[FX.php List] [OFF] Theory of managing sessions

Troy Meyers tcmeyers at troymeyers.com
Mon Nov 19 07:47:25 MST 2007


Jonathan,

I don't know if it would work for you, but I store "what step the user is in" data either in the session or in FileMaker (coupled with a record owned by the user) and use the _same_ URL for each step in an interview process. That way, if the user resubmits an old form it is recognized on the server end that the user should be in a different step, and that step is displayed, including possibly a page that asks if a new interview should be started, if the old one had ended. Doing it this way, though, you need to have backward navigation for the user coded in the page so they can go back and change something in an earlier step, if that's allowable.

I can't see why this wouldn't work using either the session-in-cookie or the -in-URL method. If the session had been destroyed, the PHP should be able to recognize that and start at the appropriate spot.

Make any sense?

-Troy


> Hi Folks.
> 
> Sorry for the slightly off topic post.  I'm having trouble getting 
> this straight...
> 
> The question is how to properly use sessions to allow and limit access
> to a solution. My current dilemma: how to restrict folks from
> revisiting pages of a multipage solution after they have completed the
> process...when using SID.
> 
> In my current solution, I am using SID to make sure that I don't have
> cookie problems. When cookies are not available from the user's
> browser, the PHPSESSID appears in the URL. The last step of the
> process is a page that runs session_destroy. Yet, I can use the
> browser history (Safari) and re-load pages from the solution. They
> display with data from the session...and the PHPSESSID still appears in
> the URL.
> 
> I thought that session_destroy was the way to go to wipe the session. For
> reference, this doesn't happen when browser cookies are turned "On" and
> the system doesn't use SID. Also for reference, I am using a simple
> check at the top of each page to check whether a session is "on" and
> dump to an "ended" page if the test fails.
> 
> if($_SESSION['SessionInd'] != "On" ) {
> 
>   header('Location:ended.php');
> 
> }
> 
> The SessionInd is set when the user logs in.  I probably need to beef
> this up.
> 
> What am I missing with the SID method?
> 
> Thx
> 
> Jonathan
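
The single-URL approach described in the reply above, as an added example that is not code from this thread: the current step lives only in server-side state, so a form replayed from browser history is answered with the step the server expects, and a missing session leads to the "start a new interview?" page. The step names, the form fields (`action`, `step`, `data`) and the `next_step()` helper are hypothetical.

```php
<?php
// Added example, not from the thread. Step and field names are hypothetical.
const STEPS = ['contact', 'details', 'confirm'];

// Decide which view to render. $state is the server-side record
// ($_SESSION on a real page); $post is the submitted form.
function next_step(array &$state, array $post): string
{
    $action = $post['action'] ?? '';
    // No server-side record: the session never started or was destroyed.
    if (!isset($state['step'])) {
        if ($action === 'start') {
            $state = ['step' => 0, 'answers' => []];
            return STEPS[0];
        }
        return 'ask_new_interview';
    }
    $current = $state['step'];
    // A hidden field names the step the form was rendered for. If it does not
    // match the server's step (history, back button, replayed POST), the
    // submitted data is ignored and the expected step is shown again.
    if (($post['step'] ?? null) !== STEPS[$current]) {
        return STEPS[$current];
    }
    if ($action === 'back' && $current > 0) {
        $state['step'] = $current - 1;
        return STEPS[$current - 1];
    }
    if ($action === 'next') {
        $state['answers'][STEPS[$current]] = $post['data'] ?? '';
        if ($current === count(STEPS) - 1) {
            $state = [];            // interview finished: drop the record
            return 'finished';
        }
        $state['step'] = $current + 1;
        return STEPS[$current + 1];
    }
    return STEPS[$current];
}

// Constructed request sequence, run against a plain array instead of $_SESSION.
$session = [];
foreach ([
    ['action' => 'start'],
    ['action' => 'next', 'step' => 'contact', 'data' => 'a@example.org'],
    ['action' => 'next', 'step' => 'contact', 'data' => 'stale'], // old form resubmitted
    ['action' => 'next', 'step' => 'details', 'data' => 'x'],
    ['action' => 'next', 'step' => 'confirm', 'data' => 'yes'],
    ['action' => 'next', 'step' => 'confirm', 'data' => 'yes'],   // replay after the end
] as $post) {
    echo next_step($session, $post), PHP_EOL;
}
```

On a real page, call `session_start()`, pass `$_SESSION` and `$_POST` to the function, and call `session_destroy()` when it returns `finished`.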


