I have a PHP script that uses session_decode to get the session variables of customer's session (from session stored file).
The problem is that whenever I call the script and it reads the session variables, it also add them to my own session. Is there a way to avoid this or maybe use a better method to get the customer's session information without using session_decode?
Thanks
I think I have found the simplest solution/workaround:
<?php
// if session is not started
session_start();
// store our current session
$my_sess = $_SESSION;
// decode $data (the encoded session data, either from a file or database). Remember, decoded data is put directly into $_SESSION
session_decode($data);
$data = $_SESSION;
print_r($data);
// restore our own session
$_SESSION = $my_sess;
?>
Related
I've visited my website for the first time and I see the session cookie set by server. I'm reloading the page and I see that only my browser sends the session identifier to server, while server doesn't return session cookie. I'm using Kohana framework. I'm wondering whether this is native PHP behavior to not send session cookie if the request already has it and it's not expired or this is handled by the framework?
I've found the following piece of code which presumable does the magic:
protected function _read($id = NULL)
{
// Sync up the session cookie with Cookie parameters
session_set_cookie_params($this->_lifetime, Cookie::$path, Cookie::$domain, Cookie::$secure, Cookie::$httponly);
// Do not allow PHP to send Cache-Control headers
session_cache_limiter(FALSE);
// Set the session cookie name
session_name($this->_name);
if ($id)
{
// Set the session id
session_id($id);
}
// Start the session
session_start();
// Use the $_SESSION global for storing data
$this->_data =& $_SESSION;
return NULL;
}
Is it what I'm looking for?
Official manual says:
When session_start() is called or when a session auto starts, PHP will
call the open and read session save handlers. These will either be a
built-in save handler provided by default or by PHP extensions (such
as SQLite or Memcached); or can be custom handler as defined by
session_set_save_handler().
The read callback will retrieve any existing session data (stored in a
special serialized format) and will be unserialized and used to
automatically populate the $_SESSION superglobal when the read
callback returns the saved session data back to PHP session handling.
So the answer should sound like this: This is native PHP behavior unless you defined custom save handler by session_set_save_handler().
How can I switch to a previously saved session using Zend\Session\SessionManager? I know the session ID.
For example, this doesn't work:
$sm->start();
$sm->setId('abc');
$_SESSION will not contain the data of session 'abc'. Calling $sm->writeClose() after $sm->start() doesn't help either.
I can easily do this using standard PHP functions:
session_start();
session_write_close();
session_id('abc');
session_start();
//$_SESSION is populated with 'abc' data.
Zend uses session namespaces for that. If you give the session a name like this
$sess = new Zend_Session_Namespace('abc');
you can access the contents via $sess->var and reload the session in a different PHP file just by creating the new session with the same name again.
http://framework.zend.com/manual/1.12/de/zend.session.basic_usage.html
When I log a user out of an app I am building I use session_destroy();
But when I go back to the page, all session variables are still set.
How can I completely destroy all session variables and ultimately require a user to log back in again?
Here is my code:
session_unset(); // clears all session variables
$_SESSION = array();
session_destroy(); // deletes session id
Thanks
After using session_destroy(), the session cookie is removed and the session is no longer stored on the server. The values in $_SESSION may still be available, but they will not be on the next page load.
If you need to clear the values of $_SESSION, set the array equal to an empty array:
Of course, you can't access the values of $_SESSION on another page once you call session_destroy, so it doesn't matter that much.Still if you are concerned .
Try the following:
session_destroy();
$_SESSION = array(); // Clears the $_SESSION variable
you are not calling session_destroy() for sure, your code may be unable to access it.
Post more code so we could help you
I have a situation where I've started a session with:
session_id( $consistent_session_name_for_user );
session_start();
$_SESSION['key'] = $value;
but then later I decide I don't actually want to "commit" (write) this session. PHP doesn't seem to have any kind of session_abort_write() function. I don't want to destroy the session variables from prior script runs, so I can't use session_destroy()
I tried session_id(""), but that call fails. I could "redirect" the session so it writes to another session, like session_id("trash"), but that would cause a lot of PHP (Apache) connections to try to write to the same session "file", which I want to avoid.
I'm highly simplifying the problem here, we're actually storing sessions in Memcached and this is a complex codebase. So I don't want to be sending unnecessary "trash" sessions to the Memcached server all the time.
From PHP.net,
session_regenerate_id
will replace the current session id with a new one, and keep the
current session information.
session_unset will free all registered variables
session_unregister ( string $name ) will unregister a specific variable
I haven't actually determined if this method prevents writing the session to the session store, but here's the solution I finally used:
session_id( 'trash' ); // or call session_regenerate_id() as someone else suggested
$_SESSION = array(); // clear the session variables for 'trash'.
I'm hoping this has the effect that nothing will get written, but I'm guessing it still will write a blank file, because PHP can't know that sess_trash isn't already there.
If you want to completely avoid writing the session, you'll have to use a custom session handler in PHP and set a global flag to prevent writing the session.
You could probably use something with session_set_save_handler to put dummy functions in for session handling.
<?php
function fakeIt() {
return true;
}
session_set_save_handler("fakeIt", "fakeIt", "fakeIt", "fakeIt", "fakeIt", "fakeIt");
There is session_write_close(). It dumps out the session array to storage and then "closes" it - $_SESSION will still be available and read/writeable, but any changes will no longer be saved, unless you do a session_start() again later on within the script.
Code below:
$_SESSION = array();
Will it clear all session data? If I wouldn't want to use session_destory().
Yup, it will destroy all session data but not the session itself.
Basically, there's three elements to a session:
The session itself, initialized with session_start()
The session cookie which is set automatically
Session data which is set via $_SESSION['foo'] = 'bar'
So you are only destroying the session data. session_destroy() destroys both the data and the session itself, but does not remove the session cookie.
The only "real" difference between $_SESSION = array() and session_destroy() is that after session_destroy(), setting session data will not work anymore before initializing a new session.
Yes, setting $_SESSION to a blank array will essentially unset all existing array keys.