session

What is the efficient way to secure a session variable in PHP?

My web application uses UserId almost throughout the entire application. What is the most efficient way to secure a session variable in PHP? Is session vulnerable to attacks? Should I keep my encrypted value of UserId in session? Any suggestion... ...

How do I detect when a user has been idle for a certain time and destroy their session in PHP?

I would like to have my PHP website destroy a user's session if they have been idle for 5 minutes. If this does happen, I'd like to present the user with a message stating why they were logged out and redirect them to the login page. What is the best way to handle this? I am running on php and myadmin. Thanks Avinash ...

Too much information in HttpSession

Hi what do you think about this problem? We do have too much information in HttpSession, because much information is computed and a few large graph of objects are needed to store between requests finally. Is it appropriate to use any cache like memcache or so? Or is it the same as increasing memory for JVM? There's fear of storing it ...

Is cookie PHPSESSID the only key for a $_SESSION in PHP?

If it's true, and I know the value of PHPSESSID, can I fake that user? ...

[solved] PHP trouble with concurrent sessions and AJAX

I have a session handler class that calls session_write_close() at the end of the script. This ensures that even if a header() or exit() is issued the session data is saved. public function __destruct() { session_write_close(); } However, I have noticed that for one of my AJAX pages TWO session updates are committed by the databas...

Browser extension to create independent cookie stores narrower than spec.

Does anyone know of a browser extension (preferably Firefox) that allows you to create independent cookie stores at a finer (and configurable) granularity than the specification? E.g. say http://a.example.com/ first sends Set-Cookie: a=bar; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.com So clearly this would also ...

PHP SESSION data lost between page loads with WAMPserver 2.0 on localhost

I have a PHP authentication system on my website using the $_SESSION variable. A form submits a username and password to the file "login.php". It is handled like this: <?php include '../includes/sessionstart.inc.php'; ?> <?php ob_start(); ?> if($_POST){ $q = mysql_query("SELECT id, company FROM users WHERE username = '".mysql_real...

Redirect to login after session expire

Hello, My application uses standard MVC pattern with jsp and servlets. I like to redirect to login page when the user clicks a link after session expire. Same application is used for many countries, so I give a country code with the login url. So simple redirecting to login page is not possible. How can I redirect to my web application r...

Asp.Net Session is null in ashx file

If I access session variable in ashx handler through it is always null. How can I access the current user here. public void ProcessRequest (HttpContext context) { context.Session[UIConstants.SessionItems.ID] = Id; } ...

SQL Server requests time out as TempGetStateItemExclusive is getting called continuously

I run a site with decent traffic (~100,000 page views per day) and sporadically the site has been brought to its knees due to SQL Server timeout errors. When I run SQL Profiler, I see a command getting called hundreds of times a second like this: ... exec dbo.TempGetStateItemExclusive3 @id=N'ilooyuja4bnzodienj3idpni4ed2081b',... ... ...

Are there flaws in my web session handling process?

Okay so the way this works is the user authenticates via web form and generates a session ID as so: sub session_open { my $sid; my $user = shift; if ( open(SEMA, "> ../sema/sess") ) { flock SEMA, LOCK_EX; do { $sid = generate_session_id(); } while ( -d "$SDIR/$sid" )...

How do I do sessions with a Flash client?

Since the Flash Player (or, more exactly, the URLLoader class) will not let you read HTTP response headers or cookies set by the server, and if you get hold of a session cookie through some workaround like reaching out to the browser and run JS, you can't send it to the server, because, among others, the Cookie header will be blocked. N...

What, exactly, are the security concerns with sending session tokens in the URL?

I'm building a Flex client against a Struts backend and I have to find a way to transmit the session token without relying on cookies, because I can't use cookies in a Flash movie. I'm looking at putting the token in either the message body or the URL. Putting it in the URL has somewhat of a bad reputation, security-wise. However, I jus...

At what point should I change the way Struts acquires the session token?

It seems I have to find a different way to transmit the session token from a Flex client to a Struts backend without using cookies. If I were to put the session token in the payload of a request, at what point would I have to customize Struts' behaviour so that I can reuse as much of the existing session handling as possible? In particu...

Does Flash Player transmit session cookies automatically?

There's no access to the HTTP cookies from within a Flash movie, but I now have repeatedly read that Flash Player is supposed to take care of session cookies automatically. I could, however, not find any documentation about this, and it sure didn't work with my Flex client running against a Struts backend using the default JSESSIONID coo...

Security Concern about hidden form field.

I want to check whether the user has signed in or not, so I assign a hidden form field to store the session key, and I have a post method form to submit. Can others/hackers copy my session key from my field and send a post method to the server? If yes, what can I do to avoid this? ...

In ASP.NET (server side), how can I uniquely identify one browser window from another which are under the same cookie-based sessionId

The users of my web application may have more than one browser window (or tab) open and pointed to the same page. We're using cookie based session id's, and the user will usually work within the same session id in both browsers/tabs. I would like to be able to uniquely identify which browser window (and tab) that requested an ASP.NET pag...

PHP Session with Adobe Air application?

I don't have a lot of experience with either PHP or Adobe AIR. I'm just researching at the moment. I am considering creating some kind of internal AIR app. It would basically be a web chat interface that can be minimized to the tray, with the ability to notify users of new messages, etc. In other words, a pretty basic web chat applicatio...

Objects won't persist in Django sessions under Apache

The setup: Django 1.0 default sessions (db, no caching) apache 2.2, mod_python, prefork, 5 processes What I am trying to do: initialize a new object (custom class, several dicts as member variables, a few methods) save it in the session. use that object from several subsequent requests Problem: The process that created the obje...

Changing SessionID Dynamically in C# ASP.NET

I'm curious if there is a way to dynamically change the session ID from the context of a SessionStateStoreProvider (or some other customizable module) in C# for ASP.NET. I am implementing a custom SessionStateStoreProvider, and I was thinking about augmenting the session ID to tell the store provider where to go look for a session. I'v...