Sessionfile based users online viewer
-
Shendemiar
- Forum Contributor
- Posts: 404
- Joined: Thu Jan 08, 2004 8:28 am
Sessionfile based users online viewer
I made it, but now I'm annoyed by the old session files. What can I do to get rid of them?
-
Shendemiar
- Forum Contributor
- Posts: 404
- Joined: Thu Jan 08, 2004 8:28 am
You'll have to set up a script to manually remove them. If not, they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking... see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)
almost forgot..
check out http://www.devnetwork.net/forums/viewtopic.php?t=14193 for a code snippet
-
Shendemiar
- Forum Contributor
- Posts: 404
- Joined: Thu Jan 08, 2004 8:28 am
Thanks for the links!

> evilMind wrote: You'll have to set up a script to manually remove them. If not, they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking... see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)
-
Shendemiar
- Forum Contributor
- Posts: 404
- Joined: Thu Jan 08, 2004 8:28 am
I'll have to use an example to explain this since I don't think I'll be able to any other way.
Let's say you use PHP sessions for user authentication and variable crossover (like most do). Your user logs in, which causes a session to be established, thus (most likely) creating a session file (default=/tmp/sess_randomString) and sending a cookie to the client to send back so we know what session file to look at for information... When a user clicks the logout button, the file is removed and the cookie is deleted (if it's not session-based on an IE client (they don't delete those cookies)). So we have removed the session file and got rid of the cookie. No problems here.
But what about that pesky user that logs in but *never* logs out? Well, the cookie remains until it's time for it to blow up, and so does the file. However, the file doesn't know when to self-destruct, so it just sits there. Which is why you have session files lying around that are >1 day old..
Sorry for the long explanation, but it's the only way I knew how to explain why...
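The cron-driven sweep suggested earlier in the thread, as an added example that is not code from the thread or the linked snippet: it removes files in the session save path whose last modification is older than a chosen lifetime, doing unconditionally what PHP's own session.gc_maxlifetime garbage collection does only probabilistically on page loads. The save path and the age limit are assumed to be passed as arguments, and file names are assumed to follow PHP's default sess_* pattern.

```shell
#!/bin/sh
# Sweep stale PHP session files from the session save path.
# Assumptions (not from the thread): the save path and the age limit in
# minutes are passed as arguments; files are named sess_* as PHP does by
# default. Meant to run from cron so that a user who never logs out does
# not leave a usable session file behind once the cookie has expired.

purge_stale_sessions() {
    dir="$1"          # session.save_path, e.g. /tmp
    max_minutes="$2"  # a file not modified within this window is stale
    [ -d "$dir" ] || return 1
    # -maxdepth/-mmin are GNU and BSD find options. Each stale file is
    # printed before removal, so the cron mail doubles as an audit trail.
    find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$max_minutes" -print -exec rm -f {} +
}

# Count the session files that remain, for a before/after check.
count_sessions() {
    find "$1" -maxdepth 1 -type f -name 'sess_*' | wc -l | tr -d ' '
}

# Stand-alone use: purge_sessions.sh /tmp 1440  (1440 minutes = 1 day)
if [ "$#" -ge 2 ]; then
    purge_stale_sessions "$1" "$2"
fi
```

Pick the age limit to match the session lifetime you actually enforce; a sweep shorter than the cookie lifetime will log out active users, a much longer one leaves the window the thread is worried about.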