
ASP sessions+cookies vs PHP session+cookies


cherri8


Hi, I hear a lot of things on the net that PHP sessions can be unsafe if you are not an experienced programmer. I still want to make sites with PHP regardless of what I hear. I was wondering if ASP sessions+cookies are safer than PHP sessions+cookies because ASP codes are hidden on the browser? I think ASP session info is hidden from people using shared hosting, but with PHP sessions it is not hidden from people. Thanks


Thanks. If I only use sessions for PHP and not cookies, can I use this code to check if people are logged in on a secure page? I plan to do the regenerate ID, or whatever it is called, for the session ID, but I have not done it yet.

    if (isset($_SESSION['fuser']) && isset(sha1($salt.$_SESSION['id'])) && isset(sha1($salt.$_POST['fpassword']))) { header('Location:securepage.php'); }
    if (!isset($_SESSION['fuser']) && !isset(sha1($salt.$_SESSION['id'])) && !isset(sha1($salt.$_POST['fpassword']))) { header('Location:index.php'); }

----------------------------------

I have a database tables question. I'm going to do a session table with

    "CREATE TABLE sessions ( id varchar(32) NOT NULL, access int(10) unsigned DEFAULT NULL, data text DEFAULT NULL, PRIMARY KEY (id) )";

I saw this in a tutorial on the net. The sessions id does not have AUTO_INCREMENT like I see in this site's tutorials. I'm wondering if I can replace id varchar(32) NOT NULL with id int UNSIGNED NOT NULL AUTO_INCREMENT in my members table and all the other tables connected with members, like the shop table for example? Or I probably should just put everything from the sessions table into the members table? Thanks


The session id will be alphanumeric by default, so it will need a varchar data type rather than int. You don't need to link up your session table to other tables like the member table. You will use sessions as you are used to; you will only need to override the PHP session handling. http://php.net/set_save_session_handler <= check this link

If I only use sessions for PHP and not cookies, can I use this code to check if people are logged in on a secure page?
You don't need to save the password in sessions. When you make a login, check its credentials, and if the login matches, give them an access token like $_SESSION['auth']=true; ..and you will check for this token in the secure page.

Thank you guys! birbal: I'll use the $_SESSION['auth']=true; idea like you said, and since that session is going to be made for the correct IP, password, and username, I decided to not put the username in sessions and just use isset($_SESSION['auth']) && isset($_SESSION['id']). I heard it isn't a good idea to put the username in sessions, so that method would be great for me. justsomeguy: I'll use md5 instead. I hope that it's OK to use with isset:

    $pwd=$_POST['fpassword']; = md5($salt.$_POST['fpassword']);
    $id=$_SESSION['id']; = md5($salt.$_SESSION['id']);
    isset(md5($salt.$_SESSION['id']))


You don't need to save the password in sessions. When you make a login, check its credentials, and if the login matches, give them an access token like $_SESSION['auth']=true; ..and you will check for this token in the secure page.
Got a question here. The $_SESSION['auth']=true; is suggested just for pages that have content only registered users can see, right? Because if you are going to retrieve user-specific data (like a username or a profile picture) you need to have user-specific information saved in the session, like the user id. Is that right?

I'll use md5 instead. I hope that it's OK to use with isset:
It will be the same as sha1. md5() also returns a string.
It's not correct to use isset with a function like sha1, isset only checks if a variable is set. The return value of a function isn't a variable, it's a value.
As justsomeguy said already, isset() checks if a variable has a value or not. md5() itself is returning a value, so there is no point in using isset() there.
Got a question here. The $_SESSION['auth']=true; is suggested just for pages that have content only registered users can see, right? Because if you are going to retrieve user-specific data (like a username or a profile picture) you need to have user-specific information saved in the session, like the user id. Is that right?
Exactly. You can save the user id or other user-related information which you will need in other pages.
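The login check the replies converge on, as an added example that is not code from the thread: the credentials are verified once, the session id is regenerated, and only the auth flag and the user id are kept in the session. It uses PHP's password_hash()/password_verify() in place of the salted sha1/md5 comparison; the find_user() helper, its sample account and the fuser form field name are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample account; a real site reads this row from its members table.
function find_user(string $name): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

// Verify the credentials once, then keep only a flag and the user id in the session.
function login(string $name, string $password): bool
{
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id at login, old session data deleted
    $_SESSION['auth'] = true;      // the access token suggested in the thread
    $_SESSION['id'] = $user['id']; // user id for user-specific pages; no password stored
    return true;
}

// Guard for securepage.php: test the values, since isset() is also true for auth = false.
function is_logged_in(): bool
{
    return ($_SESSION['auth'] ?? false) === true && is_int($_SESSION['id'] ?? null);
}

// cookie_secure means the session cookie is only sent over HTTPS.
session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'use_strict_mode' => true]);

$name = $_POST['fuser'] ?? null;     // field name assumed
$pass = $_POST['fpassword'] ?? null; // field name taken from the thread
if (is_string($name) && is_string($pass)) {
    login($name, $pass);
}

header('Location: ' . (is_logged_in() ? 'securepage.php' : 'index.php'));
exit; // stop the script so nothing after the redirect is sent
```

On securepage.php itself, the same is_logged_in() check runs before any output, followed by the redirect to index.php and exit when it fails.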

It will be the same as sha1. md5() also returns a string. As justsomeguy said already, isset() checks if a variable has a value or not. md5() itself is returning a value, so there is no point in using isset() there. Exactly. You can save the user id or other user-related information which you will need in other pages.
Thanks, it is more clear to me now.

Archived

This topic is now archived and is closed to further replies.
