I'd like to use a cookie because it is easy to use :) Use the setCookie() function!
Use the COOKIE to store the user name so the user doesn't have to type it in; use the SESSION for the check.
Ty all for the response! Sry, my PHP knowledge is still stuck at PHP3 and I have not tried most of the "new" functions :)

Now please suppose the two cases that will mostly happen.

1. A user has a valid cookie and an expired session, or no session id at all. As u said, I should check the cookie now.. and if the cookie is valid, generate a new session id for the user?? Because my session admin class also returns some role values together with the session id, those role values will be passed to a JS menu file to give each type of user a different menu. I dunno how u or the advanced PHP methods do it; I would like to learn it, but I cannot change the source code for the current project. Ty for any reply on this topic.

2. If a user has an unexpired session id, it is not necessary to check the cookie, is it right?

This is my source code.. do not laugh at me :) Perhaps it is quite old style.

For the login page and those pages for free users (because I have multiple types of unregistered users, I have to pass every one of them a sid so that I can give them a corresponding menu, and furthermore the mostly identical static pages that show them all functions and the GUI of the site):

    require_once('../../include/sessMan.inc.php');
    $sessionVariable = new sessMan();
    $sessionID = null;                          // initialise so the check below never sees a stale value
    if (!empty($_GET['sid']))  $sessionID = addslashes($_GET['sid']);   // sid passed in the URL
    if (!empty($_POST['sid'])) $sessionID = addslashes($_POST['sid']);  // a POSTed sid wins over the URL one
    if (!$sessionID) $sessionID = $sessionVariable->login("x", "y", "init_business"); // no sid: create an anonymous session
    $role = $sessionVariable->validate($sessionID);

For session validation, on every page:

    $sessionVariable = new sessMan();
    $sessionID = null;
    if (!empty($_GET['sid']))  $sessionID = addslashes($_GET['sid']);
    if (!empty($_POST['sid'])) $sessionID = addslashes($_POST['sid']);
    $role = $sessionVariable->validate($sessionID);   // role values drive the JS menu
    $unique_id = $sessionVariable->uid();

Will you please tell me how to add the cookie now? Ty again.
2. If a user has an unexpired session id, it is not necessary to check the cookie, is it right?
That is how it should be: only when his session has died and no longer exists should the cookie be used; otherwise the code is duplicated and looks unnecessary. 3. The cookie code should just be added afterwards. I don't have PHP right now so I can't test it; you try it. What the OP asks for is validation with both a cookie and a session.
Hmm.. I think this way might not be right. I expect the session to last only 30 minutes but the cookie to last several days or months. As I said, I have several types of user, which means the cookie needs to record at least the following variables: user_name, user_pwd, user_role. I am still not clear on the cookie organization. However, I expect to get the three variables from whatever legal or illegal cookie object arrives. First get its user_role from the object, then validate user_name and user_pwd against the corresponding user table for this user_role. Thank you for the auto_prepend_file suggestion! Sry, I still have not got your phone number.. I can understand what you said, but it seems it is not the perfect solution :)
Isn't your session already stored in the database? Then you only need to set the session's expiry time equal to the cookie's expiry time, don't you? If you store the session in the database, the SQL in your session_destroy() method should be something like "delete * from table where exptime > time()", so there should be no problem.
Hehe... when you decide to find the solution, in fact you have already got the answer... the procedure of your thinking is the best way... Maybe you don't like saving the session on the server side for a long time. Then use a cookie... if the cookie is valid, you can keep the session unexpired...
Oh NO.... it is not the solution.. :( The reason I do not want to keep the session for a long time is that I do not want to take the risk that anybody misuses my site. I only give the session 30 minutes so that even if anyone gets a valid session id, he only has a limited time to do anything bad.. Please think about my problem again. 1. 30 mins session 2. 30 days cookie
If that's the case, I don't see what benefit you get from storing the session in the database; it only increases the database load! And I think your concept is wrong: "i do not want to keep the session for a long time is i do not want to do the risk that anybody misuses my site". Because you have stored a cookie for this user, as soon as he visits the site again you automatically assign him a new session. The sessionid has changed, but since the sessionid is designed to be passed via GET and POST, I can very easily obtain my new sessionid; if he was attacking you before, he can carry on just the same. One script should be enough to do it. Also, I could build a robot that keeps visiting you so that my original session never expires. The simplest is a robot that clicks "a certain point" on the screen on a timer, refreshing over and over, and that sessionid won't expire either. If you really want to limit attacks, I think you could limit the number of hits from the same IP within a unit of time and control the session that way. I don't think that the real purpose of limiting the session expiry time lies here. So I still think my original idea is right.
-------------------------------------------------------------------
If you really want to implement 1. 30 mins session 2. 30 days cookie, your cookie only needs to store the user name/password; the user's role and permissions.... don't need to be stored in the local cookie. When the user visits, you can re-query the user's role, permissions and so on from the database and throw them into the session. Cookies are not secure: the more you store in the cookie, the more information you expose to the user, and the greater the chance that he attacks and damages you. User name/password stored in the cookie should be encrypted with md5, and then encrypt the encrypted string again with your own method; md5 is no longer secure either.
The reason I want to use a cookie, which I never wanted to use b4, is that my boss does not want the user to input his pwd every time. U mean it is not necessary to pass a session id for a short period? Will u please tell me how those giant sites handle the similar session and cookie case? So far I hesitate to implement this cookie.. it seems its advantage is not so worthwhile compared to the security loss..
The session sits on the server side, which feels a bit safer. The cookie sits on the client side, which sometimes feels a bit like it can be spoofed.
I suppose my question is somehow typical. I get a lot of support from online friends all over the planet, and the solution will be spawned soon.. http://www.phpe.net/articles/19.shtml http://www.phpe.net/articles/20.shtml These two articles are talking about cookies.. no virus related :)
I just summarize all the info I collected before implementation. There are some things that need to be clarified first. If you suspect any of them, please give ur reason.

1. If a user logs into a site, the site can see the user's cookie sent by it; the site can never see any other cookies which were not sent by the site itself.
2. As an extension, a site cannot get any cookie of a person who has never touched this site.
3. The user can modify his own cookie. As he can only know his own user name and password, and the most serious concern of our website is to prevent anybody from accessing the database (since you can always define the PHP files on the Linux production server as read-only, which is impossible to destroy), we need not care that he modifies his user name and password and sends us whatever illegal cookie, since it will be ignored after validating against the user table.

So far so good.. There is a principle on those giant sites: set the session to a short time, but the cookie from one month to permanent according to the user's choice. Hence, the suggestion from hahawen is a bit wrong, because we cannot save a short session id into a long cookie; that makes no sense :)

I am ready to save user name, password, and user role into the cookie; as hahawen suggested, I will encode them.

    if (user_has_session_id)
    {
        validate this session id
    }
    else
    {
        if (user has cookie)
        {
            if (validate this cookie is true)
            {
                set a new session
            }
            else
            {
                goto login page
            }
        }
        else
        {
            goto login page
        }
    }

hahawen said a user can write a script or robot to refresh the session frequently.. hehe, here is Germany and my server provider is the top one. It should be his job to check that kind of illegal access and block him.. Please show it here if you feel anything is bad. Thank you for your suggestion .. :)
Still a problem left. Is it true that a cookie is for one page? I noticed that after I set a cookie for the login page, I then go to the search page, which gets a session id. On the local PC I have found the newly generated cookie in c:\Document...\myuser\cookies\... Now what I want is to close the browser and access the search page without the session id. Because the cookie is there, I thought I could access the search page directly. However, it does not work. It seems the cookie is only useful when I access the login page. My question is, should I set a new cookie for every page of the site?
A cookie works for all pages of the same site!! Did you forget to set the cookie's expiry time? Your question is not a real problem.
Solution..

    SetCookie("CookieArray[0]", "Value 1", time()+3600*24*100, "/");
    SetCookie("CookieArray[1]", "Value 2", time()+3600*24*100, "/");

If we do not write the fourth parameter "/", a cookie set by a/b/login.php cannot be used by a/c/search.php. "/" means the root, and the cookie is then valid for all files of the site. Thank you all!
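Pulling the thread together, here is an added example (my own code, not from any poster on this page) of the decision tree in the summary post above (check the session first, fall back to the cookie only when the session is gone, otherwise send the user to the login page) together with the cookie path "/" point from the solution post. It departs from the thread in one respect, stated plainly: instead of putting user_name/user_pwd in the cookie, even md5-hashed, it stores a random token whose SHA-256 hash is kept server-side, so a copied cookie reveals no credential and can be revoked. The arrays standing in for the user, session and remember-me tables, the function names, the user "alice", and the HTTPS assumption behind the Secure flag are all mine; the setcookie() options array needs PHP 7.3 or newer.

```php
<?php
// Added example, not from the thread. Two-tier login: a 30-minute server-side
// session plus a 30-day "remember me" cookie that carries no password.
// $db is a plain array standing in for the user/session tables (assumption).

const SESSION_TTL = 30 * 60;          // 30 minutes, as the OP wants
const COOKIE_TTL  = 30 * 24 * 3600;   // 30 days

$db = [
    'users'    => ['alice' => ['role' => 'business']],   // constructed sample user
    'sessions' => [],   // sid => ['user' => .., 'role' => .., 'expires' => ts]
    'remember' => [],   // selector => ['user' => .., 'hash' => .., 'expires' => ts]
];

// Create a short-lived session; the role is re-read from the user table, not from the cookie.
function newSession(array &$db, string $user): string {
    $sid = bin2hex(random_bytes(16));
    $db['sessions'][$sid] = ['user' => $user, 'role' => $db['users'][$user]['role'],
                             'expires' => time() + SESSION_TTL];
    return $sid;
}

function validateSession(array $db, ?string $sid): ?array {
    if ($sid === null || !isset($db['sessions'][$sid])) return null;
    $s = $db['sessions'][$sid];
    return $s['expires'] > time() ? $s : null;
}

// Issue the long-lived cookie after a successful password login.
// Cookie value is "selector:validator"; only a hash of the validator is stored.
function issueRememberCookie(array &$db, string $user): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $db['remember'][$selector] = ['user' => $user, 'hash' => hash('sha256', $validator),
                                  'expires' => time() + COOKIE_TTL];
    $value = $selector . ':' . $validator;
    // path "/" so a/b/login.php and a/c/search.php share the cookie (the thread's fix);
    // HttpOnly keeps script away from it, Secure limits it to HTTPS (assumed).
    setcookie('remember', $value, [
        'expires' => time() + COOKIE_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $value;
}

// Redeem the cookie: look up by selector, compare the validator hash in constant time.
function validateRememberCookie(array &$db, ?string $cookie): ?string {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $cookie);
    $row = $db['remember'][$selector] ?? null;
    if ($row === null || $row['expires'] <= time()) return null;
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($db['remember'][$selector]);   // wrong validator for a known selector: burn it
        return null;
    }
    return $row['user'];
}

// The decision tree from the summary post: session first, cookie only as a fallback.
function authenticate(array &$db, ?string $sid, ?string $cookie): array {
    if ($s = validateSession($db, $sid)) {
        return ['ok' => true, 'sid' => $sid, 'role' => $s['role']];
    }
    $user = validateRememberCookie($db, $cookie);
    if ($user === null) {
        return ['ok' => false, 'redirect' => 'login.php'];
    }
    $sid = newSession($db, $user);                        // cookie valid: set a new session
    return ['ok' => true, 'sid' => $sid, 'role' => $db['sessions'][$sid]['role']];
}

// Demo: a login, then the three cases the thread discusses.
$sid    = newSession($db, 'alice');
$cookie = issueRememberCookie($db, 'alice');
var_dump(authenticate($db, $sid, null)['ok']);           // live session, no cookie needed: true
$db['sessions'][$sid]['expires'] = time() - 1;           // let the 30-minute session expire
var_dump(authenticate($db, $sid, $cookie)['ok']);        // expired session, valid cookie: true
var_dump(authenticate($db, null, 'bogus:token')['ok']);  // forged cookie: false, go to login
```

Run it with `php remember.php`; in a real deployment the three arrays become queries against the user and session tables, the selector lookup replaces the thread's "validate user_name and user_pwd from the user table", and a "log out everywhere" button simply deletes the user's rows from the remember table.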
And include the login page in every page where you want to validate the user.