[FX.php List] [OFF] Theory of managing sessions

Andrew Denman adenman at tmea.org
Tue Nov 20 13:29:32 MST 2007


The comments on the session_unset() php page seem to indicate you need both
session_unset() and session_destroy() to clear out a session:
http://us3.php.net/manual/en/function.session-unset.php.  One comment even
mentioned adding " $_SESSION = array();" to the mix after calling both
functions.

I'm not sure exactly what these functions do to the session file on the
server, but they should clear out any data that was in the session.  If it
does not clear the session file (as I suspect), those get cleaned up after
their expiration time based on the probabilities set in php.ini (session
settings), so it is possible that by submitting the URL with a session ID
that has not been cleaned up you can still have a valid session (though it
should be clear of saved data).  This comment mentions re-starting the
session so you have a blank session, but it may still cause the problem you
are encountering:
http://us3.php.net/manual/en/function.session-destroy.php#71889

The best way to solve this problem is to set your own session variable when
the user starts the process and clear it once they're done, or keep track of
their progress like Troy mentioned.  If your pages look for this variable(s)
and don't find it you can kick them off of the page.

Andrew Denman
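Putting the teardown sequence from the manual comments together with the "set your own session variable" approach, as an added example that is not code from the list thread or from FX.php. The function names and the `wizard_active` / `wizard_step` keys are illustrative assumptions; the teardown order (empty `$_SESSION`, expire the cookie, `session_destroy()`) follows the PHP manual, and `session_regenerate_id(true)` is used at the start so the old session file is deleted rather than left to garbage collection, which is what lets a stale SID in a pasted URL keep working.

```php
<?php
// Added example, not from the original post. Demonstrates a full session
// teardown plus a process-tracking flag that each page in a multi-step
// process checks. Names such as wizard_active and beginProcess are assumed.

session_start();

// Full teardown: drop in-memory data, expire the cookie (if cookies are in
// use) and remove the server-side session data.
function endSessionCompletely(): void
{
    // Empty the array and unregister every key for this request
    $_SESSION = array();
    session_unset();

    // If the id travels in a cookie, expire it on the client as well
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Delete the server-side session storage (the file under session.save_path)
    session_destroy();
}

// First page of the process: rotate the id (true = delete the old session
// file so a previously issued SID stops resolving) and set the marker.
function beginProcess(): void
{
    session_regenerate_id(true);
    $_SESSION['wizard_active'] = true;
    $_SESSION['wizard_step']   = 1;
}

// Every page inside the process calls this; a request whose session lacks the
// marker (expired, destroyed or never started) is sent back to the start page.
function requireProcess(int $step): void
{
    if (empty($_SESSION['wizard_active']) || ($_SESSION['wizard_step'] ?? 0) < $step) {
        header('Location: /start.php');
        exit;
    }
}

// Advance the marker once a step is completed successfully
function completeStep(int $step): void
{
    $_SESSION['wizard_step'] = max($_SESSION['wizard_step'] ?? 0, $step + 1);
}

// Last page: tell the browser not to cache the result, then tear the
// session down so neither the back button nor a saved URL shows the data.
function finishProcess(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    endSessionCompletely();
}

// Example wiring for a page that is step 2 of the process
requireProcess(2);
// ... render step 2, process its form ...
completeStep(2);
```

Each page only needs the `requireProcess()` call at the top; because the marker lives in the session, a visitor who bypasses the start page or returns with an old SID after `finishProcess()` has run is redirected instead of seeing partial data.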

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Jonathan Schwartz
Sent: Tuesday, November 20, 2007 1:15 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] [OFF] Theory of managing sessions

Something is very wrong here.

I can't get a session to destroy, even using the session_destroy() command.

For reference, I am using SID in the URL.  Cookies are turned off.

As a test, I copy the URL. I run session_destroy().  I quit Safari. 
I restart Safari.  I paste the URL back into Safari.  It still works, 
displaying data from the session!

What's the deal?

Thx.

Jonathan

At 7:38 AM -0800 11/20/07, Lindal, Mark wrote:
>re: Session and security
>This is now the area that I am working on with my solution.
>
>On my last page, I added these two lines of code so there is no caching of
>the pages:
>
>header('Cache-Control: no-cache');
>header('Pragma: no-cache');
>
>I believe this is to prevent caching of pages to prevent people from going
>back a page in the history and retrieving data.
>
>------------------------------
>Mark Lindal
>mlindal at nrcan.gc.ca
>250-363-0603
>
>
>
>_______________________________________________
>FX.php_List mailing list
>FX.php_List at mail.iviking.org
>http://www.iviking.org/mailman/listinfo/fx.php_list


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-381-1852