Tuesday, November 20, 2007

PHP Vs. .Net

In the world of web development, the choice of which development language to use commonly comes down to two popular choices.

Web applications, specifically those relying on back end databases, are typically being created using either Microsoft's ASP.Net language, or the Open Source alternative language of PHP. Reasons why one might choose one over the other can include: The cost of development tools, or availability of such tools, or even ones comfort level with the Open Source initiative. The goal of this article is to provide some perspective on reasons why one might choose one over the other.

Active Server Pages or ASP has long been an option for creating dynamic web content. Active Server Pages facilitates the ability to use databases such as Access or SQL just to name a few, to create dynamic, feature rich websites. The work going on behind the scenes in serving up the dynamic content is being done at the server level by the Active Server Pages source code.

Microsoft has spent a great deal of time and resources promoting their .Net family of programming languages of which ASP.Net is a member. We can develop ASP.Net two ways: 1> We can develop only thru any text editor like notepad by inline code. Its not necessary to have code behind. 2> A web developer tool from microsoft which is free ... visual web developer express. That is only for web based i.e. asp.net. You cannot develop win apps in visual web developer. As with all of Microsoft's products, support and updates are constantly made available for ASP.Net. The shear amount of features that Microsoft packs into Visual Studio, coupled with Microsoft's extensive support make certainly make ASP.Net an attractive solution for any corporation's web development needs, but the cost can be prohibitive, if not impossible to afford for the individual web developer.

PHP which is in its 5th revision now, is an Open Source web development language that also facilitates the creation of feature rich, dynamic websites that can use databases. Being Open Source means simply that PHP isn't owned by anyone. Just as with Active Server Pages, the work going on behind the scenes of serving up the dynamic web content is being done by PHP at the server level.

As with most Open Source products, the resources available to a PHP developer are free of charge. This makes PHP extremely attractive to the independent web developer. There are some commercial quality development suites available from companies like Zend, but there is also wealth of free resources just a Google Search away. Because there is really no corporate entity behind PHP, support and development on PHP is done by the community of its users and developers themselves. Surprisingly this does not seem to adversely affect the ability to find support for PHP.

All in all, ASP.Net and PHP are both excellent options, offering basically the same functionality. Whether the decision comes down to the cost of initial investment, or the comfort level one has regarding Open Source, or something else entirely, the end result depends upon the mastery of whichever language is chosen.

Ian Wilson Lockwood is a support analyst for Apollo Hosting. Apollo Hosting provides website hosting, ecommerce hosting, vps hosting, and web design services to a wide range of customers.

I'll say what I have to say (from someone who uses both daily)ASP.NET Its a great language, alot of power and functionality. Can easily move between web and desktop application (code wise) and its "moreless" a compiled lang. (I know I know about its bytecode, don't want to get into that discussion). So it runs exceptionally fast after the first time its run, which is great for a site with major traffic.

It's a windows only lang. (Has be run on a windows server. And I know about Projects like MONO, but I'm talking about native support) Personally I love Windows Server, but it does limit you to a platform. This is probably its biggest con, cause as you know, if your on a budget, Windows Server isn't cheap. I would say that it native support for MSSQL Server is a con, but now with SQL Server Express, thats no longer (to me) a vaild agrument.

PHP
I love PHP. Its portable, now also has OOP support, and myself as a java and c# programmer, I was able to jump on this language and build complex apps inside a day or two. Very easy to get into. PHP has a large community, and I have seen some high traffic PHP sites (meaning it can be interrputed really fast) The greatest benefit to PHP is that you can develop on it for nearly free. You can host it on free OS's, PHP is free (although so is .NET) and its native support for mysql is top notch, and MYSQL is free. The only con I really see, is that if your not a c type programmer, and you did moreless basic type programming, you will have a bit of a learning curve.
My summary:
Both languages are EXTREMELY well suited. Its a perference thing. Don't sit here and listen to .NET fanboys or PHP fanboys agrue and rave because its the only language they know. I have seen exceptionally well coded .NET and PHP sites, and I have seen poorly coded .NET and PHP sites. Both supports the major players in the DB formats (MSSQL and MYSQL). It boils down to this...
1.) If your on a budget, I say go with PHP (Free everything)
2.) If your wanting to build a site and a complimenting desktop application, go with .NET You will be able to reuse alot of code (if coded correctly of course)
3.) If your wanting to use a free OS or hosting on a linux box, go with PHP
4.) If your not c type programmer and BASIC makes more sense to you, go with .NET
5.) If your using SQL Server, or SQL Server EXPRESS, "I" Say go with .NET although PHP can hook into these as well, its just that .NET has great native support for MSSQL, and MSSQL Express
6.) If your working with webservices again "I" say go with .NET, you can handle webservices with great ease. But so can PHP. So this is a perference for me.

You can insert your comments and suggestions for this article.

Regards
Vijay Modi

How to get values from Child window to parent window

Sometimes we have a simple problem and we think its really very complex and leave it. But listen its wrong attitude. We have to solve each and every problem which are comming in our life. I face a problem that I was unable to get the values from child(Popup) window to parent window. what we need to do for setting values from child window(PopUp window/Dialog) to parent window's control(textbox). Just required to add the following javascript where we required to add the values from child to parent windows control.

I am here inserting a value in parent windows TextBox named txtTo from my child windows(PopUp dialog's) TextBox values.

Dim strScript As String = ""
Response.Write(strScript)

This will get the value of txtPopUpTitle textbox and set it in the txtTo.

Regards,
Vijay Modi

php.ini settings

Hello Friends,

A article which describe what is the use of particular variable in php.ini files and how to do settings in this file. How to set each variable in php.ini file and what is the purpose of each is explain in this article. Please go through and will definetely get the solution.

Php.ini setting for each variable:

1 > allow_call_time_pass_reference Boolean

Whether to enable the ability to force arguments to be passed by reference at function call time. This method is deprecated and is likely to be unsupported in future versions of PHP/Zend. The encouraged method of specifying which arguments should be passed by reference is in the function declaration. You're encouraged to try and turn this option Off and make sure your scripts work properly with it in order to ensure they will work with future versions of the language (you will receive a warning each time you use this feature, and the argument will be passed by value instead of by reference).

Passing arguments by reference at function call time was deprecated for code cleanliness reason. Function can modify its argument in undocumented way if it didn't declare that the argument is passed by reference. To prevent side effects it's better to specify which arguments are passed by reference in function declaration only.

====================================================


2 > allow_url_fopen

This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.

This setting can only be set in php.ini due to security reasons.

This option was introduced immediately after the release of version 4.0.3. For versions up to and including 4.0.3 you can only disable this feature at compile time by using the configuration switch --disable-url-fopen-wrapper.

====================================================

3 > always_populate_raw_post_data Boolean

Always populate the $HTTP_RAW_POST_DATA variable.

4 > arg_separator.input

List of separator(s) used by PHP to parse input URLs into variables

5 > arg_separator.output

The separator used in PHP generated URLs to separate arguments


6 > asp_tags


Enables the use of ASP-like <% %> tags in addition to the usual tags. This includes the variable-value printing shorthand of <%= $value %>.

7 > auto_globals_jit Boolean

When enabled, the SERVER and ENV variables are created when they're first used (Just In Time) instead of when the script starts. If these variables are not used within a script, having this directive on will result in a performance gain

The PHP directives register_globals, register_long_arrays, and register_argc_argv must be disabled for this directive to have any affect.

8 > display_error and display_startup_errors

These two settings control whether PHP should display errors in the browser or be silent. It is recommended that you turn these two settings Off during production so that you don't accidentally display sensitive information about your Web site. This is especially true for dynamic Web sites that send usernames and password to access a database. In your php.ini file, this configuration will look like:

display_errors = off

display_startup_errors = off

9 > log_erros and error_log

There two settings control how PHP logs errors for later review. It is helpful to use these two settings if you have turned Off display_errors and display_startup_errors. In your php.ini file, this configuration will look like

Log_errors = On

Error_log = /hwxx/daxx/uwnetid/phperrors.log

Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a file called phperrors.log in the root of your Web directory (typically public_html) and make sure it is read and writable by you

10 > session.save_path

This setting controls the location of server-side session cookies when your script uses PHP's session management functions. The server default php.ini file has this variable set to /use/a/folder/in/your/web/root, disabling the user of sessions. In order to use PHP sessions, you will need to create a temp folder in your web directory and change this option to point to it:

There are a number of reasons for requiring this configuration:

(1) To make sure that another user doesn't tamper with these cookies. (2)To keep the /tmp folder from filling up, causing other programs to fail. (3) Due to the clustered nature of the UW webservers, session info should be stored in a place that is available on all machines in the cluster

session.save_path = /hwxx/daxx/uwnetid/tmp

Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Again, make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only

11 > upload_temp_dir

This setting controls the temporary location of files uploaded with an HTML form. If you don't specify a path for this setting, uploaded files will be temporarily stored in a world-readable location on the server. To protect ease of manipulation and the confidentiality of such files, you should create a directory in your account and specify the new path in your php.ini file

upload_tmp_dir = /hwxx/daxx/uwnetid/tmp

Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only.

13 > enable_dl

This directive is really only useful in the Apache module version of PHP. You can turn dynamic loading of PHP extensions with dl() on and off per virtual server or per directory.

The main reason for turning dynamic loading off is security. With dynamic loading, it's possible to ignore all open_basedir restrictions. The default is to allow dynamic loading, except when using safe mode. In safe mode, it's always impossible to use dl().

14 > extension_dir string

In what directory PHP should look for dynamically loadable extensions

15 > file_uploads

Whether or not to allow HTTP file uploads. See also the upload_max_filesize, upload_tmp_dir, and post_max_size directives

16 > gpc_order

Set the order of GET/POST/COOKIE variable parsing. The default setting of this directive is "GPC". Setting this to "GP", for example, will cause PHP to completely ignore cookies and to overwrite any GET method variables with POST-method variables of the same name

This option is not available in PHP 4. Use variables_order instead

17 > include_path

Specifies a list of directories where the require(), include() and fopen_with_path() functions look for files. The format is like the system's PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows

Unix include_path

include_path=".:/php/includes”

Window include_path

include_path=".;c:\php\includes”

Using a . in the include path allows for relative includes as it means the current directory

18 > magic_quotes_gpc

Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.

19 > magic_quotes_runtime

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

20 > magic_quotes_sybase

If the magic_quotes_sybase directive is also ON it will completely override magic_quotes_gpc. Having both directives enabled means only single quotes are escaped as ''. Double quotes, backslashes and NUL's will remain untouched and unescaped

21 > max_execution_time

This sets the maximum time in seconds a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server. The default setting is 30.

The maximum execution time is not affected by system calls, stream operations etc. Please see the set_time_limit() function for more details.

You can not change this setting with ini_set() when running in safe mode. The only workaround is to turn off safe mode or by changing the time limit in the php.ini.

Your webserver can have other timeouts. E.g. Apache has Timeout directive, IIS has CGI timeout function, both default to 300 seconds. See the webserver documentation for meaning of it.

22 > max_input_time

This sets the maximum time in seconds a script is allowed to receive input data, like POST, GET and file uploads

23 > open_basedir

Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.

The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".

Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

Note: Support for multiple directories was added in 3.0.7.

The default is to allow all files to be opened.

24 > output_buffering

Normally, session, cookie or HTTP header data in a PHP script must be sent before any output is generated by the script. If this is not possible in your application, you can enable what PHP calls output buffering, with the output_buffering variable.

With output buffering on, PHP stores the output of your script in a special memory buffer and sends it only when explicitly told to do so. This allows you to send special HTTP headers and cookie data even in the middle or at the end of your script; however, it can degrade performance marginally.

output_buffering = Off

You can also pass the output_buffering variable a number indicating the size of the buffer, for example:

output_buffering = 2048

25 > output_handler

You can redirect all of the output of your scripts to a function. For example, if you set output_handler to mb_output_handler(), character encoding will be transparently converted to the specified encoding. Setting any output handler automatically turns on output buffering.

Note: You cannot use both mb_output_handler() with ob_iconv_handler() and you cannot use both ob_gzhandler() and zlib.output_compression.

Note: Only built-in functions can be used with this directive. For user defined functions, use ob_start().

26 > post_max_size

Also related to form submission is the post_max_size variable, which controls the maximum amount of data that PHP will accept in a single form submission with the POST method. It's unlikely you'll ever need to increase this from the default value of 8 MB; instead, you should probably reduce it to a more realistic figure. However, if you're planning on using the file upload features of PHP, keep this value greater than the value of upload_max_filesize.

post_max_size = 8M

27 > precision

The number of significant digits displayed in floating point numbers.

28 > register_argc_argv

Tells PHP whether to declare the argv & argc variables (that would contain the GET information).

29 > register_globals

New to PHP 4.1.0, the register_globals setting controls how you access form, server, and environment variables. By default this variable is set to Off, requiring you to use special arrays to access these variables. Those familiar with older versions of PHP will be used to an environment in which the register_globals variable is effectively On; with this setting, you can access form, server and environment variables simply by name

Note: This change occurred in PHP 4.1.0 because when register_globals is set to On, PHP scripts are more vulnerable to attacks. Some older PHP applications will require this setting to be on, but it is safer to write new scripts with the assumption that register_globals will be set to Off

To retrieve the value of from a form submitted with the POST method, use the following syntax

PHP code when register_globals = On

$myNewVariable = $formVariable

PHP code when register_globals = Off

$myNewVariable = $_POST['formVariable'];

30 > report_memleaks

report_memleaks is one of the few directives in the php.ini file that I've never had reason to change. Setting this to "Off" will prevent memory leak errors being displayed. However, memory leaks are only displayed when you compile PHP with "--enable-debug" (which allows you to perform some advanced tasks (eg backtraces). This would never affect a production environment, and rarely a development one.
Values: On (default), Off

31 > safe_mode

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now

Whether to enable PHP's safe mode. Read the Security chapter for more information.

32 > safe_mode_exec_dir

If PHP is used in safe mode, system() and the other functions executing system programs refuse to start programs that are not in this directory. You have to use / as directory separator on all environments including Windows.

One Safe Mode trouble maker is safe_mode_exec_dir. By default safe_mode_exec_dir is empty, so external programs like `convert' cannot be started.

In my testing, on one (Debian) server I was able to use Image Magick's `convert' command (but not for converting gallery images) by using the following steps:

Create a link to `convert' in /usr/local/bin/ with

ln -s /usr/bin/convert /usr/local/bin/
Enable starting programs in that directory with a line in php.ini

safe_mode_exec_dir = "/usr/local/bin"
Restart the web server.
Make Qdig aware of the new location with

$convert_cmd = '/usr/bin/convert';@@
This also works:

Enable starting /usr/bin programs in php.ini with

safe_mode_exec_dir = "/usr/local/bin"
Restart the web server.

so does this:

Create a directory for PHP-safe binaries

mkdir /usr/local/php_safe_bin
Create a link to `convert' in /usr/local/bin/ with

ln -s /usr/bin/convert /usr/local/php_safe_bin/
Enable starting programs in that directory with a line in php.ini

safe_mode_exec_dir = "/usr/local/php_safe_bin"
Restart the web server.
Make Qdig aware of the new location with

$convert_cmd = '/usr/php_safe_bin/convert';@@
The reason for creating a link rather than copying the file is because otherwise system updates will not replace the copy you are using.

For review, the three pertinent settings in php.ini are

safe_mode = On
safe_mode_gid = On
safe_mode_exec_dir = "/path/to/convert/executable"
where only the top two lines are necessary if you are using GD to convert images.

33 > safe_mode_gid

By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) checking upon file access

To avoid the server-can't-access-files-it-has-written error, the server administrator can enable PHP's safe_mode_gid by adding this line

safe_mode_gid = On
to the the server's PHP configuration file (php.ini) and restarting the web server daemon.

Your web hosting provider should be willing to enable safe_mode_gid (manual page) for you because the security benefit probably exceeds the security risk. This is because

· files written in ordinary (non-SetGID) directories still will be blocked, and

· leaving it disabled encourages users to use world-writable directories and files.

Enabling safe_mod_gid, combined with using (temporarily) "2777" (versus "777") permissions for the qdig-files/ directory during setup, will cause your Qdig installation to Just Work as long PHP's GD extension is loaded and available for image conversion

34 > safe_mode_include_dir

UID/GID checks are bypassed when including files from this directory and its subdirectories (directory must also be in include_path or full path must including).

As of PHP 4.2.0, this directive can take a colon (semi-colon on Windows) separated path in a fashion similar to the include_path directive, rather than just a single directory.

The restriction specified is actually a prefix, not a directory name. This means that "safe_mode_include_dir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "safe_mode_include_dir = /dir/incl/"

If the value of this directive is empty, no files with different UID/GID can be included in PHP 4.2.3 and as of PHP 4.3.3. In earlier versions, all files could be included.

35 > sendmail_from

In either case, you'll want to set the sendmail_from option to your email address, or whichever address you'd like to appear as the default 'from' address for emails sent from PHP scripts.

Here's how the section might look on a typical Windows server, or on a Linux server without sendmail:

[mail function]
; Setup for Windows systems
SMTP = smtp.my.isp.net
sendmail_from = me@myserver.com

And here's how it might look on a Linux server with sendmail:

[mail function]
; Setup for Linux systems
sendmail_path = /usr/sbin/sendmail -t
sendmail_from = me@myserver.com

36 > sendmail_path

If you're going to use PHP's mail() function, there are three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail messages through PHP's mail() function. On Windows, these variables set the SMTP server to be used and the From: address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent) for mail delivery:

SMTP = myserver.localnet.com
sendmail_from = me@localhost.com
sendmail_path = /usr/sbin/sendmail
37 > short_open_tag

Tells whether the short form () of PHP's open tag should be allowed. If you want to use PHP in combination with XML, you can disable this option in order to use inline. Otherwise, you can print it with PHP, for example: . Also if disabled, you must use the long form of the PHP open tag ().

Note: This directive also affects the shorthand SMTP

If you're going to use PHP's mail() function, there are three variables you may need to set. The SMTP and sendmail_from variables (on Windows) or the sendmail_path variable (on UNIX) are used when sending e-mail messages through PHP's mail() function. On Windows, these variables set the SMTP server to be used and the From: address to display in e-mail messages; on UNIX, the sendmail_path variable sets the path of the MTA (mail transfer agent) for mail delivery:

SMTP = myserver.localnet.com

39 > smtp_port

Used under Windows only: Number of the port to connect to the server specified with the SMTP setting when sending mail with mail(); defaults to 25. Only available since PHP 4.3.0.

40 > track_errors

If enabled, the last error message will always be present in the global variable $php_errormsg

In addition, if you set the php.ini setting track_errors = On, the last error message encountered will be stored in $php_errormsg. This is true regardless of whether you have used the @ syntax for error suppression

41 > unserialize_callback_func

The unserialize_callback_func directive is one of the more advanced settings in the php.ini file, and the chances are very good that if you change this before you are familiar with serialization, you will cause massive problems on your own server. I'd leave this well alone!

42 > upload_max_filesize

The maximum size of an uploaded file. When an integer is used, the value is measured in bytes. You may also use shorthand notation as described in this FAQ.

43 > upload_tmp_dir

This setting controls the temporary location of files uploaded with an HTML form. If you don't specify a path for this setting, uploaded files will be temporarily stored in a world-readable location on the server. To protect ease of manipulation and the confidentiality of such files, you should create a directory in your account and specify the new path in your php.ini file:

upload_tmp_dir = /hwxx/daxx/uwnetid/tmp

Replace /hwxx/daxx/uwnetid/ with the path to your Web directory. Make sure that you have a directory called tmp in the root of your Web directory (typically public_html) and make sure it is read and writable by you only.

44 > user_dir

The base name of the directory used on a user's home directory for PHP files, for example public_html.

45 > variables_order

Set the order of the EGPCS (Environment, GET, POST, Cookie, Server) variable parsing. The default setting of this directive is "EGPCS". Setting this to "GP", for example, will cause PHP to completely ignore environment variables, cookies and server variables, and to overwrite any GET method variables with POST-method variables of the same name

46 > y2k_compliance

The y2k_compliance directive instructs PHP to use 4-digit years. This setting can apparently cause problems with some browsers (Navigator 3, and possibly others - any that can't understand 4-digit years) when set to On. However, not having it On will possibly cause problems with modern browsers, which can have problems with 2-digit years. I leave this on.

Values: On (default), Off

47 > zend.ze1_compatibility_mode

Enable compatibility mode with Zend Engine 1 (PHP 4). It affects the cloning, casting, and comparing of objects

SESSION

48 > Session Support

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

A visitor accessing your web site is assigned an unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

The session support allows you to register arbitrary numbers of variables to be preserved across requests. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.

49 > session.name string

session.name specifies the name of the session which is used as cookie name. It should only contain alphanumeric characters. Defaults to PHPSESSID. See also session_name().

50 > session.auto_start boolean

session.auto_start specifies whether the session module starts a session automatically on request startup. Defaults to 0 (disabled).

51 > session.serialize_handler string

session.serialize_handler defines the name of the handler which is used to serialize/deserialize data. Currently, a PHP internal format (name php) and WDDX is supported (name wddx). WDDX is only available, if PHP is compiled with WDDX support. Defaults to php.

52 > session.gc_probability integer

session.gc_probability in conjunction with session.gc_divisor is used to manage probability that the gc (garbage collection) routine is started. Defaults to 1. See session.gc_divisor for details.

53 > session.gc_divisor integer

session.gc_divisor coupled with session.gc_probability defines the probability that the gc (garbage collection) process is started on every session initialization. The probability is calculated by using gc_probability/gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process starts on each request. session.gc_divisor defaults to 100.

54 > session.gc_maxlifetime integer

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other fs where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

55 > session.referer_check string

session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.

56 > session.entropy_file string

session.entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. Examples are /dev/random or /dev/urandom which are available on many Unix systems.

57 > session.entropy_length integer

session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).

58 > session.use_cookies boolean

session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

59 > session.use_only_cookies boolean

session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Defaults to 0 (disabled, for backward compatibility). Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0.

60 > session.cookie_lifetime integer

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().

61 > session.cookie_path string

session.cookie_path specifies path to set in session_cookie. Defaults to /. See also session_get_cookie_params() and session_set_cookie_params().

62 > session.cookie_domain string

session.cookie_domain specifies the domain to set in session_cookie. Default is none at all. See also session_get_cookie_params() and session_set_cookie_params().

63 > session.cookie_secure boolean

session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4. See also session_get_cookie_params() and session_set_cookie_params().

64 > session.cache_limiter string

session.cache_limiter specifies cache control method to use for session pages (none/nocache/private/private_no_expire/public). Defaults to nocache. See also session_cache_limiter().

65 > session.cache_expire integer

session.cache_expire specifies time-to-live for cached session pages in minutes, this has no effect for nocache limiter. Defaults to 180. See also session_cache_expire().

66 > session.use_trans_sid boolean

session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).

Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.

URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.

67 > session.bug_compat_42 boolean

PHP versions 4.2.3 and lower have an undocumented feature/bug that allows you to initialize a session variable in the global scope, albeit register_globals is disabled. PHP 4.3.0 and later will warn you, if this feature is used, and if session.bug_compat_warn is also enabled. This feature/bug can be disabled by disabling this directive.

68 > session.bug_compat_warn boolean

PHP versions 4.2.3 and lower have an undocumented feature/bug that allows you to initialize a session variable in the global scope, albeit register_globals is disabled. PHP 4.3.0 and later will warn you, if this feature is used by enabling both session.bug_compat_42 and session.bug_compat_warn.

69 > session.hash_function integer

session.hash_function allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).

Note: This was introduced in PHP 5.

70 > session.hash_bits_per_character integer

session.hash_bits_per_character allows you to define how many bits are stored in each character when converting the binary hash data to something readable. The possible values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-", ",").

Note: This was introduced in PHP 5.

71 > url_rewriter.tags string

url_rewriter.tags specifies which HTML tags are rewritten to include session id if transparent sid support is enabled. Defaults to a=href,area=href,frame=src,input=src,form=fakeentry,fieldset=

Note: If you want XHTML conformity, remove the form entry and use the
tags around your form fields.

You can add your comments and suggesions regarding this article.

Great Na?

Regards
Vijay Modi