PHP Session or leave as is?

[Craig321]

Hi,

Just wondered what is best? Here's an example:

Basically I'm submitting a form, this form submits to the same page the form is on so it can echo out some info based on what was submitted.

After I had finished that and it was all working I remebered about session IDs so I made it do this:

Form submits to a separate PHP page with the submit code in it, when that code is done doing it's thing it goes to a new page carrying the session id, the session id is then posted on another different page.

Basically the main thing that this is doing is avoiding someone making a macro that refreshes the page and presses OK to the little warning that comes up and re-submitting the same information, instead, with php session ids, when they refresh they'll just see the information there still which I really like.

So it's up to security, which way is safer?

Thanks
Craig.

 

[Dj_Jestar]

If you are worried about spam bots, add a time limit (read: minimum limit) that someone can submit multiple forms - like these forums use, or even more secure, only let one submission per session, but all this can be avoided easily by the spam bot just simply clearing all data (cookies/get/post) and refreshing the page.

 

[Craig321]

OK, thanks, will look into minimum limit.

Is it safe to carry on using PHP Session? I quite like the fact it enables me to put their last submitted item at the top of the page.

Also, how can I make a session stay after the browser has been closed? Everytime I close the browser the sessions gets deleted meaning the users last file uploaded piece of text disappears.

Cheers
Craig.

 

[Beansprout]

Sessions expire at the end of a browser session. You might want to look into cookies if you want persistance across sessions

 

[Craig321]

OK, that's no problem, will allow me to do the same.
I read somewhere that this will give me a permanent cookie?

setcookie("CookieName", $cookievalue, time() + 31536000);

 

[Dj_Jestar]

yes and no beansprout, there is actually (by default) no way for the server to know that the user agent has been closed. This is why sessions have a timeout. A new session is created when the user agent does not provide a valid session id.

Basically, session's are only good for the current ... session that the user is spending on your site. If you want any information stored for more than say 15minutes, you should look into other methods of storing data - i.e. flatfiles or database.

RE: cookie, it won't be permanent, but it'll expire in after 1 year.

 

[Craig321]

Cookies are working fine now
I think 13 years will do

Thanks for the help
Craig.

--edit--

Will time() + 99999999 make the cookie last around 13 years as you said? You edited it out

 

[Dj_Jestar]

I edited because I misread your reply, but it won't be 13 years either.. my maths suck. calc says that 99999999 will be 3.1709791666666666666666666666667years, which is still plenty time

 

[Craig321]

3 years will do

Thanks for the help everyone
Craig.

 

[Craig321]

If you are worried about spam bots, add a time limit (read: minimum limit) that someone can submit multiple forms - like these forums use, or even more secure, only let one submission per session, but all this can be avoided easily by the spam bot just simply clearing all data (cookies/get/post) and refreshing the page.

Hi,

I couldn't find anything on minimum limit, well I did find some stuff that limits form submission to x ammount of seconds but couldn't get any of it to work

Tutorial / examples would be brill

Cheers
Craig.

 

[Dj_Jestar]

when you submit the form, also submit a timestamp (i.e. $timestamp = time()) store timestamp somewhere like on the user table, or maybe the session but table would be better.

Then when the user goes to submit the form again, do a time check

<?php

if (($timeremaining = (time() - $timestamp)) < 300) {
    die("Sorry, you can only submit one form every 5 minutes.\nYou have $timeremaining seconds left to wait.");
}

?>

 

[Craig321]

Will play around with that code, thx.