I am having problems with a custom session start. For security reasons I decided to look for a method that is safe when starting a session, and I came across this tutorial and implemented the method related to starting a session.
The problem is that whenever I initialize a new session variable and redirect to another page which is expecting the value from the initialized session, all the session variables that I initialized earlier get destroyed, forcing the user to log out. Below is the function I am using to start sessions:
function sec_session_start(){
    $session_name = 'sec_session_id'; // set a custom session name
    $secure = false;                  // true if you are using https
    $httponly = true;                 // this stops javascript from accessing the session id
    ini_set('session.use_only_cookies', 1); // FORCES the session to only use cookies
    $cookie_params = session_get_cookie_params(); // get current cookie params
    session_set_cookie_params($cookie_params['lifetime'], $cookie_params['path'], $cookie_params['domain'],
        $secure, $httponly);
    session_name($session_name); // set the session name to the one set above
    if (!isset($_SESSION)){session_start();} // start the php session
    session_regenerate_id(); // regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
}
I have searched for an answer to my problem with no luck. Please help me with this.
N.B.: when I use the default session_start, everything works perfectly.
You should always start the session, not only when $_SESSION is not set.
if (!isset($_SESSION)){session_start();}//start the php session
session_regenerate_id();//regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
should be
session_start();//Start new or resume existing session
session_regenerate_id();//regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
Reference: session_regenerate_id
Try to put session_start() at the top of your PHP code, as the first instruction.
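As an added example (not the questioner's function or either answer's code), here is the same start routine with the faulty `isset($_SESSION)` guard replaced by the check PHP actually provides for this, `session_status()` (PHP 5.4+). `$_SESSION` does not exist until `session_start()` has run, so the original condition was always true and did nothing to protect against a second start. The example also moves the id rotation to a separate function meant to be called once at login, and passes `true` so the pre-login record is removed from the session store; both are my design choices, not something the page prescribes. It assumes PHP 7 or later for the scalar type declarations.

```php
<?php
// Added example (not the questioner's function or the answer's code): the
// same secure start routine with the conditional replaced by the correct
// check, session_status() (PHP 5.4+). isset($_SESSION) can never be true
// before session_start() has run, so the original guard was meaningless.

function sec_session_start(bool $secure = false): void
{
    // A session is already running in this request: nothing to do.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    $httponly = true;                           // keep JavaScript away from the id
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued

    // Keep the configured lifetime/path/domain, tighten the security flags.
    $p = session_get_cookie_params();
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], $secure, $httponly);
    session_name('sec_session_id');

    session_start();    // start a new session or resume the existing one
}

// Rotate the id once, at login, instead of on every request. The 'true'
// argument also removes the pre-login session record from the store, which
// the original call (no argument) left behind.
function rotate_session_after_login(): void
{
    session_regenerate_id(true);
}

// Usage (constructed): every page calls sec_session_start(); the login
// handler calls rotate_session_after_login() after the credentials check.
sec_session_start();
```

Rotating the id at the privilege change (login) rather than on every request gives the same protection against session fixation while avoiding the lost-session symptom the question describes, which is what an unconditional regenerate on every request, including concurrent ones, tends to produce.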
I have used session_destroy in an MVC pattern.
If I click the logout link, it redirects to the correct URL but the page disappears. It displays the error below in Firefox:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
This is the function I'm using for logout.
Logout function (not working):
public function Logout(){
    session_destroy();
    $this->redirect('index.php?r=admin/login');
}
I have unset the session variable with unset($_SESSION['userName']), and that works fine. But session_destroy is not working in that place.
What is the reason for that?
Logout function (working):
public function Logout(){
    unset($_SESSION['userName']);
    $this->redirect('index.php?r=admin/login');
}
You can use another way to remove the session, like:
$_SESSION = array(); // define it with empty array and clear the session values
Or start the session again and then destroy it:
session_start();
session_destroy();
For more: why session_destroy() not working
and for a better understanding you can read Chen Asraf's answer.
From the PHP documentation of session_destroy:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
So in order to truly get rid of the session, you also have to unset or override the $_SESSION superglobal, like you did before.
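To show what the quoted manual text adds up to in practice, here is an added example, not the questioner's code or PHP's own, of a logout that performs all three steps: clear `$_SESSION`, expire the session cookie in the browser, and remove the server-side record. It assumes cookie-based sessions (the default) and that it runs before any output has been sent, since both `setcookie()` and `header()` need to add response headers. The redirect target is the one from the question; the function name `logout()` is my own.

```php
<?php
// Added example, not the questioner's or PHP's own code: a logout that
// really ends the session, following the session_destroy() manual text.
// Must run before any output is sent. Redirect target taken from the question.

function logout(string $redirectTo = 'index.php?r=admin/login'): void
{
    // session_destroy() needs an active session to act on.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Clear the in-memory data so nothing survives in $_SESSION
    //    for the rest of this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. The path/domain/flags
    //    must match the ones it was set with or the browser keeps the
    //    old cookie and the next request resumes the same session id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,           // a time in the past deletes the cookie
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the server-side session record.
    session_destroy();

    // 4. Redirect and stop. Code running after this point could otherwise
    //    call session_start() again and create a fresh session.
    header('Location: ' . $redirectTo);
    exit;
}
```

The cookie step is the one most often skipped: without it the browser keeps presenting the old id, and although the data behind it is gone after `session_destroy()`, the id itself is reused by the next `session_start()`, which is exactly the behaviour a logout should not have.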
I started a session with $_SESSION['ProdID'] = $ProdID; earlier in my code, and I started another ProdID session on another page of my script.
I want to end the first one while this new one stays active, without logging out.
Create a page with any name you want.
For example, create a page named logout.php and paste this code into it.
<?php
session_start();
session_destroy();
header('location:login_page.php');
?>
If you want to destroy all sessions, it's better to use session_destroy().
If you want to destroy a specific session, you can use unset($_SESSION['']);
First destroy the current session by regenerating a new session ID to create new cookies. You can then set your values in the new session; the old session is destroyed. Optionally delete all old session variables if you don't need them any longer:
/* generate new session id and delete old session in store */
session_regenerate_id(true);
/* optional: unset old session variables */
$_SESSION = array();
/* set new value(s) */
$_SESSION['name'] = 'value';
If you still want to keep the old session ("without logging out") you can remove the true parameter so the old session is kept in store:
/* generate new session id and keep old session in store */
session_regenerate_id();
The rest would remain the same.
Try using session_destroy(); to end your current session.
Use
unset($_SESSION["ProdID"]);
Just unset the session variable at the end of your code, like this:
unset($_SESSION['ProdID']);
I've been looking at using session_regenerate_id in a login class which I have been developing, and from reading the PHP documentation and a few other sites it seems that it creates a new session with a newly generated ID, carrying across the previous data, since the function was added in PHP 4.3.2.
Since PHP 5.1 it has a delete_old_session parameter and if set to true it will also destroy the previous session but in previous versions it will not.
My question is if I was to use session_regenerate_id on a server running a PHP version below 5.1 what would be the best way to use session_regenerate_id and to destroy the previous session?
I don't think session_destroy() would work because if I used it before session_regenerate_id then it wouldn't be able to carry across the previous session data and if used after it would just destroy the new session.
This should solve your problem:
session_start();
// gets current (previous) session
$previousID = session_id();
session_regenerate_id();
// get the new session id
$newID = session_id();
// close session related files
session_write_close();
// set the old session id
session_id($previousID);
// start the old session
session_start();
// clear the old session
session_destroy();
// save the old session state (destroyed session)
session_write_close();
// set the regenerated session id
session_id($newID);
// start the new session
session_start();
Now your old session data is erased and transferred to a new session id.
I have a login page that involves destroying a session and starting a new one. I get very inconsistent results between Chrome and Firefox.
I am clearing the session using:
session_unset();
session_destroy();
session_start();
$_SESSION = array();
But variables in the session seem to still exist until I refresh the page, and then they disappear. My second problem on top of this is that crucial $_SESSION variables are different on ajax pages called from this login page. This is causing big problems and inconsistent results on ajax pages.
What is the best way to destroy a session and set it with fresh variables that will be available to ajax pages?
If you're using session cookies you have to "remove" them as well.
$cookie_params = session_get_cookie_params();
setcookie(
    session_name(),
    '',                       // empty value
    strtotime('2000-01-01'),  // an expiry in the past tells the browser to drop the cookie
    $cookie_params['path'],
    $cookie_params['domain'],
    $cookie_params['secure']
);
Of course the cookie will not be deleted by the browser until you send the response.
The new session would be created on the next request.
PS: The manual states:
Only use session_unset() for older deprecated code that does not use $_SESSION.
I found:
session_unset();
session_destroy();
session_start();
$_SESSION = array();
to be very unpredictable; it yielded varying results between browsers, which is unusual for PHP.
To resolve I simply replaced it with:
session_start();
$_SESSION = array();
I know this doesn't completely clear and replace a session, but all I really needed was the session to be cleared. The fact that the session has the same session_id doesn't really matter in my scenario.
Hope this helps some people having the same mare as me!
I'm making somewhat of a "module" that gets included into another unrelated PHP application. In my "module" I need to use sessions. However, I get the 'session has already been started...' exception. The application that my "module" is included into is starting the session. If I cannot disable sessions in this application, what are my options? I'd like to use Zend_Session, but it seems upon first glance that it is not possible. However, maybe there is another way? Any ideas?
Thanks!
With PHP’s session implementation, there can only be one session at a time. You can use session_id to check if there currently is a session:
if (session_id() === '') {
// no current session
}
Now if there is already an active session, you could end it with session_write_close, change the session ID’s name with session_name to avoid conflicts, start your session, and restore the old session when done:
$oldName = session_name();
if (session_id() !== '') {
session_write_close();
}
session_name('APPSID');
session_start();
// your session stuff …
session_write_close();
session_name($oldName);
session_start();
The only problem with this is that PHP's session implementation only sends the session ID of the last started session back to the client. So you would need to set the transparent session ID (try output_add_rewrite_var) and/or the session cookie (see setcookie) on your own.
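The switch-and-restore sequence above, wrapped into a reusable helper as an added example (not the answer's code). It closes whatever session the host application has open, runs a callback inside a session with a separate name, emits that session's cookie explicitly as the answer recommends, and then reopens the host session. The helper name `runInModuleSession`, the cookie name `MYMODULE_SID` and the visit counter are constructed for the example; it assumes cookie-based sessions and PHP 7.3+ for the array form of `setcookie()`.

```php
<?php
// Added example (not the answer's code): run a callback inside a separately
// named session while an unrelated host application already has its own
// session open, then restore the host session afterwards.
// Assumes cookie-based sessions and PHP 7.3+ (setcookie() options array).

function runInModuleSession(string $moduleSessionName, callable $callback)
{
    $hostName      = session_name();
    $hostWasActive = (session_status() === PHP_SESSION_ACTIVE);

    // Flush and release the host session; PHP allows only one active session.
    if ($hostWasActive) {
        session_write_close();
    }

    // A distinct name keeps the module's cookie from colliding with the host's.
    session_name($moduleSessionName);
    session_start();

    // The answer notes PHP only guarantees a Set-Cookie for the last session
    // started in the request, so send the module's cookie explicitly.
    $p = session_get_cookie_params();
    setcookie($moduleSessionName, session_id(), [
        'expires'  => $p['lifetime'] > 0 ? time() + $p['lifetime'] : 0,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);

    try {
        // The callback works on $_SESSION, which now belongs to the module.
        $result = $callback();
    } finally {
        // Persist the module session, then hand $_SESSION back to the host.
        session_write_close();
        session_name($hostName);
        if ($hostWasActive) {
            session_start();
        }
    }

    return $result;
}

// Usage (constructed): count visits in the module's own session without
// touching the host application's session data.
$visits = runInModuleSession('MYMODULE_SID', function () {
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    return $_SESSION['visits'];
});
```

Because `session_name()` cannot be changed while a session is active, both renames happen only after `session_write_close()`; the `finally` block makes sure the host session is reopened even if the module code throws, so an exception in the module cannot leave the host application without its session for the rest of the request.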
Try setting a custom "name" parameter for your application.
The default is PHPSESSID. You can change it to PHPSESSID_MYAPP to avoid conflicts with the other app.
Add the following code before you want to use the Session feature:
#session_start();