this problem can be solved by storing the session key in the URL, but we don't discuss
that here.
Sessions can be destroyed by calling the session_destroy( ) function. This is typically
done to end a user's session in an application:
<?php
// Logout of the system
session_start();
session_destroy();
print "You've logged out!";
?>
Note that a session must be started before it can be destroyed. Also note what session_destroy( ) does not do: it removes the session data stored on the server, but it neither clears the $_SESSION array for the current request nor expires the session cookie held by the browser, so a thorough logout also empties $_SESSION and overwrites the cookie with an expiry in the past.
In a web environment, there is no guarantee that users will actually log out. They may
forget to log out of an application, leaving the session active and thus allowing another
person using the same browser to access the restricted sections of the application.
Moreover, since the browser is tied to the session data on the server only through the
session identifier in a cookie, an attacker who steals or guesses that identifier can present
it in a cookie of their own and take over the target session.
To reduce the risk of unauthorized users gaining access to a session, PHP sessions have
a timeout. This means that if a user doesn't access the web server within a predetermined
period, the session is destroyed. By default, the timeout is set to 1,440 seconds,
or 24 minutes, after which time the session is a candidate for being cleaned up. This
can be adjusted (the directive is session.gc_maxlifetime) along with other session
parameters through the php.ini configuration file. Two caveats: the cleanup is run by
PHP's garbage collector, which is triggered only on a fraction of requests (controlled by
session.gc_probability and session.gc_divisor), so an idle session can survive past the
timeout; and the timeout only limits how long a stolen identifier stays usable, it does
not stop the attack. An application that cares about either point should track the time of
the last request in the session itself and refuse requests that arrive after its own idle limit.
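The following is an added example, not code from the book, showing a logout that does everything session_destroy( ) alone does not, an application-enforced idle timeout independent of the garbage collector, and a fresh session identifier issued at login so that an identifier planted or captured before authentication is worthless afterwards. The idle limit of 15 minutes, the $_SESSION['user_id'] and $_SESSION['last_activity'] keys, and the /login.php path are assumptions for the illustration; the array forms of session_set_cookie_params( ) and setcookie( ) require PHP 7.3 or later.

```php
<?php
// Added example: session lifecycle handling for a login-protected PHP page.
// Assumed keys: $_SESSION['user_id'] marks an authenticated user and
// $_SESSION['last_activity'] records the time of the last request.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;   // assumed application policy: 15 minutes idle

function start_secure_session(): void
{
    // Cookie parameters and ini settings cannot be changed once a session is
    // active, so this is safe to call from any entry point.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(int $userId): void
{
    start_secure_session();
    // A new ID after authentication defeats session fixation: whatever ID the
    // browser carried before login is deleted and never becomes privileged.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

function logout(): void
{
    start_secure_session();
    // 1. Forget the data for the rest of this request.
    $_SESSION = [];
    // 2. Expire the cookie in the browser; session_destroy() leaves it in place.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    // 3. Remove the data on the server.
    session_destroy();
}

// Returns the user id when the session is live and within the idle limit;
// otherwise tears the session down and returns null.
function current_user(): ?int
{
    start_secure_session();
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logout();               // enforced here, not left to PHP's garbage collector
        return null;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

// Usage at the top of a protected page:
$uid = current_user();
if ($uid === null) {
    header('Location: /login.php');
    exit;
}
print "Welcome back, user $uid";
```

The idle check lives in the session data rather than in php.ini because gc_maxlifetime is only a lower bound on when PHP will discard the file; the application's own timestamp is checked on every request and is therefore exact.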
The Reload Problem
In “Processing and Using User Data,” earlier in this chapter, we showed you an example
that writes data to the music database. This section briefly discusses a common problem
that can arise when writing to web databases and shows you a simple way to avoid it.
Consider a simple script, process.php, that writes an artist to the music database:
<?php
if(!empty($_GET))
{
// Include database parameters and related functions
require_once("../db.php");
$DB_databasename='music';
// Connect to the MySQL DBMS and use the music database - credentials are
// in the file db.php
if(!($connection= mysqli_connect($DB_hostname, $DB_username, $DB_password,
$DB_databasename)))
showerror($connection);
// Untaint the artist name, and use at most 15 characters
$artist_name = clean($_GET["artist_name"], 15);
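The excerpt of process.php ends here, before the book's explanation of the problem and its fix. The problem the heading refers to, taken here as an assumption about the rest of the section, is that a browser reload re-sends the request that produced the current page; when that request was the write itself, the artist is inserted a second time. The script below is an added example, not the book's process.php: it accepts the write only as a POST (a GET that changes state is re-run by every reload and bookmark), binds the artist name as a prepared-statement parameter instead of relying on the book's clean( ) helper, and answers with a redirect so that the page the browser lands on, and would reload, is a harmless GET. It assumes the book's db.php (defining $DB_hostname, $DB_username and $DB_password), an artist table with artist_id and artist_name columns, the mbstring extension for mb_strlen( ), and a hypothetical artist.php that displays one row; the HTML form that submits to it must use method="post".

```php
<?php
// Added example, not the book's process.php. Assumes the book's db.php
// (defining $DB_hostname, $DB_username, $DB_password) and an artist table
// with artist_id and artist_name columns in the music database.
declare(strict_types=1);

require_once "../db.php";

// A reload re-sends whatever request produced the current page. If that
// request was the write itself, the artist is inserted again. Two defences:
// accept the write only as a POST, and answer it with a redirect so the page
// the browser ends up on (and would reload) is a read-only GET.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use the form to add an artist.');
}

$connection = mysqli_connect($DB_hostname, $DB_username, $DB_password, 'music');
if ($connection === false) {
    http_response_code(500);
    exit('Database connection failed: ' . mysqli_connect_error());
}

// Same 15-character limit as the book's clean() call, enforced before the
// query; the value is bound as a parameter rather than interpolated into SQL.
$artistName = trim((string) ($_POST['artist_name'] ?? ''));
if ($artistName === '' || mb_strlen($artistName) > 15) {
    http_response_code(400);
    exit('artist_name must be 1 to 15 characters.');
}

$stmt = mysqli_prepare($connection, 'INSERT INTO artist (artist_name) VALUES (?)');
if ($stmt === false) {
    http_response_code(500);
    exit('Prepare failed: ' . mysqli_error($connection));
}
mysqli_stmt_bind_param($stmt, 's', $artistName);
if (!mysqli_stmt_execute($stmt)) {
    http_response_code(500);
    exit('Insert failed: ' . mysqli_stmt_error($stmt));
}
$artistId = mysqli_insert_id($connection);
mysqli_stmt_close($stmt);
mysqli_close($connection);

// 303 tells the browser to fetch the next page with GET. Reloading that page
// repeats a read, not the INSERT. (artist.php is a hypothetical display page.)
header('Location: artist.php?artist_id=' . $artistId, true, 303);
exit;
```

The redirect is the part that matters for the reload problem: without it, the response to the POST is the page in the address bar, and a reload prompts the user to resubmit the form, which re-runs the INSERT if they agree.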