LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 08-25-2003, 11:55 PM   #1
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Rep: Reputation: 15
Question Problem with php sessions


hi all,
well i m facing problem with the sessions in PHP.
i m developing PHP based MTP , for which i require session info to be passed between diff php files.
my first prob is related with security, when i create a session my session info is kept in a file in /tmp and is accessible by root. i want to restrict root to access this info as it contains some secured information.

my second prob is when i log out of my service, a logout script is called that will unregister variables and destroy sessions but when i click the back button in my browser, browser displays the prev page, ie page which can only be accessible by authorized user.

i will appriciate ur help
thanx in advance
 
Old 08-26-2003, 12:49 AM   #2
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
First of all, you can choose where your session file is saved, check the php.ini file for the session path variable. You can than restrict access to the folder you choose to save your sessions in.

Second question: on the 'secured' page, you could always check if a certain session variable is present and if it isn't, redirect the user to a different page.
 
Old 08-26-2003, 01:07 AM   #3
Sliptwixt
LQ Newbie
 
Registered: Aug 2003
Posts: 8

Rep: Reputation: 0
Hi -
For your first problem, I'd say move that session directory to somewhere else than just /tmp , like somewhere just outside your document root. (Edit your php.ini file like mentioned above). root owns, you can't prevent root from doing anything, so locking down a file from him isn't possible.(without something like a pbmaster type of root-management system, I'm not sure) You can however, lock out just about anyone else, so set permissions on the directory your writing them too. Just make sure whatever user apache is running as for your site, has permissions.

For the second problem, take a look at 'no-cache headers'.
In php, I believe: header("Pragma: no-cache");
that'll tell the browser (and proxies) not to cache your data. You can force a refresh of the secure page right after the logout, forcing the browser to re-request from the server. The server will deliver a new version of that page (the 'i'm logged out version') , rewriting it's cache.

I don't claim these are the only solutions, nor that they are note-perfect. Search for 'no-cache header' on google and read up.
Hope that helps.



Last edited by Sliptwixt; 08-26-2003 at 01:17 AM.
 
Old 08-26-2003, 01:35 AM   #4
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
I don't think it's a question of cache here, I think sashhoney just doesn't want the page to be displayed again when a user has logged out. So not even without session data. That is why I suggested checking a session variable.

But maybe I misunderstood the question, that's possible too.
 
Old 08-26-2003, 02:59 AM   #5
Sliptwixt
LQ Newbie
 
Registered: Aug 2003
Posts: 8

Rep: Reputation: 0
Yeah, I'm not sure then that I understand it completely either.

The problem with checking a session variable is that
the check is server-side. When the user hits 'Back',
the browser is delivering the cached version. There is
no data sent to the server for it to verify.
Don't get me wrong, checking sessions is the way I prefer to do things. However, a user having access to page they
just logged out of is not big concern for me in most of my applications. He just seems to be particulary concerned about
this, so that's my suggestion.
 
Old 08-26-2003, 03:43 AM   #6
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
My mistake. Indeed, if the user hits back the server will never get the chance to check the session because the page is loaded from cache.

So disabling the cache in php.ini should work (as Sliptwixt already suggested).
 
Old 08-28-2003, 06:00 AM   #7
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Original Poster
Rep: Reputation: 15
hi
thanx for giving this suggestion
i went through php.ini and modify session entries and
also i used 'Cache control' with header function.
now the problem is solved
thanx again
 
Old 08-28-2003, 07:30 AM   #8
nephilim
Member
 
Registered: Aug 2003
Location: Belgium
Distribution: Debian (server), Kubuntu (desktop)
Posts: 248

Rep: Reputation: 30
You're very welcome.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
php sessions problems MaestroC Suse/Novell 2 12-06-2005 08:06 AM
sessions in PHP zowey Programming 2 12-26-2004 06:35 PM
Troble on PHP Sessions Gerardoj Programming 4 05-25-2004 01:03 PM
Apache PHP and sessions Satriani Programming 0 04-21-2003 11:55 AM
PHP Sessions RecoilUK Programming 1 04-21-2002 05:57 AM


All times are GMT -5. The time now is 02:50 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration