Just looking for some ideas and maybe feedback on what I have at the moment.
A website that has standard access using a generated 'session id' stored as a PHP
session. This is alwazs passed as a GET method and checks if the user has been active for the last 10 minutes.
Otherwise unset and log out.
Problem I have if a mobile application accesses the same information in a similar manner... is it best to use the session id's ... as it can become annoying if suddenly your session runs out in a mobile app, esp. if the app has been left open.
So I thought of using a dev key. What is the best way to use a dev key for third party access? Is it to simply override the session key - i.e constant log in? or is it maybe best to use both?
Thanks in advance
I wouldn't suggest using a GET parameter to maintain sessions. It can leave you vulnerable to attacks. If you really want to do it make sure you generate the session IDs randomly. But whenever I want sessions I use PHP's built in session functions
You would manage a distributed session using db. You create the same session data on a table, then, the differents clients can ask to the db if exists a session open. You can try that using different status from the session.
In that way, you can use the table to persist the session data, but use the built in php sessions functions, like #Adam Lynch says
Related
According to the documentation (http://ellislab.com/codeigniter/user-guide/libraries/sessions.html), the CodeIgniter session library has the following behavior:
"When a page is loaded, the session class will check to see if valid session data exists in the user's session cookie. If sessions data does not exist (or if it has expired) a new session will be created and saved in the cookie. If a session does exist, its information will be updated and the cookie will be updated. With each update, the session_id will be regenerated."
I think this behavior can be dangerous from a security point of view, because somebody could flood the site with requests and that way pollute the session store (which, in my case, is a mysql database). And my app is running on an ordinary web host..
Is there any easy solution to this which does not require too much additional coding? Maybe a library that could substitute for the one that ships with the core? I don't want to code it all myself because I think that would defend the purpose of using a framework.. and I actually don't want to use another PHP framework, since, for my specific requirements, CI is perfect as regards the freedom it gives you...
because somebody could flood the site with requests and that way pollute the session store
So? Then you just have a bunch of sessions in the db. This doesn't affect the validity of sessions. If there is a mechanism to delete old session based on space/time, then those sessions are gone and the former owners of those sessions will need to re-authenticate.
If you are worried about collisions, do a little research and you will find that any collision probability is a function of the underlying operating system and/or PHP itself, so CodeIgniter can't help you there.
Also, maybe disk space fills up but that is an operations/architecture problem, not a CodeIgniter problem and not a security issue in and of itself.
I have seen many similar questions on the overflow, but none of them really addressed my scenario hence I am opening this question.
I am working on a project where there is database of thousands of mp3 tracks and mixes. Each mp3 file has an id and associated information on database. Now a shopping cart is being build in a way that user can select tracks and add to the cart. When a track is being added to cart its id is stored in the session and this works fine.
Now the problem arrives when there is large number of id's stored in a session. A session being a cookie [codeignitor] , I know it has 4kb of storage.
What will be the best practice to get this data preserved? I know that I have to change my strategy and move out of using session.
I tried using database [mysql], its not only slower but also has several issues, like each new user need to have a row added to database tables, how to clear these tables after use.. etc etc.
I tried using memcached but I believe that is not the right choice since the data that I am trying to store is not that huge. Also memcached has several issues on windows platform, provided I am not sure if the client will deploy it on a linux / windows server.
I need a native cross platform solution. I have done quiet a lot of research and did not find a reliable solution yet.
I use codeigniter framework, hence you can suggest any PHP or codeigniter solutions, thanks much.
You talk about storing things "in the session" so I assume you're using PHP's session handler, not setting cookies individually.
In this case, the session storage is all done on the server side, so a 4k limit does not apply. Take a look at your http headers during a request, and you will see only something like this:
Set-Cookie: PHPSESSID=1234abcde56789f
This session ID refers to a file (typically stored in a directory, e.g. /var/lib/php/session/ on RHEL distros) which contains the actual data as a serialized PHP object.
Why dont you try setcookie() function in php?
you can store as much amount of data you want in the cookie,and store the refrence to the session in database!
hope you will understand my answer!
what miken32 is saying is correct. And if you are using Codeigniter, then set up a session database table and use codeigniter sessions. if you use a db table then its just an id which is set on the cookie. be sure and start with the official codeigniter session db table so it works properly.
codeigniter session class has built in 'garbage collection'.
all explained here, scroll down for the database portion:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
Using a native PHP session is the right way to move, as the fellow users answered a php session stores only id on to cookie, But codeignitor behaves differently, it stores all the data on to cookie and this is where the catch is.
Moving on to normal PHP session was a pain because I have to change the codes allover the project. After a little research and testing I have come to a conclusion that [Native Session library for CI][1]
[1]: https://github.com/EllisLab/CodeIgniter/wiki/Native-session by Derek Jones is an awesome alternative to use PHP sessions over CI with the same CI session functions and syntax.
So to conclude , Either use PHP sessions from the scratch or use this library as an alternative to overcome CI session size Limitations.
I'm writing an app using Zend Framework and I need to be able to logout users on demand. The app will receive a request containing some kind of ID's that are mapped to SessionIds and it will end/expire those sessions. I know how to do the mapping, but what then? How do I end a session having its ID?
I see that there is Zend_Session::setId(), but I don't think this does what I want to do.
I have an idea to just delete files that are associated with given session, since they are named sess_[sessionId], but I guess that is an ugly way to do it.
You can save session info to the database. It would be related by session id.
Then create a plugin that checks if the DB row still exists. If not, then execute Zend_Auth::getInstance()->clearIdentity()
The method that logs the user out would delete the session from DB.
Depending on the structure of your sessions and what exactly you are trying to clear, there are a number of ways to destroy, expire and unset Zend_Sessions. Please refer to http://framework.zend.com/manual/1.12/en/zend.session.html for further information.
If in the future you could provide more detail and perhaps a bit of code illustrating your issue I'm sure the community would be more then happy to provide a better answer.
Good Luck.
I have two pages and I want to pass data to each other.
How can I do this without accessing a DB?
Sessions? Cookies? someother magical way?
If you know how, can you please post sample code?
Thanks
Session variables is one way:
$_SESSION["variable"] = "value";
This variable can then be read/modified by another page.
Also note, that you need to start the session by calling start_session(); at the beginning of your script.
And Cookies are another way... You can also try writing in and out of a file instead of a DB
How does a user get between these two pages? I assume a Form based solution is out of the question...
Amongst the possibilities, here are some that I think about :
You could $_SESSION (see Session Handling) -- if both pages are accessed by the same user, without too much time between the two accesses, so the session doesn't expire.
You could store your data to a file ; that'll work fine if :
The amount of data is big
You want it to persist for a long time
But you'll have to do some cleaning-up by yourself
Another idea would be some external daemon, like memcached
But, as it's a caching engine, it's not necessarily good for storing data : the data that is cache can be removed from the cache even if it has not expired yet (i.e. if there is no place left in cache, memcached will remove some least used data)
Of course, if the data is small and you don't mind it going back and forth through the network, and both pages are accessed by the same user using the same browser, you could use cookies
Only a couple of possibilities, though ; my preferences would probably be :
$_SESSION
or files
Depending on your situation.
Is there a way to find out on session being started. Like for instance the session start event in the global.ascx file of .net. The requirement is to find the no. of visits the user has done on the site.
Instead of checking each time during posts or gets to the server. Is there something in php to find out if the session is a new one. Zen framework is also used for the app.
Zend_Session::isStarted() and Zend_Session::sessionExists() will tell you if the session is already started. To find out when it was started for the first time, you could store the timestamp it was created, by adding it to the session on the very first startup. Just check if a key started_at already exists in the Session and if not add it and/or notify some other class about it to do something.
You can actually mimic what is done by global.ascx file through php and also there are a number of scripts available online for tracking online users you need to google about that.
you can use memcache for that purpose, or simply hack with a file(mentioned on Safraz answer) on the disc, or use a table on your database for that purpose.
Memcache appears to me the best solution since it is easy to setup and they already provide counter with increment/decrement. The only drawback of this solution your won't be able to reset the counter easily.