List: php-doc-cvs
Subject: [DOC-CVS] cvs: phpdoc(REF_STRUCT_DEV) /en/reference/session constants.xml reference.xml
From: "Hannes Magnusson" <bjori () php ! net>
Date: 2007-10-27 22:18:26
Message-ID: cvsbjori1193523506 () cvsserver
bjori Sat Oct 27 22:18:26 2007 UTC
Modified files: (Branch: REF_STRUCT_DEV)
/phpdoc/en/reference/session constants.xml reference.xml
Log:
Upgrade markup
["bjori-20071027221826.txt" (text/plain)]
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/session/constants.xml?r1=1.5&r2=1.5.2.1&diff_format=u
Index: phpdoc/en/reference/session/constants.xml
diff -u phpdoc/en/reference/session/constants.xml:1.5 \
phpdoc/en/reference/session/constants.xml:1.5.2.1
--- phpdoc/en/reference/session/constants.xml:1.5 Wed Jun 20 22:25:22 2007
+++ phpdoc/en/reference/session/constants.xml Sat Oct 27 22:18:26 2007
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.5 $ -->
-<section xml:id="session.constants" xmlns="http://docbook.org/ns/docbook">
+<!-- $Revision: 1.5.2.1 $ -->
+<appendix xml:id="session.constants" xmlns="http://docbook.org/ns/docbook" \
xmlns:xlink="http://www.w3.org/1999/xlink"> &reftitle.constants;
&extension.constants;
<variablelist>
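Review bot: the root element change at the top of this hunk makes the file usable only where an `<appendix>` is allowed, so it can no longer be included inside a `<section>` or `<partintro>` as before. reference.xml in this same commit does pull in `&reference.session.constants;` directly under `<book>`, which matches, but the log message "Upgrade markup" does not say that the two files must change together; a line in the log to that effect would help anyone backing out one file. The added `xmlns:xlink` declaration is not used by anything in the visible lines and could be dropped unless the elided list entries need it.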
@@ -18,7 +18,7 @@
</listitem>
</varlistentry>
</variablelist>
-</section>
+</appendix>
<!-- Keep this comment at the end of the file
Local variables:
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/session/reference.xml?r1=1.60.2.1&r2=1.60.2.2&diff_format=u
Index: phpdoc/en/reference/session/reference.xml
diff -u phpdoc/en/reference/session/reference.xml:1.60.2.1 \
phpdoc/en/reference/session/reference.xml:1.60.2.2
--- phpdoc/en/reference/session/reference.xml:1.60.2.1 Wed Oct 3 11:41:15 2007
+++ phpdoc/en/reference/session/reference.xml Sat Oct 27 22:18:26 2007
@@ -1,139 +1,115 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.60.2.1 $ -->
+<!-- $Revision: 1.60.2.2 $ -->
<!-- Purpose: basic.session -->
<!-- Membership: core -->
- <reference xml:id="ref.session" xmlns="http://docbook.org/ns/docbook" \
xmlns:xlink="http://www.w3.org/1999/xlink">
- <title>Session Handling Functions</title>
- <titleabbrev>Sessions</titleabbrev>
-
- <partintro>
-
- <section xml:id="session.intro">
- &reftitle.intro;
- <para>
- Session support in PHP consists of a way to preserve certain data
- across subsequent accesses. This enables you to build more
- customized applications and increase the appeal of your web site.
- </para>
- <para>
- A visitor accessing your web site is assigned a unique id, the
- so-called session id. This is either stored in a cookie on the
- user side or is propagated in the URL.
- </para>
- <para>
- The session support allows you to register arbitrary numbers of
- variables to be preserved across requests. When a visitor accesses
- your site, PHP will check automatically (if <link
- linkend="ini.session.auto-start">session.auto_start</link>
- is set to 1) or on your request (explicitly through
- <function>session_start</function> or implicitly through
- <function>session_register</function>) whether a specific session
- id has been sent with the request. If this is the case, the prior
- saved environment is recreated.
- </para>
- <caution>
- <para>
- If you do turn on <link linkend="ini.session.auto-start">
- session.auto_start</link> then you cannot put objects into
- your sessions since the class definition has to be
- loaded before starting the session in order to recreate the
- objects in your session.
- </para>
- </caution>
- <para>
- All registered variables are serialized after the request
- finishes. Registered variables which are undefined are marked as
- being not defined. On subsequent accesses, these are not defined
- by the session module unless the user defines them later.
- </para>
- <warning>
- <para>
- Some types of data can not be serialized thus stored in sessions. It
- includes <type>resource</type> variables or objects with circular
- references (i.e. objects which passes a reference to itself to another
- object).
- </para>
- </warning>
- <note>
- <para>
- Session handling was added in PHP 4.0.0.
- </para>
- </note>
- <note>
- <para>
- Please note when working with sessions that a record of a session
- is not created until a variable has been registered using the
- <function>session_register</function> function or by adding a new
- key to the <varname>$_SESSION</varname> superglobal array. This
- holds true regardless of if a session has been started using the
- <function>session_start</function> function.
- </para>
- </note>
- </section>
-
- <section xml:id="session.security">
- <title>Sessions and security</title>
- <para>
- External links: <link xlink:href="&url.session-fixation;">Session \
fixation</link>
- </para>
- <para>
- The session module cannot guarantee that the information you store
- in a session is only viewed by the user who created the session. You need
- to take additional measures to actively protect the integrity of the
- session, depending on the value associated with it.
- </para>
- <para>
- Assess the importance of the data carried by your sessions and deploy
- additional protections -- this usually comes at a price, reduced
- convenience for the user. For example, if you want to protect users from
- simple social engineering tactics, you need to enable
- <literal>session.use_only_cookies</literal>. In that case,
- cookies must be enabled unconditionally on the user side, or
- sessions will not work.
- </para>
- <para>
- There are several ways to leak an existing session id to third parties.
- A leaked session id enables the third party to access all resources which
- are associated with a specific id. First, URLs carrying session ids. If
- you link to an external site, the URL including the session id might be
- stored in the external site's referrer logs. Second, a more active
- attacker might listen to your network traffic. If it is not encrypted,
- session ids will flow in plain text over the network. The solution here
- is to implement SSL on your server and make it mandatory for users.
- </para>
- </section>
- <section xml:id="session.requirements">
- &reftitle.required;
- &no.requirement;
- <note>
- <para>
- Optionally you can use shared memory allocation (mm), developed by
- Ralf S. Engelschall, for session storage. You have to download
- <link xlink:href="&url.mm;">mm</link> and install it. This option is not
- available for Windows platforms. Note that the session storage module
- for mm does not guarantee that concurrent accesses to the same session
- are properly locked. It might be more appropriate to use a shared memory
- based filesystem (such as tmpfs on Solaris/Linux, or /dev/md on BSD) to
- store sessions in files, because they are properly locked.
- Session data is stored in memory thus web server restart deletes it.
- </para>
- </note>
- </section>
-
- &reference.session.configure;
-
- &reference.session.ini;
-
- <section xml:id="session.resources">
- &reftitle.resources;
- &no.resource;
- </section>
-
- &reference.session.constants;
-
- <section xml:id="session.examples">
- &reftitle.examples;
+<book xml:id="ref.session" xmlns="http://docbook.org/ns/docbook" \
xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>Session Handling \
Functions</title> + <titleabbrev>Sessions</titleabbrev>
+
+ <!-- {{{ preface -->
+ <preface xml:id="session.intro">
+ &reftitle.intro;
+ <para>
+ Session support in PHP consists of a way to preserve certain data
+ across subsequent accesses. This enables you to build more
+ customized applications and increase the appeal of your web site.
+ </para>
+ <para>
+ A visitor accessing your web site is assigned a unique id, the
+ so-called session id. This is either stored in a cookie on the
+ user side or is propagated in the URL.
+ </para>
+ <para>
+ The session support allows you to register arbitrary numbers of
+ variables to be preserved across requests. When a visitor accesses
+ your site, PHP will check automatically (if <link
+ linkend="ini.session.auto-start">session.auto_start</link>
+ is set to 1) or on your request (explicitly through
+ <function>session_start</function> or implicitly through
+ <function>session_register</function>) whether a specific session
+ id has been sent with the request. If this is the case, the prior
+ saved environment is recreated.
+ </para>
+ <caution>
+ <para>
+ If you do turn on <link linkend="ini.session.auto-start">
+ session.auto_start</link> then you cannot put objects into
+ your sessions since the class definition has to be
+ loaded before starting the session in order to recreate the
+ objects in your session.
+ </para>
+ </caution>
+ <para>
+ All registered variables are serialized after the request
+ finishes. Registered variables which are undefined are marked as
+ being not defined. On subsequent accesses, these are not defined
+ by the session module unless the user defines them later.
+ </para>
+ <warning>
+ <para>
+ Some types of data can not be serialized thus stored in sessions. It
+ includes <type>resource</type> variables or objects with circular
+ references (i.e. objects which passes a reference to itself to another
+ object).
+ </para>
+ </warning>
+ <note>
+ <para>
+ Session handling was added in PHP 4.0.0.
+ </para>
+ </note>
+ <note>
+ <para>
+ Please note when working with sessions that a record of a session
+ is not created until a variable has been registered using the
+ <function>session_register</function> function or by adding a new
+ key to the <varname>$_SESSION</varname> superglobal array. This
+ holds true regardless of if a session has been started using the
+ <function>session_start</function> function.
+ </para>
+ </note>
+ </preface>
+ <!-- }}} -->
+
+ <chapter xml:id="extname.setup" xmlns="http://docbook.org/ns/docbook" \
xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>Installing/Configuring</title>
+
+ <section xml:id="session.requirements">
+ &reftitle.required;
+ &no.requirement;
+ <note>
+ <para>
+ Optionally you can use shared memory allocation (mm), developed by
+ Ralf S. Engelschall, for session storage. You have to download
+ <link xlink:href="&url.mm;">mm</link> and install it. This option is not
+ available for Windows platforms. Note that the session storage module
+ for mm does not guarantee that concurrent accesses to the same session
+ are properly locked. It might be more appropriate to use a shared memory
+ based filesystem (such as tmpfs on Solaris/Linux, or /dev/md on BSD) to
+ store sessions in files, because they are properly locked.
+ Session data is stored in memory thus web server restart deletes it.
+ </para>
+ </note>
+ </section>
+
+ &reference.session.configure;
+
+ &reference.session.ini;
+
+ <section xml:id="extname.resources">
+ &reftitle.resources;
+ &no.resource;
+ </section>
+
+ </chapter>
+
+ &reference.session.constants;
+
+ <!-- {{{ Examples -->
+ <appendix xml:id="session.examples">
+ &reftitle.examples;
+ <section xml:id="session.examples.basic">
<note>
<para>
As of PHP 4.1.0, <varname>$_SESSION</varname> is available as a
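Review bot: the new ids `extname.setup` on the `<chapter>` and `extname.resources` on the resources `<section>` look like unreplaced template placeholders. Every other id in this file uses the `session.` prefix, and the removed line was `<section xml:id="session.resources">`, so existing links to that id will stop resolving and the `extname.*` ids will collide with any other extension converted from the same template. Suggest `session.setup` and `session.resources`. Separately, the `xmlns` and `xmlns:xlink` attributes on `<chapter>` repeat what the `<book>` root already declares and can be removed.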
@@ -373,11 +349,50 @@
create a set of user-level storage functions.
</para>
</section>
- </partintro>
+ </appendix>
+ <!-- }}} -->
+
+ <!-- {{{ Security -->
+ <chapter xml:id="session.security">
+ <title>Sessions and security</title>
+ <para>
+ External links: <link xlink:href="&url.session-fixation;">Session fixation</link>
+ </para>
+ <para>
+ The session module cannot guarantee that the information you store
+ in a session is only viewed by the user who created the session. You need
+ to take additional measures to actively protect the integrity of the
+ session, depending on the value associated with it.
+ </para>
+ <para>
+ Assess the importance of the data carried by your sessions and deploy
+ additional protections -- this usually comes at a price, reduced
+ convenience for the user. For example, if you want to protect users from
+ simple social engineering tactics, you need to enable
+ <literal>session.use_only_cookies</literal>. In that case,
+ cookies must be enabled unconditionally on the user side, or
+ sessions will not work.
+ </para>
+ <para>
+ There are several ways to leak an existing session id to third parties.
+ A leaked session id enables the third party to access all resources which
+ are associated with a specific id. First, URLs carrying session ids. If
+ you link to an external site, the URL including the session id might be
+ stored in the external site's referrer logs. Second, a more active
+ attacker might listen to your network traffic. If it is not encrypted,
+ session ids will flow in plain text over the network. The solution here
+ is to implement SSL on your server and make it mandatory for users.
+ </para>
+ </chapter>
+ <!-- }}} -->
+
+ <reference xml:id="functions.session" xmlns="http://docbook.org/ns/docbook" \
xmlns:xlink="http://www.w3.org/1999/xlink"> + <title>Sessions &Functions;</title>
-&reference.session.functions.entities;
+ &reference.session.functions.entities;
</reference>
+</book>
<!-- Keep this comment at the end of the file
Local variables:
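Review bot: the `<chapter xml:id="session.security">` added here is placed after `</appendix>` for `session.examples`, so the warnings about `session.use_only_cookies`, session ids leaking through URLs and referrer logs, and unencrypted traffic now come after the examples instead of before the requirements section where the removed `<section xml:id="session.security">` sat. Suggest moving the chapter up, next to the setup chapter, so chapters precede appendices and readers reach the security text before the example code. Also in this hunk, the `<reference>` title depends on a `&Functions;` entity whose definition is not visible in this diff, and its `xmlns` attributes duplicate those on `<book>`.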
--
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php