|
Joined: Aug 2000
Posts: 3,590
Moderator
Ok, thanks for the answers guys. These sessions will be an interesting path to investigate.
Peelboy brought up an interesting point though: if we have lots of users online it might add to the server load. Anyway, since we have the choice between sessions and cookies, all is well and everyone is happy :D
Benj
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
What...I use the cuffs instead of a bikelock! :)
|
|
|
|
Joined: May 1999
Posts: 3,039
Guru
What I have just realized is the way I am working with arrays in the port, I'm basically writing for php4. In php3, you can't reference an array in a string, so you have to concatenate (sp?) everything, like this:
echo "Hello " . $user['U_Username'] . ". How are you?";
where in php4 you can do this:
echo "Hello $user[U_Username]. How are you?";
The first way makes for some extremely ugly code when printing out all the info for the generated pages. Is this going to be a problem? I can write for php3 if that's what everyone wants, but like I said it is somewhat uglier, not to mention a pain in the butt ;)
EDIT: Nevermind. It turns out you just can't reference multi-dimensional arrays in strings in php3, not standard ones. Like I said, I'm still learning :D
Edited by Scream on 10/19/00 04:18 PM.
UBB.threads Developer
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
PHP 4 is the way to go, Scream. Faster and better. If anyone has php3 on their server, they should upgrade to php4!!
Aldar
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
Session data is not mad amounts of load. It's a tiny file created initially in the /tmp directory. I use sessions on a fairly active site and I have no load issues.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
Development on PHP3 stopped months ago and all support has been halted on it by Zend. PHP3 is dead and has long since been replaced by PHP4. PHP4 is a very stable product and has had several patches released already to add more features and not stability issues. To support PHP3 now would be a waste since by the time w3t is complete in PHP3 then they might be ready to work on PHP5.
Plus ewaddle isn't the way to handle sessions in PHP3. You use phplib to take care of sessions in PHP3. phplib is better code and it's cleaner too.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
A session variable can be transferred in two ways (that I know of, there might be a third). They can be in a cookie or if the browser doesn't support cookies you can have PHP automatically append or you can specify in a config or in a required header to automatically check if there is a cookie and if not then append the session id to the end of the URL. With that method people without cookies turned on can access the site.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
Actually Scream, even if the cookie data was set to be there forever then that wouldn't make it so you don't have to log out, because the server keeps the data in a file in /tmp and PHP has a method for destroying these files on a random basis when they "expire". If you run phpinfo(); in PHP4 you'll see that info down a bit. gc_maxlifetime and gc_probability are the two variables that define this. gc_probability is the percent chance that the file will be destroyed. With a recommendation from Zend and my personal recommendation, 5-10 is a good value for this, and gc_maxlifetime is how long you want the session data to be valid. I think it's a little mislabeled because I think gc_maxlifetime actually is how long the data is saved, then the probability to destroy it comes into play only when the server isn't too busy or something like that. I'm not 100% sure about that.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
I actually edited my w3t so it doesn't save your cookies and you have to log in every time. I had several complaints from users who had two accounts and used the same computer (husband and wife / brother and sister / etc) that they'd log in under the other person's name and then when they hit logout and tried to login under their own name w3t would say "Hello, their name" in the corner but the main part of the page would say they're not logged in. At that point neither account could log in so I had to make a little script to clear all cookies from my server in the w3t folder and close all browser windows and then they'd hafta try and relogon and sometimes that didn't even work and I'd hafta explain to these people how to manually delete the cookie from their browser folder. So I just made all my cookies in w3t temp cookies and that fixed the problem.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
My big issue is that w3t saves my password in a cookie. Totally not cool IMHO.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
Actually I've heard of it being possible to "hack" the cookie protection of only allowing the domain that set the cookie to access it.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
"Also.. A while back I wrote a .js file that could be included in a post on this forum.. It would pull your user name and password, then create an image tag pointing to a cgi script on my server (with a query string that contained the user name and password) From there it could store everybody's user name and password into a database (I just wanted to see if it worked.. it did.. so I reported it as a bug and deleted the scripts)"
Exact reason I hate that w3t saves my password in a cookie! It should be my username and a random number that's generated and stored with my info in the database.
|
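The scheme asked for in the post above (a random value in the cookie, checked against what is stored with the user's record), sketched as an added example; it is not UBB.threads/w3t code, and the `login_tokens` table, its columns, the cookie name and the sample user are hypothetical. It assumes PHP 7.3+ with the pdo_sqlite extension, and the cookie is marked `httponly` so a script included in a post cannot read it.

```php
<?php
// Added example, not UBB.threads/w3t code. Table, column and cookie names are hypothetical.
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    selector TEXT PRIMARY KEY, token_hash TEXT NOT NULL,
    username TEXT NOT NULL, expires INTEGER NOT NULL)');

/** Issue a random token; only its SHA-256 hash is stored server-side. */
function issue_token(PDO $db, string $username, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $token    = bin2hex(random_bytes(32));  // secret, never stored in clear
    $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $username, time() + $ttl]);
    return $selector . ':' . $token;        // the cookie value: no password in it
}

/** Return the username for a valid cookie value, or null. Tokens are single-use. */
function redeem_token(PDO $db, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;
    $stmt = $db->prepare('SELECT token_hash, username, expires FROM login_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Delete before checking: one redemption per token, the caller issues a fresh one.
    $db->prepare('DELETE FROM login_tokens WHERE selector = ?')->execute([$selector]);
    $ok = hash_equals($row['token_hash'], hash('sha256', $token))
        && (int) $row['expires'] >= time();
    return $ok ? $row['username'] : null;
}

$cookie = issue_token($db, 'benj');    // constructed sample user
// In a real response: setcookie('login', $cookie, ['expires' => time() + 1209600,
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(redeem_token($db, $cookie));  // first use of the value
var_dump(redeem_token($db, $cookie));  // replay of the same value
```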
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
Actually DoubleClick does know name and other info on most people. Ever fill out a form on a page with a DoubleClick ad on the top? Guess what? Their cookie with your ID goes to the company you filled the form out to, which asks you if they can share your info with their providers who are interested in selling their products to you. Guess who is their provider for all that other stuff. DoubleClick.. They then connect the DoubleClick database to their database and DoubleClick now knows your info. There was that lawsuit about DoubleClick doing this (which I think they won) and the lawyer was able to get his name, SSN, address, phone number, and other info from the DoubleClick database.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
PHP sessions will help because your personal data isn't stored in cookies on your system. Plus it's not a global cookie. Plus it gets deleted when you close the browser window. Plus it's a random alphanumeric string generated each time you login.
|
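The session handling discussed in this thread (ID carried in a cookie rather than the URL, no personal data in the cookie, expiry via `gc_maxlifetime`), written out for current PHP as an added example; it is not UBB.threads/w3t code, and the function names and the 30-minute limit are assumptions. It assumes PHP 7.3+ served over HTTPS. Current PHP expresses the clean-up chance as `gc_probability / gc_divisor`, and because that clean-up is probabilistic the idle timeout is also enforced in code.

```php
<?php
// Added example, not UBB.threads/w3t code. Assumes PHP 7.3+ and HTTPS.
declare(strict_types=1);

const IDLE_LIMIT = 1800;   // assumed idle timeout in seconds

function start_secure_session(): void
{
    session_start([
        'use_only_cookies' => 1,      // never accept a session ID from the URL
        'use_trans_sid'    => 0,      // never append the ID to links
        'use_strict_mode'  => 1,      // reject IDs the server did not issue
        'cookie_lifetime'  => 0,      // cookie is dropped when the browser closes
        'cookie_httponly'  => true,   // not readable from page scripts
        'cookie_secure'    => true,
        'cookie_samesite'  => 'Lax',
        'gc_maxlifetime'   => IDLE_LIMIT,   // older files become eligible for clean-up
        'gc_probability'   => 1,
        'gc_divisor'       => 100,          // 1 in 100 requests triggers clean-up
    ]);
    // A stale file may survive until clean-up runs, so check the age ourselves.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

function log_in(string $username): void
{
    session_regenerate_id(true);     // fresh random ID at every login
    $_SESSION['user'] = $username;   // kept server-side; the cookie holds only the ID
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();               // removes the server-side session data
}
```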
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
"For example.. you might not strip special chars off a search form and a user could figure out a way to write code that does a select statement on the user_info table and prints it out to the screen... who knows?!?!?!"
I love doing that when someone asks me to check out their site or app that they just worked on. Scares the crap outta them. :)
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
You don't need tons of RAM. They don't reside in RAM. They are stored in the /tmp directory and most of these files are less than 1/2 a KB.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
If ya read the session info on Zend's site (Zend makes PHP) they'll explain the differences between ASP and PHP session support somewhere I remember. They are handled better in PHP than in ASP, IMHO.
|
|
|
|
Joined: Feb 2000
Posts: 128
Member
I've never heard -any- body say that using sessions on a high load site was a good idea.. heh.. when you say fairly active does that mean 10 gigs a month data transfer? or 20 gigs a day? If you are like my friend and have a site that transfers 20 gigs a day.. I don't think you would like sessions too much.. =)
------------------------------------------------ Jeremy 'PeelBoy' Amberg
|
|
|
|
Joined: Feb 2000
Posts: 128
Member
Honestly.. The first way you did it is the -safe- way.. I got in a bad habit of doing it the second way, and I run into little problems here and there even on PHP4 (or even Perl for that matter) that end up being solved by switching the code to the first way of doing it.. Don't ask me why..
Even in perl I try to: print "hi ", $user, "\n";
I don't know why but I have less problems that way. (not that I run into a problem doing it the second way very often, but when I do it's annoying)
------------------------------------------------ Jeremy 'PeelBoy' Amberg
|
|
|
|
Joined: May 1999
Posts: 3,039
Guru
The password is encrypted in the cookie.
UBB.threads Developer
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
I never said heavy traffic is good with sessions, I just said I don't have problems.
|
|
|
|
Joined: Aug 2000
Posts: 3,590
Moderator
There was a time when it wasn't and I never knew it changed to being encrypted till now.
|
|
|
|
Joined: Feb 2000
Posts: 128
Member
oh in that case.. hehe..
on a personal site or forum that gets a lot of hits, but not a LOT of hits.. sessions work fine I'm sure.. I would use them on my personal forum if it was still up.. I just wouldn't use it on a massive site that gets a LOT of hits.. they can be evil.. :)
------------------------------------------------ Jeremy 'PeelBoy' Amberg
|
|
|