Date: 01/03/00
- Next message: Dr. Ian McDonald: "[PHPLIB] Mysql and last_insert_id"
- Previous message: Kristian Köhntopp: "[PHPLIB] German language newsgroup de.comp.lang.php"
- Maybe in reply to: Bob Strouper: "[PHPLIB] re-using old sid (after timeout)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>> To help prevent the user from using back buttons,
>> I use JS to open up a new window without the location,
>> menubar, toolbar etc.
>this might help for the dummy user, but how do you prevent an advanced
>user from using alt-left? this works even if the menubar is unavailable.
I realize that there are other ways to go back using
hot-keys or right mouse buttons. I'm doing this
only as a preventative measure. PHPlib breaks (forms
disappear) when the user uses the browser's navigation
instead of the web application. If there is a way around
this please let me know :-)
>> So in other words, I have a main window with
>> links that open up a "transaction" window.
>> I have disabled cookies altogether and am using ONLY
>> the GET method.
>>
>> What I am concerned with is that when the user times
>> out and clicks on a link (from the main window) which
>> in turn opens up a "transaction" window, the login
>> screen appears in the "transaction" window and the
>> user successfully logs in re-using the old session ID.
>> This is what I WANT to happen, but, is this
>> the intended behavior?
>for the session object you should use no timeout at all but session
>cookies, set $lifetime=0 (works also in get mode as far as i know, however
>maybe it doesn't. in this case a very high lifetime (of one day) will do
>the job as well).
Well, it seems that no matter what value (above zero) I
use for the session object $lifetime variable, when auth
object times out phplib will use the old sid. Why I think
this is so, is because the auth object does not check the
lifetime of the session object, it just checks that it exists.
And if it exists, it will use it. Maybe the only thing that
checks the session $lifetime variable is the cleanup routines.
>in the auth object you use timeout like 30 minutes or whatever you like.
>this way, your session id will never expire but your authentication will
>do after 30 minutes. the login screen appears with the same old session
>variable which is still valid since it has not timed out yet...
>cheers
>-florian
>> On the other hand, if phplib did not work this way, (and
>> phplib was unable to re-use sid's) my application might
>> break... because the "main" window would have the OLD
>> session ID as part of every link, so every time the user
>> tried to open up a "transaction" window he would have to
>> relogin.
>>
>> I look forward to your comments.
>>
>> Thanks,
>> Bob
>>
-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
the body, not the subject, of your message.
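
The behaviour discussed in this message, as an added illustration that is not part of the original post and is not PHPLIB code: a minimal model of a session row that outlives the auth timeout, comparing a login that re-uses the sid from the main window's GET links with one that issues a fresh sid. The class, its methods and the sample user are hypothetical; the 30-minute timeout is the figure from the quoted advice.

```php
<?php
// Added model, not PHPLIB code: every class and method name here is hypothetical.
final class SessionModel
{
    private array $rows = [];   // sid => ['uid' => ?string, 'auth_until' => int]

    public function start(): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->rows[$sid] = ['uid' => null, 'auth_until' => 0];
        return $sid;
    }

    // Behaviour reported in the thread: the login form re-authenticates the existing sid.
    public function loginReusingSid(string $sid, string $uid, int $now, int $authLifetime): string
    {
        $this->rows[$sid] = ['uid' => $uid, 'auth_until' => $now + $authLifetime];
        return $sid;
    }

    // Alternative: issue a fresh sid at login and drop the old row.
    public function loginRotatingSid(string $oldSid, string $uid, int $now, int $authLifetime): string
    {
        unset($this->rows[$oldSid]);
        $newSid = bin2hex(random_bytes(16));
        $this->rows[$newSid] = ['uid' => $uid, 'auth_until' => $now + $authLifetime];
        return $newSid;
    }

    public function isAuthenticated(string $sid, int $now): bool
    {
        $row = $this->rows[$sid] ?? null;
        return $row !== null && $row['uid'] !== null && $now < $row['auth_until'];
    }
}

$authLifetime = 30 * 60;                 // 30-minute auth timeout
$later = $authLifetime + 60;             // one minute after the auth timeout
foreach (['loginReusingSid', 'loginRotatingSid'] as $login) {
    $m = new SessionModel();
    $linkSid = $m->start();              // sid carried in every GET link of the main window
    $m->loginReusingSid($linkSid, 'bob', 0, $authLifetime);      // first login
    $expired = !$m->isAuthenticated($linkSid, $later);           // auth gone, row still stored
    $current = $m->$login($linkSid, 'bob', $later, $authLifetime); // re-login from the old link
    printf("%-17s expired=%s old-link-valid=%s current-sid-valid=%s\n", $login,
        var_export($expired, true),
        var_export($m->isAuthenticated($linkSid, $later + 1), true),
        var_export($m->isAuthenticated($current, $later + 1), true));
}
```

With rotation, the sid in the main window's links stops authenticating after the re-login, which is the breakage described in the quoted question; with re-use, every stored copy of the old URL identifies the authenticated session again.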

