I can't understand the code below and I don't know when we use session_id() before session_start() .
<?php
if($_GET){
//defining the session_id() before session_start() is the secret
session_id($_GET['session_id']);
session_start();
echo "Data: " . $_SESSION['theVar'];
//use your data before below commands
session_destroy();
session_commit();
}else{
//common session statement goes here
session_start();
$session_id=session_id();
$_SESSION['theVar'] = "theData";
echo "your.php?session_id=" . $session_id;
}
?>
i want you to explain it ! not just copying the description of php.net !
on the other hand , where is session_id() used ?! what's its usage ?!
thank you in advance !
finally i understood ! i give you two examples :
<?php
session_start();
session_id();
?>
result |stbug36ge9efg20cpdjnq83m50 ( session id )
and whenever the browser or tab is closed , the session will be omitted and the next time you enter the site , you can manage two action to occur :
1. start a new session with previous session_id
2. or start a new session witt a new id
as the usual , the action num.2 will happen but if you want num.1 to happen you have to embed session_id before session_start . look at the code below :
<?php
session_id("stbug36ge9efg20cpdjnq83m50");
session_start();
?>
and here we're starting a new session with previous session id .
and
the usage of Session_id()
you can easily write a online visitors counter -- each time a session starts(use is online ) , its id will store in database . so we can find out how many users are online.
Setting the session id before starting the session lets you manually "resume" a session, so to speak. If you session_start() without setting the ID, and the previous session has expired, it will generate a new ID and start a brand new session.
From the PHP documentation:
If id is specified, it will replace the current session id. session_id() needs to be called before session_start() for that purpose.
See more at: http://php.net/manual/en/function.session-id.php
The manual is a good place to start. session_id isn't required to start or manage sessions. PHP and the browser (through a cookie) will usually handle this automatically if you exclude session_id. You can however maintain multiple sessions per end user by specifying a session ID.
Related
I'm building a site (e-commerce) which stores session_id in DB (Generated by $session = session_id(); ). I need to destroy it once checkout completes. I've added
session_unset();
session_destroy();
at the end, but a simple print shows that session_id() is not being destroyed and is the same even after checkout. How can I completely destroy that. As you probably know, Firefox destroys all session on close while Chrome does not. I'm trying to destroy the session_id() generated. Any ideas ?
So after thinking and surfing the internet, Many people said that it is a bad idea (not sure why) to store id generated from session_id()
So, instead I used uniqid()
I do something like this to generate the id on the first page and then start the session on every page and get its value via $_SESSION
session_start();
if (!isset($_SESSION['session_id']))
{
$session = uniqid();
$_SESSION['session_id'] = $session;
}
else
{
$session = $_SESSION['session_id'];
}
Turns out, this solved my problem. I can easily session_unset(); / session_destroy(); the session at the final checkout step (where cart is dumped)
i have searched and searched and read and read a lot about what exactly session_destroy does ! but no result at least for me ! first read the details below :
When a session is created (session_start) a file is created with a
unique identifier that is given to the user as a cookie, when
variables in the $_SESSION array are modified or added the temporary
file is updated with that information so that it can be used somewhere
else on the website.*
session_destroy* will delete this file, this is commonly done for when
a user logs out of your website so that the (now useless and
unnecessary) file isn't taking up space.
we know that session id is stored in session cookie and as the tutorials say , session destroy removes the session cookie file (that includes session_id ) so why when i started a new session it didn't generate a new id ! it makes me confused ! look at the example :
<?php
session_start();
echo session_id();
session_destroy();
session_start();
echo "---".session_id();
?>
result : l4k80dkrl5kd6cdlobhbu5s3i1---l4k80dkrl5kd6cdlobhbu5s3i1
so it gives me the session id same as the previous one .
so what does session_destroy really do !! ?
thanks in advance
From PHP documentation:
It does not unset any of the global variables associated with the
session, or unset the session cookie.
So after session_destroy() the cookie that holds the session id is still alive, and just the session file will be deleted. So start_session() tries to find the file for the session id in the cookie, and it fails of course, and it just creates a new empty file for that. So your id does not change.
If you really want to change that, try to delete the cookie.
You are almost correct about what you have said, BUT if you destroy the session and the script ends in PHP, thats the time file is deleted. If you just try to destroy and create it again, it uses the same file/session ID.
Its not only the file that is created, but also the file contains all the data you are storing in the session. Have a look at your session data in your server, its very interesting.
Update
More interesting things you can do. Write a PHP file
<?php
session_start();
sleep(29000);//delete the session after 29 seconds
session_destroy();
?>
Now have a look at the session file, it should be deleted after 20 seconds.
Do
<?php session_start(); ?>
and go to google chrome, and remove the cookie manually from there. The session won't be available anymore.
<?php session_destroy(); ?> will not destroy the cookies on the
client side. Next time you create a session, it will just use the same
old information. This is the prime reason of your question.
Do
file1:
<?php session_start(); $_SESSION['test'] = "A"; ?>
file2:
<?php session_start(); $_SESSION['test'] = "B"; ?>
resultFile:
<?php session_start(); echo $_SESSION['test']; ?>
Now from two computers, access your website with file1 on one computer and file2 on another. From google chrome, switch their cookie information and see how session A is assigned to B and B is assigned to A.
I installed a pre-built forum on my website and I want (in a diffrent page) to check if the forum's session is active.
Something like :
if (isset($_SESSION['forum'])) { echo "Session is active!"; }
Problem is - I don't know the sessions name...
Tried downloading some chrome add-ons for session managing but I can't get the name of the session.
Whats the right way of doing this?
Thanks ahead!
You can see the dump of $_SESSION variable
var_dump($_SESSION);
session_name() will give you the session name, that usually is defined in php.ini. By default it is always: PHPSESSID. This name is used as cookie name or as POST/GET variable name.
session_id() will give you the identifier for the current session. It will be the contents of the cookie or POST/GET variable.
Then you have $_SESSION that will contain all your session data. use print_r() to see what you have stored in it so far.
To know if session vars are set you can also just do if(isset($_SESSION)&&count($_SESSION))
try
print_r ($_SESSION);
taht way you'll see all sessions
<?php
session_start();
print_r($_SESSION);
?>
Use this to see which session variables are currently set.
You need to check that the session is currently active, and then that the forum key is defined
if ( ! ($sid = session_id()) {
session_start(); // open session if not yet opened
$sid = session_id(); // get sid as session ID
}
// $sid contains the session ID (in cookie)
if (isset($_SESSION['forum'])) {
// forum is defined
}
See also the answer from this page
I started a session $_SESSION['ProdID'] = $ProdID; earlier in my code and I started another ProdID session in another page of my script.
I want to end the first one while this new one will be active without logging out.
Create a page with any name you want.
For example you create a page named as logout.php and paste this code in it.
<?php
session_start();
session_destroy();
header('location:login_page.php');
?>
if you want to destroy all sessions , it's better to use session_destroy()
if you want to destroy specific session , you can use unset($_SESSION['']);
First destroy the current session by regenerating a new session ID to create new cookies. You can then set your values in the new session, the old session is destroyed. Optionally delete all old session variables if you don't need them any longer:
/* generate new session id and delete old session in store */
session_regenerate_id(true);
/* optional: unset old session variables */
$_SESSION = array();
/* set new value(s) */
$_SESSION['name'] = 'value';
If you still want to keep the old session ("without logging out") you can remove the true parameter so the old session is kept in store:
/* generate new session id and keep old session in store */
session_regenerate_id();
The rest would remain the same.
Try using session_destroy(); to end your current session.
Use
unset($_SESSION["ProdID"]);
Only type unset session end of code,
Like this
unset($_SESSION['ProdID']);
I am the administrator of the site. I want unset a particular session, and I know its session id.
The users are just starting the session like this:
session_id("usernumber");
session_start();
Let’s say user A has usernumber "123".
I want to destroy all the values of the user A. User A will not regenerate the sessio_id() after setting that as session_id("123");.
How can I unset destroy only for user A?
Answer by Jack Luo on php.net
$session_id_to_destroy = 'nill2if998vhplq9f3pj08vjb1';
// 1. commit session if it's started.
if (session_id()) {
session_commit();
}
// 2. store current session id
session_start();
$current_session_id = session_id();
session_commit();
// 3. hijack then destroy session specified.
session_id($session_id_to_destroy);
session_start();
session_destroy();
session_commit();
// 4. restore current session id. If don't restore it, your current session will refer to the session you just destroyed!
session_id($current_session_id);
session_start();
session_commit();
Without reverse enginering the session handler....
<?php
session_id($_GET['killsid']);
session_start();
session_destroy() || die "failed to kill";
You could try to get session_save_path() (in this directory session files are stored).
When you are using default session names the filename looks like sess_jgimlf5edugvdtlaisumq0ham5 where jgimlf5edugvdtlaisumq0ham5 is user session id so you can just unlink this file unless you dont have permissions to edit those files.
As far as I know, the only supported way to do so with the default session handler is to impersonate the user with session_id("usernumber"); and then remove the values.
You could also store sessions in a database, which would make this all pretty straightforward, yet you need to write your own session handling code.
BTW, the session ID is supposed to be a long random string which you cannot guess. Using 123 means that any anonymous visitor can easily log in with any user credentials.