#33709 10/19/2000 6:10 PM
Anonymous
Unregistered
Ok thanks for the answers guys.
These sessions will be an interesting path to investigate.

Peelboy brought up an interesting point though, if we have lots of users online it might add on the server load.
Anyway, since we have the choice between session and cookies, all is well and everyone is happy

Benj

#33710 10/19/2000 6:18 PM
Anonymous
Unregistered
Now about those handcuffs and that bike... Is there something you'd like to share with us?

#33711 10/19/2000 6:24 PM
Anonymous
Unregistered
What...I use the cuffs instead of a bikelock!

#33712 10/19/2000 6:28 PM
Anonymous
Unregistered
That's a brilliant come-back. Bravo!

#33713 10/19/2000 7:06 PM
Joined: Jun 2006
Posts: 9,242
Former Developer
What I have just realized is the way I am working with arrays in the port, I'm basically writing for php4. In php3, you can't reference an array in a string, so you have to concatenate everything, like this:

echo "Hello " . $user['U_Username'] . ". How are you?";

where in php4 you can do this:

echo "Hello $user[U_Username]. How are you?";

The first way makes for some extremely ugly code when printing out all the info for the generated pages.

Is this going to be a problem? I can write for php3 if that's what everyone wants, but like I said it is somewhat uglier not to mention, a pain in the butt;)

EDIT: Never mind. It turns out you just can't reference multi-dimensional arrays in strings in php3, not standard ones. Like I said, I'm still learning:)

---
Scream
http://www.wcsoft.net
Edited by Scream on 10/19/00 04:18 PM.

#33714 10/19/2000 7:26 PM
Anonymous
Unregistered
PHP 4 is the way to go Scream.
Faster and better. If anyone has php3 on their server, they should upgrade to php4 !!

Aldar

#33715 10/19/2000 8:14 PM
Anonymous
Unregistered
Session data is not mad amounts of load. It's a tiny file created initially in the /tmp directory. I use sessions on a fairly active site and I have no load issues.

#33716 10/19/2000 8:18 PM
Anonymous
Unregistered
Development on PHP3 stopped months ago and all support has been halted on it by Zend. PHP3 is dead and has long since been replaced by PHP4. PHP4 is a very stable product and has had several patches released already to add more features and not stability issues. To support PHP3 now would be a waste since by the time w3t is complete in PHP3 then they might be ready to work on PHP5.

Plus ewaddle isn't the way to handle sessions in PHP3. You use phplib to take care of sessions in PHP3. phplib is better code and it's cleaner too.

#33717 10/19/2000 8:25 PM
Anonymous
Unregistered
A session variable can be transferred in two ways (that I know of, there might be a third). They can be in a cookie or if the browser doesn't support cookies you can have PHP automatically append or you can specify in a config or in a required header to automatically check if there is a cookie and if not then append the session id to the end of the URL. With that method people without cookies turned on can access the site.

#33718 10/19/2000 8:32 PM
Anonymous
Unregistered
Actually Scream, even if the cookie data was set to be there forever then that wouldn't make it so you don't have to log out because the server keeps the data in a file in /tmp and PHP has a method for destroying these files on a random basis when they "expire". If you run phpinfo(); in PHP4 you'll see that info down a bit. gc_maxlifetime and gc_probability are the two variables that define this. gc_probability is the percent chance that the file will be destroyed. With a recommendation from Zend and my personal recommendation 5-10 is a good value for this and gc_maxlifetime is how long you want the session data to be valid. I think it's a little mislabeled because I think gc_maxlifetime actually is how long the data is saved then the probability to destroy it comes into play only when the server isn't too busy or something like that I'm not 100% sure about that.

#33719 10/19/2000 8:38 PM
Anonymous
Unregistered
I actually edited my w3t so it doesn't save your cookies and you have to log in every time. I had several complaints from users who had two accounts and used the same computer (husband and wife / brother and sister / etc) that they'd log in under the other person's name and then when they hit logout and tried to login under their own name w3t would say "Hello, their name" in the corner but the main part of the page would say they're not logged in. At that point neither account could log in so I had to make a little script to clear all cookies from my server in the w3t folder and close all browser windows and then they'd hafta try and relogon and sometimes that didn't even work and I'd hafta explain to these people how to manually delete the cookie from their browser folder. So I just made all my cookies in w3t temp cookies and that fixed the problem.

#33720 10/19/2000 8:40 PM
Anonymous
Unregistered
My big issue is that w3t saves my password in a cookie. Totally not cool IMHO.

#33721 10/19/2000 8:41 PM
Anonymous
Unregistered
Actually I've heard of it being possible to "hack" the cookie protection of only allowing the domain that set the cookie to access it.

#33722 10/19/2000 8:45 PM
Anonymous
Unregistered
"Also.. A while back I wrote a .js file that could be included in a post on this forum.. It would pull your user name and password, then create an image tag pointing to a cgi script on my server (with a query string that contained the user name and password) From there it could store everybody's user name and password into a database (I just wanted to see if it worked.. it did.. so I reported it as a bug and deleted the scripts)"


Exact reason I hate that w3t saves my password in a cookie! It should be my username and a random number that's generated and stored with my info in the database.

#33723 10/19/2000 8:52 PM
Anonymous
Unregistered
Actually DoubleClick does know name and other info on most people. Ever fill out a form on a page with a DoubleClick ad on the top? Guess what? Their cookie with your ID goes to the company you filled the form out to asks you if they can share your info with their providers who are interested in selling their products to you. Guess who is their provider for all that other stuff. DoubleClick.. They then connect the DoubleClick database to their database and DoubleClick now knows your info. There was that lawsuit about DoubleClick doing this (which I think they won) and the lawyer was able to get his name, SSN, address, phone number, and other info from the DoubleClick database.

#33724 10/19/2000 8:53 PM
Anonymous
Unregistered
PHP sessions will help because your personal data isn't stored in cookies on your system. Plus it's not a global cookie. Plus it gets deleted when you close the browser window. Plus it's a random alphanumeric string generated each time you login.

#33725 10/19/2000 9:01 PM
Anonymous
Unregistered
"For example.. you might not strip special chars off a search form and a user could figure out a way to write code that does a select statement on the user_info table and prints it out to the screen... who knows?!?!?!"

I love doing that when someone asks me to check out their site or app that they just worked on. Scares the crap outta them.

#33726 10/19/2000 9:03 PM
Anonymous
Unregistered
You don't need tons of RAM. They don't reside in RAM. They are stored in the /tmp directory and most of these files are less than 1/2 a KB.

#33727 10/19/2000 9:06 PM
Anonymous
Unregistered
If ya read the session info on Zend's site (Zend makes PHP) they'll explain the differences between ASP and PHP session support somewhere I remember. They are handled better in PHP than in ASP, IMHO.

#33728 10/19/2000 9:19 PM
Anonymous
Unregistered
I've never heard -any- body say that using sessions on a high load site was a good idea.. heh.. when you say fairly active does that mean 10 gigs a month data transfer? or 20 gigs a day? If you are like my friend and have a site that transfers 20 gigs a day.. I don't think you would like sessions too much.. =)

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33729 10/19/2000 9:23 PM
Anonymous
Unregistered
Honestly.. The first way you did it is the -safe- way.. I got in a bad habit of doing it the second way, and I run into little problems here and there even on PHP4 (or even Perl for that matter) that end up being solved by switching the code to the first way of doing it.. Don't ask me why..

Even in perl I try to: print "hi ", $user, "\n";

I don't know why but I have less problems that way. (not that I run into a problem doing it the second way very often, but when I do it's annoying)

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33730 10/19/2000 9:30 PM
Joined: Jun 2006
Posts: 9,242
Former Developer
The password is encrypted in the cookie.

---
Scream
http://www.wcsoft.net

#33731 10/19/2000 10:06 PM
Anonymous
Unregistered
I never said heavy traffic is good with sessions I just said I don't have problems.

#33732 10/19/2000 10:08 PM
Anonymous
Unregistered
There was a time when it wasn't and I never knew it changed to being encrypted till now.

#33733 10/19/2000 10:16 PM
Anonymous
Unregistered
oh in that case.. hehe..

on a personal site or forum that gets a lot of hits, but not a LOT of hits.. sessions work fine I'm sure.. I would use them on my personal forum if it was still up.. I just wouldn't use it on a massive site that gets a LOT of hits.. they can be evil..

------------------------------------------------
Jeremy 'PeelBoy' Amberg

#33734 06/27/2001 7:33 PM
Anonymous
Unregistered
I am almost shy to tell this weakness in public, but somehow this needs to be addressed. Did you fix the javascript vulnerability described above?
So yes, the password is encrypted. So at least they cannot find my password and use it in other places. But the encrypted password works to get access to wwwthreads, it works in place of the unencrypted password at login.
Imagine if they get the admin password via the javascript trick ..... Very bad. By the way, sessions might have an encrypted password in the url, and that password can be obtained in referrer logs of images. Make sure that the url does NOT contain the password.
But if someone obtains the session url immediately, real time, can't they choose the session url and just log into the same session???

#33735 06/27/2001 7:36 PM
Anonymous
Unregistered
This is very shocking, I hope you fixed this and you filter out javascript.
Well I had a guy who put up a post with javascript that opens an infinite number of browser windows. Crashed many many computers, even Linux gets into trouble with this one.
And sure the board users were pissed at the admins who did not immediately find and delete all his posts.
I cannot figure a legitimate use for javascript in a board post.

#33736 11/29/2001 7:11 PM
Anonymous
Unregistered
Can you give us pointers to where the cookies are set. I would like my forum to use a session cookie for the login. Also, I would prefer to encrypt the password and a timestamp, and when the timestamp is too old log them out.
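
Added example, not w3t or UBB.threads code: the scheme proposed earlier in this thread (a random value stored server-side in place of anything derived from the password) combined with the age limit asked for in the post above, using a random token with a server-side expiry rather than an encrypted password plus timestamp. The function names, the `login` cookie name and the in-memory `$store` standing in for a database table are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example: random login token instead of a password-derived cookie.
// $store is an in-memory stand-in for a database table (assumption).

function issue_login_token(array &$store, string $username, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    // Keep only a hash server-side, so a leaked table cannot be replayed as cookies.
    $store[hash('sha256', $token)] = ['user' => $username, 'expires' => $now + $ttl];
    return $token;                                // this value goes in the cookie
}

function verify_login_token(array &$store, string $cookie, int $now): ?string
{
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) {
        return null;                              // unknown or revoked token
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);                      // too old: treat as logged out
        return null;
    }
    return $store[$key]['user'];
}

function revoke_login_token(array &$store, string $cookie): void
{
    unset($store[hash('sha256', $cookie)]);       // logout invalidates server-side
}

// Options for setcookie('login', $token, $opts). httponly keeps script
// embedded in a post from reading the cookie; secure limits it to HTTPS.
function login_cookie_options(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed walk-through with a fixed clock and a made-up user name.
$store = [];
$t0 = 1000000;
$cookie = issue_login_token($store, 'alice', 3600, $t0);
var_dump(verify_login_token($store, $cookie, $t0 + 60));     // within lifetime
var_dump(verify_login_token($store, 'forged-value', $t0));   // never issued
var_dump(verify_login_token($store, $cookie, $t0 + 7200));   // past expiry
```

Because the cookie carries no function of the password, a stolen cookie is useless once it expires or is revoked, and it reveals nothing that works at the login form.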

#33737 11/29/2001 8:58 PM
Joined: Jun 2006
Posts: 9,242
Former Developer
That would be in the ubbt.inc.php file. There is a function called start_page. In there you will see 3 calls to setcookie().

-------------------
Rick Baker
UBBThreads developer
