> -----Original Message----- > From: Eric Butera [mailto:eric.butera@xxxxxxxxx] > Sent: Friday, January 18, 2008 11:21 PM > To: mike > Cc: PHP eMail List > Subject: Re: Foreach > > On Jan 18, 2008 5:06 PM, mike <mike503@xxxxxxxxx> wrote: > > On 1/18/08, Eric Butera <eric.butera@xxxxxxxxx> wrote: > > > > > Nonetheless as I keep re-iterating, people will copy and paste this > > > stuff as is because they don't know better. It is the > responsibility > > > of people writing the answers to make sure their code is validated > and > > > as "secure" as possible unless there is some glaringly obvious > comment > > > saying {get your data here} with a link to how to validate it > > > properly. > > > > I agree. Everyone should be pushing for the best code possible > here... > > > > > Using session based form tokens is a better approach to make sure > the > > > post came from within your application. > > > > Except if your sessions timeout while the user is filling out the > > form. I have a forum and sometimes people spend a LOT of time > > composing messages (copy/pasting replies to reply to them, etc) and > if > > it's session-based, their session may timeout (depending on how it's > > configured) before they hit submit, resulting in a total loss of > data. > > Unless the application understands to restart a session, but then > > what's the point of the token... > > > > I have non-user-specific tokens issued every request (with an expiry > > of 24 hours) per form so it can only be submitted once. It's worked > > pretty well, but as with everything there are a couple ways around > it, > > but it would take some work to do that. > > > > That is a good point to consider. On our servers we have the session > timeout set to when the browser is closed so I forget sometimes people > put actual time limits on them. > > -- Please, don't get me wrong, I'm just curious, how does the server know when the browser is closed? Do you use javascript (AJAX) or something to notify the server? As far as I remember, sessions are: 1 - A cookie (or a GET/POST parameter that gets passed by from page to page) 2 - A session file So when the user closes the browser and opens it up again, a new cookie will be generated by the server if it didn't get one in the request (and a new session file will be created as well), but that doesn't delete the old session file. I mean, isn't it supposed to be a garbage collection feature in any session implementation (that is what the session timeout is for, isn't it)? Or is it just that I'm missing something? Regards, Rob PS. Yes, I know you can have persistent cookies, and you can store session data in there. But the data length has a limit of some KB AFAIK, and you'd have to encrypt/decrypt sensitive information. Andrés Robinet | Lead Developer | BESTPLACE CORPORATION 5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695 Email: info@xxxxxxxxxxxxx | MSN Chat: best@xxxxxxxxxxxxx | SKYPE: bestplace | Web: http://www.bestplace.biz | Web: http://www.seo-diy.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php