## Secure session handling in PHP

I tried to search and read for 10-12 hours on how to have a secure session, and this is the code that I came up with. (I found no good book or article with a complete guide to PHP sessions; each had something and missed something else.)

Could you kindly please check if I have taken the necessary steps or if I’ve made a mistake somewhere?

Additional Info: PHP 7.3.x will be used, the webserver is nginx on Ubuntu 18.04, there will be a maximum of ~500 visitors per second, and sessions are written to disk (the PHP default).

```php
function secure_session_start($domain, $ip, $useragent)
{
    // Change PHPSESSID for better security, remove this if set in php.ini
    session_name('app_session');

    // Secure session_set_cookie_params (lifetime, path, domain, secure, httponly)
    session_set_cookie_params(0, '/', $domain, true, true);

    // Don't show any output if session_start fails, die immediately
    @session_start() or die();

    // Keep session alive (as suggested by comment on https://www.php.net/function.session-start)
    $_SESSION['time'] = time();

    // Hash Useragent to be safe from storing malicious useragent text as session data on server
    $useragent_hash = hash('sha256', $useragent);

    // Make sure we have a canary set
    if ( ! isset($_SESSION['canary']))
    {
        // Regenerate & delete old session as well
        session_regenerate_id(true);

        $_SESSION['canary'] = [
            'birth'          => time(),
            'ip'             => $ip,
            'useragent_hash' => $useragent_hash
        ];
    }

    // Regenerate session ID every 5 minutes:
    if ($_SESSION['canary']['birth'] < time() - 300)
    {
        // Regenerate & delete old session as well
        session_regenerate_id(true);
        $_SESSION['canary']['birth'] = time();
    }

    // If user is logged in, log out user if IP or Useragent is changed
    // (this is intentional, I know users behind load-balancers etc will have issues).
    // The OR is grouped in parentheses so it only applies to logged-in users.
    if (isset($_SESSION['username'])
        && (($_SESSION['canary']['ip'] !== $ip) OR ($_SESSION['canary']['useragent_hash'] !== $useragent_hash)))
    {
        // Destroy cookie
        setcookie(session_name(), "", time() - 3600, '/', $domain, true, true);

        // Destroy session
        session_unset();
        session_destroy();

        // Redirect (avoid loop by checking ip_browser_changed); URL is an application constant defined elsewhere
        if ( ! isset($_GET['ip_browser_changed']))
        {
            header('Location: '.URL.'login/?ip_browser_changed');
            exit('IP Address or Browser has been changed, please login again!');
        }
    }
}
```

Then I will simply do `secure_session_start()` in my code after validating the user IP address with `filter_var($ip, FILTER_VALIDATE_IP)`.

## drush handling array variable values

I am using Drupal 7 and drush 7.4.0. How do I handle drush array variables? For example, I have a variable `social_sharing` for which `drush vget social_sharing` gives:

```
social_sharing : facebook: facebook
google_plus: google_plus
linkedin: linkedin
twitter: twitter
pininterest: pininterest
```

Using a drush command:

1. How can I get the value of only `facebook` using `drush vget`?
2. How can I delete one specific variable, for example if I want to remove `google_plus` from the list, using `drush vdel`?

## Controllers and complex routes handling

When we have API routes looking like `/company/1/employee`, which controller should handle this route? I'm leaning towards the employees controller, but I guess an argument could be made for the company controller and for a separate controller that handles this route.

## Handling negative variances on the derivative of Gaussian processes

The variance of the derivative of a Gaussian process, $$f$$, is given by (9.1):

$$Var\left(\frac{\partial f}{\partial x}\right) = \frac{\partial^2 k(x,x)}{\partial x^2},$$

where $$k(\cdot, \cdot)$$ is both a positive-definite quantity and the covariance function of $$f$$. But when evaluating the error corresponding to $$\frac{\partial f}{\partial x}$$, we observe that it is not necessarily positive everywhere. Therefore, is the above definition for $$Var(\frac{\partial f}{\partial x})$$ actually correct? Is it valid to simply take the absolute value of this quantity when computing the error, or should this variance be handled differently?

As a simple case, if we consider a modified squared exponential kernel centered at $$x_a$$ and $$x_b$$, then $$k(x_i,x_j) = \exp(-(x_i-x_a)^2 - (x_j-x_b)^2)$$. This is positive definite.
But $$\frac{\partial k(x_i,x_j)}{\partial x_i} = -2(x_i - x_a)\, k(x_i, x_j)$$ and $$\frac{\partial^2 k(x_i,x_j)}{\partial x_i \partial x_j} = 4(x_i - x_a)(x_j - x_b)\, k(x_i, x_j)$$, which can both possibly be negative. Therefore, is (9.1) by itself a valid covariance function? To obtain the variance, is taking the absolute value of values along the diagonal of the covariance matrix appropriate?

## Approach to handling multiple instances of an application that make large database operations simultaneously

So, essentially the flow of my application works like this:

- A user selects some options to start a process on the server.
- Once they hit submit, the server opens up a console application that processes large amounts of data and then exits when it's finished.
- The idea being that the user can start multiple processes and have them all run at the same time (due to how the architecture is designed, multi-threading couldn't address this issue).

There are certain parameters that a user can choose that will cause a large insert to occur during the start of the process (something like 1,500,000 records from an external source). Even if there are multiple processes running but only one of them has the option selected to perform that large insert, the applications perform reasonably well (the insert portion of the process takes roughly 4 minutes). However, if there are at least two instances that require that bulk insert, performance and timing drastically fall (i.e. the applications have been running for half an hour, stuck on the insert).

It might be worth mentioning that I'm doing this through a stored procedure call from the application to an Oracle 11g database.

I don't have very many ideas on how to handle this, but one approach is to check if the procedure is running from a different application, and wait for the procedure to finish. I'm not sure if this is feasible or even the best approach.
Any suggestions or directions for me to research are greatly appreciated.

Here is the code that performs the bulk insert:

```csharp
public void CaptureDataForProcess(int processId)
{
    using (var context = new SomeContext())
    {
        var in_processId = new OracleParameter("in_processId", OracleDbType.Int32, processId, ParameterDirection.Input);
        context.Database.SqlQuery<object>("BEGIN SP_CAPTURE_DATA_FOR_PROCESS(:in_processId); END;", in_processId);
    }
}
```

Also, this is more or less the stored procedure (since it's just a regular Insert command, I've limited the columns referenced for the sake of brevity):

```sql
CREATE OR REPLACE PROCEDURE SP_CAPTURE_DATA_FOR_PROCESS (in_processid IN NUMBER)
AS
BEGIN
  DECLARE
    processId NUMBER(38, 0) := in_processid;
  BEGIN
    INSERT INTO CURRENT_PROCESS_SNAPSHOTS ("MARKET", "COUNTY", "STATE", "VENDOR", "PROCESSID")
    SELECT "MARKET", "COUNTY", "STATE", "VENDOR", processId
    FROM external_source@foo;
  END;
END;
/
```

## Handling Errors in Slowly Converging Dirichlet Beta Infinite Sum

I have tried to calculate the following slowly converging double sum in Mathematica 11.3:

$$\sum_{k=1}^{\infty} \frac{1}{(2k-1)(2k+1)} \left(\sum_{n=1}^{\infty} \frac{(-1)^{n-1}}{(2n-1)^{2k-1}} \right) \tag{1}$$

where

$$\beta(2k-1) = \sum_{n=1}^{\infty} \frac{(-1)^{n-1}}{(2n-1)^{2k-1}}.$$

When using symbolic notation as in (1), Mathematica gives the incorrect symbolic answer $$\frac{3 \zeta(3)}{2 \pi^2}$$, the correct answer being $$\frac{4}{\pi^2}\frac{7\, \zeta(3)}{8} \approx 0.4262783988$$. If I use the text function `Sum[]` instead, lots of Recursion and Iteration Depth errors result, which were presumably suppressed in the symbolic sum. I have contacted Wolfram for clarification on this.

The problem I face in avoiding a double sum is that the standard output result for the $$\beta(k)$$ summation in terms of the generalised Riemann zeta function is not valid for $$k=1$$.
(The well-known result for $$\beta(1)$$ is $$\beta(1) = \frac{\pi}{4}$$.)

$$\beta(k) = 2^{2-4k} \left(\zeta\left(2k-1, \frac{1}{4}\right) - \zeta\left(2k-1, \frac{3}{4}\right)\right)$$

I don't know how to force the assumptions on `Sum[]` to change this behaviour. Any thoughts?

## Handling error messages on mobile when there are many fields

I am designing a signup form that has the following fields in it:

- Username
- Email
- Password
- Confirm Password
- Where did you hear about us?

I have to show validation errors in these fields. There are a couple of options in my mind:

1. Show a tooltip on each field (the tooltip might hide other fields).
2. Show a popup with a summary of errors (not a good idea).
3. Show placeholders in each field with examples, then show an error message on signup. (Can password fields have an example placeholder?)

Any idea on how to handle this situation?

## Handling Multiple pull requests from a branch

Our current workflow is that we create a Sprint branch and then developers create a Feature branch carrying the user story number. Once the story is complete, this feature branch is merged to the Sprint branch by pull request, where it undergoes code review. Once code review is complete, we raise another pull request to the Develop branch, where onsite code review is done.

The problem is that when multiple teams are creating pull requests from Sprint to Develop, pipelined pull requests are approved when the latest pull request is approved. [Is this the expected behavior?]

Onsite coordinators use the pull request information from Sprint to Develop to track the changes that need to be released to production. But since my pull requests are automatically approved when another in the pipeline is approved, I am not able to get the status of the pull request which I raised. I have to go to the commit history of the Develop branch to find the merge commit of the pull request.

Is there any easy way of tracking my pull request?
## Handling strange physics behaviour while sliding between coplanar surfaces

We've got a character setup based around manually resolving collisions, and we're using Bullet to do so. Our characters have a kinematic rigidbody to push things around, but their movement and positioning is done using a separate (pair caching) ghost object. Every physics tick we iterate over all contacts for that ghost and resolve collision either by depenetrating 100% when it's ground, or by depenetrating gradually/not at all with walls or other characters. We then apply our ghost's new position to the kinematic rigidbody so that it can interact with other physics objects.

Unfortunately, when moving around a flat world made up of a bunch of coplanar blocks, when the character moves from one block to another it will often do one of two things:

- Fall through the cracks
- Get bumped upward a significant distance (we're talking up to half a unit/meter with a character that is 2 units/meters tall)

Debugging this tells me sometimes these contact points are unexpected, and not something I want to resolve by depenetrating 100%. Gravity moving the character downward can result in a contact point that is closer to the side of the terrain block than the top, and it will give you a normal/distance accordingly (blue arrow). Resolving that with 100% depenetration will just push you in between the blocks, while not counteracting the gravity forces. This would explain the falling through the cracks. But I don't know why I sometimes get contact points with normals pointing straight up, but with a distance that would place the collider far above the ground (purple arrow).

I've come to the point where I feel like my only option to handle character movement like this is by not colliding with the ground at all, and just spherecasting downwards at the character's position on the horizontal plane to place it down on the ground properly. Now obviously I want to get rid of this behaviour.
And seeing how you don't see this happen in many games, I'm led to believe others have solved this issue somehow. Has anyone here encountered similar issues, and how did you go about fixing them?

## Handling $$AND$$ and $$OR$$ cases in MILP?

Suppose I want to have an integer program for handling the cases

1. $$x_1>1\wedge x_2>1\wedge x_3>1\wedge\dots\wedge x_n>1\iff\delta=1$$

2. $$x_1>1\vee x_2>1\vee x_3>1\vee\dots\vee x_n>1\iff\delta=1$$

how many integer variables are needed to handle each case?

Is it possible that at least one of them needs at most a constant number of binary variables?
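As an added worked example (not part of the question), here is the standard big-M linearization of both cases. It assumes each $$x_i$$ is an integer variable with known bounds $$L \le x_i \le U$$ where $$L \le 1$$ and $$U \ge 2$$, so that $$x_i > 1$$ is the same as $$x_i \ge 2$$; it uses $$n+1$$ binaries and says nothing about whether fewer suffice.

For each $$i$$, introduce a binary $$y_i$$ and force $$y_i = 1 \iff x_i \ge 2$$ with the pair

$$x_i \le 1 + (U-1)\,y_i, \qquad x_i \ge 2\,y_i + L\,(1-y_i).$$

If $$x_i \ge 2$$, the first constraint is infeasible with $$y_i = 0$$, so $$y_i = 1$$; if $$x_i \le 1$$, the second constraint is infeasible with $$y_i = 1$$, so $$y_i = 0$$. With $$y_i = 1$$ the first reduces to $$x_i \le U$$ and with $$y_i = 0$$ the second reduces to $$x_i \ge L$$, both vacuous.

Case 1 (conjunction), $$\delta = 1 \iff \sum_i y_i = n$$:

$$\delta \le y_i \quad \forall i, \qquad \delta \ge \sum_{i=1}^{n} y_i - (n-1).$$

Case 2 (disjunction), $$\delta = 1 \iff \sum_i y_i \ge 1$$:

$$\delta \ge y_i \quad \forall i, \qquad \delta \le \sum_{i=1}^{n} y_i.$$

In case 1, any $$y_i = 0$$ forces $$\delta = 0$$, and all $$y_i = 1$$ forces $$\delta \ge 1$$; in case 2, any $$y_i = 1$$ forces $$\delta = 1$$, and all $$y_i = 0$$ forces $$\delta \le 0$$.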