I am new to PHP. What I do for managing sessions in my code is, simply start session using session_start(). Reading around on web, I came across, session_id and session_name.
What is the use of session_id and session_name. Application based, where can we use session_name and session_id in Php.
How I write my code is:
<?php
session_start();
if(isset($_SESSION['name']))
{
//Render the page.
}
else
{
session_destroy();
//redirect to some simple page.
}
?>
As per my code, where can I use session_id or session_name. Is this a good style to write the code, or should I choose to use session_id and session_name?
Thank you.
The Session name is the name of the cookie/url param stores the session_id. By default when you create a session, a special cookie will be created normally with the name PHPSESSID, the session_id, is the value of that cookie that later identifies you. You can change the default session name by using session_name, but you must call session_name, before session_start. Hope that helps.
EDITED.
Session will send a cookie, to your browser, remember PHP is configured to use COOKIES as session management.
Once the cookie has been created and sent to the browser, then you can access it like any other cookie, if you print_R($_COOKIE), you will see the php session cookie and its value.
The the very minimum, all you need is a call to session_start() , this will start a session for you, it must be called, before any output data is sent to the browser.
For example, this will cause error.
echo "Hello";
session_start();
This is because session_start() must be called before any output to is sent to the browser.
So, why do you need session_name(), simply because it allows you to rename the cookie, as mentioned by default session name is PHPSESSID. Renaming the session lessens the chances of a hacker trying to find a cookie with the name PHPSESSID. Every php developer knows what the default session cookie name is, if I was a hacker, what cookie do you think I will look for first? But this is not a prevention mechanism.
The session_id(), is just to get the id of the session, it is not always used, it is there for convenience but also used if you trying to implement your own session management as PHP does allow you to do this.
In a nutshell, session_name or session_id, is not necessary to start a session. If you have further questions, you can follow me on my google page,
https://plus.google.com/113820735365251703271
and I will be happy to explain further.
Related
I am beginning to learn php. I have a question regarding sessions.
Right now, I know that session_start() creates a session variable.
What I don't know is, when I access the session I created, do I need to use session_start() again?
If yes...
Why is this? Because I already created a session and I wonder why it wouldn't last the entire browsing session.
because what i understand from it is, that it is going to create a new session.
No:
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://php.net/session_start
Each new page you visit is an entirely new context for PHP. session_start allows you to reestablish a previous context/session/data.
The session_start function tells PHP to enable session tracking. It doesn't wipe out the session created by a previous page. You must call session_start() before you'll have access to any variables in $_SESSION.
Because of the manual session_start()
session_start — Start new or resume existing session
the same way you would connect to database every time you want to use it. it will connect to however you're storing your sessions. The session variables are no wiped out.
Also read more here but this should help to understand how sessions work:
When you are working with an application, you open it, do some changes
and then you close it. This is much like a Session. The computer knows
who you are. It knows when you start the application and when you end.
But on the internet there is one problem: the web server does not know
who you are and what you do because the HTTP address doesn't maintain
state.
A PHP session solves this problem by allowing you to store user
information on the server for later use (i.e. username, shopping
items, etc). However, session information is temporary and will be
deleted after the user has left the website. If you need a permanent
storage you may want to store the data in a database.
Sessions work by creating a unique id (UID) for each visitor and store
variables based on this UID. The UID is either stored in a cookie or
is propagated in the URL.
Session data is stored at the Server side but the reference or id to the session is stored on the client's browser cookie. For the server to know your session id we make a call to session_start() on each page it is required (at the top) so that the first thing done is to get the id from the user and retrieve the session data. It is required on every page whenever you want to access session data.
Here is a video tutorial also. http://blip.tv/step4wd/php-sessions_en-5983086
The answer is yes. You have to do that on every page. If you don't do that you get a undefined index error.
This will work because we include the file
Index.php
<?php
session_start();
//file doesn't have session_start
include "file.php";
?>
No: it is NOT always going to create a new session. It only tells the script that this page wants to start OR maintain an existing session.
A session is nothing more that a STATE AT THE SERVER that you carry from from page to page.
It is NOT accessible from the client (browser).
The only thing the browser must do to keep the session is passing an ID (called default PHPSESSID in PHP).
This ID can be stored in a cookie, GET or POST, as long as you get it transfered to the server with each request you make.
Youve to use session_start(), everywhere you need to work with session like, creating, accessing, destroying.
Unlike cookies, you can't access or work with session unless you initiate the session.
Does it start a current session based on cookies? Got that from the PHP website. How does PHP control the session? If I start a session when a user opens up my login page, what do I even use that session for? Can I use the current session to get info about the logged in user?
The PHP session system lets you store securely data in the $_SESSION global array. A typical example is to store the user's identifier in the session when they type in their password:
if ($user = try_login($login, $password))
$_SESSION['user'] = $user;
Then, you can access that information on all other pages:
if (isset($_SESSION['user']))
// logged in !
echo user_name($_SESSION['user']);
The data is stored on the server, so there is no risk of tampering (on the other hand, mind your disk usage).
Starting the session lets the current request use $_SESSION. If this is the user's first visit, the array will be empty and a new session cookie will be sent for you.
Closing the session merely prevents the current request from using $_SESSION, but the data stays around for the next requests.
Destroying the session throws away all the data, forever. The sessions are destroyed a certain duration after the last visit (usually around 30 minutes).
I assume you want to know what a PHP session means for you, the programmer.
When you do session_start() you are telling PHP that you want to use the session. This is made available to you as an array called $_SESSION. You can use that like any other array with the difference that the stuff you put in there stays there from one page to another (provided you use session_start() at the beginning of each page).
The actual mechanism may vary depending on configuration (php.ini), but a typical installation can use cookies for the session. Let's assume that your webserver is on linux and you're using cookies. You do the following
session_start();
$_SESSION['name']='Bob';
When PHP sees this it creates a text file with a semi-random name (for example sess_a3tfkd5558kf5rlm44i538fj07), sticks the $_SESSION contents in there as plain text and then sends a cookie to the user with the session id, which can be used to find the session file (for example a3tfkd5558kf5rlm44i538fj07).
The next time the user comes back he hands in the session id in his cookie, PHP goes to the relevant file and loads its contents in $_SESSION.
You'll note that the actual information is kept on the server while the user is only given an id. Kinda like handing in your coat in a club and getting a ticket with a number on it.
PHP's session_start starts OR resumes an HTTP session, which is explained fairly well in this article:
http://en.wikipedia.org/wiki/Session_(computer_science)
The concept of an HTTP "session" isn't specific to PHP, it's used in many (all?) server side HTTP frameworks as one way to allow for some state to be stored/associated across different request/responses (since HTTP is stateless). A unique token (which is often, but not always, stored in a cookie) identifies a particular client, and the server can associate the "session."
Here's some more info about sessions and PHP in particular that may help: http://www.php.net/manual/en/book.session.php
Like it says in the Manual
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
If you start a new session at your login page, the session is initially empty. You can store in it whatever you want, for instance, store the user id once the user has logged in. The session data is destroyed when you close the session.
You might want to read all chapters in the Session Extension Manual Pages and also see
what is session and cookies in php and where it stored
You can compare PHP session with the cookie, but session is the much more secure way of storing information. Cookie store data on user's computer, but session store on the server in a temporary file securely.
I have discussed session and how to use it on one of my blog post - How to start a PHP session, store and accessing Session data?
Below is an example code of storing data in PHP session:
<?php
session_start();
$_SESSION["name"] = "John";
?>
Below is the example of retriving the session data:
<?php
session_start();
echo $_SESSION["name"];
?>
The above code will display the name "John".
Source: How to start a PHP session, store and accessing Session data?
ok im a newbie on sessions lets imagine that we have a little login site,
heres a logic
login
if password right = use $_SESSION[isaloginuser] = 1
check session to see menus with if $_SESSION[isaloginuser] = 1
show the menus
the user want to logoff
unset session
destroy session system
what it use
session_register
session_destroy
session_unset
session_start
where does the session_id & the session_regenerate or session_name goes in ?
at php site it says
session_id() is used to get or set the
session id for the current session.
i still just dont get it, why do we need them anyway ? in real environment what does it do ?
No, you don’t need to use them. In general all you need is
session_start to start the session handling, and
session_destroy to destroy the stored session data (this does not modify $_SESSION), and
session_unset to reset the $_SESSION variable (but you can also do $_SESSION = array()).
session_id and session_name are to get and set the current session ID and session ID name (default is PHPSESSID). session_regenerate_id can be used to regenerate/change the session ID of the current session. This might be useful if, for example, you want to refresh the session ID every 10 minutes or after changing the state of authenticity of a user associated with a session.
session_regenerate_id() is used in order to prevent session fixation.
Session fixation means the following: You visit a website and examine your session ID. Then you manipulate another user into visiting the site using your session ID, and signing in. Now you're signed in as that user and have his privileges, because you're both using the same session.
To prevent this, give the user a new session ID using session_regenerate_id() when he successfully signs in. Now only he has the session ID, and your old session ID is no longer valid.
session_register() is depreciated in 5.3, I would suggest against using. Instead just use
$_SESSION['varname'] = "value";
session_id it just used if you want to get the session id for storing in a database, this is not "necessary" for use. session_name, just sets a name, this is not necessary. The regenerate is if you want to do a new id, this is also not necessary unless your application needs it, for a login session, I highly doubt you will use it.
The others, I hope you understand what they do (ie the unset / destroy). But hope that gives some insight.
Session IDs are the identifier for the session. The way a server stores data about a client is in a cookie. This cookie is sent with each HTTP request to the server by that client. PHP sets a cookie to be a random string token. This token identifies the client and relates it to a set of key-value pairs. The idea of a session variable is that cookies can be easily tampered with. Session IDs, however, being random strings, are hard to duplicate and thus add security.
I usually use session_id() when creating shopping baskets so I can track what that user has added then once I have got a response back from the payment gateway that the payment was successful, I then session_regenerate() so that when they are back on to my website their previous baskets are not visible and to me its like a new user has "entered" the shop.
User fills in username and password.
If it's correct, the page loads some information such as user_id to a session variable.
The script makes a header('Location') redirect.
Somehow the next page doesn't recognize the session... how come?
The redirection is to the same domain, and all pages have session_start();
And I found it more likely to happen in IE than in FF... strange.
Is it possible that cookies aren't enabled?
In order to be able to associate session variables with a specific client instance (ie. how session variables can be used on your browser and my browser at the same time without getting into a conflict), a "session ID" (or "SID") is generated per session. This ID is stored on the server, as well as on the client, usually in the form of a cookie. However, if cookies are not enabled, the session ID is passed along as part of the query string of the URL in each request so that the server can know what session ID belongs to the client.
When you redirect by a header() call, PHP does not automatically insert the SID into the new request, so you will need to append it yourself, in the form of:
header("Location: my_url.com/my_page.php?" . SID)
where SID is a constant defined by PHP that contains the necessary part of the query string (equivalent to session_name() . '=' . session_id(), if a session ID exists).
See Passing the Session ID for more details.
I just had a similar issue, the solution was to simply add an exit(); instruction under the header(..) redirection.
Two thoughts:
Is session_start() located at the top of the scripts, before anything is sent to the browser?
Is the domain exactly the same? www.mydomain.com re-directing to mydomain.com would lead to the problem you describe.
header("Location: my_url.com/my_page.php?" . SID)
exit();
It only worked after I added exit() below the header();
The WordPress documentation states that cookies will be cleared if the user's password is changed. That will kill the session, regardless of whether a redirect happens. So long as you can prevent the cookies from being cleared (and an exit() may do that, as suggested in other answers) than the session should remain.
Note: If current user's password is being updated, then the cookies
will be cleared!
http://codex.wordpress.org/Function_Reference/wp_update_user
I had this problem today and have been searching for a way to fix it. I already had what everyone else has mentioned and could not find an answer anywhere.
Eventually I found the answer after watching my session variables with Firebug. I noticed that on the pages that the variables were being lost, the session Parameter:secure was being set to true for some reason unknown to me.
The fix was to set the secure parameter to false before the session was created.
I accomplished this using session_set_cookie_params. Something like this:
session_set_cookie_params([lifetime], [path], [domain], false, true);
It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if( isSet($_SESSION['FacID']) )
$facID = $_SESSION['FacID']; //Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if( isSet($_SESSION['FacID']) )
$_SESSION['FacID'] = $facID;
?>
If you feel the need to force a new id
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the
data associated with the current
session. It does not unset any of the
global variables associated with the
session, or unset the session cookie.
To use the session variables again,
session_start() has to be called.
In order to kill the session
altogether, like to log the user out,
the session id must also be unset. If
a cookie is used to propagate the
session id (default behavior), then
the session cookie must be deleted.
setcookie() may be used for that.
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destoryed, there is no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.