  1. #1

    session security tips and code help

    My site pages are PHP, HTML and CSS. I have no need for a session on main pages. I only want a session on the forms, such as register and contact. session_start() is fine for all pages, but I must be able to end the session in my situation. Understand?
    Session for the registration form, then end the session. I have no need for it after registration. Further, I do not want the drive filled with session files waiting for the garbage collection. I also need to delete the cookie.
    Using XAMPP on Windows 10, my script works as expected. The session files are deleted and the cookies are deleted.
    I've had to battle this script with session handling. I got to a point where the session is destroyed (I watch the file disappear from the tmp folder), only to see the file reappear after a second. So I got angry and added an unset($_SESSION) to try to force the damn destruction of the file. Sometimes PHP is a pain in the a55. session_destroy() should do what it says: destroy.
    I am aware that a session file will not be destroyed if a user navigates away from the site. I have no idea why browser makers cannot add a header for a website: simply alert the website when the user closes the browser or leaves the page. It would be nice. Another problem is navigating to another page in the site from the form. The session file is not destroyed. Is there a way to detect the session on those pages?
    I will use a cron job to delete the unwanted session files older than 24 minutes.

    I will greatly appreciate security tips. Really, I cannot see the code behind pro services. I want to know how to harden this script. Remember Facebook coders found a way to break the console? What must Facebook security code look like? How can this script be harder and better?
    Please remember that I am absolutely new to PHP. If you can show sample code with a concept, I will greatly appreciate it.

  2. #2

    The first important point is to never trust the client and always do validation on the server side.
    What happens if scripts are disabled or the form hasn't even been used?

    If a user logs in and then somehow ends up back at the login form, will they then be logged out?

    Any reason you set the cookie manually, instead of just using SESSION? The only reason I can see for this is if you want a remember-me option or similar.

    Just curious why you don't see the standard garbage collector as good enough?

  3. #3

    Yes, there is a reason why I set the cookie. All tutorials and even the data at php.net are not working for me. My cookie is never deleted. I have functioning eyes and I see the cookie in the Edge browser console until I close the browser, hence a session cookie. I don't want the cookie hanging around until the browser is closed.
    This code: $params = session_get_cookie_params(); setcookie(session_name(), '', time() - 3600, $params["lifetime"] etc. etc. does not remove the cookie. I can see it.
    I decided to forget the tutorials and think of a way to actually delete the cookie when I say delete cookie. Thus, I gave it a name and set the proper parameters, and the cookie is deleted when I expect it to be deleted.
    Basically, every other method has failed me. I tried my own code and the cookie is deleted.

    Regarding session files, I just don't want them hanging around. I like a clean and orderly environment. I prefer to destroy them when I want them destroyed. I find it irritating. Sorry, but I cannot handle my tmp folder full of files that are supposed to be destroyed. It drives me nuts.

  4. #4

    There's really no point in trying to clean up session files and cookies immediately. Any solution you come up with will never be perfect and may leave stuff behind in varying situations. If you really want to try and keep your session directory clean, then just rely on your cron job to do it. Otherwise, let PHP's garbage collector do its job. You can tweak PHP's session garbage collector to run more frequently if you want. You could even have it run on every page load, mostly negating any need for a cron job, though I wouldn't really recommend that.
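A worked version of the lifecycle the thread argues over, added here as an example; it is not the original poster's script nor code from any of the replies. It starts a session only on the form page, validates on the server as #2 recommends, expires the cookie with the same attributes it was created with (the usual reason the php.net-style snippet in #3 leaves the cookie visible), and leaves PHP's garbage collector configured as the safety net #4 describes. Assumptions: the form posts back to this same file, PHP 7.3 or newer (array form of setcookie()), the default file-based session handler; the field name `csrf`, the function names and the redirect target `/registered.html` are made up for the example.

```php
<?php
// Added example (not the poster's script): session lifecycle for one form page.
// Assumptions: the form posts back to this file; PHP 7.3+ (array form of
// setcookie()); the default file-based session handler; names below are made up.

declare(strict_types=1);

// Attributes the session cookie is created with. endFormSession() must reuse
// exactly these, or the browser will not match the cookie it is told to expire.
const COOKIE_PARAMS = [
    'lifetime' => 0,       // browser-session cookie
    'path'     => '/',
    'domain'   => '',
    'secure'   => false,   // set true once the site is served over HTTPS
    'httponly' => true,    // keep the ID away from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POSTs
];

function startFormSession(): void
{
    // Strict mode: a session ID the server never issued is rejected, which
    // closes the simplest session-fixation trick (attacker pre-sets the cookie).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Built-in garbage collection as the safety net for abandoned files:
    // on 1 request in 100, files idle longer than 1440 s (24 min) are removed.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    ini_set('session.gc_maxlifetime', '1440');

    session_set_cookie_params(COOKIE_PARAMS);
    session_start();

    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);              // fresh ID, old file deleted
        $_SESSION['initiated'] = true;
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
}

function endFormSession(): void
{
    $_SESSION = [];                               // 1. clear the data
    session_destroy();                            // 2. delete the sess_* file
    $expired = COOKIE_PARAMS;                     // 3. expire the cookie with
    unset($expired['lifetime']);                  //    the same attributes
    $expired['expires'] = time() - 3600;
    setcookie(session_name(), '', $expired);
}

// For pages that need no session: if the browser still carries a cookie
// from the form (the user navigated away), start only to tear it down.
function dropStraySession(): void
{
    if (isset($_COOKIE[session_name()])) {
        startFormSession();
        endFormSession();
    }
}

// Server-side validation: never trust what the form (or no form) sent.
function validateRegistration(array $post, string $expectedToken): array
{
    $errors = [];
    $sent = (string) ($post['csrf'] ?? '');
    if ($expectedToken === '' || !hash_equals($expectedToken, $sent)) {
        $errors[] = 'Form token missing or stale; please reload the form.';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    if (strlen((string) ($post['password'] ?? '')) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    return $errors;
}

startFormSession();
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateRegistration($_POST, (string) ($_SESSION['csrf'] ?? ''));
    if ($errors === []) {
        $hash = password_hash((string) $_POST['password'], PASSWORD_DEFAULT);
        // ... store $_POST['email'] and $hash with a prepared statement ...
        endFormSession();                         // done with the session
        header('Location: /registered.html', true, 303);
        exit;
    }
}
// Render the form; escape everything that goes back into HTML.
$token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
echo '<form method="post">';
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
echo '<input type="hidden" name="csrf" value="' . $token . '">';
echo '<input type="email" name="email"> <input type="password" name="password">';
echo '<button>Register</button></form>';
```

Two points worth checking against your own script. First, a browser only overwrites a cookie when name, path and domain all match, so an "expired" setcookie() with different attributes simply creates a second cookie and the original stays visible in the Edge console; in the snippet in #3 the fourth argument is $params["lifetime"], which is the path position, so if that is what the script really does the mismatch explains what you see. Second, for the non-form pages in #1, calling dropStraySession() at the top of each page (before any output) starts the session only when the browser presents a cookie, which is the server-side "detect the session" you asked about; setting session.gc_probability and session.gc_divisor both to 1 is what #4 means by running the collector on every page load.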
