Sessions or Cookies for Security
| Patrick 2004-03-26, 11:12 pm |
| Hi all,
I have users with different levels of security sharing the same machine.
I want to force a login if the browser is closed. What is the best
way to go about this?
Patrick
| |
| Olivier Bellemare 2004-03-26, 11:12 pm |
| The best way to do this would be with sessions, since cookies are made to do
the exact opposite of this (Cookies are for "remembering" things if the
browser is closed)
With sessions, if the browser closes, the client will NOT remember anything
and will have to enter a login again.
"Patrick" <pknews@kirks.net> wrote in message
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
> I want to force a login if the browser is closed. What is the best
> way to go about this?
>
> Patrick
| |
| Rudi Ahlers 2004-03-26, 11:12 pm |
| This is quite an interesting subject though.
I've been developing in ASP as well, for a while now, and in ASP, sessions
depend on the user having cookies enabled, whereas PHP doesn't. Isn't that
rather ironic?
And also, a session in ASP only lasts 20 minutes by default, which is rather
irritating if you need to read large pages, and then have to re-login to go to
the next page. I think when I go down on my knees tonight, I'll say a
special thank-you for PHP :)
--
Kind Regards
Rudi Ahlers
+27 (82) 926 1689
For as he thinks in his heart, so he is. ... (Proverbs 23:7)
"Olivier Bellemare" <__NOSPAM__olivier.bellemare__NOSPAM__@cgocable.ca>
wrote in message news:eUA7c.178064$2g.8783@charlie.risq.qc.ca...
The best way to do this would be with sessions, since cookies are made to do
the exact opposite of this (Cookies are for "remembering" things if the
browser is closed)
With sessions, if the browser closes, the client will NOT remember anything
and will have to enter a login again.
"Patrick" <pknews@kirks.net> wrote in message
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
> I want to force a login if the browser is closed. What is the best
> way to go about this?
>
> Patrick
| |
| Lee A. Wentzel 2004-03-26, 11:12 pm |
| "Patrick" <pknews@kirks.net> wrote in message
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
> I want to force a login if the browser is closed. What is the best
> way to go about this?
>
> Patrick
What I have done in the past, is used cookies. Set the expiration time to
zero. So when they leave the site and close the browser, they will be
forced to login. I use this on my managers page. At the top of each
managers page, I have code that looks for the cookie, and the content of
that cookie. If it is there, it displays the page. If it is not, it kicks
them back to the login page. To make things a little more secure (in my
opinion) I have the "username" be the cookie name, and the "password" be the
content of the cookie. The advantage of that, is you hard code the
information into your PHP. Anyone trying to guess logins and passwords
would have an infinite number of possibilities. Hope this makes sense to
you.
Lee
| |
| Michael Vilain 2004-03-26, 11:12 pm |
| > "Patrick" <pknews@kirks.net> wrote in message
> news:c3mjna$sa6$1@sparta.btinternet.com...
>
>
In article <eUA7c.178064$2g.8783@charlie.risq.qc.ca>,
"Olivier Bellemare" <__NOSPAM__olivier.bellemare__NOSPAM__@cgocable.ca> wrote:
> The best way to do this would be with sessions, since cookies are made to do
> the exact opposite of this (Cookies are for "remembering" things if the
> browser is closed)
>
> With sessions, if the browser closes, the client will NOT remember anything
> and will have to enter a login again.
>
>
But my browser (all of them on the Mac) uses a cookie to track a
session. Granted that cookie goes away when the browser closes, but
they're still using cookies. AFAIK, unless you use a POST and a hidden
field between forms, there's no stateless way to maintain session
information between pages.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| Patrick 2004-03-26, 11:12 pm |
| "Michael Vilain <vilain@spamcop.net>" wrote:
[...]
>
> But my browser (all of them on the Mac) uses a cookie to track a
> session. Granted that cookie goes away when the browser closes, but
> they're still using cookies. AFAIK, unless you use a POST and a hidden
> field between forms, there's no stateless way to maintain session
> information between pages.
>
Thanks all.
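
An added example, not part of the original thread or written by any of its posters: one way to get the "login again after the browser closes" behaviour discussed above using a PHP session whose cookie has a lifetime of zero, with credentials and the access level kept server-side. The function names, `IDLE_LIMIT`, the shape of the `$users` array and `/login.php` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: helper names, IDLE_LIMIT, $users layout and /login.php are hypothetical.
const IDLE_LIMIT = 900; // assumed idle timeout, in seconds

function start_browser_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: the browser discards it on close
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();
}

// $users maps username => ['hash' => password_hash() output, 'level' => int].
function log_in(string $user, string $password, array $users): bool {
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh id once the user is authenticated
    $_SESSION['user'] = $user;                 // only the opaque id travels in the cookie
    $_SESSION['level'] = $users[$user]['level'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page, after start_browser_session().
function require_login(int $minLevel): void {
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['user']) || $idle > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    if ($_SESSION['level'] < $minLevel) {      // logged in, but not privileged enough
        http_response_code(403);
        exit;
    }
    $_SESSION['last_seen'] = time();
}
```

Browsers configured to restore the previous session on startup can keep session cookies alive across a restart, so on a shared machine the server-side idle timeout is what actually bounds how long a login stays usable.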