You sir could do what several days at college and a college teacher could not. I finally understand the differences.
Great video, I'm taking my zend php certification exam in february and videos like these are perfect for revising the basics.
Glad you are going back to the basics! I needed this!
Very good! I finally found a video that mentions that the session id is saved as a cookie.
Nice to listen, very clear and straightforward! Thank you!
Thank you, i think i understand more read docs after this videos
Awesome.... more please. especially about using both cookies and sessions for login session please.
Fantastic introductory tutorial
thanks for giving me a clear idea of session and cookies
How you say, not brilliant but spiffing !
Amazing Alex! It's just what I need. I mean this topic is my very weak point. Big thanks!
Awesome! although I already knew what sessions and cookies are, your videos are very interesting!
Excellent, a really enjoyable demo.
Excellent video Alex. Many thanks.
Excellent video. Is it possible to use sessions without cookies?
Many thanks. Precise explanation. Keep up the excellent work.
Very nice video. Thanks.
Alex, as always thanks. Could you show us how to use database sessions and if there are any advantages?
Hi, here is a small PHP class that stores your SESSION to db: github.com/voku/session2db. It uses the "session_set_save_handler()" function from PHP -> devzone.zend.com/413/trick-out-your-session-handler/
Best regards, Lars
You can also try Zebra Session: stefangabos.ro/php-libraries/zebra-session
The session has an expiration time. It usually lasts for 24 minutes but it can easily be modified with the php.ini
awesome tutorial. thanks .
awesome demo ❤️
Great, Video! Thank you :-)
I've got a short question: which editor are you using?
Or may everyone else answer this question?
Thank you!
He's using Sublime Text, if I'm not mistaken
Nice class! Thx.
thank you
did you have a tutorial for creating a secure sessions and cookies ?
Good night, Great your video but it was with a doubt in a shop situation that user browses the store and only at the end of the purchase is that it logs in or do not effect the registration, what value I give the session to this user if they are not logged in.
Thank you. That cleared a lot of things :)
Thank.
Very helpful
Hello sir, this is a very good, informative tutorial. But I have one question: if the session is stored on the server, then why is the user logged out when the user closes the browser?
great video :)
thank you
Can u take a photo from your recording room and share it with us?
2 questions.
Is it possible to access cookies from another domain?
Can I modify my cookie which stores my session id with another user's id?
FlevasGR 1. No, you can't access another domain's cookies. 2. Yes, you can modify your cookies, but cookies are encrypted in the real world, so you can't know a user's ID, which is a long random string, including your own.
Where's my Team DISM at?
Lol, I read 'cookiesandsessions' as cookie sanspd sessions :P
Could it happen that i change my local cookie to point to another user's session?
Is there some protection there?
MrOxinova All cookies are encrypted. You can't know what it is.
MrOxinova Yes, this is absolutely possible. It is an attack called session hijacking and there are two common attack vectors.
1. An attacker will try and guess someone else's session ID. It is for this reason that you must use an unpredictable and secure session ID.
2. When authentication is involved, session cookies are basically a bearer token. In other words, you are correct, anyone who has this cookie can make authenticated requests.
XSS vulnerabilities are commonly exploited to execute JS on a victim's web page. That JS could read the document.cookies and send them to the attacker's server. Obviously you want to prevent against XSS in the first place but as a last line of defence, you can mark the cookie as "HttpOnly".
You are pretty much screwed if someone has physical or remote (think malware) access to your machine. The attacker could open your developer tools, copy the cookie and, provided your session is still alive, authenticate.
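The two defences named in the reply above (a session ID the server generates and controls, and an HttpOnly session cookie), as an added PHP example that is not part of the original comments. The function names are hypothetical, and PHP 7.3 or later and an HTTPS site are assumed.

```php
<?php
declare(strict_types=1);

// Added example; start_hardened_session(), login_user() and logout_user()
// are hypothetical helper names, not from the video or any library.

function start_hardened_session(): void
{
    // Strict mode: an ID the server never issued is discarded and replaced,
    // so a client cannot pick its own session ID.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // hidden from JavaScript, so injected script cannot read it
        'samesite' => 'Lax',  // not attached to cross-site subrequests
    ]);

    // PHP generates the ID itself; nothing here derives it from user data.
    session_start();
}

function login_user(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session
    // data, so an ID seen before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout_user(): void
{
    $_SESSION = [];

    // Expire the cookie with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);

    // Remove the server-side session data as well.
    session_destroy();
}
```

Call start_hardened_session() before any output on every request; HttpOnly only limits cookie theft through script, so output escaping against XSS is still required.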
Nika S There are two types of sessions: server-side sessions and client-side sessions. I believe PHP uses server-side sessions. In the case of server-side sessions, only the session ID is stored in the cookie. There is nothing to encrypt and so, nothing is encrypted.
+Nika S (邦邦) no they are not if the developer did not encrypt them.
Thank you so much, until now my knowledge on the theme was so damn vague!
Why {} is used to echo $_COOKIE['language'];
Alex is amazing...
I honestly think your shit is beautiful. You explain it sooo perfect for ME (as an individual who does self study) to understand.
A few questions (ikr, 2016, vid from 2014, little chance of getting answers :) ):
1) 19:41 Why, after setting the sessions, won't it be destroyed (unset) with session_destroy after declaring them? Why is the declaration overpowering it?
2) that file being created server side for the sessions. Is it per ip (per client side) or is it for all ip's (ALL the visitors) of a server request?
3) Nilesh Khalas' question that I would like to rephrase, to confirm my question #2:
If I close the browser, the session is gone, alias, the cookie is gone. Why is that, since it's server side? Does PHP destroy the file and delete the cookie client side onBeforeClose of the browser?
p.s. I just reread my questions. lol. "it's beyond the scope of this tutorial" is the answer I'm hearing :p
keep it up man, you're a great tutor. Thank You.
heyyy awesome content , you should put yourself on udemy i rather pay you than those messy php courses there x
Thank you