HTTP and Sessions 125

Thus, the data needs to be stored on the server. Where exactly you store it isn't all that important; it can be in a relational database management system (RDBMS), a plaintext file, a dBASE file, etc. Because a Web application generally already uses a relational database such as MySQL, this should be the preferred storage medium. To associate the data with a user, you need a session identifier, a key that ties the user to his data. But, as mentioned earlier, HTTP lacks a mechanism to identify users. What should you use, then, to brand the user?

One idea that may come to mind immediately is to use the user's IP address. While this approach sounds logical at first glance, the associated problems disqualify it from being used:

- Many ISPs force dial-up users to use proxy servers; of course, $REMOTE_ADDR will then show the IP of the proxy, not of the user. If two AOL users try to use your Web application at the same time, their data would get mixed up.
- Some ISPs (for example, cable access providers) change their users' IP addresses once in a while to prevent them from running Web servers.
- Last but not least, the user could decide to close his Internet connection, go for coffee, and return 15 minutes later to your online shop (with a different IP, of course).

After you accept the fact that there's no generic way to identify the user with some predefined magic number, the only solution left is to create a session ID of your own and pass it from page to page. ("How?" you ask. Read on; we provide details a bit later.) This ID must be unpredictable, or your users will try to guess it and take over other sessions. If the ID is sequential, for example a plain number (page.php3?ID=5), you can bet that one user will try to open page.php3?ID=6. It may only be embarrassing if normal users can see each other's shopping carts, but it becomes a very dangerous security threat when attackers take over other sessions to steal credit card numbers or place fraudulent orders.
PHP has a built-in uniqid() function, but because it's based on the system time, it's not secure enough on its own to be used for a session ID. The construction suggested here combines it with a hash function and rand():

    srand((double)microtime()*1000000); // Seed the random number generator
    $session_id = md5(uniqid(rand()));   // Construct the session ID

Be clear about what this buys you. md5() produces 128 bits of output, so the ID looks like one of 2^128 possible values, but an attacker does not have to guess the output, only the inputs. The seed is derived from the microsecond fraction of the clock (at most 1,000,000 values, under 20 bits), rand() is not a cryptographic generator, and uniqid() is itself just the clock. The space an attacker who knows roughly when a victim logged in has to search is therefore a tiny fraction of 2^128. On current PHP (7.0 and later) draw the ID straight from the operating system's CSPRNG, e.g. bin2hex(random_bytes(16)), or let session_start() generate one for you; srand() is unnecessary there, since rand() is seeded automatically.

Accessing the User's IP Address

You can access the user's IP address from the environment variable $REMOTE_ADDR (in current PHP, where register_globals no longer exists, use $_SERVER['REMOTE_ADDR']). Use phpinfo() to get a list of all available environment variables.
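The two points above, keeping the data on the server and keying it by an ID that cannot be guessed, put together as an added example. This is not the book's code: it is written for PHP 7.1 or later, and the storage directory, the JSON-file format and the "cart" data are assumptions for illustration. The book's md5(uniqid(rand())) construction is included only so the two generators can be compared side by side.

```php
<?php
// Added example (not from the book): a server-side session store keyed by a
// random session ID. Assumes PHP >= 7.1; SESSION_DIR and the cart data are
// illustrative assumptions.

declare(strict_types=1);

const SESSION_ID_BYTES = 16;               // 128 bits of real entropy from the OS CSPRNG
const SESSION_DIR = '/tmp/app-sessions';   // assumed storage location

// The book's construction: 32 hex chars (128 bits of *output*), but every input
// is either the clock or a non-cryptographic PRNG, so the space an attacker has
// to search is far smaller than 2^128. Kept here only for comparison.
function weakSessionId(): string
{
    return md5(uniqid((string) rand()));
}

// Hardened: 16 bytes from the CSPRNG, hex-encoded into 32 chars. Guessing one
// really does mean searching 2^128 values.
function newSessionId(): string
{
    return bin2hex(random_bytes(SESSION_ID_BYTES));
}

// Accept only the exact shape we issue, before the ID touches storage. A
// crafted ID can then never become part of a file path or a query.
function isValidSessionId(string $id): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1;
}

function sessionPath(string $id): string
{
    if (!isValidSessionId($id)) {
        throw new InvalidArgumentException('malformed session id');
    }
    return SESSION_DIR . '/' . $id . '.json';
}

// Create a session: the user's data stays on the server; only the key is
// handed back to be passed from page to page.
function createSession(array $data): string
{
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    $id = newSessionId();
    file_put_contents(sessionPath($id), json_encode($data), LOCK_EX);
    return $id;
}

// Look up a session. A malformed or unknown ID yields null, never someone
// else's data.
function loadSession(string $id): ?array
{
    if (!isValidSessionId($id)) {
        return null;
    }
    $path = sessionPath($id);
    if (!is_file($path)) {
        return null;
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

// Demonstration with constructed data.
$sid = createSession(['user' => 'alice', 'cart' => ['item-42' => 1]]);
echo "issued: $sid\n";
var_dump(loadSession($sid)['user'] === 'alice');
var_dump(loadSession('6') === null);                 // the "ID=6" style guess is rejected outright
var_dump(loadSession(newSessionId()) === null);      // a random guess misses
var_dump(strlen(weakSessionId()) === strlen(newSessionId())); // same length, very different entropy
```

The validation step is what keeps the storage backend, file or RDBMS, out of reach of the ID's value: a 32-character lowercase-hex string cannot carry path separators or SQL, so the lookup is safe regardless of where the data lives. If you keep the sessions in MySQL instead, the same isValidSessionId() check belongs in front of the query, and the ID column should be compared exactly, not with LIKE.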