[nycphp-talk] Session basics
Aaron Fischer
agfische at email.smith.edu
Thu Aug 11 09:51:32 EDT 2005
Brian O'Connor wrote:
> I don't use cookies for that. I use $_SESSION['userID'],
> $_SESSION['user'], $_SESSION['pass'].
>
> I understand the concept of sessions, I don't understand the concept of
> hijacking them, and making a system to prevent hijacking them.
>
> On 8/10/05, *Daniel Convissor* <danielc at analysisandsolutions.com>
> wrote:
>
> On Wed, Aug 10, 2005 at 12:10:54PM -0400, Brian O'Connor wrote:
>
> > And I have a question about my current system:
> > As of right now, I create 3 sessions for each user: userID, user,
> > and pass
>
> Do you mean you're setting three cookies? Don't.
>
> Don't set any cookies manually. Let PHP's session_start() do it for
> you.
>
> Then, to save data in the session, save it like this:
>
> $_SESSION['username'] = 'foo';
>
> That saves it on the server, which is the whole point of sessions.
>
> --Dan
>
I think you're still missing part of how php sessions work.
The default is for sessions to use a cookie. When a new session is
started a cookie is sent to the user that contains the unique session
name. All other session variables are stored on the server. When going
to a new page, the session name in the cookie is compared to the session
name on the server. If they match, OK, things continue.
If you don't want to use a cookie you can pass the session name along in
the URL using the PHPSESSID constant. I believe that this is not
recommended as it is very transparent.
Also, in your example you are not creating three different sessions.
You are creating one session and storing three different variables in
that session.
I believe that if you want to get more in depth about preventing
sessions from being hijacked, that is when you get into writing your own
session functions/classes (see the other ongoing sessions thread).
I'm just a newbie of sorts myself, so I'm hoping the gurus will correct
me if I have inaccuracies here.
hth,
-Aaron
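To make the cookie-plus-server-side-storage model in the messages above concrete, here is an added example (not code from the thread or from any of its posters) of a login flow that relies entirely on PHP's built-in session handling. It keeps only the user id and name in `$_SESSION` rather than the password, rotates the session id at login, and hardens the session cookie. The `$users` array, `login()`, `current_user()` and `logout()` names are constructed placeholders standing in for a real user store and application code.

```php
<?php
// Added example, not from the thread: a minimal session-based login that
// lets session_start() issue the single PHPSESSID cookie and stores all
// other state on the server.

// Harden session handling before the session is started.
ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... in the URL
ini_set('session.use_strict_mode', '1');    // reject session ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();            // sends the PHPSESSID cookie; the data lives on the server

// Constructed user store (username => id and password hash). A real
// application would query a database; the hash is computed at runtime so
// the example runs stand-alone.
$users = [
    'alice' => [
        'id'   => 42,
        'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

/**
 * Verify credentials and, on success, store only what later requests
 * need (user id and name) in the server-side session. The password is
 * never placed in $_SESSION.
 */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])
        || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // Issue a fresh session id at the privilege change so an id known
    // before login is not valid afterwards (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['userID'] = $users[$username]['id'];
    $_SESSION['user']   = $username;
    return true;
}

/** On a later request the cookie's session id alone recovers this data. */
function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

/** Clear server-side data and expire the cookie on the client. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage sketch
if (login($users, 'alice', 'correct horse battery staple')) {
    echo "logged in as " . current_user() . "\n";
    logout();
}
```

Only `userID` and `user` are stored; the password has no reason to live in the session once it has been verified, and keeping it out means a hijacked session never exposes it. `session.use_only_cookies` closes the URL-parameter path that the message above describes as not recommended.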