newbie: do I have to have session_destroy

This topic is closed.
  • Jivanmukta

    newbie: do I have to have session_destroy

    Hello,
    I am learning PHP5. I have a website that consists of two pages: index.php
    and summary.php. In index.php the user is automatically moved to
    summary.php with some $_SESSION data so I use session_end instead of
    session_destroy on index.php page. And the user can manually (hyperlink) go
    to index.php from summary.php with some $_SESSION data so I also use
    session_end, not session_destroy, on summary.php.
    Thus, I have no session_destroy call in my website code.
    QUESTION: May it produce any problems?
    Thanks a lot for your answers.
  • Michael Sherwood

    #2
    Re: newbie: do I have to have session_destroy

    As far as I know, the function session_end doesn't exist, unless you
    meant something like session_unset or whatever.
    So judging by what you want to do, then yes, session_destroy should be
    what you need.

    Jivanmukta wrote:
    >Hello,
    >I am learning PHP5. I have a website that consists of two pages: index.php
    >and summary.php. In index.php the user is automatically moved to
    >summary.php with some $_SESSION data so I use session_end instead of
    >session_destroy on index.php page. And the user can manually (hyperlink) go
    >to index.php from summary.php with some $_SESSION data so I also use
    >session_end, not session_destroy, on summary.php.
    >Thus, I have no session_destroy call in my website code.
    >QUESTION: May it produce any problems?
    >Thanks a lot for your answers.


    • Twayne

      #3
      Re: newbie: do I have to have session_destroy

      >Hello,
      >I am learning PHP5. I have a website that consists of two pages:
      >index.php and summary.php. In index.php the user is automatically
      >moved to summary.php with some $_SESSION data so I use session_end
      >instead of session_destroy on index.php page. And the user can
      >manually (hyperlink) go to index.php from summary.php with some
      >$_SESSION data so I also use session_end, not session_destroy, on
      >summary.php.
      >Thus, I have no session_destroy call in my website code.
      >QUESTION: May it produce any problems?
      >Thanks a lot for your answers.

      Just another newbie here so for what it's worth:
      I use session destroy because I discovered with forms, without it, the
      user could easily go back into an earlier stage but past the point of
      human-validation and keep on sending mails if he wanted to.
      As I understand it, the session will be destroyed when the user
      leaves and the server does the housecleaning, but that isn't very quick
      to happen apparently, so might leave the session available for a long
      time if the server is really busy.
      I guess it depends on whether it matters to you whether the session
      data remains there for some unknown period of time after the user is
      done. What kind of damage could a malicious, unknown user do?

      I'm sure someone more knowledgeable will come along shortly. I do know
      php.net has a pretty good write-up on it too.

      HTH

      Twayne



      • Jerry Stuckle

        #4
        Re: newbie: do I have to have session_destroy

        Twayne wrote:
        >>Hello,
        >>I am learning PHP5. I have a website that consists of two pages:
        >>index.php and summary.php. In index.php the user is automatically
        >>moved to summary.php with some $_SESSION data so I use session_end
        >>instead of session_destroy on index.php page. And the user can
        >>manually (hyperlink) go to index.php from summary.php with some
        >>$_SESSION data so I also use session_end, not session_destroy, on
        >>summary.php.
        >>Thus, I have no session_destroy call in my website code.
        >>QUESTION: May it produce any problems?
        >>Thanks a lot for your answers.
        >>
        >Just another newbie here so for what it's worth:
        >I use session destroy because I discovered with forms, without it, the
        >user could easily go back into an earlier stage but past the point of
        >human-validation and keep on sending mails if he wanted to.

        Not if you do it correctly. Each email would have to be validated.

        >As I understand it, the session will be destroyed when the user
        >leaves and the server does the housecleaning, but that isn't very quick
        >to happen apparently, so might leave the session available for a long
        >time if the server is really busy.

        The website has no idea when the user leaves it. That's one reason for
        a timeout value. Also, if you're using cookies to manage the session,
        the session will be lost if the user clears cookies (often set as an
        action when the browser is closed).

        And the busier the server is, the more likely the session is to be
        deleted after it expires.

        >I guess it depends on whether it matters to you whether the session
        >data remains there for some unknown period of time after the user is
        >done. What kind of damage could a malicious, unknown user do?

        Not very much. The session ID is a long hexadecimal value which would
        be almost impossible to guess.

        And unless you're storing gobs of data in the $_SESSION, chances are
        it's not going to cause you any problems with disk usage.

        >I'm sure someone more knowledgeable will come along shortly. I do know
        >php.net has a pretty good write-up on it too.
        >
        >HTH
        >
        >Twayne

        And back to the original op - there is no session_end() call in PHP, so
        where are you getting it from? What does it do?

        Or perhaps do you mean session_close() ?

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================
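
The point made in the post above, that each email has to be validated rather than relying on session_destroy to stop resubmission, shown as an added example (not code from any poster in this thread). The function names and the `send_token` session key are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Function names and the
// 'send_token' key are hypothetical. Requires PHP 7 or later.

/** Call once the human check has passed: issue a single-use token. */
function issue_send_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['send_token'] = $token;
    return $token;
}

/** Call before each mail is sent: true only for an unused, matching token. */
function consume_send_token(array &$session, string $submitted): bool
{
    $expected = $session['send_token'] ?? null;
    unset($session['send_token']); // spent on the first attempt, match or not
    return is_string($expected) && hash_equals($expected, $submitted);
}

// Constructed walk-through with a plain array standing in for $_SESSION.
$session = [];
$token   = issue_send_token($session);
foreach (['first submit', 'resubmit after Back'] as $step) {
    $ok = consume_send_token($session, $token);
    echo $step, ': ', $ok ? 'mail sent' : 'rejected, repeat the human check', "\n";
}
```

In a real page the token would travel in a hidden form field and `$_SESSION` would be passed in place of the array.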


        • Alex Weber

          #5
          Re: newbie: do I have to have session_destroy

          On Oct 24, 1:00 pm, Michael Sherwood <coolha...@gmail.com> wrote:
          >As far as I know, the function session_end doesn't exist, unless you
          >meant something like session_unset or whatever.
          >So judging by what you want to do, then yes, session_destroy should be
          >what you need.
          >
          >Jivanmukta wrote:
          >>Hello,
          >>I am learning PHP5. I have a website that consists of two pages: index.php
          >>and summary.php. In index.php the user is automatically moved to
          >>summary.php with some $_SESSION data so I use session_end instead of
          >>session_destroy on index.php page. And the user can manually (hyperlink) go
          >>to index.php from summary.php with some $_SESSION data so I also use
          >>session_end, not session_destroy, on summary.php.
          >>Thus, I have no session_destroy call in my website code.
          >>QUESTION: May it produce any problems?
          >>Thanks a lot for your answers.

          hey Jivanmukta, since you are learning PHP5 it's probably good to try
          and learn "best-practices" early to try and avoid common vices and
          whatnot.

          SESSIONS basically control an "interaction with your website over a
          period of time/browser usage" - sorry it's vague but I'll clarify. so
          really, once the user leaves your site it's up to you to decide if the
          information should still be available if he returns before closing the
          browser (which unless there's an explicit expiration time-limit for
          the session). in your case, for example if the user goes to another
          website and then comes back to yours before closing his browser, if
          you don't destroy the session the summary will contain the values from
          before.


          • Twayne

            #6
            Re: newbie: do I have to have session_destroy

            >Twayne wrote:
            >>>Hello,
            >>>I am learning PHP5. I have a website that consists of two pages:
            >>>index.php and summary.php. In index.php the user is automatically
            >>>moved to summary.php with some $_SESSION data so I use session_end
            >>>instead of session_destroy on index.php page. And the user can
            >>>manually (hyperlink) go to index.php from summary.php with some
            >>>$_SESSION data so I also use session_end, not session_destroy, on
            >>>summary.php.
            >>>Thus, I have no session_destroy call in my website code.
            >>>QUESTION: May it produce any problems?
            >>>Thanks a lot for your answers.
            >>>
            >>Just another newbie here so for what it's worth:
            >>I use session destroy because I discovered with forms, without it,
            >>the user could easily go back into an earlier stage but past the
            >>point of human-validation and keep on sending mails if he wanted to.
            >
            >Not if you do it correctly. Each email would have to be validated.

            Oh I know, I was just demo'ing how I originally came across it. I think
            (famous last words) I have it in good shape now<g>.

            >>As I understand it, the session will be destroyed when the user
            >>leaves and the server does the housecleaning, but that isn't very
            >>quick to happen apparently, so might leave the session available for
            >>a long time if the server is really busy.
            >
            >The website has no idea when the user leaves it. That's one reason
            >for a timeout value. Also, if you're using cookies to manage the
            >session, the session will be lost if the user clears cookies (often
            >set as an action when the browser is closed).
            >
            >And the busier the server is, the more likely the session is to be
            >deleted after it expires.

            That I didn't know. It's counterintuitive IMO but no way I can argue it
            either way. I was going on what I'd read but it's hard to be sure
            sometimes that one is looking at full context with things like that.
            Thanks for the correction.

            >>I guess it depends on whether it matters to you whether the
            >>session data remains there for some unknown period of time after the
            >>user is done. What kind of damage could a malicious, unknown user
            >>do?
            >
            >Not very much. The session ID is a long hexadecimal value which would
            >be almost impossible to guess.
            >
            >And unless you're storing gobs of data in the $_SESSION, chances are
            >it's not going to cause you any problems with disk usage.
            >
            >>I'm sure someone more knowledgeable will come along shortly. I do
            >>know php.net has a pretty good write-up on it too.
            >>
            >>HTH
            >>
            >>Twayne
            >
            >And back to the original op - there is no session_end() call in PHP,
            >so where are you getting it from? What does it do?
            >
            >Or perhaps do you mean session_close() ?

            I noticed that, and someone else mentioned it, too. I just assumed he
            was paraphrasing but it's still a good point, just in case, in
            retrospect.

            Regards,






            • Twayne

              #7
              Re: newbie: do I have to have session_destroy

              >On Oct 24, 1:00 pm, Michael Sherwood <coolha...@gmail.com> wrote:
              >>As far as I know, the function session_end doesn't exist, unless you
              >>meant something like session_unset or whatever.
              >>So judging by what you want to do, then yes, session_destroy should
              >>be what you need.
              >>
              >>Jivanmukta wrote:
              >>>Hello,
              >>>I am learning PHP5. I have a website that consists of two pages:
              >>>index.php and summary.php. In index.php the user is automatically
              >>>moved to summary.php with some $_SESSION data so I use session_end
              >>>instead of session_destroy on index.php page. And the user can
              >>>manually (hyperlink) go to index.php from summary.php with some
              >>>$_SESSION data so I also use session_end, not session_destroy, on
              >>>summary.php.
              >>>Thus, I have no session_destroy call in my website code.
              >>>QUESTION: May it produce any problems?
              >>>Thanks a lot for your answers.
              >
              >hey Jivanmukta, since you are learning PHP5 it's probably good to try
              >and learn "best-practices" early to try and avoid common vices and
              >whatnot.
              >
              >SESSIONS basically control an "interaction with your website over a
              >period of time/browser usage" - sorry it's vague but I'll clarify. so
              >really, once the user leaves your site it's up to you to decide if the
              >information should still be available if he returns before closing the
              >browser (which unless there's an explicit expiration time-limit for
              >the session). in your case, for example if the user goes to another
              >website and then comes back to yours before closing his browser, if
              >you don't destroy the session the summary will contain the values from
              >before.

              And, if I may interject, it's fairly easy to demo to one's self and see
              it occur. Since the browser has the data stored, it's easy to go
              somewhere else meantime and then come back to that part of pages. It
              makes sense: Regardless of what you're doing, all the server knows is
              that you took a longer period of time to enter the data it was waiting
              for. But closing the browser throws away the cache you need and it no
              longer works.



              • Jerry Stuckle

                #8
                Re: newbie: do I have to have session_destroy

                Twayne wrote:
                >>Twayne wrote:
                >>>>Hello,
                >>>>I am learning PHP5. I have a website that consists of two pages:
                >>>>index.php and summary.php. In index.php the user is automatically
                >>>>moved to summary.php with some $_SESSION data so I use session_end
                >>>>instead of session_destroy on index.php page. And the user can
                >>>>manually (hyperlink) go to index.php from summary.php with some
                >>>>$_SESSION data so I also use session_end, not session_destroy, on
                >>>>summary.php.
                >>>>Thus, I have no session_destroy call in my website code.
                >>>>QUESTION: May it produce any problems?
                >>>>Thanks a lot for your answers.
                >>>Just another newbie here so for what it's worth:
                >>>I use session destroy because I discovered with forms, without it,
                >>>the user could easily go back into an earlier stage but past the
                >>>point of human-validation and keep on sending mails if he wanted to.
                >>Not if you do it correctly. Each email would have to be validated.
                >
                >Oh I know, I was just demo'ing how I originally came across it. I think
                >(famous last words) I have it in good shape now<g>.
                >
                >>>As I understand it, the session will be destroyed when the user
                >>>leaves and the server does the housecleaning, but that isn't very
                >>>quick to happen apparently, so might leave the session available for
                >>>a long time if the server is really busy.
                >>The website has no idea when the user leaves it. That's one reason
                >>for a timeout value. Also, if you're using cookies to manage the
                >>session, the session will be lost if the user clears cookies (often
                >>set as an action when the browser is closed).
                >>
                >>And the busier the server is, the more likely the session is to be
                >>deleted after it expires.
                >
                >That I didn't know. It's counterintuitive IMO but no way I can argue it
                >either way. I was going on what I'd read but it's hard to be sure
                >sometimes that one is looking at full context with things like that.
                >Thanks for the correction.

                From the doc:

                "session.gc_divisor coupled with session.gc_probability defines the
                probability that the gc (garbage collection) process is started on every
                session initialization. The probability is calculated by using
                gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that
                the GC process starts on each request. session.gc_divisor defaults to 100."

                So the faster you initialize sessions (typically the busier you are), the
                higher your odds of running the session gc.

                >>>I guess it depends on whether it matters to you whether the
                >>>session data remains there for some unknown period of time after the
                >>>user is done. What kind of damage could a malicious, unknown user
                >>>do?
                >>Not very much. The session ID is a long hexadecimal value which would
                >>be almost impossible to guess.
                >>
                >>And unless you're storing gobs of data in the $_SESSION, chances are
                >>it's not going to cause you any problems with disk usage.
                >>
                >>>I'm sure someone more knowledgeable will come along shortly. I do
                >>>know php.net has a pretty good write-up on it too.
                >>>
                >>>HTH
                >>>
                >>>Twayne
                >>>
                >>And back to the original op - there is no session_end() call in PHP,
                >>so where are you getting it from? What does it do?
                >>
                >>Or perhaps do you mean session_close() ?
                >
                >I noticed that, and someone else mentioned it, too. I just assumed he
                >was paraphrasing but it's still a good point, just in case, in
                >retrospect.
                >
                >Regards,

                --
                ==================
                Remove the "x" from my email address
                Jerry Stuckle
                JDS Computer Training Corp.
                jstucklex@attglobal.net
                ==================
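
The two mechanisms discussed in this thread, side by side, as an added example (not code from any poster): the chance that the probabilistic GC described in the doc quote has run at all, and an explicit idle timeout plus full teardown that does not depend on it. `IDLE_LIMIT`, the `last_seen` key and the function names are hypothetical; the 1/100 defaults come from the quoted documentation, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, 'last_seen' and the
// function names are hypothetical. Requires PHP 7 or later.

const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

/** Chance that session GC has started at least once after $starts session starts. */
function gc_chance(int $starts, int $probability = 1, int $divisor = 100): float
{
    return 1.0 - pow(1.0 - $probability / $divisor, $starts);
}

/** Drop the data, the browser cookie and the server-side record right now. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Start the session; false means it had been idle too long and was destroyed. */
function start_checked_session(): bool
{
    session_start();
    $now  = time();
    $last = $_SESSION['last_seen'] ?? $now;
    if ($now - $last > IDLE_LIMIT) {
        end_session();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// With the 1/100 setting quoted above: a quiet site versus a busy one.
foreach ([10, 100, 1000] as $starts) {
    printf("%4d session starts: GC ran at least once with p = %.3f\n",
        $starts, gc_chance($starts));
}
```

Each page would call `start_checked_session()` in place of a bare `session_start()`, and the page that finishes the visit would call `end_session()`.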
