Help with PHP sessions for use in a contact form

Hello all,

I'd really appreciate some help using sessions in my PHP contact form.

What I would like to achieve is a way of limiting each user to submitting the form once every 60 seconds (so I'm not overrun by spam). I was thinking of creating some session based on the user's IP (or SID, but I don't really understand that) and just checking the session data.

However, I don't fully understand how sessions work. This is what I currently have:

Code:
	//Start the session
	$session = session_id();
	if($session == "") {
		session_start();
	}

	//Check if a message has been sent in the last 60 seconds
	//(guarded with isset, because the keys do not exist on the first visit)
	$timeLimit = !isset($_SESSION['lastMailed']) || $_SESSION['lastMailed'] + 60 < time();
	//Compare with ==, not = (a single = would assign REMOTE_ADDR instead of comparing it)
	if (!$timeLimit && isset($_SESSION['ip']) && $_SERVER['REMOTE_ADDR'] == $_SESSION['ip']) {
		$response['error']['time'] = 'Whoah, slow down there! Please wait 60 seconds before sending another enquiry';
	}

//blah blah check the POST data and send the email

	//Start timing from when the message was sent
	$_SESSION['lastMailed'] = time();
	$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

But PHP is giving me warnings about modifying session data.

Sorry I'm being a bit vague, it's just I'm not too sure what the best way to implement sessions is.

I would really appreciate some help.

Cheers
 
I haven't used sessions in ages, I think all you need to get a session going is

Code:
session_start();

Try just that and get rid of

Code:
if($session == "") {
	session_start();
}

Tell me how you get on :)
 
Also been a good few years since I fiddled with PHP, but I believe UncleRuckus is right.

You need to initialize the session first. session_start(); at the top of the page. Then you can start to check if there is a valid session or not.

Something along the lines of

Code:
session_start();

if(isset($_SESSION['session_name'])) {
	// the session value already exists: a returning visitor
} else {
	// first visit: set the session data up here
}

Also, you should be using $_SESSION, not $session.

http://php.net/manual/en/language.variables.superglobals.php
 
EDIT: Scrap that, I just needed to put the session_start() at the top.

I do have a question though. I'm trying to limit each user to being able to send a message every 60s (so I can't get spammed too much). I was thinking I could use the IP address in the session data? Could this be achieved? You can see my attempt in my OP.

Cheers
 
The thing is though, with the IP they can be shared, so it could potentially stop another user sending a message; slim, but it could happen.

I would strap a countdown to the session, as each user will have a unique session id. I think the only way for that session id to go away is either wait 20 odd minutes or close the window and reopen; I can't be 100% on this.

Give me five, I'll get a book off the shelf and have a look.
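Putting UncleRuckus's per-session countdown together with the session_start() fix from earlier in the thread, here is an added example (my code, not anything posted in the thread); send_enquiry() and the recipient address are assumptions standing in for the OP's own mail step.

```php
<?php
// Added example, not code from the thread: a per-session throttle for a contact form.
// Assumes it sits at the very top of the form handler, before any output, and that
// send_enquiry() is a hypothetical helper standing in for the OP's "check the POST
// data and send the email" step.
declare(strict_types=1);

session_start();            // before any output, as the thread concludes

const SEND_INTERVAL = 60;   // seconds a visitor must wait between submissions

// Seconds the visitor still has to wait, or 0 if they may send now.
// Only the server-side session is consulted; nothing client-supplied is trusted.
function secondsUntilAllowed(array $session, int $now, int $interval = SEND_INTERVAL): int
{
    if (!isset($session['lastMailed']) || !is_int($session['lastMailed'])) {
        return 0;           // first submission in this session
    }
    $remaining = $session['lastMailed'] + $interval - $now;
    return max(0, $remaining);
}

// Hypothetical stand-in for the OP's mail step: validate, then send.
function send_enquiry(array $post): bool
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $body  = trim((string) ($post['message'] ?? ''));
    if ($email === false || $body === '') {
        return false;
    }
    // CR/LF never reach the header line, so a crafted address cannot add headers
    $from = str_replace(["\r", "\n"], '', $email);
    return mail('you@example.com', 'Website enquiry', $body, "From: $from");
}

$response = ['error' => []];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $wait = secondsUntilAllowed($_SESSION, time());
    if ($wait > 0) {
        $response['error']['time'] =
            "Whoah, slow down there! Please wait $wait seconds before sending another enquiry";
    } elseif (send_enquiry($_POST)) {
        $_SESSION['lastMailed'] = time();   // stamp only after a successful send
    } else {
        $response['error']['form'] = 'Please check the form and try again';
    }
}
```

A session only throttles clients that keep the session cookie, so, as the later replies say, it is worth pairing with a Captcha or a server-side store keyed on something the client cannot simply reset.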
 
I can't find the answer I am looking for, grrr.

I think using a timer would be fine; if, though, you did start getting spam, it's only going to be a few lines of code to sort it out. ;)

If I think of anything I'll post back.
 
If you are just having an open e-mail form on a website, chances are you'll need more than just a 60 sec IP block. Where there is 1 spam bot there are normally plenty more. A 60 sec IP block won't cut it, me thinks.

I'd consider just using a good old fashioned Captcha, such as: http://www.google.com/recaptcha

While some forms of Captcha can be broken with OCR software, it's still extremely rare that a bot bypasses such things.
 
@UncleRuckus - Thanks for the help. I'll look at using the session ID instead of / in conjunction with the IP.

@JimAroo - Thanks. The thing is I had set up reCaptcha, but then was worried about how ugly it looks with JS turned off. Looking at AWstats compared to Google Analytics I *think* I have a lot of visitors without JS, so I didn't want to muck up the form for them...
 