From: Sean L. <se...@ch...> - 2004-07-13 12:55:23
Dear Boris,

> Yes, it is security. For a user that is logged in, the user info is used to
> validate the cookie. This is to protect you against guessed cookies. Or Login
> as someone else.

If so, instead of making new session data in say, database, wouldn't it make more sense to store this hash of username and password in session, which was created already (and would be able to control expiration of, in config file)? And auth_session_key to check this value from session data?

I mean, instead of making new session and when logged out falling back to new session, making one session at startup, if someone logs in, then in the session we already created, store new hash and tick to say that this user is logged in, and when they logout, simply remove this hash from the session?

Better even, as a new column in session table, so it's easier to check if user is online or not and make list of logged in users and to search information within logged in users (eg: using only SQL)?

> Either you use apache2 with a broken libapreq2 or you did not use
> pkit_remember just add it to your login as hidden parameter.
> http://pagekit.org/guide/ch02s04.html

Ohhh, I didn't know about pkit_remember :-) sorry.

Thank you Boris,

Sean
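As an added illustration of the session layout Sean proposes (one session row per visitor created at startup, login storing a hash of the user info in that row, logout clearing it, and a logged-in column for listing users), this is example code written for this discussion, not PageKit's own; `SERVER_SECRET`, `USERS` and `SESSIONS` are constructed stand-ins for a config secret, the user table and the session table.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins (not PageKit): a server secret from the config file,
# a user table of username -> (salt, salted password hash), and the session table.
SERVER_SECRET = b"example-server-secret"
USERS = {"alice": ("salt1", hashlib.sha256(b"salt1" + b"wonderland").hexdigest())}
SESSIONS = {}


def new_session():
    """One session row per visitor, created at startup; its id never changes."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None, "auth_key": None, "logged_in": False}
    return sid


def auth_key_for(username, password_hash):
    """Hash of the user info, keyed with the server secret so it cannot be guessed
    from the username alone; it changes automatically when the password does."""
    msg = f"{username}:{password_hash}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def login(sid, username, password):
    """Verify the password, then fill in the auth columns of the existing row."""
    if username not in USERS:
        return False
    salt, stored_hash = USERS[username]
    candidate = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, stored_hash):
        return False
    SESSIONS[sid].update(user=username, logged_in=True,
                         auth_key=auth_key_for(username, stored_hash))
    return True


def is_logged_in(sid):
    """Recompute the key from the live user record: a guessed or tampered row
    only passes if its stored hash still matches the current user info."""
    row = SESSIONS.get(sid)
    if row is None or not row["logged_in"]:
        return False
    _, stored_hash = USERS[row["user"]]
    return hmac.compare_digest(row["auth_key"], auth_key_for(row["user"], stored_hash))


def logout(sid):
    """Logout just clears the auth columns; the session row itself stays."""
    SESSIONS[sid].update(user=None, auth_key=None, logged_in=False)


def logged_in_users():
    """The 'which users are online' lookup, done on the session table alone."""
    return sorted(r["user"] for r in SESSIONS.values() if r["logged_in"])
```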