Hello,
I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.
I've got no clue how to use a table for session management.
I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time
I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?
Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.
What other methods are there or have I totally gotten the session management using a DB concept wrong?
Any suggestions/tips well appreciated.
Thanks,
rug
5  2454 
Hope this gives you some ideas...
I've done something similar but used two session ids created by PHP (letting PHP deal with the uniqueness of both) and stored both in the database.
One was encrypted and used as a client side cookie and the other left plain and used as the server session file but never sent client side.
Regards.
The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!
You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
Hello,
I want to use a MySQL Heap table (server load isn't an issue) for session management considering that I use a shared server and don't want anyone who has access to /tmp to be able to read session data and possibly hijack a session.
I've got no clue how to use a table for session management.
I've started off by creating a table that will store the following:
Session ID (will create this using dechex with a random number)
Username (unique)
User Type
Session Creation Date/Time
I'm used to using PHP's $_SESSION variable. How would I go about replacing this with the DB session management?
Also:
Every time a page is requested how would I track a PC to know if a user has logged in or not? I could use an IP but then some ISP's assign a unique IP every time a new page is loaded.
What other methods are there or have I totally gotten the session management using a DB concept wrong?
Any suggestions/tips well appreciated.
Thanks,
rug
The only time a user will have two IPs on successive HTTP requests, is if that user is using a proxy to access your site. ISPs assign IP Addresses upon connection, not upon request. If that were the case, you would never get your data back!
True, I didn't think about that. Anyway I heard that AOL does something like this.
You will need to create your own session handlers: take a look at PHP.net's documentation on the matter.
This is what I needed, on the right track now, thanks Motoma! :)
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
Does your hosting provider give you access to a php.ini file? You could just change the session.save_path to something outside of the /tmp directory (as an example, create a folder in the same directory as your editable php.ini file and then link to that, since you know that directory is inaccessible to web browsers).
I did consider this possibility but then I opted to go with a Heap table, for learning purposes. Hey, it's fun ok. :)
Sign in to post your reply or Sign up for a free account.
Similar topics
by: Chung Leong |
last post by:
There's my draft list of the top ten PHP security issues. As you can see,
there's only nine right now. I've ranked them based on how readily the
vulnerability can be exploited. This is the reason...
|
by: mrbog |
last post by:
Tell me if my assertion is wrong here:
The only way to prevent session hijacking is to NEVER store
authentication information (such as name/password) in the session.
Well, to never authenticate...
|
by: Steve |
last post by:
I have a pretty nice php web site, that's also reasonably secure.
However, I wrote some php code to create some dynamic images based on
database data, but I can't figure out how to secure this...
|
by: jmkovacs |
last post by:
Hello,
Is there a way using PHP's OpenSSL library functions to obtain the
shared session key established between a client and the server used in
the current SSL connection? I intend to use this...
|
by: opt_inf_env |
last post by:
Hello,
I have a page such that each user can see only a corresponding
(personal) part of the page. In the beginning I wanted to perform
initialization of users (by asking there names and...
|
by: ehendrikd |
last post by:
hi all
i need some clarification on how the php session work in relation to
cookies.
we have a web site where users need to log in. a few of our users were
having troubles with their browser...
|
by: =?Utf-8?B?YW5vb3A=?= |
last post by:
Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page...
|
by: Daniel |
last post by:
is there a way to detect if a user tries to access a php file?
For instance, db.config.php is called in many php pages but should
never actually be open directly. Is there a way to know if...
|
by: Drew |
last post by:
I have been working on internal, intranet apps in the past few years, so I
haven't needed to secure apps with a login/password and sessions like I did
8 or so years ago (I use Windows Auth now,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
