So why do I need session?
on 11.04.2007 06:31:44 by sam rumaizan
You use a session to store values that are required over the course of a single visit, and a cookie to store more persistent data that is used over multiple visits.
Session: when you close the browser the session gets flushed. Which means the browser will not recognize the user next time he/she browses the page, unlike a cookie.
So why do I need session? OR maybe I didn't understand session
Re: So why do I need session?
on 11.04.2007 08:12:28 by php
Are you asking someone specifically, or is this a general question?
Here's an example of when sessions are useful:
You have a login area on your website on which users who have registered
can log in to access special content. Only, you want such a high
security on your website so that people shouldn't be able to simply
browse to the hidden files, nor should a user still be logged in when
his friend uses his computer and starts a fresh browser. Here's where
sessions are perfect! You store the userId or similar information in the
session and start every secret page with the question:
    if (!isset($_SESSION['userId']) ||
        !CoolCheckUserValidityFunction($_SESSION['userId'])):
        header("Location: login.php");
        exit;
    else:
        $GLOBALS[USER] = new User($_SESSION['userId']);
    endif;
of course you should not do that check in login.php... :P
Mike
PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
if anyone else does stuff like that.. :P
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: So why do I need session?
on 11.04.2007 08:25:49 by Stut
Mikael Grön wrote:
> Are you asking someone specifically, or is this a general question?
>
> Here's an example of when sessions are useful:
> You have a login area on your website on which users who have registered
> can log in to access special content. Only, you want such a high
> security on your website so that people shouldn't be able to simply
> browse to the hidden files, nor should a user still be logged in when
> his friend uses his computer and starts a fresh browser. Here's where
> sessions are perfect! You store the userId or similar information in the
> session and start every secret page with the question:
>
> if (!isset($_SESSION['userId']) ||
> !CoolCheckUserValidityFunction($_SESSION['userId'])):
> header("Location: login.php");
> exit;
> else:
> $GLOBALS[USER] = new User($_SESSION['userId']);
> endif;
>
> of course you should not do that check in login.php... :P
>
> Mike
>
> PS: That $GLOBALS[USER] and the User class part is my own stuff.. Dunno
> if anyone else does stuff like that.. :P
Out of curiosity, why do you create the user object on every page
request? Why not store the user object in the session?
Also, $GLOBALS[USER] is invalid unless you have defined a constant
called USER somewhere.
-Stut
Re: So why do I need session?
on 11.04.2007 08:43:59 by php
Yes, no, you're right. I don't do that on every page on the systems I've
built. And yes, I define('USER','The user namespace'); before I set it.
Mike
Re: So why do I need session?
on 11.04.2007 09:28:05 by sam rumaizan
It is a general question.
Why can't I use cookie instead?
Re: So why do I need session?
on 11.04.2007 09:42:14 by php
You can, only it's not as secure. It's easier to edit cookies since
they're not stored on the server. Also cookies don't disappear when you
close the browser, which is standard on other pages with login systems.
Your users will expect to be logged out when closing the browser.
Mike
Re: So why do I need session?
on 11.04.2007 10:38:49 by Stut
Mikael Grön wrote:
> You can, only it's not as secure. It's easier to edit cookies since
> they're not stored on the server. Also cookies don't disappear when you
> close the browser, which is standard on other pages with login systems.
> Your users will expect to be logged out when closing the browser.
"as secure"??? Cookies are not secure at all. There has been a *very*
lengthy discussion of this subject on the PHP-General mailing list.
Search the archives for a recent thread with the subject "Session
Authentication".
-Stut
Re: So why do I need session?
on 11.04.2007 10:49:29 by php
As I said.
Cookies being completely insecure is as valid as Cookies not being as
secure as Sessions.
.... *sighs*
Though, there are ways to make cookies more secure, for example by
storing copies of them with timestamps in a database and matching values
before allowing users to pass... But that's more or less exactly what
Sessions do, so there's really no use of Cookies for authentication.
Mike
Re: So why do I need session?
on 11.04.2007 10:59:11 by Stut
Mikael Grön wrote:
> As I said.
> Cookies being completely insecure is as valid as Cookies not being as
> secure as Sessions.
Sessions are more secure than cookies, but only in so far as the actual
data stored in a session is never sent to the client.
> ... *sighs*
I'm not sure what that's supposed to mean. This is a serious topic, and
the lack of understanding of it that too many PHP developers suffer from
is part of the reason PHP is getting a bad security reputation.
> Though, there are ways to make cookies more secure, for example by
> storing copies of them with timestamps in a database and matching values
> before allowing users to pass... But that's more or less exactly what
> Sessions do, so there's really no use of Cookies for authentication.
There is no real way to make cookies secure. Anything you do needs to be
reversible and so can be brute-forced. The best approach to take IMHO is
to use cookies for session IDs and identification between visits.
*Never* authenticate someone based purely on a cookie, and *never* track
user status in cookies.
Oh, and to correct one other thing, cookies will disappear when you
close the browser if you don't give them an expiry time. This is how the
session ID cookie works.
-Stut
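
The approach described in the message above (a cookie that carries only the session ID and has no expiry time, with the login state kept on the server), as an added example that is not part of the original thread. The function names and the 30-minute idle limit are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later:

```php
<?php
declare(strict_types=1);

// Added example: function names and the idle limit are hypothetical.
const IDLE_LIMIT_SECONDS = 1800; // assumed policy value (30 minutes)

function start_secure_session(): void
{
    // Refuse session IDs the server did not issue, and IDs passed in URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // lifetime 0 = no expiry time: the browser drops the ID cookie on close.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session.
    session_regenerate_id(true);
    $_SESSION['userId']   = $userId;
    $_SESSION['lastSeen'] = time();
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

function current_user_id(): ?int
{
    // Only server-side state is consulted. $_COOKIE is never read here,
    // so editing cookies in the browser cannot change who the user is.
    if (!isset($_SESSION['userId'], $_SESSION['lastSeen'])) {
        return null;
    }
    if (time() - $_SESSION['lastSeen'] > IDLE_LIMIT_SECONDS) {
        log_out(); // idle too long: drop the server-side state
        return null;
    }
    $_SESSION['lastSeen'] = time();
    return (int) $_SESSION['userId'];
}

function require_login(): int
{
    $userId = current_user_id();
    if ($userId === null) {
        header('Location: login.php');
        exit;
    }
    return $userId;
}

// Top of every protected page (not login.php itself):
start_secure_session();
$userId = require_login();
```

login.php would call start_secure_session() and, after verifying the password, log_in() with the verified user's ID.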
Re: So why do I need session?
on 11.04.2007 11:24:11 by php
You keep repeating what I've already said. That's what the *sigh* was about.
But, I was hasty in sighing as you're right in how important it is to
clarify to the absolute limit on this subject. Sorry about that!
Far too many programmers are completely oblivious when it comes to
hacking methods.
And, as you said, there's no way to make a cookie secure... Only a bit
more secure. Everything is in shades of gray.
Truthfully, I've never ever built a site or part of a site that relies
on cookies for anything. Except for the more or less default PHP
configuration for sessions to use cookies for the SESSID.
Mike
java with PHP
on 11.04.2007 14:28:50 by sam rumaizan
How can I run java with PHP?
Any example please
Re: So why do I need session?
on 11.04.2007 14:30:54 by Jody Williams
As a side note, there are a lot of companies/organizations that
completely block cookies at the firewall level. As a result, the
cookie never makes it to the web browser. If relying strictly on
cookies for authentication, on every page, the user must
re-authenticate.
Jody
Re: java with PHP
on 11.04.2007 19:58:47 by Stanislav Malyshev
> How can I run java with PHP?
> Any example please
You could look here:
http://www.zend.com/products/zend_platform/features_comparison/java_bridge
or here:
http://php-java-bridge.sourceforge.net/pjb/
--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/
Re: So why do I need session?
on 13.04.2007 15:56:15 by Dijital
That's a bit of a half-truth... cookies do disappear if you don't
specify a time to live. When I use cookies to store miscellaneous data
(for security I use session naturally) I typically do not specify a time
to live so when the user closes the browser, the cookie dies. Cheers.
Armando
Mikael Grön wrote:
> You can, only it's not as secure. It's easier to edit cookies since
> they're not stored on the server. Also cookies don't disappear when you
> close the browser, which is standard on other pages with login systems.
> Your users will expect to be logged out when closing the browser.