Interested to Buy Any Domain ? << Click Here >> for more details...
Answer Posted / rakesh kumar nautiyal
Generally speaking I agree with what your saying about
needing to know
if a session has been started or not. But I also believe
it has its
place for some user land custom session handlers. Being
able to throw
an exception in a session object's __construct() or __wakeup
() for
various reasons can present a situation that is easily
solved inside
__construct() by:
if(session_has_started()) { // Added function via
patch
session_regenerate_id($newID); // Added $newID via
the patch
$_SESSION = array();
} else {
session_id($newID);
session_start();
}
Say there is an authentication token in the session, the
session needs
to be started so we can access the token. If the token
proves to be
invalid, we need to create a blank session with a new
session ID.
> Also, the concept of session_id_exists is
fundamentally
> broken (think of atomic file creation). That is why
there is
> no such function.
I disagree. If a provided session ID via $_REQUEST(for
arguments sake)
is found not to exist by using the theoretical
session_id_exists().
That would mean the script was given an ID that wasn't
created by PHP,
and the script logic could act accordingly. What am I
overlooking?
> Regarding providing an id to session_regenerate_id: I
have
> seen too many supposedly save session id generators
that I
> would be in favor of adding that kind of overwriting
power.
I agree that PHP should be left to create a unique ID. But
the
functionality currently exists for the user to set their
own ID with
session_id($newID). The user has this ability before a
session is
started. But loses the ability when trying to use
session_regenerate_id() in a similar fashion after the
session has
started. It seems like a contradiction to allow it in one
case and not
the other.
I could try and grok the source to figure it out myself,
but someone
here might know off the top of their head. Is calling
something like
md5(uniqid(rand(), TRUE)) better, worse, or equivalent to
how PHP
creates a unique session ID?
| Is This Answer Correct ? | 1 Yes | 3 No |
Post New Answer View All Answers
When should you use a stored procedure?
Which function(s) in PHP computes the difference of arrays?
How to remove all duplicate values in array in php?
What are the advantages of stored procedures in php?
What is the maximum size of a database in mysql?
What does isset() function?
What is the difference between javascript and php?
What is printf in php?
What is lazy loading in php?
What is list function with their uses.
What is rtrim php?
4 down vote favorite share [g+] share [fb] share [tw] I am developing my site using server side sessions using redis as backend for saving the session. Now the issue which is bothering me is of user leaving the website without logging out. I mean user simply closes the browser which causes the cookie to be deleted. Now session of that user still exists on the server and will not be used again as new login requires creating a new session due to security reasons. To avoid the case where hacker steals the old cookie and use it after user login again with same old session id. In essence user leaves the website without explicitly logging out and his session will be deleted after certain time limit of inaccessibility. I am thinking time limit of 30-60 minutes. Also with every new request from user his cookie will also be updated to keep track of when the user last time accessed the site. But nowadays, people let site remain open for long time without accessing it. For example users open facebook and gmail in new tabs and forget about them for 2-3 hours and still they are not asked to login again. Is letting a 2-3 hours old cooke access the session secure? My concern is someone steals user cookie and use it 2-3 hours later. Thinking on this topic has also forced me to question how facebook manages security if user can use a session where they are not accessing it for long periods of time and still they remain logged in. Or is it not secure for me to keep logged in when am not accessing the site session for longer period of time? It can be the case also there is some pinging mechanism using which sites keep track of user having their site open in a browser and when browser closes they are notified and can work accordingly. My website is a social network and needs all those security and usage features which a social network may need. I am new to web security and web development in general and may be the case where my above questions may seem a little basic. If you feel that is the case kindly point to some good reference where I can read and find answers to my question.
Write a program using while loop in php?
What is the special meaning of __sleep and __wakeup?
What is difference between include,require,include_once and require_once()?
