session

Help getting PHP sessions to persist after being taken off-site

Hi, we're working on a payment gateway system with PHP. We use sessions to store the shopping cart data. The system takes you off-site to the payment processor's site, and then returns you to your site. On most hosts, we have no issues when we arrive back at our site and have the session data still be there. On those with an issue, turn...

Prevent PHP session hijack, are these good ideas?

I'm doing a simple shopping cart for a small site. I plan to store cart items as well as logged in user_id in session variables. To make things a little more secure, I thought I'd do this: sha1() the user_id before storing it in the session. Also sha1() and store the http_user_agent var with some salt, and check this along with the...

Using memcached/APC for session storage?

Hi everybody, I had some thoughts a while ago about using memcached for session storage, but came to the conclusion that it wouldn't be sufficient in the event that one or more of the servers in the memcached pool were about to go down. A hybrid version is to save the main database (MySQL) from load caused by reads would be to work out a f...

last_login_at not working (null) w/ Authlogic Magic Columns...

I am using the Authlogic gem for authentication and most of it seems to be working great. Authlogic provides several columns that you can add to your Users table (for example) that it knows to fill in if they are present, i.e. login_count, current_login_ip, last_request_at and last_login_at. All seem to be working fine with the exceptio...

How to share asp.net Session into WCF service

I'm using asp.net website with WCF service, having wsHttpBinding,Aspnet compatibility enabled, specified as Sessionmode -allowed, service behavior- isinitiated and client session cookie enabled. It's looking like Asp.Net session object and WCF Session( HTTPContext.Current.Session) work independently. How can I share Asp.net Session value t...

Object reference error even when object is not null

Hi, I have an application wherein I have incorporated a "Remember Me" feature for the login screen. I do this by creating a cookie when the user logs in for the first time, so next time when the user visits the site I get the cookie and load the user information. I have written the code for loading user information in a common class in ...

Authentication and Security in my website - need advice please.

Hi, I am using database with a list of username/passwords, and a simple web form that allows for users to enter their username/password. When they submit the page, I simply do a stored procedure check to authenticate. If they are authorised, then their user details (e.g. username, dob, address, company address, other important info) ...

Session attacks, what are the new breeds of attacks ?

Hello, I am collecting as much information as possible about http(s) session attacks. There is plenty of information about existing attacks, but I would like to know if some new breeds of attacks are now made possible either by security flaws in popular software or technologies or by new smarter security engineering. Do you have some re...

tomcat 6 - Cluster / BackupManager

Hi, I have a question regarding Clustering (session replication/failover) in tomcat 6 using BackupManager. Reason I chose BackupManager, is because it replicates the session to only one other server. I am going to run through the example below to try and explain my question. I have 6 nodes setup in a tomcat 6 cluster with BackupMana...

Are sessions modifiable by the client/user?

In my PHP Web-App I use sessions to store the user's data. For example, if a user logs in, then an instance of the User class is generated and stored in a Session. I have access levels associated with each user to determine their privileges. Store the user in a session by: $_SESSION['currentUser'] = new User($_POST['username']); F...

Multiple SessionFactories in Windows Service with NHibernate

Hi all, I have a Webapp which connects to 2 DBs (one core, the other is a logging DB). I must now create a Windows service which will use the same business logic/Data access DLLs. However when I try to reference 2 session factories in the Service App and call the factory.GetCurrentSession() method, I get the error message "No session ...

Managing a user's PHP session with Cocoa Touch

I'm building an iPhone app, which will allow users to log in to a PHP web server that authenticates the user and starts a session. My idea for managing a session is to create a singleton User class that has a sharedLogin method. Would it be prudent to store the session variable in the shared instance in order to maintain the session? ...

Handling Session ID with Spring

Hi, I'm trying to build a Spring server for GWT (you can think of it as of Javascript AJAX client). But I can't decide on one point of architecture. How should session be created and used? The obvious easiest way - is to use HTTP sessions (cookies and stuff). Looks fine, but I think that sending session ID separate from the headers wou...

PHP Sessions - Locking and Sharing questions

Hi, I would like to know if it is possible to read $_SESSION attributes without locking it. Currently, session_start() locks SESSION, that means other PHP processes will wait until it is unlocked. But, some processes just want to get some $_SESSION variables, not to write on them. Is that possible to implement some function like session...

Is session destroy not enough to clean the session

When the user clicks a logout button, I connect to a script that simply does this session_destroy(); session_start(); I thought this would be enough to reset all $_SESSION variables such as $_SESSION['logged'] and $_SESSION['username'] but when I load the page again, it automatically logs me in as if the session is still active. ...

Google App Engine - Calling getSession().invalidate(); causes app engine to act weird.

When I call hreq.getSession().invalidate(); app engine slows down tremendously. I looked at appstats and saw that on a page where no database calls are made, it was calling memcache.get and datastore.get 23 times each. The stack trace of these calls showed that it was being called from getSession(). This only happens on the production ...

Is there any way to force authentication with Zend_Auth?

I am working with Zend_Auth and cookie/session persistence. I can't seem to figure out how to force an authentication with this class. Is there any way to force Zend_Auth to believe it has authenticated as a user? ...

How to Not Force Login After Users Close Their Browser on gae

...Like Django's session or cookies Does anyone have a simple way of allowing this? ...

asp.net: when is the data from session getting lost

I'm wondering if I'm going to store some data into the session is it going to be there while the user is authenticated (using formsauth) or might happen that the data will suddenly go null ...

Make browser to go back by reloading page 1st and then scrolling it back again too

EXPLAINING WHAT I'M TRYING TO SOLVE: I have a webpage (file_list.php) showing a list of files, and next to each file there is a button to delete it. When the user presses the DELETE button close to a certain file name, the browser goes to a script called delete_file.php that deletes the file and then it tells the browser to go back to the file_li...