their key are retrieved from the specific session file on the server and are made accessible via $_SESSION.
It it possible to hijack another user's session if the key is intercepted, which is why you should have specific values in the session which associate to the user's computer/network connection (IP address, for example).
Session data cannot be edited by the user, as they are stored on the server. The user can, however, start a new session and ditch whatever session data he previously had. Also, you should be aware of portential security issues, such as session fixation.
Usually they're stored in the /tmp directory of a webserver if the host isn't careful. This can be changed with session_save_path(), it's something I do with all of my PHP applications that use sessions.
This works like below:
Browser requests page, submitting your SID or Session ID with help of a cookie or with the URL.
Server finds cookie files inside the session_save_path() and unserializes the array
You access that info with PHP
Alas, the only thing the client knows is the session's ID, but that can be hijacked, for example by using cookie stealers, or other Cross Site Scripting methods. If I, for example, got your SO session, SO wouldn't know better than I was you. Unless they also check my IP or something like that.