
Php - Unregistering Session

Ketay    122
Okay, in my game I log in and to save the login info I use:

if(!$HTTP_SESSION_VARS['password']) session_register("password");
if(!$HTTP_SESSION_VARS['email']) session_register("email");

and it works fine, but when they try to log in as a different character it has them still logged in as that one, and I was wondering how to clear those variables so they can log in as a new character. I am currently using:

session_unregister(email);
session_unregister(password);

but it doesn't seem to work. So I was wondering how to do it. Thanks.

-Moo-

konForce    592
On log out do:

session_unset();
session_destroy();

And, storing the password in a session variable isn't necessarily good, because in most implementations, sessions are stored as text files in the world readable /tmp drive.

It is usually better to store a unique user_id once a log-in attempt has been validated. This also allows you to prevent hitting the DB on every page view just to revalidate the user.

Also, do NOT use session_register if you are going to use the $HTTP_SESSION_VARS array. See the docs for more info on that. Lastly, if you are using PHP 4.1 or higher, use $_SESSION[] instead.

[edited by - konForce on October 21, 2002 9:06:10 PM]

Ketay    122
For the logout I used those two and the unset worked I guess but the destroy made it do:

Warning: Trying to destroy uninitialized session in /home/trispher/public_html/logout.php on line 4

And it didn't log them out cuz if I tried logging in as another thing, it would still log in as the same thing (I didn't even have to type anything in the email and password fields either, it just logs in if you press it cuz it has it still stored...)

-Moo-

konForce    592
Look at the docs for session_destroy:

http://www.php.net/session_destroy

Regarding your error, be sure you do something like:

----
session_start(); // initialize the session

session_unset(); // kills all session data
session_destroy(); // destroys the session
-----
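
The logout sequence from the posts above, combined with the advice to keep only a user id in $_SESSION instead of the password, as an added example that is not part of the original thread. The function names and the user ids are hypothetical, and it assumes PHP 7.1 or newer:

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Call only after the submitted email/password have been validated.
function log_in_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh ID on login; the old session file is deleted
    // Keep only the identifier; the password never goes into the session file.
    $_SESSION = ['user_id' => $userId];
}

function current_user_id(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function log_out_user(): void
{
    // session_destroy() without a started session raises the
    // "Trying to destroy uninitialized session" warning, so start it first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = []; // clear the data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // delete the server-side session data
}

// Constructed walk-through: character 7 logs in, logs out, then character 9 logs in.
log_in_user(7);
$first = current_user_id();
log_out_user();
$afterLogout = current_user_id();
log_in_user(9);
$second = current_user_id();
var_dump($first, $afterLogout, $second);
```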

Arild Fines    968
quote:
Original post by konForce
And, storing the password in a session variable isn't necessarily good, because in most implementations, sessions are stored as text files in the world readable /tmp drive.


Seriously? Most other implementations of session I know of only store a session ID on the client, and maintain a serverside map of those ID's.
Why is PHP so (ridiculously) different?



Faith. n. Belief without evidence in what is told by one who speaks without knowledge, of things without parallel. -- Ambrose Bierce

konForce    592
That's what PHP does. It stores solely the tracking ID via a cookie (or on the URL if cookies are disabled). I mean that by default, PHP stores the session data on the server's /tmp folder. This is OK if it's a dedicated machine, but if it's a shared machine, it's possible for people to hijack sessions.

Storing session data in text files relieves the need to store a bunch of (possibly rarely accessed) data in memory - like how most other languages do it. PHP has very flexible session handlers that can easily be modified to store the session data in a temporary table in a SQL database, in shared memory or whatever else you can come up with.

[edited by - konForce on October 29, 2002 2:03:18 PM]

Arild Fines    968
quote:
Original post by konForce
That's what PHP does. It stores solely the tracking ID via a cookie (or on the URL if cookies are disabled). I mean that by default, PHP stores the session data on the server's /tmp folder. This is OK if it's a dedicated machine, but if it's a shared machine, it's possible for people to hijack sessions.

Oh, you meant /tmp on the server. Everything makes much more sense now


