
Anti Spoof with sessions

I'm making a contact page up and have read and followed a link from a thread I found in searching this forum which landed me at some site on the subject of using a token to stop spoofing by using sessions.

The example that was given was

[code=php]$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;[/code]

with no sign of session_start() in sight.

  • 1. If I'm passing the session token value from one script to another, I need the session_start()

  • 2. Can I just leave that session and kill it in the next page? If so, how? The article doesn't say.

    @bokeh Sep 20.2007 — You need session_start() on every page that is going to access the $_SESSION super global. You can kill the session from any page after calling session_start(). See the examples in the manual in the session_destroy() page.

    @root (author) Sep 21.2007 — Thx.

    Daft question, can the $_SESSION be used to store any data or is there a limit to what you can store in the $_SESSION array?

    Looking in the php.net site, it doesn't make it clear, just that you can store stuff, nothing indicating size or type of limits.

    @felgall Sep 21.2007 — As much as you like. By default the session data apart from the session id itself is stored in a file on the server. By overriding the appropriate session commands you could save the session data in a database or however you like.

    @bokeh Sep 21.2007 — [QUOTE]can the $_SESSION be used to store any data or is there a limit to what you can store in the $_SESSION array?[/QUOTE]
    All data types except resources. With objects you need to include the class definition before calling session_start. You can even store complete files and images (as strings).

    @root (author) Sep 22.2007 — Ok, thx guys.

    @Stephen_Philbin Sep 24.2007 — There's also the PHP ini setting for session.autostart to consider. The person that gave the example may have been relying on sessions being auto-started, but then again they might just have been lazy.

    Note that you can't store objects in sessions properly when using auto-started sessions because it doesn't give you the chance to include the class descriptions. However, you [i]might[/i] be able to do it if you use PHP5's class autoloader "__autoload()". I can't remember if that works or not. I think it does.
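
The flow discussed in this thread, as an added example that is not part of any poster's reply: the form page creates the token after session_start(), and the handling page checks it once and then destroys the session. The function names and the `token` form field are assumptions, and random_bytes() with hash_equals() stand in for the md5(uniqid(rand(), true)) call from the question.

```php
<?php
// Added example, not from the thread. Function names and the 'token'
// field name are assumptions made for illustration.

// Page 1 (the form): create the token and remember it in the session.
function issue_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // required before touching $_SESSION
    }
    // random_bytes() is a CSPRNG (PHP 7+), used here in place of md5(uniqid(rand(), true)).
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];         // echo this into a hidden form field
}

// Page 2 (the handler): compare the submitted value with the stored one, once.
function check_token(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // needed again: this is a different script
    }
    $expected = $_SESSION['token'] ?? '';
    unset($_SESSION['token']);         // single use, so a replayed form fails
    $given = $post['token'] ?? '';
    // hash_equals() compares in constant time; an empty stored token never matches.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Kill the session when done, following the session_destroy() manual page.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed demo: two "requests" simulated in a single CLI run.
$token = issue_token();
session_write_close();                                   // end of request 1
$ok     = check_token(['token' => $token]);              // genuine submission
$replay = check_token(['token' => $token]);              // same token sent again
$forged = check_token(['token' => str_repeat('0', 64)]); // value never issued
end_session();
var_dump($ok, $replay, $forged);
```

On a real site issue_token() runs in the script that renders the form and check_token($_POST) in the script that receives it; the demo lines at the bottom only imitate that split.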