[thelist] PHP session lifetime?!

Jackson Yee jyee at vt.edu
Sun Jul 14 16:18:01 CDT 2002


----- Original Message -----
From: "James Mclean" <james at adam.com.au>
To: <thelist at lists.evolt.org>
Sent: Sunday, July 14, 2002 13:27
Subject: Re: [thelist] PHP session lifetime?!


> Hi,
> you are using a post method in your forms, if you use get, or no method
> (which defaults to get), this will stop happening.

The problem with using GET rather than POST in login forms is that the user's
name and password will be stored in the page's URL, which on a public computer
would be a *huge* security risk.  IE will forget all of the POST data when you
close it down, but the URL will remain in history for some time to come.

It sounds to me like this post isn't dealing with PHP sessions at all, but
with IE's behavior toward POSTed pages in general.  If you browse to another
site from the page that is returned by submitting the form, this *will*
happen, as IE believes that you're dealing with a dynamic page and the
information should be resubmitted to ensure that the page contents are
current.  If you browse to another page on the site after that, then IE won't
be on a POSTed page anymore, and you can browse to another site and return
without any problems.  Therefore, if you make the page immediately after your
form submission page something along the lines of

"You have been successfully logged in.  Please <link>continue to your
requested page</link>."

then you won't have this issue, as the user will have to click on another link
to get to the page.

With user logins in particular though, I highly suggest the use of persistent
cookies, as they save people who only use one computer like myself the hassle
of having to log into the site every single time I visit it.  PHP's session
support can take care of those users who don't have cookies enabled, but most
of the technically inclined crowd would know how to configure their browsers
to accept cookies from only selected sites, and most of the technically
challenged crowd wouldn't have cookies disabled in the first place.  This is
something I'm implementing in my own site, and PHP makes it rather easy with
setcookie() and $HTTP_COOKIE_VARS.

Off to do more development work,
Jackson Yee
jyee at vt.edu
http://www.jacksonyee.com/
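
Added example, not part of the original message and not the author's code: one way to build the persistent login cookie described above so that it carries a random, single-use token rather than the user's name or password. It assumes PHP 7.3 or later; the cookie name, the 30-day lifetime, the function names and the `$store` array (a stand-in for a database table) are all hypothetical.

```php
<?php
// Added example: persistent-login cookie holding a random token.
// $store is a hypothetical stand-in for a database table keyed by selector.
const REMEMBER_COOKIE = 'remember';          // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // assumed lifetime: 30 days

function issue_remember_token(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

function check_remember_token(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);   // single use: caller issues a fresh token
    $ok = $row['expires'] >= $now
        && hash_equals($row['hash'], hash('sha256', $parts[1]));
    return $ok ? $row['user_id'] : null;
}

function send_remember_cookie(string $value, int $now): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: issue a token for user 42, then present it twice.
$store  = [];
$now    = time();
$cookie = issue_remember_token($store, 42, $now);
send_remember_cookie($cookie, $now);
var_dump(check_remember_token($store, $cookie, $now));  // first use
var_dump(check_remember_token($store, $cookie, $now));  // same cookie replayed
```

On a real site the incoming value would be read from `$_COOKIE[REMEMBER_COOKIE]`, and a successful check would be followed by issuing and sending a new token.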
