[FX.php List] [OFF] Theory of managing sessions

Gjermund Gusland Thorsen ggt667 at gmail.com
Tue Nov 20 15:25:34 MST 2007


Tihi, I always did this in a different way than you guys, it seems.

I always make my own key as an array inside $_SESSION['']

example

$_SESSION[$pKey]['currentUser'] = $r['data'][key( $r['data'] )]['userID'][0];

and when I want to kill the session I use simple stuff like:

$_SESSION[$pKey]['currentUser'] = '';

or, if I want to be brutal:

$_SESSION[$pKey] = '';


On Nov 20, 2007 9:29 PM, Andrew Denman <adenman at tmea.org> wrote:
> The comments on the session_unset() php page seem to indicate you need both
> session_unset() and session_destroy() to clear out a session:
> http://us3.php.net/manual/en/function.session-unset.php.  One comment even
> mentioned adding " $_SESSION = array();" to the mix after calling both
> functions.
>
> I'm not sure exactly what these functions do to the session file on the
> server, but they should clear out any data that was in the session.  If it
> does not clear the session file (as I suspect), those get cleaned up after
> their expiration time based on the probabilities set in php.ini (session_
> settings), so it is possible that by submitting the URL with a session ID
> that has not been cleaned up you can still have a valid session (though it
> should be clear of saved data).  This comment mentions re-starting the
> session so you have a blank session, but it may still cause the problem you
> are encountering:
> http://us3.php.net/manual/en/function.session-destroy.php#71889
>
> The best way to solve this problem is to set your own session variable when
> the user starts the process and clear it once they're done, or keep track of
> their progress like Troy mentioned.  If your pages look for this variable(s)
> and don't find it you can kick them off of the page.
>
> Andrew Denman
>
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Jonathan Schwartz
> Sent: Tuesday, November 20, 2007 1:15 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] [OFF] Theory of managing sessions
>
> Something is very wrong here.
>
> I can't get a session to destroy, even using the session_destroy() command.
>
> For reference, I am using SID in the URL.  Cookies are turned off.
>
> As a test,  I copy the URL. I run session_destroy().  I quit Safari.
> I restart Safari.  I paste the URL back into Safari.  It still works,
> displaying data from the session!
>
> What's the deal?
>
> Thx.
>
> Jonathan
>
> At 7:38 AM -0800 11/20/07, Lindal, Mark wrote:
> >re: Session and security
> >This is now the area that I am working on with my solution.
> >
> >On my last page, I added these two lines of code so there is no caching of
> >the pages:
> >
> >header('Cache-Control: no-cache');
> >header('Pragma: no-cache');
> >
> >I believe this is to prevent caching of pages to prevent people from going
> >back a page in the history and retrieving data.
> >
> >------------------------------
> >Mark Lindal
> >mlindal at nrcan.gc.ca
> >250-363-0603
> >
> >
> >
> >_______________________________________________
> >FX.php_List mailing list
> >FX.php_List at mail.iviking.org
> >http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-381-1852
>
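
The marker-variable guard suggested in the thread, combined with a full teardown, as an added example (not code from any poster). It assumes the thread's setup of a session ID passed in the URL with cookies off; the demo_ function names, the 'process' key and the sample IDs are hypothetical. It shows that a reused session ID opens a blank session after teardown, which the guard rejects.

```php
<?php
// Added example, not code from the thread. All demo_ names are hypothetical.
ini_set('session.use_cookies', '0');   // the thread's setup: SID in the URL, no cookies
ini_set('session.cache_limiter', '');  // send no cache headers, so this also runs from the CLI
session_save_path(sys_get_temp_dir());

// Open the session for a given ID, as PHP would for an ID arriving in the URL.
function demo_open(string $sid): void {
    session_id($sid);
    session_start();
}

// Marker set when the user starts the process.
function demo_begin(string $userId): void {
    $_SESSION['process'] = ['currentUser' => $userId, 'started' => time()];
}

// Guard for every protected page: without the marker the visitor is kicked off.
function demo_is_allowed(): bool {
    return isset($_SESSION['process']['currentUser'])
        && $_SESSION['process']['currentUser'] !== '';
}

// Full teardown: empty the array, then delete the server-side session data.
function demo_end(): void {
    $_SESSION = array();
    session_destroy();
}

$sid = 'constructedsid0123456789abcdef';  // constructed sample session ID
demo_open($sid);
demo_begin('user-42');                     // constructed sample user ID
$before = demo_is_allowed();               // guard result while the process is active
demo_end();

demo_open($sid);                           // the old URL is pasted back in
$after = demo_is_allowed();                // guard result for the reused ID after teardown
demo_end();

var_dump($before, $after);
```

In a real page the guard would run immediately after session_start() and redirect or exit when it fails.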

