Session Variables in PHP

  • Blinkster182
  • Beginner
  • Posts: 59

Post 3+ Months Ago

Right. In my site the person logs in and does stuff. But where do I start the session variable, and how do you set one? Do you start it in the process-login page or somewhere else?
Thanks in advance.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

I usually start the session once the user has been validated.

Check out http://www.php.net for the functions and how-to.
  • Cafu
  • Student
  • Posts: 97

Post 3+ Months Ago

I usually have a PHP file that I include on every page. I call session_start() in that, which "creates a session or resumes the current one".

So, the first page they hit they have a session (even before they log in) and I have access to it on every page.

http://us3.php.net/function.session-start
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

And if your site takes multiple hits, doesn't this slow it down?
  • Cafu
  • Student
  • Posts: 97

Post 3+ Months Ago

I guess that depends on how many hits you are taking and how your server is managing the sessions (files, memory, db, etc).

I wouldn't think opening a session would create too much overhead unless it is a very high volume site, especially if it's an empty session or just holding a few variables. It would be interesting to benchmark it though.
  • Blinkster182
  • Beginner
  • Posts: 59

Post 3+ Months Ago

Well. All that the ID will hold is the password and username. Would holding a password be OK? Or can people pull out session variables?
  • Cafu
  • Student
  • Posts: 97

Post 3+ Months Ago

Technically, other people shouldn't be able to access variables you put in a session but it depends how your server is set up to handle sessions. The default method is for PHP to store session info in text files in a directory somewhere on the server. If someone has or gets access to this directory they could read the session files.

I think you should ask yourself if you need to put the password in the session. Once you log them in, are you checking that password every time? Perhaps you could check the password once on login and put the username and IP in the session. Then, to tell if the person is logged in, check to see if they have a username in their session and check if the IP in the session matches the IP of the current request.

If you must put the password in the session, you could use md5.

Code:
// store only the md5 hash of the supplied password, not the cleartext
$_SESSION["password"] = md5($this_guys_password);



then when you need to reverify the password for some reason:

Code:
// compare with == (equality); a single = would be an assignment and always succeed
if ($_SESSION["password"] == md5($whatever_this_guys_password_should_be)) {
    // password still matches
}
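An added example (not code from the thread or from PHP's own docs) that ties together Cafu's two suggestions above: one include that calls session_start() on every page, and a login routine that verifies the password once and then keeps only the username (and optionally the client IP) in the session, never the password. It assumes PHP 7.3 or later; the file name session_bootstrap.php, the in-memory $users table and the helper function names are assumptions made for the example.

```php
<?php
// session_bootstrap.php  (hypothetical file name; require it on every page)
//
// Added example, not code from the original thread. Only the username
// (and optionally the client IP) is stored after password_verify() succeeds;
// the password itself never enters the session. $users below is a constructed
// in-memory table standing in for the site's user database.
declare(strict_types=1);

// Harden the session cookie before the session is created or resumed.
// Array form of session_set_cookie_params() requires PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS (assumes the site is served over TLS)
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample user table: username => password hash.
// Hashes come from password_hash() at registration time, not md5().
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password, string $clientIp): bool
{
    // password_verify() checks against a salted hash in constant time.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Issue a fresh session id on login so an id handed out before
    // authentication (session fixation) never becomes a logged-in one.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['ip']       = $clientIp;  // optional IP binding, as suggested in the thread
    $_SESSION['login_at'] = time();
    return true;
}

function is_logged_in(string $clientIp, bool $bindIp = false): bool
{
    if (empty($_SESSION['username'])) {
        return false;
    }
    // Strict comparison with ===; a single = here would be an assignment.
    if ($bindIp && ($_SESSION['ip'] ?? null) !== $clientIp) {
        return false;
    }
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// If you ever must compare two hashes yourself, use hash_equals():
// it is constant-time and cannot be mistyped as an assignment.
function hash_matches(string $storedHash, string $candidateHash): bool
{
    return hash_equals($storedHash, $candidateHash);
}

// Usage in process_login.php (after require 'session_bootstrap.php'):
// if (login($users, $_POST['username'] ?? '', $_POST['password'] ?? '', $_SERVER['REMOTE_ADDR'])) {
//     header('Location: /home.php'); exit;
// }
// On any protected page:
// if (!is_logged_in($_SERVER['REMOTE_ADDR'])) { header('Location: /login.php'); exit; }
```

Two caveats on the IP check the thread proposes: users behind NAT, proxies or mobile carriers change addresses mid-session, so binding the session to $_SERVER['REMOTE_ADDR'] logs them out spuriously, and an attacker on the same NAT shares the address anyway. The session_regenerate_id() call and the HttpOnly/Secure cookie flags do more against session theft than the IP match, which is why it is opt-in here.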
  • Cafu
  • Student
  • Posts: 97

Post 3+ Months Ago

If you want to go a little more in-depth, I recommend this article:

http://www.phpbuilder.com/columns/tim20000505.php3


Read the comments after the article. The author basically wrote a pretty secure login routine, but other readers were happy to point out potential flaws ;) You should come away with a better understanding of the various issues and potential problems.

Post Information

  • Total Posts in this topic: 8 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.